dalben Posted March 21, 2017

After installing the Minecraft PE Docker now available for unRAID, my kids are nagging me to allow their friends to join their server. Until now I've resisted opening anything unRAID related to the internet, but I'm wondering if it's now supported by enough dockers to do so with peace of mind.

My immediate need is to open one port, 19132 currently, pointing to a docker container. What's the best way? I saw a guide using Duck DNS, letsencrypt and Nginx reverse proxy. Seems a bit much, but if that's the safest and easiest way I'll head down that route. Are there any other options?

If the above is the best, I have my own domain names so I could use my own and configure my DNS host to act as a dynamic DNS server. Is that better or worse than a Duck DNS type service?

If I go the whole hog with letsencrypt and Nginx reverse, is it safe to open other ports to dockers, or even the unRAID GUI itself?

Any answers or pointers greatly appreciated.
JonathanM Posted March 22, 2017

Until you need more services exposed, I'd just forward that single port through your router to the server IP and call it a day. Depending on how often your IP changes, and how much hassle it is, maybe just manually tell your kid's friends the current IP, and when they bitch that the connection is down, check and give them the new IP.

Each port that you open is another risk, the application answering on that port needs to be vetted for security concerns. Opening the unraid GUI to the world is NOT safe, even when behind letsencrypt and reverse proxy. That may change with the new upcoming GUI, but emhttp isn't web safe.

I'm not even sure that a minecraft port would answer properly on a reverse proxy, probably not, as it's meant for web pages.
dalben Posted March 22, 2017 (Author)

Thanks, that makes sense and makes it easier.

On container protection, if someone managed to break to the cli of the docker that I'm forwarding a port to, what chance is there that they can then break from docker into the server's cli? A hacked Minecraft server I can deal with. It's my server's safety I'm worried about.
JonathanM Posted March 22, 2017

8 hours ago, dalben said: "On container protection, if someone managed to break to the cli of the docker that I'm forwarding a port to, what chance is there that they can then break from docker into the server's cli?"

Currently I don't know of any exploits that allow moving from inside the docker environment to the host, HOWEVER... most containers have mapped resources that can be accessed from inside the container, plus, the container is either hosted or natted inside your lan, so if someone malicious has control over a docker, they most likely will be able to do at least some damage to the server or possibly your lan, limited by whatever access has been granted to that docker.

9 hours ago, jonathanm said: "Each port that you open is another risk, the application answering on that port needs to be vetted for security concerns."

The beauty of the nginx letsencrypt reverse proxy is that only one port and application needs to be opened and audited to allow access to many other possibly less secure web control panels for apps like sonarr and nzbget, etc.
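Added example, not part of the thread or of any poster's setup: a small audit of `docker inspect` output that lists what has been granted to a container (published ports, mapped host paths, privileged mode, host networking), which is the access a compromised container would be limited by. The container name, the host paths and the list of "broad" unRAID-style paths are assumptions made up for the sample.

```python
import json

# Constructed sample: trimmed `docker inspect` output for a hypothetical
# Minecraft PE container; the name and host paths are assumptions.
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/minecraft-pe",
  "HostConfig": {
    "Privileged": false,
    "NetworkMode": "bridge",
    "CapAdd": null,
    "PortBindings": {"19132/udp": [{"HostIp": "", "HostPort": "19132"}]}
  },
  "Mounts": [
    {"Type": "bind", "Source": "/mnt/user/appdata/minecraft-pe", "Destination": "/data", "RW": true},
    {"Type": "bind", "Source": "/mnt/user", "Destination": "/shares", "RW": true}
  ]
}]
""")

# Assumed list of host paths whose exposure reaches beyond the app's own data.
BROAD_PATHS = ("/", "/mnt", "/mnt/user", "/boot", "/var/run/docker.sock")


def audit_container(info):
    """Return findings describing what a compromised container could reach."""
    findings = []
    host = info.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append("privileged: container has near-host-level access")
    if host.get("NetworkMode") == "host":
        findings.append("host networking: shares the server's network stack")
    for cap in host.get("CapAdd") or []:
        findings.append(f"added capability: {cap}")
    for port, binds in (host.get("PortBindings") or {}).items():
        for b in binds or []:
            findings.append(f"published port: {port} -> host {b.get('HostPort')}")
    for m in info.get("Mounts", []):
        src = m.get("Source", "").rstrip("/") or "/"
        mode = "read-write" if m.get("RW") else "read-only"
        note = " (broad host path)" if src in BROAD_PATHS else ""
        findings.append(f"mount: {src} -> {m.get('Destination')} [{mode}]{note}")
    return findings


if __name__ == "__main__":
    for finding in audit_container(SAMPLE_INSPECT[0]):
        print("-", finding)
```

On a real server the same function can be fed the parsed output of `docker inspect <container>` in place of the constructed sample.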
dalben Posted March 23, 2017 (Author)

Thanks jon. I'll start playing around and see where I end up.