Remotely Accessing GUI - Nginx 502, Connection Refused

Status
Not open for further replies.

ReadyPlayGo

Dabbler
Joined
Mar 2, 2016
Messages
15
I'm running FreeNAS at 192.168.1.66. Here are my general system settings (all default).

I'm attempting to access the web GUI at my subdomain freenas.domain.com. I have an SSL cert from Letsencrypt, and the subdomain is reverse proxied to 192.168.1.66. For some reason, FreeNAS is refusing the connection to nginx.

Is there a setting in FreeNAS I'm missing that would affect how reachable/connectable it is?

I have plenty of other services running behind a reverse proxy, so it's not port 80/443 on my router.

nginx block:

Code:
server {
	# HTTP and HTTPS on the same vhost; Certbot added the 443 listener and the cert lines
	listen 80;
	listen 443 ssl; # managed by Certbot
	server_name freenas.domain.com;

	ssl_certificate /etc/letsencrypt/live/freenas.domain.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/freenas.domain.com/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

	# Not used while everything under / is proxied, but harmless
	root /var/www/freenas;
	index index.php index.html index.htm index.nginx-debian.html;

	# Every request is handed to the FreeNAS GUI over HTTPS
	location / {
		proxy_pass https://192.168.1.66;
	}

	# Redirect non-https traffic to https
	# if ($scheme != "https") {
	#	 return 301 https://$host$request_uri;
	# } # managed by Certbot
}
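The post above reports a 502 with "connection refused" but shows no log line, and the nginx error log is where the distinction between "nothing is listening on the upstream port", "the upstream answered but the TLS handshake failed" and "the network in between dropped it" is made. The following is an added example, not code from the thread: a small POSIX shell triage helper that classifies nginx error-log lines by upstream failure type and extracts the upstream URL nginx tried. The two sample log lines are constructed in nginx's real error-log format for the thread's addresses; they are not the poster's logs.

```shell
#!/bin/sh
# Added example (not from the thread): classify nginx error-log lines for a 502
# from a proxied upstream so you know which side to look at first.
# Sample lines below are constructed in nginx's error-log format, not real logs.

# Print one word describing what a single error-log line says about the upstream.
classify_upstream_error() {
    case "$1" in
        *"connect() failed (111: Connection refused) while connecting to upstream"*)
            echo "refused" ;;      # nothing listening on that ip:port (wrong port, or GUI not serving that protocol)
        *"connect() failed (113: No route to host)"*|*"upstream timed out"*)
            echo "unreachable" ;;  # routing or firewall between proxy and upstream
        *"SSL_do_handshake() failed"*|*"while SSL handshaking to upstream"*)
            echo "tls" ;;          # upstream answered, TLS failed: cert/protocol mismatch, or upstream is plain HTTP
        *"upstream prematurely closed connection"*)
            echo "closed" ;;       # upstream accepted, then dropped the request (vhost/Host header rejection is common)
        *)  echo "other" ;;
    esac
}

# Pull out the upstream URL nginx tried, e.g. https://192.168.1.66:443/
upstream_target() {
    printf '%s\n' "$1" | sed -n 's/.*upstream: "\([^"]*\)".*/\1/p'
}

# Constructed sample input: one "connection refused", one TLS handshake failure
# of the kind you get when proxy_pass says https:// but the upstream talks plain HTTP.
SAMPLE_LOG='2018/05/01 10:00:01 [error] 1234#1234: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.5, server: freenas.domain.com, request: "GET / HTTP/2.0", upstream: "https://192.168.1.66:443/", host: "freenas.domain.com"
2018/05/01 10:00:09 [error] 1234#1234: *2 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 203.0.113.5, server: freenas.domain.com, request: "GET / HTTP/2.0", upstream: "https://192.168.1.66:443/", host: "freenas.domain.com"'

# Classify every sample line: prints "<category> <upstream url>" per line.
triage() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        printf '%s %s\n' "$(classify_upstream_error "$line")" "$(upstream_target "$line")"
    done
}

# Run against a live log instead:  grep upstream /var/log/nginx/error.log | while read -r l; do classify_upstream_error "$l"; done
triage
```

For a "refused" result, confirm from the proxy host itself (curl -kv against the upstream URL the log shows) rather than from your workstation, and check on the FreeNAS side whether the GUI is actually configured to serve HTTPS on the port nginx is targeting: with the general settings at their defaults, a proxy_pass to https:// can point at a port that nothing listens on, or at a plain-HTTP listener, which shows up as "refused" or "tls" respectively.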
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
I can't help solve your problem but I'll give you fair warning that you should absolutely not do what you are doing. Exposing the GUI to the internet is just asking to get hacked.

Sent from my Nexus 5X using Tapatalk
 

Stux

MVP
Joined
Jun 2, 2016
Messages
4,358
I can't help solve your problem but I'll give you fair warning that you should absolutely not do what you are doing. Exposing the GUI to the internet is just asking to get hacked.

Sent from my Nexus 5X using Tapatalk

And the right way is to use an SSH tunnel to the GUI/server *or* setup a VPN into your network.
 

ReadyPlayGo

Dabbler
Joined
Mar 2, 2016
Messages
15
I can't help solve your problem but I'll give you fair warning that you should absolutely not do what you are doing. Exposing the GUI to the internet is just asking to get hacked.

Sent from my Nexus 5X using Tapatalk
It's reverse proxied so it can't be port scanned. The page (once set up) will also have additional auths through nginx. And that's just to get the login page to load.

So I'm not really concerned about getting hacked. Even if I did, my NAS contains 0 personal data. It's entirely a collection of commercially available media.

Sent from my SM-G950U using Tapatalk
 

ReadyPlayGo

Dabbler
Joined
Mar 2, 2016
Messages
15
And the right way is to use an SSH tunnel to the GUI/server *or* setup a VPN into your network.
I've seen this done for cli to the server, but never to the web gui. Do you know of a guide?

Sent from my SM-G950U using Tapatalk
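The SSH tunnel that Stux recommends and that the poster asks for a guide to is an ordinary local port forward: ssh to the NAS, bind a port on your own machine, and have sshd on the NAS connect that port to the GUI as the NAS sees it on 127.0.0.1. The GUI never has to be reachable from the internet, and the traffic rides the SSH session. What follows is an added example, not from the thread: a POSIX shell wrapper that builds the ssh command. It assumes the NAS runs the SSH service and is reachable as freenas.domain.com (the thread's name) on port 22, that the GUI listens on port 80 on the NAS (the FreeNAS default is HTTP), and that the user is root; all of those are overridable assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reach the FreeNAS web GUI over an SSH local
# port forward instead of publishing it behind a reverse proxy.
# Assumptions (override via environment): NAS reachable as freenas.domain.com on
# port 22 with SSH enabled; GUI on 127.0.0.1:80 as seen from the NAS; user root.

NAS_HOST="${NAS_HOST:-freenas.domain.com}"
NAS_USER="${NAS_USER:-root}"
NAS_SSH_PORT="${NAS_SSH_PORT:-22}"
GUI_PORT="${GUI_PORT:-80}"          # GUI port as the NAS itself sees it
GUI_SCHEME="${GUI_SCHEME:-http}"    # http for the FreeNAS default, https if you enabled it
LOCAL_PORT="${LOCAL_PORT:-8080}"    # where the GUI will appear on your own machine

# True if the value is a numeric, unprivileged TCP port (no root needed to bind it).
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# The ssh command that opens the tunnel:
#   -N                          no remote shell, forwarding only
#   -L 127.0.0.1:L:127.0.0.1:G  bind L on loopback locally (not 0.0.0.0, so nobody
#                               else on your LAN can ride the tunnel) and connect it
#                               to G on the NAS's loopback, i.e. the GUI as the NAS sees it
#   -o ExitOnForwardFailure=yes fail loudly if the local port is already taken
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -p %s -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
        "$NAS_SSH_PORT" "$LOCAL_PORT" "$GUI_PORT" "$NAS_USER" "$NAS_HOST"
}

# URL to open in the browser once the tunnel is up.
gui_url() {
    printf '%s://127.0.0.1:%s/\n' "$GUI_SCHEME" "$LOCAL_PORT"
}

# Usage:  sh tunnel.sh run        (Ctrl-C closes the tunnel)
if [ "${1:-}" = "run" ]; then
    valid_local_port "$LOCAL_PORT" || { echo "LOCAL_PORT must be 1024-65535" >&2; exit 2; }
    echo "Tunnel opens when ssh connects; then browse to $(gui_url)"
    eval "$(tunnel_cmd)"
fi
```

Because the forward is bound to 127.0.0.1 on your machine and targets 127.0.0.1 on the NAS, the only thing that needs to be reachable from outside is sshd, which should be key-only; the GUI itself stays off the WAN entirely.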
 

Stux

MVP
Joined
Jun 2, 2016
Messages
4,358

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@ReadyPlayGo As others have mentioned, the FreeNAS box should never be exposed directly to WAN, as FreeNAS is meant to be run behind a router firewall. As @Stux mentioned, if the only thing one requires is accessing the WebUI from WAN, tunneling access to the GUI over SSH would be the best route to go. If you also need access to shares, then an SSL VPN would be preferred.

As to Nginx, a couple of things:
  • If it's only you, and/or a select group of people accessing the WebUI, Let's Encrypt is not the way to go for a variety of reasons (unless things have changed recently). Use an openssl.cnf to generate a self-signed CA, then use that CA to sign an OpenSSL generated CSR. I have a pre-built openssl.cnf in my signature which provides all instructions and commands at the bottom of the config (about halfway down).
  • The Nginx config in your OP is not secure, and I'd recommend something similar to:
    Code:
    
    ##::[[---  FreeBSD 11 Nginx ownCloud Config ---]]::##
    # ownCloud vhost used here as the template for the TLS and header settings;
    # the PHP/ownCloud locations would give way to a proxy_pass block for the FreeNAS GUI.

    # Options #
    #---------------------------------------
    worker_processes  8;

    events { worker_connections 1024; }


    # Web Server #
    #---------------------------------------
    http {
      include                     mime.types;
      default_type                application/octet-stream;  # directive names are lowercase; "Default_type" is rejected as unknown
      sendfile                    off;
      keepalive_timeout           65;

      # TLS 1.2 only, server-chosen cipher order, ECDHE/AEAD suites first
      ssl_protocols               TLSv1.2;
      ssl_ciphers                 ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4;

      ssl_session_cache           shared:SSL:10m;
      ssl_session_timeout         10m;
      ssl_prefer_server_ciphers   on;


      # HTTP #
      #------------------------------------
      server {
        listen                    80;
        server_name               192.168.1.66;
        return                    301 https://$server_name$request_uri;

        add_header                X-Frame-Options "SAMEORIGIN";
      }


      # HTTPS #
      #------------------------------------
      server {
        listen                    443 ssl;
        server_name               192.168.1.66;

        ssl_dhparam               /usr/local/etc/nginx/ownCloud-dh2048.pem;
        ssl_certificate           /usr/local/etc/nginx/ownCloud.NAS.crt;
        ssl_certificate_key       /usr/local/etc/nginx/ownCloud.NAS.key;

        # Security headers. They are repeated in the css/js location below because
        # add_header directives are not inherited once a location sets its own.
        add_header                Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
        add_header                X-Content-Type-Options nosniff;
        add_header                X-Frame-Options "SAMEORIGIN";
        add_header                X-XSS-Protection "1; mode=block";
        add_header                X-Robots-Tag none;
        add_header                X-Download-Options noopen;
        add_header                X-Permitted-Cross-Domain-Policies none;

        root                      /usr/local/www/owncloud;

        location =                /robots.txt { allow all; access_log off; log_not_found off; }

        client_max_body_size      5120M;
        fastcgi_buffers           64 4K;

        gzip                      off;
        access_log                /var/log/nginx-host.access.log;

        error_page                403 /core/templates/403.php;
        error_page                404 /core/templates/404.php;
        error_page                500 502 503 504 /50x.html;

        # Index #
        #----------------------------------
        location                  / { rewrite ^ /index.php$uri; }

        # Data #
        #----------------------------------
        location ~                ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; }

        # Databases #
        #----------------------------------
        location ~                ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; }

        # FastCGI #
        #----------------------------------
        location ~                ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
          include                 fastcgi_params;

          fastcgi_split_path_info ^(.+\.php)(/.+)$;

          fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param           PATH_INFO $fastcgi_path_info;
          fastcgi_param           HTTPS on;
          fastcgi_param           modHeadersAvailable true;
          fastcgi_param           front_controller_active true;

          fastcgi_pass            unix:/var/run/php-fpm.sock;

          fastcgi_intercept_errors  on;
          fastcgi_request_buffering off;
        }


        # CSS/JS #
        #----------------------------------
        location ~*               \.(?:css|js)$ {
          try_files               $uri /index.php$uri$is_args$args;

          add_header              Cache-Control "public, max-age=7200";
          add_header              Strict-Transport-Security "max-age=15768000; includeSubdomains; preload;";
          add_header              X-Content-Type-Options nosniff;
          add_header              X-Frame-Options "SAMEORIGIN";
          add_header              X-XSS-Protection "1; mode=block";
          add_header              X-Robots-Tag none;
          add_header              X-Download-Options noopen;
          add_header              X-Permitted-Cross-Domain-Policies none;

          access_log              off;
        }

        # Media Types #
        #----------------------------------
        location ~*               \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
          try_files               $uri /index.php$uri$is_args$args;
          access_log              off;
        }
      }
    }
    
    
    • When it comes to web servers, best practice is to take the time and research the options available for the web server config and read the man page while building the config.
 
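The post above recommends a private CA: generate a self-signed CA from an openssl.cnf, then use it to sign an OpenSSL-generated CSR for the NAS. The following is an added example, not the poster's openssl.cnf or any code from the thread: a POSIX shell script that writes minimal OpenSSL config fragments, builds the CA, generates the server key and CSR with a SAN for freenas.domain.com and 192.168.1.66 (the thread's names), signs the CSR with the CA, and verifies the result before you deploy it. The working directory, file names, subject names, key sizes and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): private CA with OpenSSL, then a CA-signed
# server certificate for the FreeNAS GUI. All paths/names below are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch dir; move ca.key offline afterwards

# 1. Self-signed CA. basicConstraints CA:TRUE + keyCertSign are what make browsers
#    and "openssl verify" accept this as an issuer. pathlen:0 means it may only
#    sign leaf certificates, not intermediates.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Home Lab Private CA
[ ca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF
    openssl req -x509 -new -newkey rsa:4096 -sha256 -days 3650 -nodes \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server key + CSR. The SAN carries the names the GUI will be reached by;
#    modern browsers ignore the CN and match only the SAN.
make_csr() {
    cat > "$WORK/server.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = san_ext
prompt             = no
[ dn ]
CN = freenas.domain.com
[ san_ext ]
subjectAltName = DNS:freenas.domain.com, IP:192.168.1.66
EOF
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -config "$WORK/server.cnf" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# 3. Sign with the CA. Leaf extensions are dictated here by the CA (not copied from
#    the CSR), so a requester cannot smuggle CA:TRUE or extra names into its CSR.
sign_csr() {
    cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:freenas.domain.com, IP:192.168.1.66
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# 4. Gate before deploying: chain must verify against the CA, the leaf must not
#    itself be a CA, and the SAN must carry the GUI's name. Non-zero = do not install.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/server.crt" -noout -text 2>/dev/null | grep -q 'CA:FALSE' &&
    openssl x509 -in "$WORK/server.crt" -noout -text 2>/dev/null | grep -q 'DNS:freenas.domain.com'
}

if [ "${1:-}" = "run" ]; then
    make_ca && make_csr && sign_csr && verify_chain
    echo "CA cert: $WORK/ca.crt  (import into browser/OS trust stores)"
    echo "Server:  $WORK/server.crt + $WORK/server.key  (install on the NAS)"
fi
```

Only ca.crt is distributed to the machines that should trust the GUI; ca.key is used solely at signing time and should live on removable or offline storage. server.crt and server.key go into the NAS's certificate store and are selected for the GUI, and the 825-day leaf lifetime is an assumption chosen to stay within what current browsers accept for a privately trusted certificate.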

Cheejyg

Dabbler
Joined
Dec 11, 2016
Messages
31
I've seen this done for cli to the server, but never to the web gui. Do you know of a guide?

Sent from my SM-G950U using Tapatalk
Just encountered this exact same issue and I managed to solve this… but I hope you have clones of your boot.

Basically I had a clone of my boot before I switched to the invalid certificate, rendering the same issue you faced, so I restarted the server and switched over to the cloned boot configuration and deleted the broken boot config.
 