Like some (or many?) of you, I've been having some problems with getting SSL to work properly on my NAS. It started out with my logs flooding with the "Re-launch process [stunnel]" messages, so I turned off SSL login a long time ago to prevent this. I was hoping that upgrading to 3.8.2 might fix it, but alas. So I spent my evening figuring out what the bleep is going wrong.
Also, this works for me so far, but your mileage may vary!
First off: stunnel is broken, and by extension the SSL login/webinterface as well. But no worries, it is fixable, but not for the faint of heart.
Requirements: some experience with *nix / SSH / vim, etc.
Ok, so what's going on in the background?
The webinterface is running from /home/httpd, on port 8080. That way, it won't conflict with the webserver running on port 80. To access the webinterface through SSL (secure connection), a little tool called 'stunnel' is being used. I didn't know it before, but it's quite nifty! It simply does some port forwarding (like in your router/modem) and adds a secure layer to it. Sounds pretty awesome, but alas, it's not working properly. I'm not quite sure why, but there is a lot of crazy stuff going on in the /etc/init.d/stunnel.sh script, which doesn't match up with the uLinux.conf. And in my case, my stunnel.conf was mostly filled with mysql configurations! (Maybe something went horribly wrong with my config at some point, but if y'all have the same issue, QNAP really needs to clean up its act!)
So what's next?
To keep this somewhat short and simple, I'll just go through all the steps to set up SSL for web interface and web server:
- Enable SSL in General Settings with the port you would like to use (must be different than the web server's, in this example I'm using 444)
- Enable SSL in Web Server with the port you would like to use (must be different than the web interface's)
- Paste and upload your certificate and key in Security -> SSL Secure Certificate & Private Key
- Log in to your NAS with SSH or Telnet
- Install stunnel through ipkg:
```
ipkg install stunnel
```
- Edit the /opt/etc/stunnel/stunnel.conf and add/edit the following lines in it:
```
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
setuid = guest
setgid = guest
[https]
accept = 444
connect = 8080
```
```
/opt/etc/init.d/S68stunnel
```
There's a catch tho!
Any time you reboot your NAS, or alter something in the webinterface that is linked to stunnel (like General Settings -> System Administration, or the Web Server, and possibly many others!), it'll restart the integrated stunnel, and everything breaks down again until you run the stunnel from the ipkg.
Luckily, changes aren't often made, so this should be a reasonable workaround. And for those of you who are a bit more experienced, I'm pretty sure you already have a nifty autorun script installed. If not, check out this link: http://wiki.qnap.com/wiki/Running_Your_ ... at_Startup
An alternative would be to add the S68stunnel to your crontab, but I'm not sure that's a good solution.
So that's all there is to it. Pretty easy in hindsight! SSL all working, and no more logs flooding with "Re-launch process [stunnel]". Just tested my Qmanager app on Android with SSL as well, without problems!
Hope some of you find this useful
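
A small check to run after editing the config or after a reboot, as an added example that is not part of the original post: it parses a stunnel.conf of the shape shown above and reports a wrong [https] port mapping, missing setuid/setgid, or a private key file that group or others can read. The function names are made up for this example, and it assumes bare port numbers as used in the post, e.g. `audit_stunnel_conf /opt/etc/stunnel/stunnel.conf 444 8080`.

```shell
#!/bin/sh
# Added example, not from the original post: audit a stunnel.conf like the one above.

# conf_get FILE SECTION KEY: print the last value of KEY in [SECTION];
# SECTION "" means the global options that precede the first [service].
conf_get() {
    awk -v want="$2" -v key="$3" '
        BEGIN { sect = "" }
        /^[ \t]*[;#]/ { next }                          # skip comment lines
        /^[ \t]*\[.*\]/ { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); sect = $0; next }
        sect == want && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Helper (hypothetical name): print one problem and count it.
finding() { echo "FINDING: $1"; findings=$((findings + 1)); }

# audit_stunnel_conf FILE ACCEPT_PORT CONNECT_PORT
# Prints one line per problem and returns the number of problems found.
audit_stunnel_conf() {
    findings=0
    [ "$(conf_get "$1" https accept)" = "$2" ] || finding "[https] accept is not $2"
    [ "$(conf_get "$1" https connect)" = "$3" ] || finding "[https] connect is not $3"
    for opt in setuid setgid; do                        # privileges must be dropped
        case "$(conf_get "$1" "" "$opt")" in
            ""|root|0) finding "$opt is unset or root, stunnel keeps root privileges" ;;
        esac
    done
    pem=$(conf_get "$1" "" key)
    [ -n "$pem" ] || pem=$(conf_get "$1" "" cert)       # stunnel falls back to cert
    if [ ! -f "$pem" ]; then
        finding "private key file '$pem' does not exist"
    else
        mode=$(ls -ld "$pem" | cut -c5-10)              # group and other permission bits
        [ "$mode" = "------" ] || finding "private key $pem is open to group/other ($mode)"
    fi
    return "$findings"
}
```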