Prof93 Posted January 4, 2019
Hi All, Sorry if this has been resolved in this forum. Couldn't find it when looking; maybe I was searching for the wrong thing. Basically I cannot be bothered to type or remember the IP of my server and would like to access it via the hostname. When I access it via the hostname I get an issue where the site is not secure. But if I access via the IP it works fine. I use pfSense as my firewall and have put the following into the DNS Resolver custom settings:
server:
    private-domain: "unraid.net"
Probably something simple but hope you can help. Many Thanks, Ben
Frank1940 Posted January 5, 2019
Are we talking about the GUI? And what are you using to access the server (PC, smartphone, etc., and which program or app)?
Prof93 Posted January 5, 2019 (Author)
Yeah, just the GUI. I am using a Windows 10 computer running Chrome. It is secure using the IP, just not the host name, so it must be config? The host name is a host override in pfSense, so this could be the issue. This was the only way I could give it a host name, as the server is static and outside of the DHCP pool.
Frank1940 Posted January 5, 2019
Let me make a suggestion.
1-- Create a new Bookmark in your browser. (You will probably have to open the Bookmarks manager to do this.)
2-- Name the Bookmark with the name of your server. Now in the URL box, enter the IP address of your server followed by /Main ( 192.168.XXX.X/Main ). Now save the Bookmark. (You can also use 192.168.XXX.X/Dashboard to open up on the Dashboard page rather than the Main page.)
3-- Drag this new Bookmark to the spot where you want it in the Bookmark hierarchy.
Prof93 Posted January 5, 2019 (Author)
Haha, that is for sure a solution. Currently I have Heimdall installed and it has the IP set rather than the host name. But I was looking for a solution to it being secure via the host name. I also know how to bookmark; I am an IT tech, so very computer literate. Just can't work out why it will not work with the hostname. Seems an odd setup; the cert has lots of strange config. I kinda know the answer, and that is because the hostname is not mentioned in the cert, but I don't know if there is a way round this. Anyway, hopefully someone knows how it works and can explain.
Frank1940 Posted January 5, 2019
OK. I did a bit of playing and I did get http://Server_Name/Main to work. The server does have a fixed IP address, and the router's (Ubiquiti ER-X) Static Mapping table has the Server_Name as a part of the Static Mapping information. This would make it available for the router to be able to resolve that IP address from the host name. Using https://Server_Name/Main does result in a security warning violation. Does this help...
Prof93 Posted January 6, 2019 (Author)
Not really, as I want to find the reason behind why it doesn't work for HTTPS securely via the host name. You now have the same issue that I have.
unevent Posted January 6, 2019
Probably the way LT obtains the cert (DNS method, a guess). Look into pfSense DNS rebinding protections for a solution, or disable HTTPS access to the GUI.
ljm42 Posted January 6, 2019
5 hours ago, Prof93 said:
"Not really, as I want to find the reason behind why it doesn't work for HTTPS securely via the host name. You now have the same issue that I have."
Fully functional SSL certificates that don't throw warnings are not available for a simple hostname like https://tower/ ; you have to use a Fully Qualified Domain Name like http://tower.mydomain.com/ , which uniquely identifies your computer on the Internet. That means you have to own a domain, control the DNS, and purchase a certificate. This is generally not very easy to do for a device that is only available on your LAN. LT has simplified the process greatly by providing DDNS and an xxx.unraid.net certificate through LetsEncrypt. The only downside is that you have no control over the URL. If you want to control the URL you need to purchase your own domain, your own certificate, and manage your own DNS. It is not trivial, but you can configure Unraid to use your own cert by going to Settings -> Identification -> Management Access and turning on the help. It is far simpler to just create a bookmark that points at the URL LT provides.
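The reason a bare hostname can never be "secure" while the xxx.unraid.net name can comes down to the name-matching step a browser performs against the certificate's subjectAltName entries. The following is an added example, not code from the thread or from Unraid/Lime Technology: a minimal implementation of that matching (RFC 6125 rules) run against constructed SAN lists. The certificate names (abc123def456.unraid.net, *.mydomain.com) are made up for illustration.

```python
"""Why https://tower/ fails certificate checking while https://<id>.unraid.net/ passes.

Added example: models the browser's hostname-vs-certificate comparison.
The SAN entries below are constructed, not taken from any real certificate.
Inspect a real one with: openssl x509 -in cert.pem -noout -ext subjectAltName
"""
from __future__ import annotations

# Constructed SAN lists. The first mirrors the shape of a DDNS-style cert
# (one hash-like label under a provider domain); the second a wildcard cert
# someone might buy for their own domain.
SAN_DDNS_CERT = ["abc123def456.unraid.net"]            # hypothetical label
SAN_WILDCARD_CERT = ["*.mydomain.com", "mydomain.com"]  # hypothetical own-domain cert


def _label_matches(pattern: str, label: str) -> bool:
    """Compare one SAN label with one host label; a lone '*' covers any whole label."""
    if pattern == "*":
        return True
    return pattern.lower() == label.lower()


def san_matches(san_names: list[str], hostname: str) -> bool:
    """Return True if any dNSName in san_names covers hostname.

    Rules applied (RFC 6125 / browser behaviour):
    - case-insensitive, label-by-label comparison, same label count required;
    - a wildcard is accepted only as the complete left-most label and only
      when at least two more labels follow ('*.com' is rejected);
    - partial wildcards ('f*.example') and wildcards in other labels are rejected.
    A single-label name like 'tower' has no domain part, so no '*.x' entry can
    ever match it; public CAs also stopped issuing for such internal names.
    """
    host_labels = hostname.rstrip(".").split(".")
    for name in san_names:
        name_labels = name.rstrip(".").split(".")
        if len(name_labels) != len(host_labels):
            continue
        if name_labels[0] == "*" and len(name_labels) < 3:
            continue  # reject '*.tld'-style wildcards
        if any("*" in lbl for lbl in name_labels[1:]):
            continue  # wildcard only permitted in the left-most label
        if all(_label_matches(p, h) for p, h in zip(name_labels, host_labels)):
            return True
    return False


def explain(san_names: list[str], url_host: str) -> str:
    """Human-readable verdict for a URL host against a certificate's SANs."""
    ok = san_matches(san_names, url_host)
    verdict = "OK" if ok else "NAME MISMATCH (browser warning)"
    return f"{url_host!r} vs SAN {san_names}: {verdict}"


if __name__ == "__main__":
    for host in ("tower", "abc123def456.unraid.net", "ABC123DEF456.unraid.net"):
        print(explain(SAN_DDNS_CERT, host))
    for host in ("tower", "tower.mydomain.com", "a.b.mydomain.com", "mydomain.com"):
        print(explain(SAN_WILDCARD_CERT, host))
```

Running it shows `tower` mismatching against both certificates, the provider-issued name matching regardless of letter case, and the wildcard covering exactly one label (tower.mydomain.com but not a.b.mydomain.com), which is the constraint ljm42's post is describing.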
JonathanM Posted January 6, 2019
10 hours ago, ljm42 said:
"Fully functional SSL certificates that don't throw warnings are not available for a simple hostname like https://tower/ ; you have to use a Fully Qualified Domain Name like http://tower.mydomain.com/ , which uniquely identifies your computer on the Internet. That means you have to own a domain, control the DNS, and purchase a certificate. This is generally not very easy to do for a device that is only available on your LAN. LT has simplified the process greatly by providing DDNS and an xxx.unraid.net certificate through LetsEncrypt. The only downside is that you have no control over the URL. If you want to control the URL you need to purchase your own domain, your own certificate, and manage your own DNS. It is not trivial, but you can configure Unraid to use your own cert by going to Settings -> Identification -> Management Access and turning on the help. It is far simpler to just create a bookmark that points at the URL LT provides."
This is the correct and complete answer; however, there is one additional wrench to throw in. When you set up a FQDN that points to a non-routable private IP, there is a security concern that is raised, namely DNS Rebinding. If you read that article, the first protection technique that is used is a complete disabling of the mechanism that Unraid utilizes to provide a valid FQDN with the accompanying SSL cert. So, to get Unraid's FQDN SSL cert to work, you have to disable some or all of the rebind protection of your local DNS, hopefully by just adding an exception for unraid.net. That is router dependent, so Unraid can't really do a whole lot to help get it working for everybody.
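The rebind protection JonathanM describes is a filter in the resolver: answers for names outside the LAN that point into private address space are discarded, so a public name such as xxx.unraid.net resolving to 192.168.x.x simply fails to resolve until the domain is allowlisted (the `private-domain: "unraid.net"` line from the opening post). The following is an added example, not code from the thread or from pfSense/Unbound: it models that decision with a private-address list and a private-domain allowlist over constructed DNS answers. All names and addresses are made up (TEST-NET and RFC 1918 ranges).

```python
"""Model of a resolver's DNS-rebinding protection and the private-domain exception.

Added example, not pfSense or Unbound code. It reproduces the decision those
resolvers make: drop private addresses from answers for any name that is not
under an allowlisted domain. Sample answers below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Ranges a rebind-protecting resolver refuses to return for public names:
# RFC 1918, CGNAT, link-local, loopback, IPv6 ULA and link-local, ::1.
DEFAULT_PRIVATE_ADDRESSES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("::1/128"),
]


@dataclass
class RebindPolicy:
    """private_addresses: blocked ranges; private_domains: names allowed to use them."""
    private_addresses: list = field(default_factory=lambda: list(DEFAULT_PRIVATE_ADDRESSES))
    private_domains: list = field(default_factory=list)  # e.g. ["unraid.net"]

    def domain_is_trusted(self, qname: str) -> bool:
        """True if qname equals, or is a subdomain of, an allowlisted domain."""
        q = qname.lower().rstrip(".")
        for d in self.private_domains:
            d = d.lower().rstrip(".")
            if q == d or q.endswith("." + d):
                return True
        return False

    def address_is_private(self, addr: str) -> bool:
        """True if addr (v4 or v6) falls inside any blocked range."""
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.private_addresses)

    def filter_answer(self, qname: str, addresses: list[str]) -> list[str]:
        """Return the addresses the client would actually receive.

        Private addresses are stripped unless the name is under a trusted
        domain. A public name whose only address is private therefore yields
        an empty answer, i.e. a resolution failure for the client.
        """
        if self.domain_is_trusted(qname):
            return list(addresses)
        return [a for a in addresses if not self.address_is_private(a)]


# Constructed answers standing in for what the DDNS service would return.
SAMPLE_ANSWERS = {
    "abc123def456.unraid.net.": ["192.168.1.50"],            # LAN address of the server
    "www.example.com.": ["198.51.100.7"],                     # ordinary public host
    "mixed.example.net.": ["203.0.113.9", "192.168.1.1"],     # public + private in one answer
}


def resolve_all(policy: RebindPolicy) -> dict[str, list[str]]:
    """Apply the policy to every sample answer."""
    return {name: policy.filter_answer(name, addrs) for name, addrs in SAMPLE_ANSWERS.items()}


if __name__ == "__main__":
    print("default rebind protection:", resolve_all(RebindPolicy()))
    print("with private-domain unraid.net:", resolve_all(RebindPolicy(private_domains=["unraid.net"])))
```

With the default policy the unraid.net answer comes back empty (hence the browser can't reach the server by that name), while the allowlisted policy returns 192.168.1.50 and still strips the private address from the unrelated mixed answer; that narrow exception is the "add an exception for unraid.net" JonathanM recommends over disabling the protection wholesale.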
unevent Posted January 6, 2019
Since you run pfSense you can issue your own cert from your CA and rid yourself of the unraid.net requirement, or you can install the acme package for pfSense and issue an LE cert that way as well.
ljm42 Posted January 6, 2019
1 hour ago, jonathanm said:
"This is the correct and complete answer; however, there is one additional wrench to throw in. When you set up a FQDN that points to a non-routable private IP, there is a security concern that is raised, namely DNS Rebinding"
The OP seems to have Unraid SSL set up already, so they are past that potential issue. I think.
1 hour ago, unevent said:
"Since you run pfSense you can issue your own cert from your CA and rid yourself of the unraid.net requirement"
True, you can run a self-signed cert at https://tower/ if you are willing to put up with browser warnings or add exceptions (or your personal CA) to every browser you use.
1 hour ago, unevent said:
"or can install the acme package for pfSense and issue LE cert that way as well."
Ok, so this is a variation of the "purchase your own domain, your own certificate, and manage your own DNS" option that I gave. It saves on the cost of purchasing a cert but adds extra work every three months to copy the LE cert from pfSense to Unraid. Another variation would be to reverse proxy the Unraid server. But if the reverse proxy is hosted on Unraid, then it would only work while the array is up. For most people, the best option is to create a bookmark that points at the xxxx.unraid.net URL that LT provides. The URL might not be pretty, but it bypasses all the complexity of bringing SSL to a LAN device.
Prof93 Posted January 6, 2019 (Author)
Hi, Thank you for the suggestions. I currently have my own domain name. If I wanted to make this secure internally I don't understand how that helps. I have other things such as Nextcloud etc. using Let's Encrypt. What's the easiest way of securing internal services with SSL? I don't want to make the GUI externally accessible. Would using Let's Encrypt on the GUI but not adding the subdomain to Fasthosts DNS solve this, or is this the incorrect way of doing it? Many Thanks, Ben
ljm42 Posted January 6, 2019
2 hours ago, Prof93 said:
"What's the easiest way of securing internal services with SSL?"
The easiest way is to use the xxxxx.unraid.net certificate that Unraid provides. There are several options for using your own domain mentioned in this thread. None of them are easy.
Prof93 Posted January 6, 2019 (Author)
Fair enough, will stick with that for now until I find some nice instructions on how to do it through Let's Encrypt or pfSense. Thanks for the replies. If I find an easy solution other than using the built-in method I will let you know.
Prof93 Posted January 7, 2019 (Author) (edited)
Hi All, I found the reason that it would not resolve by the local DNS name. The "Local TLD" setting was set to Local, but by default pfSense uses Localdomain. So now when I enter BenUnraid it redirects me to the messy but very usable secure unraid.com URL.
***Just checked again and I was wrong: it says secure on the host name until you log in, then it goes to not secure when logged in. Never mind, host IP address for now.***
Edited January 7, 2019 by Prof93: I was wrong
jthacker48 Posted February 28, 2019
I was able to accomplish this scenario by changing the domain in both pfSense and Unraid (under the "Identification" setting) to mypersonaldomain.com. I've also set up alternative names in pfSense in DNS Resolver under Host Overrides. I'm able to access Unraid by entering tower.mypersonaldomain.com.
CIA Posted September 13, 2019
Not to rehash an old topic, but the correct way of doing this behind pfSense with 1 external IP from your ISP and multiple hostnames to access either locally or externally is to use HAProxy + Acme. If you have any questions just PM.
un4given Posted January 8, 2020
Hi everyone, I could not really read out an answer from the further posts. I currently have bought a domain name and have forwarded it to my Unraid. When I enter my domain name xxxxxxxx.com I get forwarded to the Unraid GUI login page and it is not secure; it seems to me my machine is exposed to the internet and everyone who enters my domain will land on the Unraid GUI landing page. I also have created an OpenVPN to be able to enter the data, so data can ONLY be seen using OpenVPN. Is there a way to secure the Unraid GUI for external usage? I could not remember being able to log in via an external browser to my Unraid GUI, but something seems to have changed lately and I can now without using OpenVPN. What could happen? Without knowing my password no one would be able to log in to the Unraid GUI, I suppose?
primeval_god Posted January 8, 2020
7 hours ago, un4given said:
"I currently have bought a domain name and have forwarded it to my Unraid."
Do not do this. This is why your machine is exposed to the internet. I am not sure what you were trying to accomplish, but directly forwarding to unRAID's webserver port(s) is the wrong way of doing it.
7 hours ago, un4given said:
"What could happen? Without knowing my password no one would be able to log in to the Unraid GUI, I suppose?"
The unRAID GUI is not secure enough to be exposed to the internet in this way.
un4given Posted January 8, 2020
1 hour ago, primeval_god said:
"Do not do this. This is why your machine is exposed to the internet. I am not sure what you were trying to accomplish, but directly forwarding to unRAID's webserver port(s) is the wrong way of doing it. The unRAID GUI is not secure enough to be exposed to the internet in this way."
If you ask me, I have currently no idea how it happened. What ports are the Unraid webserver ports? I will close them in my router.
itimpi Posted January 8, 2020
It should be the other way around: you should not be letting any ports through to Unraid that you have not explicitly decided it is safe to do so for.
un4given Posted January 8, 2020 (edited)
3 minutes ago, itimpi said:
"It should be the other way around: you should not be letting any ports through to Unraid that you have not explicitly decided it is safe to do so for."
I found out the root cause. In my router, DMZ was activated and pointed towards Unraid. Switched it off and can't reach my box anymore. OpenVPN access still working. Case solved, as it seems to me. Only Nextcloud and OpenVPN ports are forwarded to the Unraid internal IP.
Edited January 8, 2020 by un4given