Jump to content
kit17

How does unRAID web UI SSL work?

8 posts in this topic Last Reply

Recommended Posts

Just out of curiosity.

 

After issuing the certificate, I am being redirected to `https://<some random hex characters>.unraid.net` when I browse to the web UI with the URL `http://192.168.1.199`.

 

Did unRAID create a subdomain `<some random hex characters>.unraid.net` that pointed to my local IP address?

 

Can someone explain this? I am a programmer but just not so advanced in networking, so technical terms should be okay.

Share this post


Link to post

There is a DNS server handling the unraid.net domain.

 

And unRAID will report back your local IP number and this "random hex name" to this DNS server.

And the DNS will append the host list for the domain unraid.net to include your unRAID system.

If you change the IP of your unRAID, then your unRAID will report in the IP number change to the DNS to make sure the next DNS lookup will point to the new IP.

 

Anyone who knows this "random hex name" and asks the DNS will manage to perform a DNS lookup and find the private IP of your unRAID. Which obviously doesn't matter because I can't from my home make use of the IP 192.168.1.199 to reach your unRAID - my machine would just try to find a machine with that IP within one of my networks.

Share this post


Link to post
1 hour ago, pwm said:

There is a DNS server handling the unraid.net domain.

 

And unRAID will report back your local IP number and this "random hex name" to this DNS server.

And the DNS will append the host list for the domain unraid.net to include your unRAID system.

If you change the IP of your unRAID, then your unRAID will report in the IP number change to the DNS to make sure the next DNS lookup will point to the new IP.

 

Anyone who knows this "random hex name" and asks the DNS will manage to perform a DNS lookup and find the private IP of your unRAID. Which obviously doesn't matter because I can't from my home make use of the IP 192.168.1.199 to reach your unRAID - my machine would just try to find a machine with that IP within one of my networks.

Thanks for the answer.

 

So I guess this is just a CNAME record on the `unraid.net` DNS, pointing to `192.168.1.199`?

 

And since `<some random hex characters>.unraid.net` is accessible on my local network,

the browser knows that it equals to `192.168.1.199`, that's why I got redirected when I access `http://192.168.1.199`?

 

Lastly, there is never nothing deal with my public address?

Edited by kit17

Share this post


Link to post
1 minute ago, kit17 said:

Lastly, there is never nothing deal with my public address?

That's a question that only the the company hosting the DNS can answer.


But it isn't impossible that the DNS server has a log entry with your public IP number from when the unRAID system reached out to register the CNAME entry.

And it isn't impossible that the DNS server has log entries with your public IP number from when you make hostname lookup requests.

Share this post


Link to post
11 hours ago, pwm said:

That's a question that only the the company hosting the DNS can answer.


But it isn't impossible that the DNS server has a log entry with your public IP number from when the unRAID system reached out to register the CNAME entry.

And it isn't impossible that the DNS server has log entries with your public IP number from when you make hostname lookup requests.

I see.

 

Are the first 2 questions correct?

Share this post


Link to post

A CNAME is a record with an alias name mapping to the Canonical Name.

 

So service-oriented name www.somedomain.com might get normalized into the actual machine name rambo.somedomain.com

 

So you want to visit www.somedomain.com and the CNAME record translates www.somedomain.com into rambo.somedomain.com and then an A or AAAA record translates from rambo.somedomain.com into an actual IP number.

 

In this case, you want a translation from a name into an IP number. So the DNS would register A records for IPv4 or AAAA records for IPv6.

 

The browser asks the DNS for help with '<some random hex characters>.unraid.net' and the DNS locates an matching A or AAAA record and returns back an IPv4 or IPv6 address. The browser in this case receives back a private IP number (like 192.168.1.199) only meaningful within your local network while inside your firewall.

 

https://en.wikipedia.org/wiki/CNAME_record

Share this post


Link to post

Thanks for the great explanations!

 

During my research, I read that CAs are not allowed to issue certificates to internal names or reserved ip addresses (source).

So when I ping '<some random hex characters>.unraid.net' I didn't expect to see my internal ip of 192.168.x.x. I thought this wasn't allowed, or am I missing something?

 

On 2/4/2018 at 4:26 PM, kit17 said:

And since `<some random hex characters>.unraid.net` is accessible on my local network,

the browser knows that it equals to `192.168.1.199`, that's why I got redirected when I access `http://192.168.1.199`?

From my understanding, when you access `http://192.168.1.199` the web browser automatically goes to port 80 and your unraid server basically tells the browser that it doesn't do insecure connections so it redirects it to the unraid subdomain.

If you manually specify the port with `https://192.168.1.199:443` the unraid server will accept the connection, however you are not redirected to the unraid subdomain so the SSL certificate provided by letsencypt (which is assigned to your specific unraid subdomain) does not look valid. 

Share this post


Link to post
Posted (edited)
8 hours ago, Cameron said:

During my research, I read that CAs are not allowed to issue certificates to internal names or reserved ip addresses (source).

So when I ping '<some random hex characters>.unraid.net' I didn't expect to see my internal ip of 192.168.x.x. I thought this wasn't allowed, or am I missing something?

CAs are not allowed to generate a certificate for https://192.168.1.199 because that would work on many computers, it does not uniquely identity one machine. They can however generate certs for any Fully Qualified Domain Name (i.e. xyz.unraid.net), and there is no restriction on what IP address the DNS for that FQDN actually points to.

 

8 hours ago, Cameron said:

From my understanding, when you access `http://192.168.1.199` the web browser automatically goes to port 80 and your unraid server basically tells the browser that it doesn't do insecure connections so it redirects it to the unraid subdomain.

If you manually specify the port with `https://192.168.1.199:443` the unraid server will accept the connection, however you are not redirected to the unraid subdomain so the SSL certificate provided by letsencypt (which is assigned to your specific unraid subdomain) does not look valid. 

 

Your browser is able to connect to http://192.168.1.199 because it is an insecure connection, no SSL cert required. Unraid responds and redirects to the proper  FQDN for the https connection.

 

Your browser refuses to connect to https://192.168.1.199 (regardless of port) because the browser is asking for a secure connection and Unraid doesn't have a certificate that matches "192.168.1.199" (per the comment above). Since your browser refuses to make an https connection without a valid cert, it never finds out that Unraid just wants to redirect it to the proper FQDN

Edited by ljm42

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.