Why is SSL support only via unraid.net



Dear all, 

 

A few days ago I started testing Unraid for my new fileserver build, as I came across the SSL encryption setting.

So I figured I'd test it out. The first thing it did was generate a self-signed cert, so I went on this forum looking and found out that you shouldn't set encryption to yes but instead to auto. All of a sudden I get a huge string of random-numbers.unraid.net address, only after disabling the DNS rebinding feature.

 

Now my question is two-fold:

1: Why on earth can't this be done without DNS rebinding, as any security-aware person would never disable this feature willingly? Instead, I would recommend logging into your router and editing its hosts file; most (if not all) consumer routers allow you to do so from a web interface. Because now, clicking on any link from the web interface sends me to 029reasdjfikpjfafdjapfasjfdpaoijfp.unraid.net resolving to an internal IP.


2: Secondly, it would have been nice to have an automated/integrated Let's Encrypt feature for regular domain names that you can provide from the interface... for example, it would have left me with the option to:

 

create a CNAME record for: home.mydomain.net to: myaccound.duckdns.org

connect to my duckdns account

log in to my router's DHCP/DNS section: create a static hostname: home.mydomain.net to 192.168.my.ip

 

and be able to use this both internally AND externally.

 

Hell, actually now that I think of it, during its setup, instead of asking people to turn off DNS rebinding protection, you could also send them to a page explaining how to add a hostname to the router's hosts file or how to use the Windows hosts file, and use the WAN IP as a regular dynDNS. This would have effectively saved me a step.

 

 

Link to comment
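Editor's added example (not part of any post in this thread, and not Unraid's or any router's own code): a simplified Python model of resolver-side DNS rebinding protection with a per-domain exemption, the behaviour dnsmasq offers through `--stop-dns-rebind` and `--rebind-domain-ok`. It shows why a name under unraid.net that resolves to a LAN address is filtered, and that exempting one domain keeps the filter active for every other name; all hostnames and addresses below are constructed.

```python
import ipaddress

# Constructed sample answers (not taken from the thread): name -> upstream A records.
SAMPLE_ANSWERS = {
    "examplehash.unraid.net": ["192.168.1.50"],   # hypothetical server on the LAN
    "rebind.untrusted.example": ["192.168.1.1"],  # outside name pointing at the router
    "www.example.org": ["93.184.216.34"],         # ordinary public address
}

def is_internal(ip):
    """True for addresses a rebinding filter refuses to accept from upstream."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local

def is_exempt(name, exempt_domains):
    """Match the name against exempt domains on label boundaries only."""
    name = name.rstrip(".").lower()
    for domain in exempt_domains:
        domain = domain.strip(".").lower()
        if name == domain or name.endswith("." + domain):
            return True
    return False

def filter_answers(name, answers, protection=True, exempt_domains=()):
    """Return the addresses the LAN client would actually receive."""
    if not protection or is_exempt(name, exempt_domains):
        return list(answers)
    return [ip for ip in answers if not is_internal(ip)]

def resolve_all(protection=True, exempt_domains=()):
    """Run every sample name through the filter under one policy."""
    return {
        name: filter_answers(name, ips, protection, exempt_domains)
        for name, ips in SAMPLE_ANSWERS.items()
    }

if __name__ == "__main__":
    policies = {
        "protection on": resolve_all(True),
        "protection off": resolve_all(False),
        "on, unraid.net exempt": resolve_all(True, ["unraid.net"]),
    }
    for label, result in policies.items():
        print(label)
        for name, ips in result.items():
            print(f"  {name:28} -> {ips or 'blocked'}")
```
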
2 hours ago, i-chat said:

1: Why on earth can't this be done without DNS rebinding, as any security-aware person would never disable this feature willingly? Instead, I would recommend logging into your router and editing its hosts file; most (if not all) consumer routers allow you to do so from a web interface. Because now, clicking on any link from the web interface sends me to 029reasdjfikpjfafdjapfasjfdpaoijfp.unraid.net resolving to an internal IP.

 

I may be jumping in over my head here but I seem to recall that most home routers don't require 'turning off' DNS rebinding, so it is not an issue for most folks. The problem rears its head when a user is using a more secure router setup than the normal consumer router provides. (You can see the list of the identified ones by going to Settings >>> Management Access and turning on the 'Help' feature.)

 

2 hours ago, i-chat said:

Actually now that I think of it, during its setup, instead of asking people to turn off DNS rebinding protection, you could also send them to a page explaining how to add a hostname to the router's hosts file or how to use the Windows hosts file, and use the WAN IP as a regular dynDNS. This would have effectively saved me a step.

If you feel this would be a desirable addition, why don't you undertake to provide this documentation? After you have written and thoroughly checked it out for accuracy, post it in this thread:

 

   https://forums.unraid.net/topic/46803-faq-feedback-for-faq-for-unraid-v6/

 

Link to comment

The problem with DNS rebinding (and btw I run OpenWrt with near-defaults on all my routers and access points) is, to me, that it prevents users from logging in from anywhere other than the home network. For example, the Netgear interface I ran on this router before OpenWrt released a build for it only leaves a different IP range for remotely logged-on users, so I would have to do some advanced routing to be able to log on to Unraid's web interface...

 

For now I'm actually quite confused on how to proceed. A reverse proxy would be nice for the web interface and later probably for stuff like Nextcloud, Emby, Plex or similar, and maybe even for some other stuff. But how about stuff like SFTP or FTP or NFS? In the end I'd rather have a single cert to rule them all.

 

 

how do other people ???

Edited by i-chat
Link to comment

What are you trying to do? (I should point out that Unraid is not designed or hardened to permit it to be directly exposed to the Internet.) There are some ways to safely (relatively) access the server from the Internet. I am in no way an expert in this area as I, personally, never intend to even attempt to do so. But there are several folks who have done it successfully without undue security risks. The approach will vary depending on what you want to do.

Link to comment
