Security problem: preventing access to the WebGUI from the Internet

    • OMV 1.0
    • Resolved
    • Security problem: preventing access to the WebGUI from the Internet

      Sorry that I'm not writing in English, it's a bit late :sleeping:

      I have a small security problem and I'm puzzling over how best to solve it. Maybe someone has a few tips.
      I use my MicroServer with OMV for a bit of self-hosting; among other things I have the services WordPress, PyLoad and Seafile running, which I also want to reach from the Internet.
      So far no problem at all:
      - NAT forwarding set up
      - Own DNS server set up because of the NAT loopback problem

      So now I can access my services from both the internal and the external IP via a DynDNS address.
      But because of the NAT forwarding of port 80, the OMV WebGUI is of course now also reachable over the Internet.

      I have a bit of a stomach ache about this. SSL and a certificate are set up, but it still leaves a bitter aftertaste.

      My problem apparently arises from the fact that the websites of the other services such as WordPress, Seafile etc. are installed as a subdomain of the OMV WebGUI.

      Can anyone think of a way to block access to the WebGUI via the Internet while letting the other services through?


      Have a blessed night
      Regards, Sebastian

      PS: Sorry to the English readers, but it was too late to write in English. If anyone is interested in a translation once a solution is found, I will do it.

      The post was edited 2 times, last by Vertax ().

    • Did you try the openmediavault-nginx plugin? This would allow you to separate the OMV web interface from these other services.
      omv 4.0.5 arrakis | 64 bit | 4.12 backports kernel | omvextrasorg 4.0.4
      omv-extras.org plugins source code and issue tracker - github.com/OpenMediaVault-Plugin-Developers

      Please don't PM for support... Too many PMs!
    • Run the other services on a different port (!= 80) and set up port forwarding for these ports. Make sure you don't set up port forwarding for your OMV port (80).
      "Glowing days. Don't cry because they are over. Smile because they happened." - Confucius

      Server: 1x 32GB SSD (system) - 5x 2TB Data - 1x 2TB Snapraid-Parity - latest OMV 1.x
      No Support through PM
    • Solo0815 wrote:

      Run the other services on a different port (!= 80) and set up port forwarding for these ports. Make sure you don't set up port forwarding for your OMV port (80).


      Indeed, this was the plan, but my problem was that I used OMV's nginx, so it was not possible to switch the port of WordPress without changing OMV's WebGUI at the same time.

      ryecoaaron did the thing; I haven't seen the nginx plugin in omv-extras. Today it's a little late, but tomorrow I will give it a try.

      Certainly I will need help, because I can deal better with the CLI than with the WebGUI.

      To prepare for tomorrow, it would be nice if someone could answer some questions for me:
      Is the nginx plugin a separate instance of nginx?
      Where is it located on the system?
      Where is the www root?

      Thanks for your help
    • openmediavault-nginx is in the regular omv-extras repo. Did you check the second page of plugins?

      The plugin is the equivalent of virtual hosts on apache. It does not install another nginx package. You create "servers" for each host you need. You can also create php pools that can be shared or one for each server. Very flexible.

      It is located in the shared folder you pick for each "server".

      I think the answers will make more sense once you have it installed.
    • Hey guys, so I currently have some time for my problem :D
      I had to do something for my studies.

      Now I have installed the nginx plugin, but it confused me a little bit.
      Some help would be nice. First I will explain how I've done it so far.

      I've downloaded the latest Seafile.gzip file and extracted it in the /var/www root.
      I installed the dependencies via the CLI and configured Seafile as explained on the website:

      manual.seafile.com/deploy/depl…b_at_Non-root_domain.html
      manual.seafile.com/deploy/deploy_Seafile_behind_NAT.html
      http://manual.seafile.com/deploy/deploy_with_nginx.html

      So I had to configure nginx; this was my first problem. I solved it after checking the GitHub page of OMV, where I found the location /etc/nginx/openmediavault-webgui.d

      So far I've created my own openmediavault-seafile-site.conf with the following content:

      Source Code

      # Seahub (web interface), reached over FastCGI on the local port 8000
      location /seafile {
          fastcgi_pass 127.0.0.1:8000;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param PATH_INFO $fastcgi_script_name;
          fastcgi_param SERVER_PROTOCOL $server_protocol;
          fastcgi_param QUERY_STRING $query_string;
          fastcgi_param REQUEST_METHOD $request_method;
          fastcgi_param CONTENT_TYPE $content_type;
          fastcgi_param CONTENT_LENGTH $content_length;
          fastcgi_param SERVER_ADDR $server_addr;
          fastcgi_param SERVER_PORT $server_port;
          fastcgi_param SERVER_NAME $server_name;
          # fastcgi_param HTTPS on; # enable this line only if https is used
          access_log /var/log/nginx/seahub.access.log;
          error_log /var/log/nginx/seahub.error.log;
      }
      # Seafile file server, proxied to the local port 8082
      location /seafhttp {
          rewrite ^/seafhttp(.*)$ $1 break;
          proxy_pass http://127.0.0.1:8082;
          client_max_body_size 0;
      }
      # Static media files served directly from the seahub directory
      location /seafmedia {
          rewrite ^/seafmedia(.*)$ /media$1 break;
          root /var/www/seafile/seafile-server-latest/seahub;
      }


      After this I was able to start and use Seafile with:

      Source Code

      /var/www/seafile/seafile-server-latest/./seafile.sh start
      /var/www/seafile/seafile-server-latest/./seahub.sh start-fastcgi


      But with the nginx plugin I really don't know what I have to do ^^
      I would be happy about some help.

      Edit: I played around with the openmediavault-seafile-site.conf
      The original Seafile config looks like:

      Source Code

      server {
          listen 80;
          server_name www.myseafile.com;
          # Seahub (web interface), reached over FastCGI on the local port 8000
          location / {
              fastcgi_pass 127.0.0.1:8000;
              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
              fastcgi_param PATH_INFO $fastcgi_script_name;
              fastcgi_param SERVER_PROTOCOL $server_protocol;
              fastcgi_param QUERY_STRING $query_string;
              fastcgi_param REQUEST_METHOD $request_method;
              fastcgi_param CONTENT_TYPE $content_type;
              fastcgi_param CONTENT_LENGTH $content_length;
              fastcgi_param SERVER_ADDR $server_addr;
              fastcgi_param SERVER_PORT $server_port;
              fastcgi_param SERVER_NAME $server_name;
              fastcgi_param REMOTE_ADDR $remote_addr;
              access_log /var/log/nginx/seahub.access.log;
              error_log /var/log/nginx/seahub.error.log;
          }
      }


      So I tried to set a line with listen 80901 in my openmediavault-seafile-site.conf as another port, but still with no effect.

      Greetings
      Vertax

      The post was edited 1 time, last by Vertax ().
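
The separation discussed in this thread, written out by hand as an added example (not from the original posts and not output of the openmediavault-nginx plugin). It assumes that files in /etc/nginx/openmediavault-webgui.d are included inside the OMV WebGUI server block; the LAN range, port 8001, host name and file names are constructed placeholders.

```nginx
# --- /etc/nginx/sites-available/seafile (hypothetical file name) ---
# Seafile gets its own server block on its own port. Only this port is
# forwarded on the router; port 80 (OMV WebGUI) is no longer forwarded.
server {
    listen 8001;                      # valid ports are 1-65535; 80901 is rejected
    server_name seafile.example.org;  # placeholder for the DynDNS name

    # Same three locations as in the post, moved out of the WebGUI server block.
    location /seafile {
        fastcgi_pass 127.0.0.1:8000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        fastcgi_param REMOTE_ADDR $remote_addr;
        access_log /var/log/nginx/seahub.access.log;
        error_log /var/log/nginx/seahub.error.log;
    }
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
    }
    location /seafmedia {
        rewrite ^/seafmedia(.*)$ /media$1 break;
        root /var/www/seafile/seafile-server-latest/seahub;
    }
}

# --- /etc/nginx/openmediavault-webgui.d/lan-only.conf (hypothetical) ---
# Second layer for the WebGUI itself: even if port 80 is forwarded again
# by mistake, requests from outside the LAN get 403.
# No "listen" here: that directive is only valid directly in a server block.
allow 192.168.1.0/24;   # assumed LAN range
allow 127.0.0.1;
deny all;
```

`nginx -t` checks the configuration before a reload. Seafile's own SERVICE_URL and FILE_SERVER_ROOT settings have to carry the new port as well.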

    • Hey guys,

      I am confronted with the exact same problem, but I don't know how to use the nginx plugin.
      I configured OMV with a Seafile server, both SSL secured.

      Obviously I'd like to access Seafile via the Internet, but, like Vertax, I do not want access to the WebGUI of OMV over the Internet.

      Can someone help me with this, or should I open a new thread?

      Thanks a lot.

      ... this forum was already helping me a lot, THANKS for that too ...
      OMV 2.x stoneburner | Banana PI | Kernel 3.4.108+ | | Seafile Server | FTP | SMB | Kodi DB
      OMV 3.x erasmus | ShuttlePC SH55J2 | intel i3 3.2 GHZ | Kernel 3.16.0-0.bpo.4-amd64