A new TrueNAS user here. I already have a Synology DS1513+ that has been running for many years. Now, I am trying to add a TrueNAS to the same LAN as the DS. I have already downloaded the latest TrueNAS SCALE and installed it successfully, and I can access it through the internal IP. However, I got a problem while trying to access it remotely. Here is my setup:
I have a web server running on my DS on a domain. This web site can be accessed externally. (Can’t put more links here as it’s not allowed for new users)
I have some other web servers running in Docker containers on the same DS. They can be accessed externally through Reverse Proxy.
Now, I am trying to do the same and create a reverse proxy for the TrueNAS, so I can access it externally. However, it always gets stuck at the sign-in screen with a message saying “Connecting to TrueNAS … Make sure the TrueNAS system is powered on and connected to the network.” I am pretty sure the reverse proxy is working, since when I typed in the URL http://truenas.leosdomain.com, it did redirect to the truenas.leosdomain.com/ui/sessions/signin page. Where could the problem be?
Certainly they don’t officially support it, but it ought to work. Just about anyone who uses or has used TrueCharts has run their NAS behind a Traefik reverse proxy. SCALE runs just fine behind Caddy as well, without any special arrangements or configuration settings. No idea what’s going on with Synology’s reverse proxy, but it definitely isn’t a simple matter of “TrueNAS doesn’t work behind a RP.” A common issue I’d see cited is support for websockets, so OP should make sure that’s enabled.
Now, whether this is a good idea is another question–and I suspect it is not. But it should work.
You are the man! As soon as I created the WebSocket for the Reverse Proxy on the DS, it started to work right away! Although, I still don’t understand the logic here.
BTW, why is it not a good idea to run the TrueNAS behind a RP? Please forgive me, I am a newbie in the TrueNAS world.
It’s not so much running it behind a RP that’s a bad idea, it’s exposing the GUI to the Internet, because it just isn’t designed for that. A good RP can mitigate this, if it’s properly configured for security, but it’s generally something we recommend against.
Thanks again for your reply, dan! Since I enabled https with certificates for all the sites exposed to the public, including the TrueNAS UI, I guess the security isn’t too much of an issue?
Leo
HTTPS protects against an attacker snooping on your conversation, but does nothing to protect against, e.g., brute-force attacks, or potential security flaws in the TrueNAS UI[1]. It’s a good thing (I’d say an essential thing), but it’s not the only issue.
[1] I don’t know of any, but I also don’t know there aren’t any, and logic suggests there probably are some.
The TrueNAS UI was not implemented with a “security first” approach and with the intent to be exposed to the Internet. Even iX confirmed as much multiple times.
You should never - HTTPS or not - expose the TrueNAS UI to the public Internet.
You need to place a $something with a secure design and strong authentication in front of it. This can be a VPN connection. It can also be a reverse proxy. If you configure your proxy so you have to authenticate to the proxy first - with a reasonably strong password or even 2FA - then I don’t see a problem.
But opening your TN UI to the world - please just don’t.
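The two points raised in this thread (WebSocket support at the proxy, and authenticating to the proxy before the TrueNAS UI is reachable) can be sketched as an nginx configuration. This is an added example, not part of the original thread and not Synology's or iX's own configuration; the backend address `192.0.2.10`, the certificate paths, the htpasswd path, and the rate-limit values are placeholders chosen for illustration.

```nginx
# Added example. Placeholders: 192.0.2.10 (NAS LAN address), certificate
# paths, htpasswd path, rate-limit numbers. Only the hostname is from the thread.

# Pass "Connection: upgrade" upstream only when the client asked to upgrade;
# without this the UI loads but stays at "Connecting to TrueNAS ...".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Per-client request budget to slow password guessing against the proxy login
# (illustrative values; tune so normal page loads are not rejected).
limit_req_zone $binary_remote_addr zone=truenas_rp:10m rate=10r/s;

server {
    listen 443 ssl;
    server_name truenas.leosdomain.com;

    ssl_certificate     /etc/nginx/tls/placeholder-fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/placeholder-privkey.pem;

    # Authenticate to the proxy first; unauthenticated requests never
    # reach the TrueNAS web UI.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/placeholder.htpasswd;

    limit_req zone=truenas_rp burst=50 nodelay;

    location / {
        proxy_pass http://192.0.2.10;

        # WebSocket upgrade requires HTTP/1.1 and the hop-by-hop headers
        # to be set explicitly, since nginx does not forward them by default.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Do not hand the proxy credentials to the backend.
        proxy_set_header Authorization "";

        # Keep the long-lived WebSocket from being cut at the default 60s.
        proxy_read_timeout 3600s;
    }
}
```

The proxy login here is a second layer in front of the TrueNAS sign-in, not a replacement for it; a VPN, as suggested in this thread, avoids publishing the hostname at all.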
I was just trying to be lazy. Reverse Proxy is the quick solution for me to play around with the TrueNAS while I am not at home. I guess I will follow the best practice and go for the VPN solution as everyone has suggested.
Thanks again,
Leo