Access FreeNAS GUI from Web Proxy

siconic

Explorer
Joined
Oct 12, 2016
Messages
95
Ok, I know everyone freaks out every single time this is brought up. Yes, this is a home setup, and yes I have gone overboard with it, but I am a tech geek and love the challenge and automation all of this has brought me. I also know the risks; I have mitigated them by using several different layers of web authentication and locking down anything that can be. I am using unpublished subdomains, and a redirect to an "Under Construction" page should someone not type in the subdomain EXACTLY, or just try to access anything through the IP directly. Additionally, I disable my FreeNAS Apache Proxy when I do not intend to use it, so it is NOT facing the internet at all times. FreeNAS is also behind a firewall with an IDS, which alerts me to any suspicious activity. I DO use VPN 99% of the time, but sometimes I find VPN does not work while working remotely. I would like to be able to access the GUI from the web if need be, since 100% of the time (unless the network admins are using whitelist rules) I can access my web servers, and enable the FreeNAS Proxy on the fly.

So, with my preface out of the way, in the old version 11.1U6, I was able to access the GUI using my web proxy. I am using Apache, and here is part of my config, where 10.0.0.2 is my FreeNAS instance (IPs changed, and sensitive information hidden):

Code:
ServerName example.test.com
ProxyPreserveHost ON
<Proxy *>
AuthType Basic
AuthName "Password Protected - All Attempts Logged"
AuthUserFile "Hidden from post"
AuthBasicProvider file
require valid-user
</Proxy>
ProxyPass / http://10.0.0.2/
ProxyPassReverse / http://10.0.0.2/


Please, no comments on how insecure AuthType Basic is, I know, it's stateless, I am not using SSH, blah blah blah... It's not my first layer of security, and I am just looking for a solution to get the new GUI in 11.2 to work with my proxy.

Here is my new config, but all I get is the error "Connecting to NAS... Make sure the NAS system is powered on and connected to the network.":

Code:
ServerName example.test.com
ProxyPreserveHost ON

<Proxy *>
    AuthType Basic
    AuthName "Password Protected - All Attempts Logged"
    AuthUserFile "Hidden from post"
    AuthBasicProvider file
    require valid-user
</Proxy>

# ProxyPass rules are matched in order, so the more specific paths go first
ProxyPass /api/docs http://10.0.0.2:6000/api/docs/
ProxyPassReverse /api/docs http://10.0.0.2:6000/api/docs/

# /websocket/shell must be listed before /websocket or it is never reached
ProxyPass /websocket/shell http://10.0.0.2:6000/_shell/
ProxyPassReverse /websocket/shell http://10.0.0.2:6000/_shell/

ProxyPass /websocket http://10.0.0.2:6000/websocket/
ProxyPassReverse /websocket http://10.0.0.2:6000/websocket/

ProxyPass /api/v2.0 http://10.0.0.2:6000/api/v2.0/
ProxyPassReverse /api/v2.0 http://10.0.0.2:6000/api/v2.0/

ProxyPass /_download http://10.0.0.2:6000/
ProxyPassReverse /_download http://10.0.0.2:6000/

ProxyPass /_upload http://10.0.0.2:6000/
ProxyPassReverse /_upload http://10.0.0.2:6000/

# catch-all for the GUI itself, kept last
ProxyPass / http://10.0.0.2/
ProxyPassReverse / http://10.0.0.2/

# AllowConnect only affects the CONNECT method (forward proxying)
AllowConnect 8084
AllowConnect 6000
AllowConnect 80
AllowConnect 9042


At this point, I understand if no one wants to post a solution publicly, since someone who is not careful will likely take this and run with it. If you do know what I am doing wrong, I would appreciate either a private message, or a post here.

Thanks guys! Love FreeNAS, and been using it for years now!
 

Chris Moore

Hall of Famer
Joined
May 2, 2015
Messages
10,080
Ok, I know everyone freaks out every single time this is brought up.
Not so much a freakout... More of a stern warning, but it looks like you have done some work on it.
 

siconic

Explorer
Joined
Oct 12, 2016
Messages
95
Ok, fair enough. :smile:

Do you have any thoughts on how to accomplish my task?
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hey Siconic,

Here is my own config and feel free to copy it / adapt it to your own needs.

My frontend firewall is pfSense. On it, I have configured a PKI, the ACME agent and HAProxy. The ACME agent goes and gets a wildcard certificate from Let's Encrypt. pfSense manages certificates for the servers inside the LAN. It includes CRLs. I also have user certificates from that PKI.

HAProxy listens on the WAN interface with the wildcard cert and asks everyone for an SSL client certificate. Using ACLs, I then create 3 scenarios:
--Those without a certif have access only to my cloud interface or the default backend, which is just an HTTP DENY error code
--Those with a user certificate from my own PKI can also access the document editing service
--Should the browser present MY certificate, then the session is allowed to any of the web interface configured, including FreeNAS

HAProxy validates all certificates (clients and servers) against the local CA and local CRLs.

Should I wish to log in from one of my devices, my certificate is already installed and I just connect to what I need.
Should I wish to log in from somewhere else, I first log in to the cloud and retrieve a "temporary" client certificate I made for that.
I install that certificate in the computer and can access my stuff after that.

Once done, I can revoke the certificate if required or just uninstall it from the browser.

Have fun with your own setup,
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,702
I use Guacamole (on a docker DMZ system) with a pfSense FW directing to it via HAProxy.

Then I have my FreeNAS systems set as SSH connections in the Guacamole GUI (mostly all I need) and a VNC to another docker DMZ linux jump host for the GUI.
 

siconic

Explorer
Joined
Oct 12, 2016
Messages
95
@Heracles I like that solution, very secure, until someone gets your temporary client cert and you don't realize it. I have stored raw cert data in KeePass before; that is pretty secure and at least adds a barrier between an attacker and your cert.

Thanks for all the input, maybe I should go that route, it's a little more secure than my method. That still does not answer my question from the standard Apache proxy aspect, and even with your setup, how are you forwarding all the required ports/files?

--Should the browser present MY certificate, then the session is allowed to any of the web interface configured, including FreeNAS

Does your certificate and ACL essentially "DMZ" traffic to your browser?
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi Siconic,

Happy to see that my setup may help you to design and deploy your own solution.

As for someone copying my temp certificate, that risk is well managed by:
--Having 2 factor authentication on the cloud (TOTP) to get access to the certificate
--The certificate itself is password protected
--Once HAProxy has accepted the certificate and forwarded the socket, the user still needs the FreeNAS password
--Should the computer be high risk (public or shared by many), I revoke the certificate once done and so HAProxy will not accept it anymore
--All my accesses are logged and monitored, so any use of that certificate is flagged

To have the certificate in KeePass or similar is an option. As for me, the password on the certificate serves that purpose well enough.

As for the port forwarding, here are the details of my HAProxy config. I am confident that Apache can do something similar:
--Receives the TLS request
--Asks for a certif but accepts if the client has none
--Handshake the TLS session with or without a client certif and using its own wildcard certif
--Once TLS is established, the client sends its HTTP request over it
--HAProxy looks at the hosts in the requests
--If the Host matches "hostA.domain.org", HAProxy will use its backend "To_HostA"
--if the Host matches "hostB.domain.org" and a valid certif has been presented, HAProxy will use its backend "To_HostB"
--if the Host matches "hostC.domain.org" and the client presented MY certificate, then HAProxy will use its backend "To_HostC"
--Should no rule be satisfied (HostD ; no certificate ; not MY certificate or any other problem), use the default backend which is not even an HTTP server and just an automatic reply of HTTP Deny to anything and everything

Each backend points directly to the corresponding server (IP and Port). Here, my FreeNAS is in a situation like HostC, just like many other web consoles I have.

Because HAProxy already authenticated the socket and filtered the HTTP protocol, I do not consider it a benefit to route the session through another system that would act like an extra DMZ. The concept of DMZ is enforced by HAProxy itself: anyone is allowed to ask HAProxy for whatever they want. HAProxy will require the proper authentication level from everyone and sanitize the protocol layer. Once that is done, the request is ready to be received by the server.

Have fun with your setup,
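The routing Heracles describes above (optional client cert, validated against a local CA and CRL, then Host-based dispatch to To_HostA / To_HostB / To_HostC, with a deny-all default), written out as an HAProxy configuration. This is an added illustration, not Heracles' actual config; the file paths, the subject CN used to recognise "MY certificate", and the backend addresses are placeholders.

```haproxy
# Added example, not the original poster's config. Paths and names are placeholders.
frontend wan_https
    mode http
    # Wildcard server cert; ask every client for a cert but do not require one.
    # ca-file / crl-file: client certs are checked against the local PKI and its CRL.
    bind :443 ssl crt /etc/haproxy/wildcard.pem ca-file /etc/haproxy/local-ca.pem crl-file /etc/haproxy/local-ca.crl verify optional

    # Which virtual host is being asked for (Host header of the decrypted request)
    acl host_a  req.hdr(host) -i hosta.domain.org
    acl host_b  req.hdr(host) -i hostb.domain.org
    acl host_c  req.hdr(host) -i hostc.domain.org

    # A cert was presented AND it verified against the CA without being revoked.
    # ssl_c_verify is 0 when no cert is sent, so ssl_c_used is required as well.
    acl cert_used    ssl_c_used
    acl cert_valid   ssl_c_verify 0
    # "MY certificate": match on the subject CN issued by the local PKI (placeholder name)
    acl my_cert      ssl_c_s_dn(CN) -i "admin-client"

    # Rule order matters; the first matching use_backend wins
    use_backend To_HostA if host_a
    use_backend To_HostB if host_b cert_used cert_valid
    use_backend To_HostC if host_c cert_used cert_valid my_cert
    # HostD, no cert, wrong cert, revoked cert: all end up here
    default_backend Deny_All

backend Deny_All
    mode http
    # No server at all, HAProxy answers the deny itself
    http-request deny deny_status 403

backend To_HostA
    mode http
    server hosta 10.0.0.10:443 ssl verify required ca-file /etc/haproxy/local-ca.pem

backend To_HostB
    mode http
    server hostb 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/local-ca.pem

backend To_HostC
    mode http
    # FreeNAS sits behind To_HostC; the backend is re-encrypted and the NAS's
    # home-made server cert is validated against the same local CA
    server freenas 10.0.0.2:443 ssl verify required ca-file /etc/haproxy/local-ca.pem
```

Revoking a temporary client cert only adds it to the CRL on pfSense; the `crl-file` on the bind line is what makes HAProxy stop accepting it.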
 

siconic

Explorer
Joined
Oct 12, 2016
Messages
95
@Heracles What version of Freenas are you on?

The reason I ask is that my problem did not start until 11.2-RELEASE-U1. I had Proxy working fine. If you are on 11.2, did you have to make any changes to get the GUI to work?
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Hi again,

I am running the latest version: 11.2 Release U1, and did not need to change anything in the FreeNAS server for that. The difference between your setup and mine is that I route the HTTP requests based on the Host field in the request, without any consideration for the path. In your config, you have a lot of different paths that are Proxy / ReverseProxy between the proxy and the server.

The second big difference between your config and mine is that I do HTTPS on both sides. Once HAProxy decrypted the TLS from outside, it handshakes a new TLS session with the FreeNAS server. For that, the FreeNAS server is using a home made certificate and HAProxy validates it using its local copy of that home made CA.

On your side, because FreeNAS received the request over HTTP, it surely replies with HTTP links while the client needs HTTPS links.

Good luck troubleshooting your setup,
 