Secure access via hostname


Prof93


Hi All, 

 

Sorry if this has been resolved in this forum. Couldn't find it when looking; maybe I was searching for the wrong thing.

 

Basically I cannot be bothered to type or remember the ip of my server and would like to access it via the hostname. 

 

When I access it via the hostname I get an issue where the site is not secure. But if I access via the IP it works fine.

 

I use pfSense as my firewall and have put the following into the dns resolver/custom settings

server:
private-domain: "unraid.net"

 

Probably something simple but hope you can help :)

 

Many Thanks,

Ben 


Yeah, just the GUI. I am using a Windows 10 computer running Chrome. It is secure using the IP, just not the host name, so it must be config? The host name is a host override in pfSense so this could be the issue. This was the only way I could give it a host name as the server is static and outside of the DHCP pool.


Let me make a suggestion. 

 

1-- Create a new Bookmark in your browser. (You will probably have to open the Bookmarks manager to do this.)

 

2-- Name the Bookmark with the name of your Server. Now in the URL box, enter the IP address of your server followed by /Main ( 192.168.XXX.X/Main ). Now save the Bookmark. (You can also use 192.168.XXX.X/Dashboard to open up on the Dashboard page rather than the Main page.)

 

3-- Drag this new Bookmark to the spot where you want it in the Bookmark hierarchy.

 

 


Haha, that is for sure a solution. Currently I have Heimdall installed and it has the IP set rather than the host name. But I was looking for a solution to it being secure via the host name.

 

I also know how to bookmark. I am an IT tech so very computer literate. Just can't work out why it will not work with the hostname. Seems an odd setup; the cert has lots of strange config.

 

I kinda know the answer and that is because the hostname is not mentioned in the cert but I don't know if there is a way round this. 

 

Anyway hopefully someone knows how it works and can explain :) 


OK.  I did a bit of playing and I did get the http://Server_Name/Main to work.  The server does have a fixed IP address and the router's (Ubiquiti ER-X) Static mapping table has the Server_name  as a part of the Static Mapping Information. This would make it available for the router to be able to resolve that IP address from the host name. 

 

Using https://Server_Name/Main does result in a security warning violation. 

 

Does this help... 

5 hours ago, Prof93 said:

Not really as I want to find the reason behind why it doesn't work for HTTPS securely via the host name. You now have the same issue that I have. 

Fully functional SSL certificates that don't throw warnings are not available for a simple hostname like https://tower/ , you have to use a Fully Qualified Domain Name like http://tower.mydomain.com/ , which uniquely identifies your computer on the Internet. That means you have to own a domain, control the DNS, and purchase a certificate. This is generally not very easy to do for a device that is only available on your LAN.

 

LT has simplified the process greatly by providing DDNS and an xxx.unraid.net certificate through LetsEncrypt.  The only downside is that you have no control over the url. If you want to control the url you need to purchase your own domain, your own certificate, and manage your own DNS. It is not trivial, but you can configure Unraid to use your own cert by going to Settings -> Identification -> Management Access and turning on the help.

 

It is far simpler to just create a bookmark that points at the url LT provides.

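Why https://tower/ warns while a name the certificate actually covers does not, as an added example that is not part of this thread and not Unraid's or Lime Technology's code: a small Python implementation of the hostname check a browser performs against a certificate's Subject Alternative Names, following the RFC 6125 / RFC 2818 rules (case-insensitive exact match, a wildcard only as the whole leftmost label matching exactly one label, and an IP address in the URL bar matching only an iPAddress entry). The SAN lists SAN_UNRAID_NET and SAN_OWN_DOMAIN are constructed stand-ins, not the contents of any real certificate.

```python
"""Hostname-vs-SAN check, as a browser does it (RFC 6125 / RFC 2818 rules).

Added example, not code from the forum thread or from Unraid. The SAN lists
below are constructed stand-ins for the certificates the thread talks about.
"""
import ipaddress

# Constructed SAN lists (assumptions, not real certificate contents).
SAN_UNRAID_NET = [("DNS", "*.unraid.net")]                 # stand-in for the LT-provided cert
SAN_OWN_DOMAIN = [("DNS", "tower.mydomain.com"),            # stand-in for a cert you issue yourself
                  ("IP", "192.168.1.10")]                   # a public CA would not issue for a LAN IP


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN against a hostname.

    Case-insensitive; a wildcard is only honoured as the complete leftmost
    label, it matches exactly one non-empty label, and "*.tld" is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def hostname_matches_san(hostname: str, sans) -> bool:
    """True if the name typed into the browser is covered by the certificate."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP in the URL only matches an iPAddress SAN, never a dNSName one.
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in sans)
    return any(t == "DNS" and _dns_label_match(v, hostname) for t, v in sans)


def explain(hostname: str, sans) -> str:
    """One line per check, in the spirit of a browser's error page."""
    names = ", ".join(f"{t}:{v}" for t, v in sans)
    verdict = "OK" if hostname_matches_san(hostname, sans) else "NAME MISMATCH (browser warning)"
    return f"{hostname!r} vs [{names}]: {verdict}"


if __name__ == "__main__":
    for host in ("tower", "abc123.unraid.net", "deep.abc123.unraid.net", "192.168.1.10"):
        print(explain(host, SAN_UNRAID_NET))
    for host in ("tower.mydomain.com", "192.168.1.10", "tower"):
        print(explain(host, SAN_OWN_DOMAIN))
```

The bare name "tower" never matches "*.unraid.net" (the wildcard needs the same number of labels), and a LAN IP only passes when the certificate carries it as an iPAddress entry, which a publicly trusted CA will not issue for a private address; that is the reason the thread keeps coming back to either the xxx.unraid.net name or your own CA.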
10 hours ago, ljm42 said:

Fully functional SSL certificates that don't throw warnings are not available for a simple hostname like https://tower/ , you have to use a Fully Qualified Domain Name like http://tower.mydomain.com/ , which uniquely identifies your computer on the Internet. That means you have to own a domain, control the DNS, and purchase a certificate. This is generally not very easy to do for a device that is only available on your LAN.

 

LT has simplified the process greatly by providing DDNS and an xxx.unraid.net certificate through LetsEncrypt.  The only downside is that you have no control over the url. If you want to control the url you need to purchase your own domain, your own certificate, and manage your own DNS. It is not trivial, but you can configure Unraid to use your own cert by going to Settings -> Identification -> Management Access and turning on the help.

 

It is far simpler to just create a bookmark that points at the url LT provides.

This is the correct and complete answer, however there is one additional wrench to throw in. When you set up a FQDN that points to a non-routable private IP, there is a security concern that is raised, namely DNS Rebinding. If you read that article, the first protection technique that is used is a complete disabling of the mechanism that unraid utilizes to provide a valid FQDN with the accompanying SSL cert. So, to get unraid's FQDN SSL cert to work, you have to disable some or all of the rebind protection of your local DNS, hopefully by just adding an exception for unraid.net. That is router dependent, so unraid can't really do a whole lot to help get it working for everybody.

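What the rebinding protection jonathanm describes actually does to the xxx.unraid.net answer, and what the OP's pfSense snippet (server: / private-domain: "unraid.net") changes, shown as an added example that is not code from this thread, pfSense or Unbound: a Python model of a resolver that strips private addresses from answers unless the name sits under an allowed private-domain. The upstream answers in UPSTREAM_ANSWERS are constructed for the illustration; the real DDNS record's contents are not on the page.

```python
"""Model of DNS-rebinding protection in a LAN resolver plus the per-domain
exception. Added example; not pfSense or Unbound code. All answers below are
constructed for illustration (203.0.113.0/24 is a documentation range)."""
import ipaddress

# Constructed upstream answers: name -> A/AAAA records the upstream returned.
UPSTREAM_ANSWERS = {
    "abc123.unraid.net": ["192.168.1.10"],        # DDNS name pointing at a LAN box
    "www.example.com": ["203.0.113.10"],           # ordinary public answer
    "rebinding-test.example": ["192.168.1.1"],     # public name answering with a LAN IP
}

# Address ranges a rebinding-protected resolver refuses in answers for
# public names (RFC 1918, loopback, link-local, ULA).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fd00::/8", "fe80::/10", "::1/128")]


def _is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def _under_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def filter_answer(name: str, addresses, private_domains=()):
    """Return the records the resolver hands to the client.

    Private addresses are dropped unless `name` is under one of the allowed
    private domains, which is what a private-domain exception does.
    """
    if any(_under_domain(name, d) for d in private_domains):
        return list(addresses)
    return [a for a in addresses if not _is_private(a)]


def resolve(name: str, private_domains=()):
    """Look the name up in the constructed upstream table and filter it."""
    return filter_answer(name, UPSTREAM_ANSWERS.get(name, []), private_domains)


if __name__ == "__main__":
    for exceptions in ((), ("unraid.net",)):
        print(f"private-domain exceptions: {exceptions or 'none'}")
        for name in UPSTREAM_ANSWERS:
            print(f"  {name:26} -> {resolve(name, exceptions) or 'stripped (rebind protection)'}")
```

With no exception the DDNS name resolves to nothing, which is the "site not found / not secure" symptom; with "unraid.net" allowed it resolves again while the rebinding-test name is still stripped, so the exception is narrower than switching the protection off. The domain you list is the only thing that is router-dependent, as jonathanm says.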
1 hour ago, jonathanm said:

This is the correct and complete answer, however there is one additional wrench to throw in. When you set up a FQDN that points to a non-routable private IP, there is a security concern that is raised, namely DNS Rebinding

The OP seems to have Unraid SSL setup already, so they are past that potential issue.  I think.
 

1 hour ago, unevent said:

Since you run pfsense you can issue your own cert from your CA and rid yourself of the unraid.net requirement

True, you can run a self-signed cert at https://tower/ if you are willing to put up with browser warnings or add exceptions (or your personal CA) to every browser you use.

 

1 hour ago, unevent said:

or can install the acme package for pfsense and issue LE cert that way as well.

Ok, so this is a variation of the "purchase your own domain, your own certificate, and manage your own DNS" option that I gave. It saves on the cost of purchasing a cert but adds extra work every three months to copy the LE cert from pfsense to Unraid.

 

Another variation would be to reverse proxy the Unraid server. But if the reverse proxy is hosted on Unraid, then it would only work while the array is up.

 

For most people, the best option is to create a bookmark that points at the xxxx.unraid.net url that LT provides. The url might not be pretty, but it bypasses all the complexity of bringing SSL to a LAN device.


Hi,

 

Thank you for the suggestions. 

 

I currently have my own domain name. If I wanted to make this secure internally I don't understand how that helps. 

 

I have other things such as Nextcloud etc using lets encrypt. 

 

What's the easiest way of securing internal services with SSL?

 

I don't want to make the GUI externally accessible. Would using lets encrypt on the GUI but not adding the subdomain to fasthosts DNS solve this or is this the incorrect way of doing it ? 

 

Many Thanks,

Ben

2 hours ago, Prof93 said:

What's the easiest way of securing internal services with SSL?

The easiest way is to use the xxxxx.unraid.net certificate that Unraid provides.

 

There are several options for using your own domain mentioned in this thread. None of them are easy.


Hi All, 

 

I found the reason that it would not resolve by the local dns name. 

 

The "Local TLD" setting was set to Local but by default pfSense uses Localdomain. So now when I enter BenUnraid it redirects me to the messy but very usable secure unraid.com url :) 

 

***Just checked again and I was wrong: it says secure on the host name until you log in, then it goes to not secure when logged in :/ Never mind, host IP address for now. ***

Edited by Prof93
I was wrong

Hi everyone, could not really read out an answer from the further posts.

 

I currently have bought a domain name and have forwarded it to my unraid.

 

When I enter my domain name xxxxxxxx.com I get forwarded to the Unraid GUI login page and it is not secure; it seems to me my machine is exposed to the internet and everyone who enters my domain will land on the Unraid GUI landing page.

 

I have also created an OpenVPN to be able to enter the data, so data can ONLY be seen using OpenVPN.

 

Is there a way to secure the Unraid GUI for external usage? I could not remember being able to log in via an external browser to my Unraid GUI but something seems to have changed lately and I can now without using OpenVPN.

 

What could happen? Without knowing my password no one would be able to log in to the Unraid GUI, I suppose?

7 hours ago, un4given said:

I currently have bought a domain name and have forwarded it to my unraid.

Do not do this. This is why your machine is exposed to the internet. I am not sure what you were trying to accomplish but directly forwarding to unRAID's webserver port(s) is the wrong way of doing it.

7 hours ago, un4given said:

What could happen? Without knowing my password no one would be able to login to unraid GUI i suppose?

The unRAID GUI is not secure enough to be exposed to the internet in this way. 

1 hour ago, primeval_god said:

Do not do this. This is why your machine is exposed to the internet. I am not sure what you were trying to accomplish but directly forwarding to unRAID's webserver port(s) is the wrong way of doing it.

The unRAID GUI is not secure enough to be exposed to the internet in this way. 

If you ask me, I currently have no idea how it happened. What ports are the Unraid webserver ports? I will close them in my router.

3 minutes ago, itimpi said:

It should be the other way around - you should not be letting any ports through to Unraid unless you have explicitly decided that it is safe to do so.

I found out the root cause. In my router, DMZ was activated and pointed towards Unraid. Switched it off and can't reach my box anymore.

OpenVPN access still working. Case solved as it seems to me. Only Nextcloud and OpenVPN ports are forwarded to Unraid internal IP.

Edited by un4given
