i-chat, posted July 25, 2020:

Dear all,

A few days ago I started testing Unraid for my new fileserver build, and I came across the SSL encryption setting, so I figured I'd test it out. The first thing it did was generate a self-signed cert, so I went on this forum looking and found out that you shouldn't set encryption to yes but instead to auto. All of a sudden I get a huge-string-of-random-numbers.unraid.net address, only after disabling the DNS-rebinding feature.

Now my question is two-fold:

1: Why on earth can't this be done without DNS rebinding, as any security-aware person would never disable this feature willingly? Instead, I would recommend logging into your router and editing its hosts file; most (if not all) consumer routers allow you to do so from a web interface. Because now, clicking on any link from the web interface sends me to 029reasdjfikpjfafdjapfasjfdpaoijfp.unraid.net, resolving to an internal IP.

2: Secondly, it would have been nice to have an automated/integrated LetsEncrypt feature for regular domain names that you can provide from the interface ... for example, it would have left me with the option to:

- create a CNAME record for: home.mydomain.net to: myaccound.duckdns.org
- connect to my duckdns account
- log in to my router's DHCP/DNS section: create a static hostname: home.mydomain.net to 192.168.my.ip

and be able to use this both internal AND external.

Hell - actually, now to think of it, during its setup, instead of asking people to turn off DNS-rebinding protection you could also send them to a page to explain how to add a hostname to the router's hosts file or how to use the Windows hosts file, and use the WAN IP as a regular dynDNS - this would have effectively saved me a step.

Frank1940, posted July 25, 2020:

2 hours ago, i-chat said:
> 1: Why on earth can't this be done without DNS rebinding, as any security-aware person would never disable this feature willingly? Instead, I would recommend logging into your router and editing its hosts file; most (if not all) consumer routers allow you to do so from a web interface. Because now, clicking on any link from the web interface sends me to 029reasdjfikpjfafdjapfasjfdpaoijfp.unraid.net, resolving to an internal IP.

I may be jumping in over my head here, but I seem to recall that most home routers don't require 'turning off' DNS rebinding, so it is not an issue for most folks. The problem rears its head when a user is using a more secure router setup than the normal consumer router provides. (You can see the list of the identified ones by going to Settings >>> Management Access and turning on the 'Help' feature.)

2 hours ago, i-chat said:
> Actually, now to think of it, during its setup, instead of asking people to turn off DNS-rebinding protection you could also send them to a page to explain how to add a hostname to the router's hosts file or how to use the Windows hosts file, and use the WAN IP as a regular dynDNS - this would have effectively saved me a step.

If you feel this would be a desirable addition, why don't you undertake to provide this documentation? After you have written and thoroughly checked it out for accuracy, post it in this thread: https://forums.unraid.net/topic/46803-faq-feedback-for-faq-for-unraid-v6/
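
Added example, not part of either post above and not Unraid or router code: a small Python model of the check a rebinding-protecting resolver applies to upstream answers, showing why a public unraid.net name that resolves to an internal IP gets dropped and how a per-domain exemption (dnsmasq's `rebind-domain-ok` option is one real instance) lets it through without turning the protection off for every other name. The hostnames and addresses are constructed, and dropping the whole answer is a modelling assumption.

```python
import ipaddress

# Ranges this model treats as "internal" (RFC 1918, loopback, link-local, IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr: str) -> bool:
    """True if addr falls in one of the internal ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def under_domain(name: str, domain: str) -> bool:
    """Label-aware suffix match: 'x.unraid.net' matches, 'notunraid.net' does not."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def filter_answer(name, addrs, exempt_domains=()):
    """Return the addresses the modelled resolver hands to the client.

    An upstream answer containing any internal address is dropped entirely
    (assumption of this model) unless the queried name is under an exempt domain.
    """
    if any(under_domain(name, d) for d in exempt_domains):
        return list(addrs)
    if any(is_internal(a) for a in addrs):
        return []
    return list(addrs)


if __name__ == "__main__":
    host = "examplehash.unraid.net"   # constructed placeholder name
    lan_ip = ["192.168.1.50"]         # constructed LAN address
    print("protection on, no exemption :", filter_answer(host, lan_ip))
    print("protection on, unraid.net ok:", filter_answer(host, lan_ip, ["unraid.net"]))
    print("other name, same exemption  :",
          filter_answer("other.example", ["10.0.0.5"], ["unraid.net"]))
```

With the exemption scoped to the one certificate domain, answers for every other public name that point at internal addresses are still filtered.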

i-chat (author), posted July 25, 2020, edited July 25, 2020:

The problem with DNS rebinding (and by the way, I run OpenWrt with near-defaults on all my routers and access points) is, to me, that it prevents users from logging in from anywhere other than the home network. For example, the Netgear interface I ran on this router before OpenWrt released a build for it only leaves a different IP range for remotely logged-on users, so I would have to do some advanced routing to be able to log on to Unraid's web interface ...

For now I'm actually quite confused on how to proceed. A reverse proxy would be nice for the web interface and later probably for stuff like Nextcloud, or Emby, or Plex, or similar, and maybe even for some other stuff. But how about stuff like SFTP or FTP or NFS - in the end I'd rather have a single cert to rule them all.

how do other people

Frank1940, posted July 25, 2020:

What are you trying to do? (I should point out that Unraid is not designed or hardened to permit it to be directly exposed to the Internet.) There are some ways to safely (relatively) access the server from the Internet. I am in no way an expert in this area as I, personally, never intend to even attempt to do so. But there are several folks who have done it successfully without undue security risks. The approach will vary depending on what you want to do.

trurl, posted July 25, 2020:

The builtin WireGuard VPN is the simplest way to allow remote access to your server: