Secure connection and domain name confusion

  • I'm confused about how to proceed setting up security with my OMV NAS and hope some of you can help me.


    What's Happened Until Now


    A Netgear ReadyNAS at home is being retired and replaced with a DIY NAS running OMV 3.x. The OMV NAS is up and running, and now I'm configuring security. The current step is making it require secure connections only.


    My router is a Linksys WRT1900ACS. Eventually I plan to change it over to OpenWrt, but not until the OMV NAS is completely stable. I'm not going to start messing with the router until I'm finished setting up the NAS.


    Initially I created a self-signed certificate in OMV and then set the system to require secure connections only. This didn't work because browsers like Chrome and Firefox would not connect because the certificate did not come from a recognized source.


    So I installed the LetsEncrypt plugin and tried to make a recognized certificate. This didn't work because the domain name is illegitimate. When I originally configured OMV, I used the default domain name, "local", both because it is the default and because I mainly use Apple computers, which also use "local" as the default domain.


    My Confusion


    I'm confused about what domain name to use and how to use it. Technically, I think we should be calling these things "resource names" because an address like "foo.bar.bas" is really a subdomain of "bar.bas". But both names are interchangeably called "domain names," and part of my confusion is what the documentation is referring to when it says "domain name."


    Another part of my confusion is which domain name to use: internal or external. Every device inside my home could easily be in a domain with names like OMVNAS.local, computer1.local, etc. These names can work perfectly well within the network administered by the router. But then again, maybe the domain name needs to be the "external" name used to reach devices from beyond the router. Which one is it?


    The router natively supports "external" domain names from either of two DDNS providers: No-IP.com or Dyn.com. Presently, the ReadyNAS can be reached by using one of two names provided by No-IP.com. To reinforce my earlier point, both end in two-part higher-level domain names over which I have no choice. E.g., foo.ddns.net. I can only choose the first part (foo), and my current plan allows at most 3 fully qualified domain names. Moreover, the ReadyNAS takes up to two Ethernet wires and therefore is already configured to use the two names I'm using. And perhaps more important, the router already maps ports 80 and 443 to these two connections.


    I can't use the two existing names because they're already taken by the ReadyNAS. I can't add a third name because OMV wants port 80. So what's the best way to proceed to make the OMV NAS require secure (SSL/TLS/HTTPS) connections?

    • Official post

    So what's the best way to proceed to make the OMV NAS require secure (SSL/TLS/HTTPS) connections?


    Just create an SSL certificate in the section (make sure it is 1024 or higher); in the general settings select the certificate and force it to use only SSL/TLS. Chrome will give a warning and a button to proceed; in Firefox you can add an exception. This can be used to be accessed from outside or inside (LAN), but you'll get the red padlock. Obviously, if you're outside you cannot use myserver.lan or nas.localdomain to access it, unless you're using a VPN.
    The Let's Encrypt certificate will not give any warnings if the certificate matches the fully qualified domain name (FQDN).
    I am pretty sure Let's Encrypt doesn't give certificates for those DynDNS or No-IP domains; you can purchase cheap domains these days for 5 dollars a year that will work with Let's Encrypt.

    • Official post

    But even if I bought a cheap domain, wouldn't I still have to pass Port 80 to the OMV NAS?

    Yes and no. You can use a reverse proxy that redirects, depending on the URL, either to OMV or to the ReadyNAS. The reverse proxy can be running on OMV or on the ReadyNAS (I think it is Debian also). Anyway, just a tip on security: you shouldn't be doing this. You should use either an SSH tunnel or a VPN. Those web services are supposed to be used in the local LAN only; otherwise you have a login prompt there open for anyone to start brute-forcing.
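    An added example of the name-based reverse proxy described in this reply (it is not from the thread or from the OMV project): an nginx configuration that listens on the single forwarded ports 80 and 443 and picks the backend by the requested hostname, so one public IP can serve both boxes. The hostnames, certificate paths, LAN address and OMV port are placeholders, and the OMV web UI is assumed to have been moved off port 80 so the proxy can own it.

```nginx
# Added example, not from the thread: name-based reverse proxy running on
# the OMV host. Hostnames, paths, LAN address and ports are placeholders.
# The router forwards 80 and 443 to this one host; nginx picks the backend
# from the Host header of each request.

# Plain HTTP only redirects to HTTPS; the ACME path stays reachable so an
# HTTP-01 client on this host can renew certificates.
server {
    listen 80;
    server_name omv.example.net readynas.example.net;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}

# Requests for the OMV name go to the OMV web UI, assumed moved to 8080.
server {
    listen 443 ssl;
    server_name omv.example.net;
    ssl_certificate     /etc/ssl/certs/omv.example.net.pem;     # placeholder
    ssl_certificate_key /etc/ssl/private/omv.example.net.key;   # placeholder
    ssl_protocols TLSv1.2;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

# Requests for the ReadyNAS name go to the ReadyNAS on the LAN.
server {
    listen 443 ssl;
    server_name readynas.example.net;
    ssl_certificate     /etc/ssl/certs/readynas.example.net.pem;   # placeholder
    ssl_certificate_key /etc/ssl/private/readynas.example.net.key; # placeholder
    ssl_protocols TLSv1.2;
    location / {
        proxy_pass https://192.168.1.20;   # placeholder LAN address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Anything else (bare IP, unknown name) is dropped without a response,
# so a scanner hitting the public IP reaches no login page at all.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/certs/omv.example.net.pem;
    ssl_certificate_key /etc/ssl/private/omv.example.net.key;
    return 444;
}
```

    The catch-all block is the part worth keeping even if the rest changes: it limits the exposed login prompts to the two names you actually hand out, which is the reply's point about not leaving them open to brute force.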

  • Thanks. You bring up several subjects with which I have limited familiarity. Furthermore, I thought I'd have my server completely configured and running by devoting the entire weekend to the project. This turned out to be wishful thinking, and going forward I'm going to have to tackle one task at a time. So I'll probably get back with more questions and results, but this will not be immediately.
