October 6, 20187 yr I'm trying to bind multiple services to port 80 on different virtual IP addresses. I can get this to work if I change the unraid UI port from 80 to 81. The problem is that unraid binds these ports to 0.0.0.0. Is there a way to only bind to a host IP address (192.168.1.x)?
October 6, 20187 yr In the file /config/ident.cfg on your flash devices, set BIND_MGT="yes" Restart nginx or reboot your system. Afterwards the GUI only listens to eth0
July 2, 20215 yr So, I followed the above Yet I am still getting this >sudo lsof -i -P -n | grep LISTEN nginx 24950 root 9u IPv4 6995 0t0 TCP 192.168.1.240:80 (LISTEN) nginx 24950 root 10u IPv6 6996 0t0 TCP *:80 (LISTEN) nginx 24951 root 9u IPv4 6995 0t0 TCP 192.168.1.240:80 (LISTEN) nginx 24951 root 10u IPv6 6996 0t0 TCP *:80 (LISTEN) Output of ident.cfg cat /boot/config/ident.cfg BIND_MGT="yes" USE_TELNET="yes" PORTTELNET="23" USE_SSH="yes" PORTSSH="22" USE_UPNP="yes" START_PAGE="Dashboard" So the issue here is that nginx that serves the GUI (based in the PID) IS in fact bound to eth0 (technically br0) but the first interface [*.1.240]. but its still listening on all interfaces. Setting `BIND_MGMT=yes` only made it bind eth0 in addition to all interfaces [*] rather than instead of. This server has 7 interfaces. Its not worth the discussion of why, its how its made to some degree (5 on board, 2 10G). But I want one of those other interfaces, on a different subnet What I want is to bind other http services to :80 and :443 on other interfaces, and on other subnets. For instance- eth1/br1 on 192.168.1.241 should serve something internally to users- thats not the Unraid GUI. and eth3/br3 should serve on the subnet 192.168.2.*:80 / *.2.*:443 to requests coming from the WAN.
July 2, 20215 yr 3 hours ago, AndyT86 said: Yet I am still getting this It works as expected. The IPv4 network is limited to interface eth0 (192.168.1.240) only, which is the management interface of Unraid. There is no IPv6 address configured on your system, hence it listens to all. 3 hours ago, AndyT86 said: What I want is to bind other http services to :80 and :443 on other interfaces, and on other subnets. That is beyond the scope of Unraid, it doesn't manage other http services.
July 21, 20223 yr So I am looking to do the same thing, so when I have a docker app bind with the vlan interface it doesn't conflict. I just want to be able to reach port 80 and 443 on my mgmt vlan, and not my other vlans. This way I can have docker bind to port 80 and 443 for other containers
July 30, 20223 yr This hidden setting BIND_MGT no longer works since 6.10 because it's not used in /etc/rc.d/rc.nginx at all. It was in 6.9.2 though (I found the code here https://gist.github.com/ljm42/59749ee5495d14e1f6d0bd2f13001c06) @bonienl Is this a bug or is it intended to not support this hidden setting any more? Edited July 30, 20223 yr by sjtuross
August 1, 20223 yr There were a lot of good improvements to SSL support in Unraid 6.10, unfortunately the hidden BIND_MGT setting was a casualty. I deleted that gist as it was from 2019. If you want to see the current rc.nginx, look on your server at /etc/rc.d/rc.ngxinx
August 3, 20223 yr On 8/1/2022 at 5:44 PM, ljm42 said: unfortunately the hidden BIND_MGT setting was a casualty. So just to clarify are you saying this is a bug or that the ability to bind the webui to a single IP address with this mechanism is no longer a feature?
August 3, 20223 yr Not a bug, but a technical limitation. Support for this hidden setting is unlikely to return.
August 5, 20223 yr Sorry to hear that. I thought it's a security feature and also useful if you want to bind 80/443 to a secondary IP of the primary interface for your own service like reverse proxy. I applied the logic to the current version of /etc/rc.d/rc.nginx and it works well for myself. I just share it to my gist if someone finds it useful - https://gist.github.com/sjtuross/8b7e9d5762b92ca6459f447429c814a4 To persist the change on reboot, add a user script running at first array start. #!/bin/bash cp /boot/config/plugins/user.scripts/scripts/support_bind_mgt/rc.nginx /etc/rc.d/rc.nginx /etc/rc.d/rc.nginx restart
July 26, 20232 yr On 8/5/2022 at 9:13 PM, sjtuross said: I applied the logic to the current version of /etc/rc.d/rc.nginx and it works well for myself. I just share it to my gist if someone finds it useful - https://gist.github.com/sjtuross/8b7e9d5762b92ca6459f447429c814a4 To persist the change on reboot, add a user script running at first array start. Does this still work in Unraid version 6.11.5? I have tried using your gist file as is but receive the following error when restarting nginx: bash: /etc/rc.d/rc.nginx: cannot execute: required file not found If I merge the missing BIND_MGT references into my existing rc.nginx config, I can restart nginx fine, but then lose complete access to the Unraid GUI on all interfaces. Am I missing something? rc.nginx
July 29, 20232 yr I updated the gist for 6.11.5 with very minor change. You can also compare it with the original file to see what's changed. It should work. This is no longer needed since 6.12 because management services listen on specific IP addresses by default.
August 1, 20232 yr On 7/29/2023 at 2:49 PM, sjtuross said: I updated the gist for 6.11.5 with very minor change. You can also compare it with the original file to see what's changed. It should work. This is no longer needed since 6.12 because management services listen on specific IP addresses by default. I tried this as well but had no luck unfortunately. I have since upgrade to 6.12.3. May I ask what you meant by 'Management services listen on specific IP addresses by default'? I am hoping for a way to restrict management access to ETH0 interface only, and have docker, VMs etc accessible via ETH1.
August 1, 20232 yr Before 6.12, nginx, samba such services listen on 0.0.0.0, so I changed rc.nginx to listen on the interface configured IP. Check "Network Improvements" from https://unraid.net/blog/6-12-0-stable. You can now include/exclude listening interfaces. Also the services now listen on IP address of each interface rather than 0.0.0.0
August 2, 20232 yr Thanks for the info, though I'm not really sure this solves my problem. As mentioned, I was hoping to restrict the Unraid Web Interface to ETH0 (and perhaps SSH etc), and have other services such as SMB only accessible on the ETH1 interface. On my server these two interfaces connect to do different networks, ETH0 being on a restricted 'management' network, and ETH1 being on my 'home' network. I don't want people on the home network to be able to access the Unraid web interface or attempt SSH connections etc. This should only be possible from the management network. Hope this makes sense?
August 7, 20232 yr On 8/3/2023 at 6:43 AM, leuwk88 said: Thanks for the info, though I'm not really sure this solves my problem. As mentioned, I was hoping to restrict the Unraid Web Interface to ETH0 (and perhaps SSH etc), and have other services such as SMB only accessible on the ETH1 interface. On my server these two interfaces connect to do different networks, ETH0 being on a restricted 'management' network, and ETH1 being on my 'home' network. I don't want people on the home network to be able to access the Unraid web interface or attempt SSH connections etc. This should only be possible from the management network. Hope this makes sense? I don't think this is possible to config in unraid, but you could achieve that through firewall rule in your router.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.