Best practice to secure OMV WebGUI with enabled letsencrypt auto-renew

    • OMV 4.x
    • Resolved

      Hello people,

      I am trying to find a best practice solution to secure the OMV's WebGUI while still having the letsencrypt plugin automatically renew the installed certificate(s).

      I want to achieve the following:
      • a nextcloud instance running on the OMV computer is accessible from the Internet via https
        • therefore the router forwards port 443 to some custom port that OMV's nginx listens on to handle nextcloud requests
      • the ssl certificate comes from letsencrypt, auto-renew is enabled
        • this to my knowledge requires that the router also forwards port 80 to 80 of the OMV machine
      • I don't want OMV's WebGUI to be accessible from the Internet at all, only from LAN
      I thought hard about how to achieve this, but I'm not sure what the most elegant and secure solution for this problem is. I thought of or found the following possible solutions:
      1. On an old FreeNAS machine that I want to replace I was using jails, each with their own IP address. This enabled me to forward the ports only to those jails that needed this (one for the cloud service, one for letsencrypt) and keep the WebGUI out of the internet. Apparently something similar is not possible with OMV, only by editing the underlying Debian system (multiple IP addresses possible?). This I would like to avoid, out of the "Treating servers as cattle, not as pets" principle
      2. Move the WebGUI to another port, but again this seems to be not directly supported by OMV and would require editing system files
      3. Block access from anywhere but the LAN (OMV-Webgui reachable/not reachable from Internet). This again requires editing system files and feels too much of a last resort measure, I would prefer the WebGUI to stay out of Internet access without having to block it in its web server
      Does anyone know of a better solution of how to achieve this? If not, which of the above would be your solution of choice and why?


      Thanks for your help!
    • danielwbn wrote:

      Move the WebGUI to another port, but again this seems to be not directly supported by OMV and would require editing system files
      You can easily change the port in the GUI of OMV in the general settings.
      Odroid HC2 - armbian - Seagate ST4000DM004 - OMV4.x
      Asrock Q1900DC-ITX - 16GB - 2x Seagate ST3000VN000 - Intenso SSD 120GB - OMV4.x