Running TrueNAS SCALE behind a reverse proxy

Hi,

A new TrueNAS user here. I already have a Synology DS1513+ that has been running for many years. Now I am trying to add a TrueNAS box to the same LAN as the DS. I have already downloaded the latest TrueNAS SCALE and installed it successfully, and I can access it through the internal IP. However, I ran into a problem while trying to access it remotely. Here is my setup:

  1. I have a web server running on my DS on a domain. This web site can be accessed externally. (Can’t put more links here as it’s not allowed for new users)

  2. I have some other web servers running in Docker containers on the same DS. They can be accessed externally through Reverse Proxy.

  3. Now I am trying to do the same and create a reverse proxy for the TrueNAS box, so I can access it externally. However, it always gets stuck at the sign-in screen with a message saying “Connecting to TrueNAS … Make sure the TrueNAS system is powered on and connected to the network.” I am pretty sure the reverse proxy is working, since when I typed in the URL http://truenas.leosdomain.com, it did redirect to the truenas.leosdomain.com/ui/sessions/signin page. Where could the problem be?

Thanks!
Leo

As far as I know TrueNAS does not support operation behind a reverse proxy. Better look for VPN based solutions.

Certainly they don’t officially support it, but it ought to work. Just about anyone who uses or has used TrueCharts has run their NAS behind a Traefik reverse proxy. SCALE runs just fine behind Caddy as well, without any special arrangements or configuration settings. No idea what’s going on with Synology’s reverse proxy, but it definitely isn’t a simple matter of “TrueNAS doesn’t work behind a RP.” A common issue I’d see cited is support for websockets, so OP should make sure that’s enabled.

Now, whether this is a good idea is another question–and I suspect it is not. But it should work.

3 Likes

Thanks for the reply. I will definitely do some research on setting up a VPN if that’s the only solution.

You are the man! As soon as I enabled WebSocket support for the reverse proxy on the DS, it started to work right away! Although I still don’t understand the logic here. :laughing:

BTW, why is it not a good idea to run TrueNAS behind a RP? Please forgive me, I am a newbie in the TrueNAS world.

1 Like

Thanks! I did not know that. In the old forum the canonical answer that came up quite frequently was “not supposed to work”.

It’s not so much running it behind a RP that’s a bad idea, it’s exposing the GUI to the Internet, because it just isn’t designed for that. A good RP can mitigate this, if it’s properly configured for security, but it’s generally something we recommend against.

1 Like

Thanks again for your reply, dan! Since I enabled HTTPS with certificates for all the sites exposed to the public, including the TrueNAS UI, I guess security isn’t too much of an issue?
Leo

HTTPS protects against an attacker snooping on your conversation, but does nothing to protect against, e.g., brute-force attacks, or potential security flaws in the TrueNAS UI[1]. It’s a good thing (I’d say an essential thing), but it’s not the only issue.

  1. I don’t know of any, but I also don’t know there aren’t any, and logic suggests there probably are some.

The TrueNAS UI was not implemented with a “security first” approach and with the intent to be exposed to the Internet. Even iX confirmed as much multiple times.

You should never - HTTPS or not - expose the TrueNAS UI to the public Internet.

You need to place a $something with a secure design and strong authentication in front of it. This can be a VPN connection. It can also be a reverse proxy. If you configure your proxy so you have to authenticate to the proxy first - with a reasonably strong password or even 2FA - then I don’t see a problem.

But opening your TN UI to the world - please just don’t.

1 Like
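To tie together the two points raised in this thread (WebSocket support, which fixed the “Connecting to TrueNAS …” hang, and authenticating to the proxy before anything reaches the UI), here is a constructed nginx server block. It is an added example, not from this thread, from Synology or from iXsystems; the hostname, certificate paths, htpasswd file and the upstream LAN address are placeholders.

```nginx
# Constructed example: nginx in front of the TrueNAS SCALE web UI.
# Must live in the http context (e.g. /etc/nginx/conf.d/truenas.conf).

# Pass "Connection: upgrade" only when the client asked for a WebSocket.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name truenas.example.com;                                # placeholder

    ssl_certificate     /etc/nginx/certs/truenas.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/truenas.example.com.key;   # placeholder

    # Authenticate to the proxy first: no request (not even the login page
    # or the WebSocket handshake) reaches TrueNAS without proxy credentials.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/truenas.htpasswd;              # placeholder

    location / {
        proxy_pass http://192.168.1.50;                             # placeholder LAN IP of TrueNAS

        # The TrueNAS UI talks to its middleware over a WebSocket. Without
        # HTTP/1.1 and the Upgrade/Connection headers the sign-in page just
        # sits at "Connecting to TrueNAS ...", exactly as described above.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Standard forwarding headers so the UI sees the public host/scheme.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Keep an idle WebSocket session alive past the default 60s read timeout.
        proxy_read_timeout 3600s;
    }
}
```

The `auth_basic` layer is the simplest form of “authenticate to the proxy first”; a forward-auth setup (Authelia, as mentioned later in the thread) replaces those two lines with an `auth_request` directive and adds 2FA, while the WebSocket section stays the same.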

I was just trying to be lazy. :grin: A reverse proxy is the quick solution for me to play around with TrueNAS while I am not at home. I guess I will follow best practice and go for the VPN solution as everyone has suggested.
Thanks again,
Leo

The ideal stack, avoiding a VPN, is an authenticator, then your reverse proxy, then your app. Throw Cloudflare into the mix and they also add HTTPS and proxying, so attackers never see the real IPs of your apps. I was set up like this before, with a few static public IPs.

Outside in: a Cloudflare IP, pointed at an app in Nginx Proxy Manager, which required passing Authelia first. Add 2FA or passkeys in Authelia and it’s even better. The Cloudflare IP was never mine and could change, because you’d use DNS to get to those apps. They load balance, so the public IP would frequently change. So many moving parts; it was hard to deal with if something broke. But the solution worked most of the time.

Since then I quit paying 30 bucks a month for public IPs and just use a VPN. Some of the WordPress stuff I was doing was just dog slow compared to hosting with a free CDN, so I put the 30 bucks there instead. Fast and public, with no connection to my homelab.