Bind unraid ports to specific IP address instead of all (0.0.0.0)

[bluecamel]

I'm trying to bind multiple services to port 80 on different virtual IP addresses.  I can get this to work if I change the unraid UI port from 80 to 81.  The problem is that unraid binds these ports to 0.0.0.0.  Is there a way to only bind to a host IP address (192.168.1.x)?

[bonienl]

In the file /config/ident.cfg on your flash devices, set

BIND_MGT="yes"

Restart nginx or reboot your system. Afterwards the GUI only listens to eth0

[AndyT86]

So, I followed the above

 

Yet I am still getting this

 

>sudo lsof -i -P -n | grep LISTEN

nginx     24950  root    9u  IPv4    6995      0t0  TCP 192.168.1.240:80 (LISTEN)
nginx     24950  root   10u  IPv6    6996      0t0  TCP *:80 (LISTEN)
nginx     24951  root    9u  IPv4    6995      0t0  TCP 192.168.1.240:80 (LISTEN)
nginx     24951  root   10u  IPv6    6996      0t0  TCP *:80 (LISTEN)

Output of ident.cfg

cat /boot/config/ident.cfg

BIND_MGT="yes"
USE_TELNET="yes"
PORTTELNET="23"
USE_SSH="yes"
PORTSSH="22"
USE_UPNP="yes"
START_PAGE="Dashboard"

 

So the issue here is that nginx that serves the GUI (based in the PID) IS in fact bound to eth0 (technically br0) but the first interface [*.1.240].

but its still listening on all interfaces. Setting `BIND_MGMT=yes` only made it bind eth0 in addition to all interfaces [*] rather than instead of.

 

This server has 7 interfaces.  Its not worth the discussion of why, its how its made to some degree (5 on board, 2 10G). But I want one of those other interfaces, on a different subnet

 

What I want is to bind other http services to :80 and :443 on other interfaces, and on other subnets.

 

For instance- eth1/br1 on 192.168.1.241 should serve something internally to users- thats not the Unraid GUI.

and eth3/br3 should serve on the subnet 192.168.2.*:80 / *.2.*:443 to requests coming from the WAN.

 

 

[bonienl]

3 hours ago, AndyT86 said:

Yet I am still getting this

It works as expected.

The IPv4 network is limited to interface eth0 (192.168.1.240) only, which is the management interface of Unraid.

There is no IPv6 address configured on your system, hence it listens to all.

 

3 hours ago, AndyT86 said:

What I want is to bind other http services to :80 and :443 on other interfaces, and on other subnets.

That is beyond the scope of Unraid, it doesn't manage other http services.

[Homebrewzero]

So I am looking to do the same thing, so when I have a docker app bind with the vlan interface it doesn't conflict.  I just want to be able to reach port 80 and 443 on my mgmt vlan, and not my other vlans. This way I can have docker bind to port 80 and 443 for other containers 

 

[sjtuross]

This hidden setting BIND_MGT no longer works since 6.10 because it's not used in /etc/rc.d/rc.nginx at all. It was in 6.9.2 though (I found the code here https://gist.github.com/ljm42/59749ee5495d14e1f6d0bd2f13001c06)

 

@bonienl Is this a bug or is it intended to not support this hidden setting any more?

Edited July 30, 2022 by sjtuross

[ljm42]

There were a lot of good improvements to SSL support in Unraid 6.10, unfortunately the hidden BIND_MGT setting was a casualty.

I deleted that gist as it was from 2019. If you want to see the current rc.nginx, look on your server at /etc/rc.d/rc.ngxinx

[primeval_god]

On 8/1/2022 at 5:44 PM, ljm42 said:

unfortunately the hidden BIND_MGT setting was a casualty.

So just to clarify are you saying this is a bug or that the ability to bind the webui to a single IP address with this mechanism is no longer a feature?

[ljm42]

Not a bug, but a technical limitation. Support for this hidden setting is unlikely to return.

[sjtuross]

Sorry to hear that. I thought it's a security feature and also useful if you want to bind 80/443 to a secondary IP of the primary interface for your own service like reverse proxy.

 

I applied the logic to the current version of /etc/rc.d/rc.nginx and it works well for myself. I just share it to my gist if someone finds it useful - https://gist.github.com/sjtuross/8b7e9d5762b92ca6459f447429c814a4

 

To persist the change on reboot, add a user script running at first array start.

 

#!/bin/bash
cp /boot/config/plugins/user.scripts/scripts/support_bind_mgt/rc.nginx /etc/rc.d/rc.nginx
/etc/rc.d/rc.nginx restart

[leuwk88]

On 8/5/2022 at 9:13 PM, sjtuross said:

I applied the logic to the current version of /etc/rc.d/rc.nginx and it works well for myself. I just share it to my gist if someone finds it useful - https://gist.github.com/sjtuross/8b7e9d5762b92ca6459f447429c814a4

 

To persist the change on reboot, add a user script running at first array start.

Does this still work in Unraid version 6.11.5?

 

I have tried using your gist file as is but receive the following error when restarting nginx:

bash: /etc/rc.d/rc.nginx: cannot execute: required file not found

 

If I merge the missing BIND_MGT references into my existing rc.nginx config, I can restart nginx fine, but then lose complete access to the Unraid GUI on all interfaces.

 

Am I missing something?

rc.nginx

[sjtuross]

I updated the gist for 6.11.5 with very minor change. You can also compare it with the original file to see what's changed. It should work. This is no longer needed since 6.12 because management services listen on specific IP addresses by default.

[leuwk88]

On 7/29/2023 at 2:49 PM, sjtuross said:

I updated the gist for 6.11.5 with very minor change. You can also compare it with the original file to see what's changed. It should work. This is no longer needed since 6.12 because management services listen on specific IP addresses by default.

I tried this as well but had no luck unfortunately.

 

I have since upgrade to 6.12.3. May I ask what you meant by 'Management services listen on specific IP addresses by default'?

 

I am hoping for a way to restrict management access to ETH0 interface only, and have docker, VMs etc accessible via ETH1.

[sjtuross]

Before 6.12, nginx, samba such services listen on 0.0.0.0, so I changed rc.nginx to listen on the interface configured IP.

 

Check "Network Improvements" from https://unraid.net/blog/6-12-0-stable. You can now include/exclude listening interfaces. Also the services now listen on IP address of each interface rather than 0.0.0.0

[leuwk88]

Thanks for the info, though I'm not really sure this solves my problem.

 

As mentioned, I was hoping to restrict the Unraid Web Interface to ETH0 (and perhaps SSH etc), and have other services such as SMB only accessible on the ETH1 interface.

 

On my server these two interfaces connect to do different networks, ETH0 being on a restricted 'management' network, and ETH1 being on my 'home' network. I don't want people on the home network to be able to access the Unraid web interface or attempt SSH connections etc. This should only be possible from the management network.

 

Hope this makes sense?

[sjtuross]

On 8/3/2023 at 6:43 AM, leuwk88 said:

Thanks for the info, though I'm not really sure this solves my problem.

 

As mentioned, I was hoping to restrict the Unraid Web Interface to ETH0 (and perhaps SSH etc), and have other services such as SMB only accessible on the ETH1 interface.

 

On my server these two interfaces connect to do different networks, ETH0 being on a restricted 'management' network, and ETH1 being on my 'home' network. I don't want people on the home network to be able to access the Unraid web interface or attempt SSH connections etc. This should only be possible from the management network.

 

Hope this makes sense?

I don't think this is possible to config in unraid, but you could achieve that through firewall rule in your router.