Any advice for CBA? (Certificate Based Authentication)

Eragon615 (Cadet; joined Apr 7, 2023; 4 messages):
I'm still a novice at this kind of stuff, but it's my understanding that you can set up certificates in such a way that both the client and server need certificates set up in order to connect. I'm pretty shy about just having a login page out on the internet for people to hammer on, so I'd like to implement something like that. Can anyone point me to any guides? Is this supported on TrueNAS Scale? Am I misunderstanding how this works?

sretalla (Powered by Neutrality, Moderator; joined Jan 1, 2016; 9,700 messages):
There are many security concerns that would come before the one you have raised...

TrueNAS is not a hardened appliance and is not designed to face the Internet directly, rather it should be protected by a firewall and/or a properly configured reverse proxy for the services that will be made available to the Internet.

If you don't care about that and enjoy risking the security of your device, you could simply enable 2FA (under the Credentials section) and be done with it.

If you must make your administration GUI available over the Internet, you can do that via Traefik, adding an auth middleware like Authentik to it to provide a proper amount of protection.

jgreco (Resident Grinch; joined May 29, 2011; 18,680 messages):
> I'm still a novice at this kind of stuff, but it's my understanding that you can set up certificates in such a way that both the client and server need certificates set up in order to connect. I'm pretty shy about just having a login page out on the internet for people to hammer on, so I'd like to implement something like that. Can anyone point me to any guides? Is this supported on TrueNAS Scale? Am I misunderstanding how this works?

You are definitely NOT supposed to have the NAS web user interface accessible from the Internet. The webUI is not considered to be secure.

The general strategy is to enable SSLVerifyClient and then supply the valid CA roots against which a certificate can be issued. The general process for nginx should look something like:
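The setup jgreco describes, a reverse proxy that refuses the TLS handshake unless the client presents a certificate issued by your own CA, written out as an added example; this is not code from the thread, from TrueNAS or from nginx. It creates a private client CA with openssl, issues a client certificate bundled as PKCS#12 for a browser, and renders the nginx server block (nginx's directives are `ssl_client_certificate` and `ssl_verify_client`). The directory `./mtls-ca`, the names `nas.example.com` and `alice`, the server-certificate paths under `/etc/nginx/tls/` and the NAS address `https://10.0.0.5` are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not part of the original thread: nginx reverse proxy with
# mandatory client-certificate authentication (mutual TLS) in front of the
# TrueNAS web UI. All hostnames, paths and addresses below are assumptions.
set -eu

CA_DIR="${CA_DIR:-./mtls-ca}"                        # assumed: where the private CA lives
NAS_UPSTREAM="${NAS_UPSTREAM:-https://10.0.0.5}"     # assumed: TrueNAS web UI on the LAN
PROXY_HOST="${PROXY_HOST:-nas.example.com}"          # assumed: public name of the proxy

# 1. A private CA whose only job is issuing client certificates.
#    Keep client-ca.key off the proxy; nginx needs only client-ca.crt.
make_client_ca() {
    mkdir -p "$CA_DIR"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$CA_DIR/client-ca.key" -out "$CA_DIR/client-ca.crt" \
        -days 3650 -subj "/CN=Home NAS client CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign"
}

# 2. One certificate per person/device, marked clientAuth only, so it can
#    never be mistaken for a server certificate. Output is a .p12 bundle
#    (key + cert + CA) that browsers and phones can import.
issue_client_cert() {   # $1 = user name, e.g. alice
    name="$1"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$CA_DIR/$name.key" -out "$CA_DIR/$name.csr" -subj "/CN=$name"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$CA_DIR/client-ext.cnf"
    openssl x509 -req -in "$CA_DIR/$name.csr" \
        -CA "$CA_DIR/client-ca.crt" -CAkey "$CA_DIR/client-ca.key" -CAcreateserial \
        -days 365 -extfile "$CA_DIR/client-ext.cnf" -out "$CA_DIR/$name.crt"
    # pkcs12 -export prompts for an export password; the browser asks for it on import.
    openssl pkcs12 -export -inkey "$CA_DIR/$name.key" -in "$CA_DIR/$name.crt" \
        -certfile "$CA_DIR/client-ca.crt" -out "$CA_DIR/$name.p12"
}

# 3. The nginx server block. ssl_verify_client on makes the handshake fail
#    (HTTP 400) for any client without a certificate chaining to our CA,
#    so the TrueNAS login page is never served to an unauthenticated client.
render_nginx_conf() {   # prints the config; save it under /etc/nginx/conf.d/
    cat <<EOF
server {
    listen 443 ssl;
    server_name $PROXY_HOST;

    # The proxy's own certificate (e.g. Let's Encrypt); assumed paths.
    ssl_certificate     /etc/nginx/tls/$PROXY_HOST.crt;
    ssl_certificate_key /etc/nginx/tls/$PROXY_HOST.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Client certificate: mandatory and must chain to the private CA.
    ssl_client_certificate $CA_DIR/client-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        proxy_pass $NAS_UPSTREAM;
        proxy_ssl_verify off;    # assumption: NAS has a self-signed cert on the LAN
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # The TrueNAS UI talks to the middleware over a WebSocket.
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

case "${1:-}" in
    setup)  make_client_ca; issue_client_cert "${2:-alice}"
            render_nginx_conf > "$CA_DIR/nas.conf" ;;
    conf)   render_nginx_conf ;;
    verify) openssl verify -CAfile "$CA_DIR/client-ca.crt" "$CA_DIR/${2:-alice}.crt" ;;
    *)      : ;;   # no argument: only define the functions (file can be sourced)
esac
```

Run `sh mtls-setup.sh setup alice` on a machine that will keep the CA key, copy `client-ca.crt` and `nas.conf` to the proxy, import `alice.p12` into the browser, and check with `openssl s_client -connect nas.example.com:443` (without `-cert`) that the server closes the connection instead of showing a login page. Revoking a lost device means adding its certificate to a CRL referenced by `ssl_crl`, or reissuing the CA if you have only a handful of clients.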
