Security Notice

Detailed overview of RaidMan's security architecture, authentication mechanisms, and configuration options.

Security is a core pillar of RaidMan. Because the plugin provides powerful access to your Unraid server, from container management to full terminal access, it is built with a defense-in-depth approach. This document explains the security architecture in detail to help you understand how your server is protected.

Security Architecture

The RaidMan plugin is designed to minimize attack surface while providing robust functionality.

1. Localhost Binding

The core raidman binary binds only to 127.0.0.1 (localhost) on port 9876. It does not listen on any externally reachable network interface (such as br0 or eth0).

  • Implication: The API cannot be accessed directly from the network, even if the port is open on your firewall.
  • Protection: Access is strictly gated through Unraid's Nginx web server, which acts as a reverse proxy.
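To confirm the loopback-only binding on a running server, the following check classifies every listener on port 9876. It is an added example, not part of the RaidMan plugin; it assumes the iproute2 `ss` tool is present on the host, and the function names and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify that every listener on the RaidMan port is loopback-only.
# Assumption: `ss` (iproute2) is available; port 9876 is taken from the page.
RAIDMAN_PORT=9876

# classify_listeners PORT
# Reads `ss -Hltn` style lines on stdin (field 4 = Local Address:Port).
# Prints one verdict line per listener on PORT and returns:
#   0 = all listeners on PORT are loopback, 1 = at least one is exposed,
#   2 = nothing is listening on PORT.
classify_listeners() {
    awk -v port="$1" '
        {
            local_addr = $4
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next
            # Strip the ":port" suffix, IPv6 brackets and any %iface scope.
            host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            gsub(/^\[|\]$/, "", host)
            sub(/%.*/, "", host)
            found = 1
            if (host ~ /^127\./ || host == "::1") {
                print "OK      " local_addr
            } else {
                print "EXPOSED " local_addr
                exposed = 1
            }
        }
        END { if (!found) exit 2; exit (exposed ? 1 : 0) }
    '
}

# Constructed sample (not captured from a real server): the expected loopback
# listener, an unrelated port, and a wildcard listener that should be flagged.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 4096 127.0.0.1:9876 0.0.0.0:*
LISTEN 0 511  0.0.0.0:443    0.0.0.0:*
LISTEN 0 4096 *:9876         *:*
EOF
}

sample_ss_output | classify_listeners "$RAIDMAN_PORT" || echo "verdict code: $?"
# Live check on the Unraid host:
# ss -Hltn | classify_listeners "$RAIDMAN_PORT"
```

Any address other than 127.x.x.x or ::1 is reported as EXPOSED, including wildcard binds and IPv4-mapped IPv6 forms, so the check errs on the side of flagging.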

2. Nginx Reverse Proxy

All external traffic flows through Unraid's built-in Nginx server via a dedicated location block (/raidman/).

  • TLS/SSL: RaidMan inherits the SSL certificate and HTTPS configuration of your Unraid server. If you access Unraid via HTTPS, all RaidMan traffic is encrypted.
  • Header Sanitization: Nginx proxies the connection and passes specific headers (x-api-key, Upgrade, Connection) to the backend.

Authentication & Authorization

Authentication is enforced at the application level by the raidman binary.

API Configuration

The plugin relies on API Keys for authentication. These keys are defined in your Unraid server and granted specific permissions.

  • Header: x-api-key
  • Cookie: x-api-key

Permissions System

RaidMan implements a granular permission system. Every API endpoint enforces a minimum required security level.

| Resource | Action            | Required Permission        |
|----------|-------------------|----------------------------|
| Docker   | Read Stats/Logs   | docker:read or docker:*    |
| Docker   | Start/Stop/Pause  | docker:update or docker:*  |
| VM       | Read Info/Logs    | vm:read or vm:*            |
| VM       | VNC Access        | vm:update or vm:*          |
| Array    | Read Status       | array:read or array:*      |
| System   | Reboot/Shutdown   | ADMIN Role                 |
| Terminal | Host Access       | ADMIN Role                 |

Note: The ADMIN role is a superuser privilege that bypasses granular permission checks for most resources, but is strictly required for sensitive operations like System Actions and Host Terminal access.

Configuration Options

You can configure security settings directly from the Unraid Web UI: Settings > Utilities > RaidMan.

1. Host Terminal Access

  • Default: Enabled
  • Control: You can completely disable the ability to spawn a host shell.
  • Auditing: When enabled, every terminal session start is logged to the system log (/var/log/raidman.log) with the authenticated API key (masked).

2. API Key Restriction (Whitelist)

By default, RaidMan allows any valid Unraid API key to connect, provided it has the necessary permissions. You can restrict this further:

  • Restrict API Keys: Identify specific API keys that are allowed to connect.
  • Behavior: If enabled, even a valid API key with ADMIN role will be rejected if it is not in the allowed list. This is highly recommended for auditing access.

Data Privacy

  • No Telemetry: RaidMan does not collect or send usage data, crash reports, or analytics to any external server.
  • Local Processing: All data processing (parsing logs, calculating parity speed) happens locally on your Unraid server.
  • Direct Connection: The RaidMan mobile app connects directly to your Unraid server (or via your configured VPN/Proxy). Traffic never passes through a third-party cloud service.

Best Practices

  1. Use a VPN: For remote access, always use a VPN (WireGuard, Tailscale) rather than exposing the Unraid WebUI to the internet.
  2. Least Privilege: Create specific API keys for RaidMan clients with only the permissions they need.
  3. Audit Logs: Regularly check /var/log/raidman.log for unauthorized access attempts or unexpected activity.
  4. Restrict Keys: Use the "API Key Restriction" feature to ensure only your specific mobile device's key can access the plugin.
  5. Disable Host Terminal Access: If you don't need it, disable it to enhance security.