HTTP Unsecure Connection + General Beginner Help

Server noob here.

  1. I have just got TrueNAS Scale working, but my browser says my connection is not secure. From what I read I think I need to assign my server a static IP, but my package from my ISP does not allow static IPs. Is it necessary to have an HTTPS connection? How should I go about fixing this?

  2. As a beginner, I’m quite overwhelmed and not entirely sure where to start. Along with making sure everything is secure, here is what I want to be able to do with my server:
    a. Backup files from my main PC. I want to be able to access these files from anywhere on any device.
    b. Run game servers (Minecraft, Arma 3, DCS). I am aware that there is a Minecraft application built in to TNS, but are there any other steps I need to take beforehand to make sure it will work?
    Thanks for the help in advance, and sorry if anything I said doesn’t make sense. I really do not know much.

That’s normal these days with HTTP.

Static vs. dynamic IP has nothing at all to do with this.

Nope.

There’s nothing to fix. If you want HTTPS, just browse to https://ip_of_nas. You’ll get a different warning (because you’ll be using a self-signed certificate), but it’ll be HTTPS.

Thanks for your reply. If I wanted to have a secure connection, how would I do that? Is there any point?
Also, any suggestions for my original second question?

To have a connection that your browser will call secure, you’d need to be using HTTPS with a trusted certificate. In order to do that (relatively) easily, you’d need to own a domain (starts around $10/yr from Cloudflare–and that’s where I’d buy it), and then you can get a certificate through TrueNAS directly.

Once you have the domain and the cert, you’d need to set up your local DNS in such a way that, e.g., truenas.yourdomain points to the local IP address of your NAS. If your router isn’t brain-dead, you can do this there. If it is, Pi-Hole is a popular choice for local DNS and will let you do this.

How much do you trust the other devices on your network? Including the Alexa devices, the smart thermostats, the sprinkler controllers, the Roku, etc.? Remember, the S in IOT (“Internet of Things”) is for security.

“Back up files” and “make them available anywhere” are two very different requirements. For the first, well, any backup software that can back up to a SMB share will work–Veeam seems pretty popular, and it’s free for this purpose. Edit: or Urbackup is available as an app and would do the trick.

The latter is much more complicated. Nextcloud is probably the way to do it, and use Tailscale on the NAS and the remote devices to let them access it.

2 Likes

I’m also looking to remove the https warning from self-signed cert. I can set up the certs, etc. in TrueNAS. But, I’m stuck at the step you describe here.

I tried entering the IP address. But, get an error. From there, I’m not sure how to create a name that points to the IP address. I realize it may be different for everyone’s router/DNS setup. But, maybe it would help to know the steps/changes in your context? Or, maybe within the pi-hole context (I’m using that but couldn’t find the answer)?

From there, I assume that the local DNS name has to include the domain name registered with cloudflare too? So, if it’s “myDomain.com” the local DNS name will have to be something like “truenas.myDomain”?

Of course, it’s very important to NOT expose the server to the internet. Ironically, I already know how to do that via reverse proxy and cloudflare, etc. 🙂

Where?

What error?

My apologies. I jumped in from a second post you made (The dreaded Not secure/Cert question | TrueNAS Community)

I entered the IP address as the “Subject Alternative Name” in the Certificate Signing Request wizard.

After doing that, the error appears when I try to generate a Certificate from that CSR. It doesn’t finish correctly and an error pops up complaining that the IP address isn’t a valid DNS entry.

You won’t be able to get a trusted cert with an IP address in the SAN. I’m not sure what you saw in this thread or the one you link that suggested otherwise.

I may have misunderstood others’ questions. But, I read them as very close or the same as mine.

A) I only want to access the TrueNAS server locally. Other than apps going through the reverse proxy, I don’t want it to be reachable via internet.

B) That said, I would still like to have a trusted cert for the server so that the browser doesn’t panic over the GUI and every other local-access app.

Assuming you have a domain, and the DNS for that domain is hosted at Cloudflare, these instructions will do the job:

But that certificate is for a name, and that means you need to use that name to access your NAS.

That’s the part I’m not clear on.

I know how to use a domain name to access the NAS from the internet.

But, is there a way to use it locally without having internet access also? (Maybe there isn’t and that’s my misunderstanding here.)

You can add the DNS records to your LAN DNS server (typically your router).

Alternatively, you can also add the domain name on your hosts file and it would pretty much resolve the name without needing any internet access or any complicated network setup. This is quick and simple if you only need it to work on one machine. On Windows, I think that file is located under C:\Windows\system32\drivers\etc\hosts and on *nix, it’s typically under /etc/hosts; you will need administrator access to change it on either system.

Of course there is, using local DNS resolution. How you’d do that depends on what you have serving DNS for your LAN. Ordinarily it’d be your router, and in OPNsense you’d set it up as a DNS host override. pfSense, it’d be the same. OpenWRT, I expect it’d be the same. In Pi-Hole 6, you’d go to Settings → Local DNS Records, and enter it like this:

Thank you.

Does the local machine host file get applied even if I’m using an external DNS server? And is it persistent (doesn’t get wiped out by a dnscache clear etc)?

Thank you.

Easy enough. Before I make that edit though, would this meet my goals? i.e. will the cloudflare cert apply to it correctly?

There is no “cloudflare cert;” there’s a Let’s Encrypt cert you’ve obtained on your NAS. If you’ve correctly obtained that, set TrueNAS to use that cert for its UI, and used local DNS to point a hostname that matches (one of) the name(s) on the cert to the IP of your NAS, it should work.
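The three conditions in the reply above (a name on the cert, browsing by that name, local DNS pointing it at the NAS) can be checked together. This is an added example, not part of the thread or of TrueNAS. The function names, `truenas.example.com` and the addresses are constructed placeholders, and it assumes the certificate carries DNS names only.

```python
import ipaddress

# RFC 1918 ranges: where a LAN-only NAS is expected to live.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_ip(host):
    """True when the browser was pointed at a literal IP, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def name_matches(host, pattern):
    """Compare a hostname with one DNS SAN entry.

    A '*' is honoured only as the entire left-most label, and it
    stands for exactly one label (the usual browser behaviour).
    """
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def diagnose(browsed_host, san_dns_names, resolved_ip):
    """Return the reasons the browser would still warn (empty list = OK).

    resolved_ip is what the client's resolver returned for browsed_host,
    or None when the name did not resolve at all.
    """
    problems = []
    if is_ip(browsed_host):
        problems.append("browsing by IP: the certificate is issued for a name")
    elif not any(name_matches(browsed_host, s) for s in san_dns_names):
        problems.append("hostname is not one of the names on the certificate")
    if resolved_ip is None:
        problems.append("name does not resolve: add a local DNS record or hosts entry")
    elif not is_lan(resolved_ip):
        problems.append("name resolves outside the LAN: local DNS override missing")
    return problems
```

On a real client, the SAN list comes from the certificate the NAS presents and `resolved_ip` from that client's own resolver, so machines on different VLANs with different DNS servers can give different results.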

Ok. Great. Thank you. Will try that.

The local DNS file takes precedence over any other DNS server whether it’s local to your machine or on the network somewhere.

Got it. Good to know. Thank you.

@dan @Whattteva

It worked! I had to use both solutions you provided (because I have different machines using different DNS on different VLANs).

I appreciate the help. Has been a little blip I wanted to fix for a long time.

1 Like