jsn0327 Posted December 9, 2015 Share Posted December 9, 2015 Hi everyone. Does unRAID support HTTPS (Port 443)? I can not find anywhere within the settings page to enable it. I've searched the forum and haven't found anything. Thanks. Quote Link to comment
jsn0327 Posted December 9, 2015 Author Share Posted December 9, 2015 I figured that was the case. Why isn't it supported? Quote Link to comment
jsn0327 Posted December 9, 2015 Author Share Posted December 9, 2015 That's a ridiculous approach if u ask me. I mean, it's only holding ALL of our confidential documents. Guess that's why they haven't implemented VLAN's either... Thanks for confirming what I hoped wasn't the case. Quote Link to comment
StevenD Posted December 9, 2015 Share Posted December 9, 2015 That's a ridiculous approach if u ask me. I mean, it's only holding ALL of our confidential documents. It was designed, and marketed, as a MEDIA server. Quote Link to comment
jumperalex Posted December 9, 2015 Share Posted December 9, 2015 I'm also curious: what attack vector are you trying to protect against with HTTPS? For the context of my question, I'm working under the assumption that you are running unraid on an internal network, behind a router, and that you trust the other people on your internal network not to attempt sniffing your traffic. Quote Link to comment
jsn0327 Posted December 9, 2015 Author Share Posted December 9, 2015 How is that an excuse not to implement security? Even if that is the case, it has evolved a lot with the implementation of VM's and Docker. It's sad that every Web interface that I run on top of unraid is https enabled, yet unraid doesn't support it. Quote Link to comment
jsn0327 Posted December 9, 2015 Author Share Posted December 9, 2015 I'm also curious: what attack vector are you trying to protect against with HTTPS? For the context of my question, I'm working under the assumption that you are running unraid on an internal network, behind a router, and that you trust the other people on your internal network not to attempt sniffing your traffic. I work in the field of Cyber Security and you don't have to open your network up to the world for there to be risks of intrusion through vulnerabilities of many other avenues. As I mentioned previously, I use unraid as my primary NAS and store a lot of important documents on it. In the event that my network is compromised, I'd rather not make it even easier for the attacker by sending my login credentials to him in the clear. I find it hard to believe that with all of the cyber crime going on throughout the world, simple SSL security is an afterthought on a product that we pay for. I could kind of see that being the case for an open source/free product. 1 Quote Link to comment
jumperalex Posted December 9, 2015 Share Posted December 9, 2015 Well I won't presume to know more than you, but I do know that in the world of security there are always trade-offs and you should put effort on the largest and highest risk attack surfaces. And you still didn't answer the question: what is the attack vector for unencrypted http streams on an internal network? I ask because if my network is compromised I have bigger worries than unencrypted http streams. Like yuo know, the fact that they have unhindered access to my network, they probably have access to my router (that's how they likely got in) and they have access to any and all devices attached to my network for which I have decided to open (like smb or nfs shares). So how is an encrypted https call going to protect me. so you got to the end of that and probably think I'm poking you in the eye with a stick. I am holding the stick, true, but not poking yet. I'm really honestly asking to be educated. Because if you can articulate the actual risk, and that it is a higher risk than the fact that the network has already been owned, then it goes a long way to justifying the level of effort required on both LT's part and the users to implement robust https with all the effort required to establish certificates as well. Quote Link to comment
gundamguy Posted December 9, 2015 Share Posted December 9, 2015 Honestly I think the main reason for adding SSL to unraid is because people expect it. The danger is that it can give people a sense of security that doesn't exist. Quote Link to comment
Medwynd Posted December 9, 2015 Share Posted December 9, 2015 That's a ridiculous approach if u ask me. I mean, it's only holding ALL of our confidential documents. It was designed, and marketed, as a MEDIA server. This. Even in the wiki it states unRAID is by no means a secure operating system and should NOT be connected directly to the Internet under any circumstances. http://lime-technology.com/wiki/index.php/Configuration_Tutorial#Security Quote Link to comment
johner Posted March 20, 2017 Share Posted March 20, 2017 Is there seriously no HTTPS? now I have to implement VPN to remote in to manage my NAS rather than port forward. If a media server why no media server out of the box without having to install flex docker or a plugin? Quote Link to comment
