Umbrel for Linux - Change ports 80 and 9050 prior to installation
Hello,
I would like to install umbrel for linux on a computer that already has a running webserver on port 80 and tor on 9050. In that situation the installer (curl -L https://umbrel.sh | bash) fails and complains the ports are already taken.
Is there a way to install umbrel for linux in this case?
Hey @stn021! Unfortunately you'd need to uninstall Tor, because Umbrel's Tor binds to port 9050 as well. Once you have Umbrel up and running you could use its built in Tor proxy which will also run on 9050 for your use case.
Ideally we recommend running Umbrel on a dedicated machine on which you do not have anything else running for best security and to prevent port collisions. In case that isn't possible for your use case, but you can uninstall Tor from your system while keeping your web server running on port 80, you can run:
export NGINX_PORT=1000 && curl -L https://umbrel.sh/ | bash
That will serve Umbrel's UI on http://<your-machine's-URL-or-IP-address>:1000. You can replace port 1000 with whichever port you want to run it on. Let us know if that resolves your issue!
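Before running the installer on a shared host, it helps to know exactly which of the ports the maintainers mention are already held, and by what address. The following script is an added example, not part of this thread or of Umbrel's installer: it reads the LISTEN sockets the kernel exposes in /proc/net/tcp and /proc/net/tcp6 (the same tables `ss -ltn` reads) and reports collisions. The port list (80 for nginx, overridable through NGINX_PORT as described above, and 9050/9051 for Tor) is an assumption drawn from this thread; the embedded /proc/net/tcp sample is constructed.

```python
"""Pre-install port-collision check for Umbrel on an existing Linux host.

Added example, not part of the original thread or of Umbrel's installer.
The Umbrel port list below is an assumption taken from this thread.
"""
import os
import sys

TCP_LISTEN = "0A"  # hex socket state in the 'st' column of /proc/net/tcp


def umbrel_ports():
    """Ports Umbrel wants, honouring NGINX_PORT the way the installer does (assumption)."""
    return {
        "nginx (NGINX_PORT)": int(os.environ.get("NGINX_PORT", "80")),
        "tor socks proxy": 9050,
        "tor control port": 9051,
    }


def decode_addr(addr_hex):
    """Render the kernel's little-endian hex IPv4 address in dotted form."""
    if len(addr_hex) != 8:
        return "[ipv6]"  # IPv6 rows carry 32 hex chars; only the port matters here
    return ".".join(str(b) for b in bytes.fromhex(addr_hex)[::-1])


def parse_listening_ports(table_text):
    """Return {port: bound_address} for every LISTEN row of one /proc/net/tcp* table."""
    listening = {}
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        listening[int(port_hex, 16)] = decode_addr(addr_hex)
    return listening


def system_listening_ports():
    """Merge IPv4 and IPv6 LISTEN sockets of the running host."""
    listening = {}
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                listening.update(parse_listening_ports(fh.read()))
        except OSError:
            pass  # not Linux, or /proc hidden: report nothing rather than guess
    return listening


def collisions(listening, wanted):
    """Map each Umbrel service whose port is already bound to (port, address)."""
    return {name: (port, listening[port])
            for name, port in wanted.items() if port in listening}


# Constructed sample of /proc/net/tcp: a web server on 0.0.0.0:80 (0x0050),
# Tor on 127.0.0.1:9050 (0x235A) and one ESTABLISHED connection (state 01).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:235A 00000000:0000 0A 00000000:00000000 00:00000000 00000000   109        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8A2E 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    # `--sample` runs against the constructed table instead of the live host.
    live = parse_listening_ports(SAMPLE_TCP) if "--sample" in sys.argv else system_listening_ports()
    taken = collisions(live, umbrel_ports())
    for name, (port, addr) in taken.items():
        print(f"{name}: port {port} already bound on {addr}")
    sys.exit(1 if taken else 0)
```

Run it with NGINX_PORT exported the same way you would for the installer; a non-zero exit means the install would hit the same "address already in use" failure shown later in this thread. Note that the Tor ports are not overridable, so a 9050 collision can only be resolved by stopping the existing Tor.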
Security
The problem with the idea that nothing else runs on the machine is that Umbrel isn't using Caddy (or any alternative), so all of its web traffic is completely insecure and all passwords are being broadcast in plain text to all devices on the network (unless you have some sort of fancy port-isolating security gateway, which most people don't) and across the internet if you're doing any sort of port forwarding to get to your installation.
For something that's managing smart home devices and crypto currency, that's a non-starter.
You MUST run a secure webserver on port 80 that handles Let's Encrypt / ACME and redirects to 443 or there is NO SECURITY at all.
No other way to change ports?
The only way to change the port is to uninstall and reinstall? Isn't there some sort of config file that can be edited?
I tried to edit docker-compose.yml to use 8080 instead of 80, but it didn't seem to have any effect.
Example caddy file
This is using the old Caddyfile syntax. The new way is to use the JSON API, which allows products like umbrel to automatically update service ports and such in realtime, but I'm not familiar with that yet.
- Install caddy

curl https://webinstall.dev/caddy | sh
source ~/.config/envman/PATH.env
mkdir -p ~/srv/caddy
touch ~/srv/caddy/Caddyfile
- Configure Caddyfile

vim ~/srv/caddy/Caddyfile

# Umbrel login
example.duckdns.org {
    log {
        output stdout
        format console
    }
    encode gzip zstd
    reverse_proxy localhost:8080
}

# Home Assistant
home-assistant.example.duckdns.org {
    log {
        output stdout
        format console
    }
    encode gzip zstd
    reverse_proxy localhost:8083
}
- Start the system service

curl https://webinstall.dev/serviceman | sh
source ~/.config/envman/PATH.env
sudo env PATH="$PATH" \
    serviceman add --system --username $(whoami) --name caddy -- \
    caddy run --config ~/srv/caddy/Caddyfile
Another problem with this is that I don't see a way to map subdomains to ports, so opening any given app from the dashboard redirects back to the insecure port.
Rerunning the install with the port variable changed still fails.
export NGINX_PORT=65080; curl -L https://umbrel.sh/ | bash -s -- --install-path ~/srv/umbrel
/usr/lib/python3/dist-packages/requests/__init__.py:89: RequestsDependencyWarning: urllib3 (1.26.13) or chardet (3.0.4) doesn't match a supported version!
warnings.warn("urllib3 ({}) or chardet ({}) doesn't match a supported "
Removing nginx
Starting tor_proxy ... done
Starting dashboard ... done
Recreating manager ... done
Recreating auth ...
Recreating 5dc88b17a87d_nginx ...
Recreating 5dc88b17a87d_nginx ... error
ERROR: for 5dc88b17a87d_nginx Cannot start service nginx: driver failed programming external connectivi
Recreating auth ... done
userland proxy: listen tcp4 0.0.0.0:80: bind: address already in use
ERROR: for nginx Cannot start service nginx: driver failed programming external connectivity on endpoint nginx (d25076d9a588cafc685089e6025185a5fb3826937578e5aeba0b5b0f7aafc270): Error starting userland proxy: listen tcp4 0.0.0.0:80: bind: address already in use
ERROR: Encountered errors while bringing up the project.
Failed to start containers
Skipping status update when not on Umbrel OS
Looking at other issues about this it seems like there are 3 ENVs and 2 files that are related:
- NGINX_PORT
- UMBREL_LISTEN_PORT
- UMBREL_HTTP_PORT
- .env
- docker-compose.yml
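The Caddyfile posted above can be expressed as the JSON config that Caddy's admin API consumes, which is the "realtime" update path mentioned in that post. The script below is an added example, not part of this thread or of Umbrel's or Caddy's own code: it builds one HTTPS server with a host-matched route per subdomain and can POST it to Caddy's admin endpoint (default localhost:2019, path /load), so the subdomain-to-port map can be regenerated whenever an app's port changes. The hostnames, ports and the server name "umbrel" are assumptions mirroring the Caddyfile above.

```python
"""Build and push a Caddy JSON config mapping hostnames to local ports.

Added example, not Umbrel's or Caddy's own code. SITES and the server
name "umbrel" are assumptions mirroring the Caddyfile posted above.
"""
import json
import sys
import urllib.request

# Assumed mapping, taken from the Caddyfile example above.
SITES = {
    "example.duckdns.org": 8080,                 # Umbrel UI (NGINX_PORT)
    "home-assistant.example.duckdns.org": 8083,  # Home Assistant
}
ADMIN_URL = "http://localhost:2019"  # Caddy admin API default listen address


def build_config(sites, listen=(":443",)):
    """One HTTPS server; each hostname gets a terminal route to its local port.

    Because the routes carry host matchers, Caddy's automatic HTTPS obtains
    certificates for those names and sets up the port-80 to 443 redirect.
    """
    routes = []
    for host, port in sorted(sites.items()):
        routes.append({
            "match": [{"host": [host]}],
            "handle": [
                {"handler": "encode", "encodings": {"gzip": {}, "zstd": {}}},
                {"handler": "reverse_proxy",
                 "upstreams": [{"dial": f"localhost:{port}"}]},
            ],
            "terminal": True,
        })
    return {"apps": {"http": {"servers": {
        "umbrel": {"listen": list(listen), "routes": routes}
    }}}}


def upstream_for(config, host):
    """Return the 'dial' target Caddy would proxy `host` to, or None if unrouted."""
    for route in config["apps"]["http"]["servers"]["umbrel"]["routes"]:
        if host not in route["match"][0]["host"]:
            continue
        for handler in route["handle"]:
            if handler["handler"] == "reverse_proxy":
                return handler["upstreams"][0]["dial"]
    return None


def push_config(config, admin_url=ADMIN_URL):
    """Replace Caddy's running config via POST /load; returns the HTTP status."""
    req = urllib.request.Request(
        f"{admin_url}/load",
        data=json.dumps(config).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    cfg = build_config(SITES)
    if "--push" in sys.argv:
        print("caddy admin returned", push_config(cfg))
    else:
        print(json.dumps(cfg, indent=2))  # review before pushing
```

Two caveats when using this in front of Umbrel: Caddy needs port 80 for the ACME HTTP challenge and the HTTP-to-HTTPS redirect, so Umbrel's nginx must be moved off it (the NGINX_PORT variable discussed in this thread); and the upstreams being localhost does not stop LAN clients from reaching Umbrel's nginx directly, since the install log in this thread shows the container publishing on 0.0.0.0, so a host firewall rule restricting that port to loopback is still needed for the proxy to be the only path in.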
Hey @coolaj86, see this issue for previous discussion on SSL: https://github.com/getumbrel/umbrel/issues/546#issuecomment-1161772036
The intended environment for Umbrel to run in is on a local network behind a firewall. We plan to support SSL but it's not trivial to implement due to being unable to use CA signed certs for local devices and self signed certs having poor UX and security footguns. The issue I linked above references some other issues where I go into this in some more detail if you're interested. We do have some pretty interesting ideas on how we can solve this in the future.
it's not trivial to implement due to being unable to use CA signed certs for local devices
That's based on old 90s thinking about the problems of SSL, but we're in 2023 with TLS, ACME, and caddy.
It's absolutely easy both to use CA signed certs for local devices (dns-based authentication rather than IP-based) as well as to use custom non-CA certs (simple user popup to add an authority). Caddy can do either and it's baked in to do The Right Thing™ by default.
cc/ @mholt
In case it wasn't clear I'm referring to issues with clients, not the provisioning of the certificates. I'm a huge fan of Caddy, it certainly makes the provisioning side a breeze, but it doesn't help the issues we face with clients.
Umbrel is accessed via a web browser, we don't have a native client where we can transparently grab and pin self signed certs. Users get faced with scary SSL warnings that are intimidating to them. It's a major security footgun to encourage users who don't understand the implications to blindly click past browser cert warnings. Also if they ever do get MITMd in the future they'll see the same warning they saw before and assume it's safe to click through, undoing the protection that SSL was there to provide in the first place. Not to mention the very poor UX this provides.
Re DNS, most of our users do not have a public domain they can use, and if we provide them with a subdomain they're just trusting us not to MITM them in the future. Not to mention poor UX again when they have what looks like a publicly accessible domain that only works when they're connected to a certain network.
As mentioned above we do have some pretty creative ideas on how to solve these problems.
If you read through the issues I linked you'll find lots of previous discussion on this.
I would like to test export NGINX_PORT=1000 && curl -L https://umbrel.sh/ | bash
I just tried and it did not work. I cannot really say why. My problem right now is, that I do not know how to completely remove umbrel from linux before I try again.
Are there official instructions for that? So far I manually stop docker, manually remove every image after first removing every container. Then I remove the folder ~/umbrel. But even then I have had some images and the folder ~/umbrel reappear after a minute or so. Really lots of work.
A bit later: install failed again. Not sure if this is related to the NGINX_PORT=xxx. It is the same error I had on the last attempt, error message see below.
I removed umbrel best I could, as described earlier and then ran export NGINX_PORT=1000 && curl -L https://umbrel.sh/ | bash
ERROR: for manager Cannot create container for service manager: Conflict. The container name "/manager" is already in use by container "9c05fde59a5c886fa5b5c07936b54ab6a4229afb54b26cb252945e8b218931e5". You have to remove (or rename) that container to be able to reuse that name.
ERROR: Encountered errors while bringing up the project.
Failed to start containers
Skipping status update when not on Umbrel OS
@stn021 This sounds like the previous manager container was left behind from your previous install.
If you run docker ps -a it will show all containers under Docker (docker ps only shows the containers that are running). You can then remove these by running docker rm {container_id}, e.g. docker rm 5e3830d4a937.
Now I can't get rid of them at all. I delete all containers but they just pop up again 30 seconds later. Seriously, how do I remove umbrel completely?
Much later: somehow I got rid of umbrel for linux.
And installed again. This time I got the same result as mentioned earlier in this thread: the environment variable NGINX_PORT=... does not solve the problem. Umbrel does not start. Error message see below.
Really helpful for before installation of umbrel on linux would be:
- set the listening webserver port, for example NGINX_PORT=...
- set the Tor ports 9050 and 9051 to different numbers, for example TOR_PROXY=... and TOR_CONTROL=...
- choose which interfaces to bind, for example 127.0.0.1 or 0.0.0.0
This is necessary for setting up an umbrel in the local LAN on an existing linux computer.
Error message:

export NGINX_PORT=1000 && curl -L https://umbrel.sh/ | bash

ERROR: for nginx Cannot start service nginx: driver failed programming external connectivity on endpoint nginx (04b942e91654f56d6157635a18e5da53fb47386ff5a25954024708a8c0db00b2): Error starting userland proxy: listen tcp4 0.0.0.0:80: bind: address already in use
ERROR: Encountered errors while bringing up the project.
Failed to start containers
Skipping status update when not on Umbrel OS
I had this same issue when trying to install Umbrel on a Zimaboard. The Zimaboard comes with CasaOS and it includes a web interface.
To fix the issue, I logged into the CasaOS web interface, and under settings there is an option to change the WebUI port. I changed it from port 80 to something unique, and then was able to successfully install Umbrel.
Hello,
as requested in the Telegram group, here is a short post. Thank you for looking into the matter. I think I get a notification on any new post in this thread, so if there are new developments just post here. Also I have re-joined the Telegram group.
I would like to add one comment: it would IMHO be helpful if it were possible to connect Umbrel to an external BTC node (LAN, internet or some other installation on localhost) instead of the included one. That way a lot of disk space could be saved, it would become possible to run Umbrel on a rented server without having to book a quite expensive extra TB of disk, and also it is a bit redundant if someone already owns a Bitcoin node, and it would save the days up to weeks that are otherwise needed for sync.