bluecamel Posted October 6, 2018

I'm trying to bind multiple services to port 80 on different virtual IP addresses. I can get this to work if I change the unraid UI port from 80 to 81. The problem is that unraid binds these ports to 0.0.0.0. Is there a way to only bind to a host IP address (192.168.1.x)?

bonienl Posted October 6, 2018

In the file /config/ident.cfg on your flash device, set `BIND_MGT="yes"`

Restart nginx or reboot your system. Afterwards the GUI only listens to eth0.

AndyT86 Posted July 2, 2021

So, I followed the above. Yet I am still getting this:

```
>sudo lsof -i -P -n | grep LISTEN
nginx 24950 root  9u IPv4 6995 0t0 TCP 192.168.1.240:80 (LISTEN)
nginx 24950 root 10u IPv6 6996 0t0 TCP *:80 (LISTEN)
nginx 24951 root  9u IPv4 6995 0t0 TCP 192.168.1.240:80 (LISTEN)
nginx 24951 root 10u IPv6 6996 0t0 TCP *:80 (LISTEN)
```

Output of ident.cfg:

```
cat /boot/config/ident.cfg
BIND_MGT="yes"
USE_TELNET="yes"
PORTTELNET="23"
USE_SSH="yes"
PORTSSH="22"
USE_UPNP="yes"
START_PAGE="Dashboard"
```

So the issue here is that the nginx that serves the GUI (based on the PID) IS in fact bound to eth0 (technically br0) but the first interface [*.1.240], but it's still listening on all interfaces. Setting `BIND_MGT=yes` only made it bind eth0 in addition to all interfaces [*] rather than instead of.

This server has 7 interfaces. It's not worth the discussion of why, it's how it's made to some degree (5 on board, 2 10G). But I want one of those other interfaces, on a different subnet.

What I want is to bind other http services to :80 and :443 on other interfaces, and on other subnets. For instance, eth1/br1 on 192.168.1.241 should serve something internally to users that's not the Unraid GUI, and eth3/br3 should serve on the subnet 192.168.2.*:80 / *.2.*:443 to requests coming from the WAN.

bonienl Posted July 2, 2021

> 3 hours ago, AndyT86 said:
> Yet I am still getting this

It works as expected. The IPv4 network is limited to interface eth0 (192.168.1.240) only, which is the management interface of Unraid. There is no IPv6 address configured on your system, hence it listens to all.

> 3 hours ago, AndyT86 said:
> What I want is to bind other http services to :80 and :443 on other interfaces, and on other subnets.

That is beyond the scope of Unraid, it doesn't manage other http services.

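Added example (not part of any post in this thread): a shell function that reads `lsof -i -P -n` output and lists the processes listening on a wildcard address for the given ports, which is the condition the two posts above are discussing. The function names and the `0.0.0.0` / `[::]` spellings (as other tools print them) are assumptions; the sample lines are the ones posted above.

```shell
#!/bin/sh
# Added example: report listeners bound to every address of a family.
# Input : output of `lsof -i -P -n` on stdin
# Arg 1 : comma-separated ports to check (default 80,443)
# Output: one "command family socket" line per wildcard listener
wildcard_listeners() {
  awk -v ports="${1:-80,443}" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $NF == "(LISTEN)" {
      name = $(NF - 1)                  # e.g. 192.168.1.240:80 or *:80
      port = name; sub(/.*:/, "", port)
      addr = name; sub(/:[0-9]+$/, "", addr)
      if (!(port in want)) next
      if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") {
        key = $1 " " $5 " " name        # worker processes share one socket,
        if (!(key in seen)) {           # so report each socket only once
          seen[key] = 1
          print key
        }
      }
    }'
}

# Sample input: the four lsof lines from the post above.
sample_lsof() {
  cat <<'EOF'
nginx 24950 root  9u IPv4 6995 0t0 TCP 192.168.1.240:80 (LISTEN)
nginx 24950 root 10u IPv6 6996 0t0 TCP *:80 (LISTEN)
nginx 24951 root  9u IPv4 6995 0t0 TCP 192.168.1.240:80 (LISTEN)
nginx 24951 root 10u IPv6 6996 0t0 TCP *:80 (LISTEN)
EOF
}

sample_lsof | wildcard_listeners 80

# On a live system:
#   lsof -i -P -n | wildcard_listeners 80,443
```

An empty result means every listener on the checked ports is bound to a specific address.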
Homebrewzero Posted July 21, 2022

So I am looking to do the same thing, so when I have a docker app bind with the vlan interface it doesn't conflict. I just want to be able to reach port 80 and 443 on my mgmt vlan, and not my other vlans. This way I can have docker bind to port 80 and 443 for other containers.

sjtuross Posted July 30, 2022

This hidden setting BIND_MGT no longer works since 6.10 because it's not used in /etc/rc.d/rc.nginx at all. It was in 6.9.2 though (I found the code here https://gist.github.com/ljm42/59749ee5495d14e1f6d0bd2f13001c06)

@bonienl Is this a bug or is it intended to not support this hidden setting any more?

Edited July 30, 2022 by sjtuross

ljm42 Posted August 1, 2022

There were a lot of good improvements to SSL support in Unraid 6.10; unfortunately the hidden BIND_MGT setting was a casualty.

I deleted that gist as it was from 2019. If you want to see the current rc.nginx, look on your server at /etc/rc.d/rc.nginx

primeval_god Posted August 3, 2022

> On 8/1/2022 at 5:44 PM, ljm42 said:
> unfortunately the hidden BIND_MGT setting was a casualty.

So just to clarify, are you saying this is a bug or that the ability to bind the webui to a single IP address with this mechanism is no longer a feature?

ljm42 Posted August 3, 2022

Not a bug, but a technical limitation. Support for this hidden setting is unlikely to return.

sjtuross Posted August 5, 2022

Sorry to hear that. I thought it's a security feature and also useful if you want to bind 80/443 to a secondary IP of the primary interface for your own service like reverse proxy.

I applied the logic to the current version of /etc/rc.d/rc.nginx and it works well for myself. I just share it to my gist if someone finds it useful - https://gist.github.com/sjtuross/8b7e9d5762b92ca6459f447429c814a4

To persist the change on reboot, add a user script running at first array start.

```
#!/bin/bash
# Replace the stock rc.nginx with the patched copy kept on the flash drive
cp /boot/config/plugins/user.scripts/scripts/support_bind_mgt/rc.nginx /etc/rc.d/rc.nginx
# Restart nginx so the patched script takes effect
/etc/rc.d/rc.nginx restart
```

leuwk88 Posted July 26, 2023

> On 8/5/2022 at 9:13 PM, sjtuross said:
> I applied the logic to the current version of /etc/rc.d/rc.nginx and it works well for myself. I just share it to my gist if someone finds it useful - https://gist.github.com/sjtuross/8b7e9d5762b92ca6459f447429c814a4
> To persist the change on reboot, add a user script running at first array start.

Does this still work in Unraid version 6.11.5? I have tried using your gist file as is but receive the following error when restarting nginx:

```
bash: /etc/rc.d/rc.nginx: cannot execute: required file not found
```

If I merge the missing BIND_MGT references into my existing rc.nginx config, I can restart nginx fine, but then lose complete access to the Unraid GUI on all interfaces.

Am I missing something?

Attached: rc.nginx

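Added example (not sjtuross's script or Unraid's own code): a more guarded form of the copy-and-restart user script quoted above. bash prints "required file not found" when a script exists but the interpreter named on its `#!` line cannot be found, for instance when the file was saved with CRLF line endings, so the hypothetical helpers `check_rc` and `install_rc` refuse such a file and keep a backup of the script they replace.

```shell
#!/bin/sh
# Added example: vet a replacement rc script before copying it over the live one.
# Assumes a shell script whose #! line names the shell directly (no /usr/bin/env),
# so that shell can syntax-check the file with -n.

# check_rc FILE: prints "ok", or the reason FILE is rejected (and returns 1)
check_rc() {
  rc_file=$1
  rc_cr=$(printf '\r')
  [ -s "$rc_file" ] || { echo "missing or empty"; return 1; }
  if grep -q "$rc_cr" "$rc_file"; then echo "CRLF line endings"; return 1; fi
  IFS= read -r rc_first < "$rc_file"
  case $rc_first in
    '#!'*) rc_interp=${rc_first#"#!"}; rc_interp=${rc_interp# }; rc_interp=${rc_interp%% *} ;;
    *) echo "no #! line"; return 1 ;;
  esac
  [ -x "$rc_interp" ] || { echo "interpreter not found: $rc_interp"; return 1; }
  "$rc_interp" -n "$rc_file" 2>/dev/null || { echo "syntax error"; return 1; }
  echo "ok"
}

# install_rc SRC DST: back up DST as DST.orig, then replace it only if SRC passes
install_rc() {
  rc_why=$(check_rc "$1") || { echo "not installed: $rc_why"; return 1; }
  if [ -e "$2" ]; then cp -p "$2" "$2.orig"; fi
  cp "$1" "$2" && chmod 755 "$2"
}

# Demo on constructed files in a temp directory (nothing on the system is touched)
demo() {
  demo_dir=$(mktemp -d)
  printf '#!/bin/sh\necho live\n' > "$demo_dir/rc.nginx"
  printf '#!/bin/sh\r\necho patched\r\n' > "$demo_dir/rc.nginx.new"
  install_rc "$demo_dir/rc.nginx.new" "$demo_dir/rc.nginx"
  rm -rf "$demo_dir"
}
demo || true

# On the server, with the paths from the post above:
# install_rc /boot/config/plugins/user.scripts/scripts/support_bind_mgt/rc.nginx \
#            /etc/rc.d/rc.nginx && /etc/rc.d/rc.nginx restart
```

If the restart leaves the GUI unreachable, the previous script is still available as `/etc/rc.d/rc.nginx.orig`.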
sjtuross Posted July 29, 2023

I updated the gist for 6.11.5 with a very minor change. You can also compare it with the original file to see what's changed. It should work.

This is no longer needed since 6.12 because management services listen on specific IP addresses by default.

leuwk88 Posted August 1, 2023

> On 7/29/2023 at 2:49 PM, sjtuross said:
> I updated the gist for 6.11.5 with a very minor change. You can also compare it with the original file to see what's changed. It should work.
> This is no longer needed since 6.12 because management services listen on specific IP addresses by default.

I tried this as well but had no luck unfortunately. I have since upgraded to 6.12.3. May I ask what you meant by 'Management services listen on specific IP addresses by default'? I am hoping for a way to restrict management access to the ETH0 interface only, and have docker, VMs etc. accessible via ETH1.

sjtuross Posted August 1, 2023

Before 6.12, services such as nginx and samba listened on 0.0.0.0, so I changed rc.nginx to listen on the interface's configured IP.

Check "Network Improvements" from https://unraid.net/blog/6-12-0-stable. You can now include/exclude listening interfaces. Also, the services now listen on the IP address of each interface rather than 0.0.0.0.

leuwk88 Posted August 2, 2023

Thanks for the info, though I'm not really sure this solves my problem. As mentioned, I was hoping to restrict the Unraid Web Interface to ETH0 (and perhaps SSH etc.), and have other services such as SMB only accessible on the ETH1 interface.

On my server these two interfaces connect to different networks, ETH0 being on a restricted 'management' network, and ETH1 being on my 'home' network. I don't want people on the home network to be able to access the Unraid web interface or attempt SSH connections etc. This should only be possible from the management network.

Hope this makes sense?

sjtuross Posted August 7, 2023

> On 8/3/2023 at 6:43 AM, leuwk88 said:
> Thanks for the info, though I'm not really sure this solves my problem. As mentioned, I was hoping to restrict the Unraid Web Interface to ETH0 (and perhaps SSH etc.), and have other services such as SMB only accessible on the ETH1 interface. On my server these two interfaces connect to different networks, ETH0 being on a restricted 'management' network, and ETH1 being on my 'home' network. I don't want people on the home network to be able to access the Unraid web interface or attempt SSH connections etc. This should only be possible from the management network. Hope this makes sense?

I don't think this is possible to configure in unraid, but you could achieve that through a firewall rule in your router.