aptalca Posted March 20, 2017 Share Posted March 20, 2017 Is there seriously no HTTPS? now I have to implement VPN to remote in to manage my NAS rather than port forward. If a media server why no media server out of the box without having to install flex docker or a plugin?Unraid is not a media server. It's a NAS intended for LAN access. If you turn it into a media server by installing services through docker or VMs, you can also install a reverse proxy in docker to provide access to those guis securely. You can try the linuxserver letsencrypt container which gets and maintains free 3rd party validated certs automatically. For remote smb or ssh access to unraid, you can set up vpn through docker as well Quote Link to comment
tdallen Posted March 20, 2017 Share Posted March 20, 2017 3 hours ago, johner said: Is there seriously no HTTPS? now I have to implement VPN to remote in to manage my NAS rather than port forward. If a media server why no media server out of the box without having to install flex docker or a plugin? Yes, VPN is the recommended approach. Even if unRAID supported HTTPS I suspect it would still be the recommended approach (see the " unRAID is by no means a secure operating system " comments above). Quote Link to comment
StevenD Posted March 20, 2017 Share Posted March 20, 2017 1 minute ago, tdallen said: (see the " unRAID is by no means a secure operating system " comments above). Sorry...but that is starting to no longer be a valid excuse. 1 Quote Link to comment
tdallen Posted March 20, 2017 Share Posted March 20, 2017 I happen to agree that the unRAID Admin UI should support HTTPS, but comments from posters like @johner make it sound like all we need it HTTPS on the UI and suddenly unRAID is secure. That's not true, and I suspect VPN will continue to be the recommended remote management solution even after Limetech implements HTTPS at some point (just my POV). Quote Link to comment
CHBMB Posted March 20, 2017 Share Posted March 20, 2017 I agree, even with https I still wouldn't entertain opening it to WAN without a VPN. Quote Link to comment
kjoconis Posted June 26, 2017 Share Posted June 26, 2017 Hey, I know this post is old and new to unraid but not sure they got https yet. if so, excuse my ignorance and can someone please show me where this setting is. Reason i am asking is because I ran into a situation this week where i setup openvpn into my network. I am using my mac to connect through vpn. Once connected i bring up my unraid box through safari. Anyways I run snort and it showed that when logged in through VPN and accessing my unraid box from my mac that the password I sent to login to the unraid box was unencrypted. Not sure why this is happening as I am forcing all traffic through the VPN. I would say that this is a good case as to why we need unraid to have https if it doesn't already. Quote Link to comment
Frank1940 Posted June 26, 2017 Share Posted June 26, 2017 1 hour ago, kjoconis said: Hey, I know this post is old and new to unraid but not sure they got https yet. if so, excuse my ignorance and can someone please show me where this setting is. Reason i am asking is because I ran into a situation this week where i setup openvpn into my network. I am using my mac to connect through vpn. Once connected i bring up my unraid box through safari. Anyways I run snort and it showed that when logged in through VPN and accessing my unraid box from my mac that the password I sent to login to the unraid box was unencrypted. Not sure why this is happening as I am forcing all traffic through the VPN. I would say that this is a good case as to why we need unraid to have https if it doesn't already. It has been in the version 6.4.0-rc3 and higher. See here: Quote Link to comment
Kacper Posted May 15, 2020 Share Posted May 15, 2020 On 12/9/2015 at 1:36 PM, StevenD said: It was designed, and marketed, as a MEDIA server. A digression of topic: What a nonsense excuse. Obviously it supposed to have https with self-signed cert as default. I hate this way o thinking to postpone the responsibility. It is very convenient these days. I was born in days where companies were asking users for their opinion and using it to improve their product. It seams that now we live in world where companies are ignoring user feedback, with bunch of “system happy “ users complementing this system. To the topic: There is stunnel package that can wrap http connection over ssl, so there if someone knows how to make plugins it can be done easily. Maybe it already is? Quote Link to comment
Squid Posted May 15, 2020 Share Posted May 15, 2020 Just so you're aware, you do realize that you quoted a 5 year old post on a thread that hasn't had a reply in 3 years 1 Quote Link to comment
Kacper Posted May 16, 2020 Share Posted May 16, 2020 Good point! I am not familiar with forums I can see that in unraid 6.4.3 settings->management acces there is option Use SSL Thanks hehe Quote Link to comment
SLNetworks Posted March 4, 2021 Share Posted March 4, 2021 I think the best reason to implement HTTPS support is because most browsers default to HTTPS.. even if you do manually type it in as HTTP. Bloody annoying. Quote Link to comment
Energen Posted March 4, 2021 Share Posted March 4, 2021 (edited) 4 hours ago, SLNetworks said: I think the best reason to implement HTTPS support is because most browsers default to HTTPS.. even if you do manually type it in as HTTP. Bloody annoying. Once again, this thread is originally 6 years old. HTTPS is already implemented. @SLNetworks look at thread dates before bumping for no reason. Edited March 4, 2021 by Energen Quote Link to comment
SLNetworks Posted March 6, 2021 Share Posted March 6, 2021 Haha, alright. Set it as default on fresh installs. Cheers. Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.