IPaddress:port

  • My OMV server has 2 ethernet interfaces and I want to be able to restrict the webgui to just one of them. I can change the port (and have done so), but the nginx 'Listen' directive can accept IPaddress:port which is exactly what I want. However, the webgui does not allow this type of entry in its port section and if I edit the file directly, it will (eventually) get overwritten by OMV.


    Can anyone explain how to restrict the webgui to a specific address and if for some reason it's not possible, why? Seems an entirely reasonable configuration so can see no reason why OMV would specifically not allow this, but cannot see how to actually set it up.

  • votdev

    Added the Label resolved
  • votdev

    Added the Label OMV 6.x
  • It is not supported because nginx can not be limited to a specific interface only.

    Why do you say that? A listen directive in a 'server' block can be of the format:-


    listen IPaddress:port


    which specifically restricts nginx to that address and port for that 'server' definition. Whatever other 'server' definitions there are, each can be restricted and since OMV's webgui is simply defined in a 'server' block, I see no reason it cannot be restricted to any specified address (that exists for the actual server of course). The only issue seems to be that the webgui prevents you from entering anything other than just a port number.


    Admittedly I am no nginxpert, but the documentation seems very clear on it being able to restrict a 'server' to a single IPaddress.

  • I could have been clearer. Indeed, nginx cannot bind to any specific 'interface', but each 'server' definition CAN be bound to a specific IP address which is what I am wanting.


    Address and Interface can sometimes get used interchangeably, but in nginx's case, it's an important distinction and as I have just a single address assigned to each interface, in my case they are the same thing, but I understand the difference in nginx.


    However that does not change the question of how to restrict the OMV webgui to a specified IPaddress, which CAN be done in nginx using 'listen address:port', but OMV's webgui prevents this from being entered and as we know, editing the underlying nginx config files would only be temporary until OMV overwrote the file which would remove the IPaddress portion.


    Why can we not allow the entry of 'address:port' in the webgui so that we can actually restrict OMV webgui to a single address?

    • Official Post

    Allowing the user to enter an IP address in the Workbench page does not make sense because IP addresses may change if you use DHCP for example.


    In the above posts you have all necessary information to limit access to a specific interface. Use environment variables to customize the nginx listen directive to the IP you are using or create an iptables rule.


    From the OMV point of view all necessary tools are available to make your requirement happen.

  • Allowing the user to enter an IP address in the Workbench page does not make sense because IP addresses may change if you use DHCP for example.


    In the above posts you have all necessary information to limit access to a specific interface. Use environment variables to customize the nginx listen directive to the IP you are using or create an iptables rule.


    From the OMV point of view all necessary tools are available to make your requirement happen.

    Well I completely disagree. To not allow the user to set the listen address because "it may change" is restricting control for everyone just for the sake of those for whom it may not always work. It should be up to the user to configure it correctly (like a server should have a static address set). You could always display a warning in the webgui if the IP address is included rather than simply not allowing anyone to suitably configure nginx.


    Not only that, but you then go on to explain how it CAN be done (using an unnecessarily convoluted method), hence negating your previous statement that it should not be allowed.


    Nginx provides the EXACT method for doing this and for nonsensical reasons you won't allow it. Yes I know about setting the variable, but that should not be necessary.


    Sorry, OMV is a great product, but this is dumb.

    • Official Post

    but this is dumb.

    OMV has a targeted audience and 99% of its users don't need this. It would unnecessarily complicate the web interface especially for noobs. And it would be a pain in the ass to support for all services. It might be somewhat easy for nginx but it isn't for other things. The environment variable was added as a compromise for people who need to do these things but OMV can't support everything.


  • I set the environment variable as per the instructions, but didn't work. Still accepts requests on all addresses.


    Is a full restart required?

  • You need to run


    Code
    $ omv-salt stage run prepare
    $ omv-salt deploy run nginx

    Yup, did that.


    Logging in to the address I want to use works fine, but when I try to access it via the other address I am trying to block - OMV web gui opens just as happily.


    OMV_NGINX_SITE_WEBGUI_LISTEN_IPV4_ADDRESS is set to the address I want to use and I've run all the 'salt' commands that seem to be required, but it's still listening on the address I'm trying to block and the nginx config file shows the listen command is not used for this (not been changed), so I don't even know how it's trying to block that IP address. Whatever, it isn't.

  • Yup, did that.


    Logging in to the address I want to use works fine, but when I try to access it via the other address I am trying to block - OMV web gui opens just as happily.


    OMV_NGINX_SITE_WEBGUI_LISTEN_IPV4_ADDRESS is set to the address I want to use and I've run all the 'salt' commands that seem to be required, but it's still listening on the address I'm trying to block and the nginx config file shows the listen command is not used for this (not been changed), so I don't even know how it's trying to block that IP address. Whatever, it isn't.

    Did a reboot do it, or did it never work?

  • nm, I also set the OMV_NGINX_SITE_WEBGUI_LISTEN_IPV4_ADDRESS env var and it's getting ignored.

    I restarted the machine and it's still listening on all interfaces and all IPs

    In my case I have 2 NICs, each with its own IP, and it still didn't work.


    I wish I had time to debug the source, but I'm out of my depth and don't have time to learn about this. Probably as simple as setting the listen directive in nginx:

    Code
     listen 192.168.1.xx:80;
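
One way to check whether a generated nginx site file still contains `listen` directives that bind every address, which is the symptom reported in the posts above. This is an added example, not part of the thread or of OMV's code; the two sample server blocks and the address 192.0.2.10 are constructed for illustration.

```python
import re

# Constructed sample: a webgui-style server block that binds every address.
SAMPLE_WILDCARD = """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
}
"""
# Constructed sample: the same block pinned to one address (documentation IP).
SAMPLE_PINNED = """
server {
    listen 192.0.2.10:80 default_server;
    # listen 80;   (commented out, must be ignored)
    server_name _;
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^\s;]+)[^;]*;", re.MULTILINE)
WILDCARD_HOSTS = {"*", "0.0.0.0", "[::]"}

def strip_comments(conf):
    # Simplification: assumes '#' never appears inside a quoted value.
    return re.sub(r"#.*", "", conf)

def classify_listen(target):
    """Return (host, port, is_wildcard) for the first argument of a listen directive."""
    if target.startswith("unix:"):        # UNIX socket, not reachable over the network
        return (target, None, False)
    if target.isdigit():                  # port only: nginx binds all addresses
        return ("*", int(target), True)
    m = re.fullmatch(r"(\[[^\]]+\]|[^:]+)(?::(\d+))?", target)
    if not m:
        raise ValueError("unrecognised listen target: " + target)
    host = m.group(1)
    port = int(m.group(2)) if m.group(2) else 80   # nginx default port is 80
    return (host, port, host in WILDCARD_HOSTS)

def audit(conf):
    """Classify every active listen directive in a config text."""
    return [classify_listen(t) for t in LISTEN_RE.findall(strip_comments(conf))]

def wildcard_listeners(conf):
    """Listen directives that still accept connections on every address."""
    return [(h, p) for h, p, wild in audit(conf) if wild]
```

An empty result from `wildcard_listeners` on the deployed site file means the config is pinned; the sockets nginx actually holds can then be confirmed with `ss -ltn`.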
