Secure dashboard (HTTPS and password?)

Would there be a way to make the dashboard exposable to the Internet, without having to go through the trouble of setting up an SSH tunnel like described in:

?

I mean could the dashboard implement some sort of security by itself, so we can expose it to the Internet and access it by using a password or something?

I see the matter has been discussed already, but the answer is usually to use an SSH tunnel or to install a reverse proxy in front of the node, as described here for instance:

But what I’m wondering is if the Node software could be improved to handle HTTPS and some sort of authentication by itself, without any third party software?

HTTPS is not quite as simple; you need a certificate.
One option is to use services like Let's Encrypt, but to get a certificate you need to have port 80 open. Not sure that's an option for everyone, but if it is, that would work.
The only other option means Storj Labs would need to be a CA and give storagenodes certificates signed by it. But browsers would need to accept those certificates, which won't be easy.
(Well, the 3rd option is self-signed certificates, but that's not really a good option since you get a security warning accessing it…)

So yeah, the easiest option to implement and use is an OpenVPN server, which can be easily deployed using Docker. Then it's just a few simple clicks on your phone and you're in your local LAN.
Or an SSH tunnel, similarly easy with a few apps.

[As a side-note: I don’t see a benefit in exposing the dashboard, especially if you use multiple nodes -> exposing multiple dashboards on multiple ports… Use grafana and expose it to the internet with your own certificate :smiley: ]

2 Likes

Another more involved method to scale exposure would be to run a reverse proxy that uses something like LetsEncrypt and exposes a login, then once authenticated exposes the internal dashboards to your session. One would likely use this with K8S or possibly some Docker setup. If you’re putting this much work in I would suggest adding the Grafana dashboard as well.

I do this. I used the below guide to set up my Traefik stack with Authelia.

Once set up, I just add a few extra lines in the labels: section of my docker-compose.yml for my nodes:

```yaml
  storj01:
    ...
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.storj01.entrypoints=https"
      - "traefik.http.routers.storj01.rule=Host(`storj01.example.com`)"
      ## Middlewares
      - "traefik.http.routers.storj01.middlewares=chain-authelia@file"
      ## HTTP Services
      - "traefik.http.services.storj01.loadbalancer.server.port=14002"
```

I can provide a minimal configuration for this in the SNO forum section if anyone is interested.

Does Traefik support proxying into subdirectories? Like domain.com/node1, domain.com/node2?
Because if not, it won't be of use for me. I use the nginx reverse proxy in Docker and can do the same thing with a few environment variables/labels. Not sure what the benefit/disadvantage of either approach is, just happy the nginx proxy approach with Let's Encrypt works fine :smiley:

Yes, it does. In the router definition, you can include a StripPrefix after the domain, and it'll strip that path prior to proxying to the backend node dashboard service.

EDIT: I’ve heard good things about nginx proxy manager. I like Traefik for its service discovery and now that I understand it, I can attach middleware auth like Authelia, Google Auth, or even Office 365.

1 Like

Nice, thanks for the answer. Maybe I’ll take a look at it if my other projects are done :smiley:

Also https://grafana.com/products/cloud/ offer a free account with authentication and https with valid cert out of the box. Probably easiest option to setup.

1 Like

On Synology via “Reverse Proxy” is the easiest way I think…

1 Like

Honestly, the best solution is to have a VPN set up for safe and secure remote management.
An alternative is to use Grafana with the Prometheus storj exporter; it works very well. I only connect to the node to do manual upgrades.

HTTPS is super hard to set up as you need a certificate authority, and that requires multiple public IPs and is super complicated. Additionally, it usually comes at a cost, but it would be technically possible for free with the help of some third-party services that establish a secure connection between your node and their server, and you would use their certificate (Cloudflare).

1 Like

The main cost in my opinion is a domain name. With your own domain name, you can use Let's Encrypt with the dns-01 challenge, and a single reverse proxy service listening on a single IPv4 address with only port 443 exposed to the outside world.

4 Likes
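The two setups described above, path-based routing with StripPrefix behind Authelia and a single Traefik instance getting its certificate via the dns-01 challenge with only port 443 exposed, combined in one Docker Compose fragment. This is an added example, not configuration from any poster in the thread; the hostname, the `node1`/`node2` paths, the `le` resolver name, the e-mail address and the DNS provider placeholder are assumptions.

```yaml
# Added example (not from the thread). Traefik v2 fronting two storagenode
# dashboards on one IPv4 address: dashboard.example.com/node1 and /node2.
# Assumed names: dashboard.example.com, resolver "le", YOUR_DNS_PROVIDER.
services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"   # opt-in per container
      - "--entrypoints.https.address=:443"
      - "--certificatesresolvers.le.acme.email=admin@example.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      # dns-01: no port 80 needed; provider name is a placeholder
      - "--certificatesresolvers.le.acme.dnschallenge.provider=YOUR_DNS_PROVIDER"
    environment:
      # provider API credentials go here (variable name depends on provider)
      - "YOUR_DNS_PROVIDER_API_TOKEN=placeholder"
    ports:
      - "443:443"            # the only port reachable from the Internet
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"

  storj01:
    image: storjlabs/storagenode:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.storj01.entrypoints=https"
      - "traefik.http.routers.storj01.rule=Host(`dashboard.example.com`) && PathPrefix(`/node1`)"
      - "traefik.http.routers.storj01.tls.certresolver=le"
      # strip /node1 before forwarding so the dashboard sees "/"
      - "traefik.http.middlewares.storj01-strip.stripprefix.prefixes=/node1"
      # Authelia login first, then the prefix strip
      - "traefik.http.routers.storj01.middlewares=chain-authelia@file,storj01-strip"
      - "traefik.http.services.storj01.loadbalancer.server.port=14002"

  storj02:
    image: storjlabs/storagenode:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.storj02.entrypoints=https"
      - "traefik.http.routers.storj02.rule=Host(`dashboard.example.com`) && PathPrefix(`/node2`)"
      - "traefik.http.routers.storj02.tls.certresolver=le"
      - "traefik.http.middlewares.storj02-strip.stripprefix.prefixes=/node2"
      - "traefik.http.routers.storj02.middlewares=chain-authelia@file,storj02-strip"
      - "traefik.http.services.storj02.loadbalancer.server.port=14002"
```

The `chain-authelia@file` middleware is assumed to exist in Traefik's file provider, as in the labels posted earlier in the thread; the dashboard containers publish no ports of their own, so they are reachable only through the authenticated HTTPS router.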

Yes, I just want to say one thing: be careful what ports you open.

My network speed is fast at my house and I host VMs for friends and some other small projects. As there are some special ports opened, I have attracted the interest of some not-so-white-hat hackers. Let's say my firewall is constantly spitting out issues. The log file gets deleted very often due to this. I was already breached. For those using VNC: don't use it. I was breached in the past; the best solution for all of this is a firewall-based VPN. I'm integrating it over the summer. No management ports will be opened, and the VPN requires a password and a certificate that both sides have.

Since the last attack I have taken extra precautions and do not advise leaving ports open pointlessly.

2 Likes

Don’t overstress it.

Just expose the HTTP port to the Internet. There are no security issues with it.
There are tons of reputable sites on the Internet which are HTTP and they still work.

To prove it: here is my dashboard: http://proxy.slavikf.com:28966/
It has been exposed for about a year now. No issues.

A lot of people in this thread write that it's not safe, that hackers will do bad things to you… To all these people: use the link above, go ahead and try to hack my system, and if you succeed, I'll send you $100 in Storj tokens. Just don't DoS it.

Just because nobody has hacked you yet doesn't mean you should be careless. However, that doesn't have anything to do with HTTP or HTTPS; the dashboard could be hacked in either scenario. HTTPS only offers an advantage if you actually send/receive sensitive data, but accessing your dashboard will always show the same data.

There is nothing careless about exposing the dashboard via HTTP.

the dashboard could be hacked

Anything can be hacked. Why haven't you stopped using the Internet? You can be hacked just by visiting sites…

That's why you limit your exposure by not exposing everything to the Internet that doesn't need to be exposed. Just use a VPN if you want to access your dashboards.

That’s not reasonable.
There are a lot of scenarios when VPN is not practical.

This is why I asked: why haven’t you stopped using the Internet? You can be hacked.

Why not use a VPN with the dashboard? Well, because I'm using a free monitoring service for my node and it will not work with a VPN. Because I'm collecting data from the dashboard and the collecting agents will not work via VPN.

So, no reason to be paranoid.

Well if you are careless/“not paranoid”, at least don’t instruct others to ignore possible dangers.

2 Likes

Well, if you are paranoid, at least don't instruct others to make their lives hard with unnecessary troubles.

Will you call these guys “careless”:

http://apache.org/ (no HTTPS by default)
http://www.gnu.org/ (no HTTPS by default)

As I said, whether you can get hacked is not a matter of HTTP or HTTPS.

And as mentioned, the "careless" is only about exposing things to the Internet that don't need to be on the Internet, like a dashboard.