As everybody probably wants security that is as good as possible, I'll just give a short example of the most commonly recommended methods.
Looking at Apache's homepage, there are a few good hints on what to do.
1) BASIC SECURITY
First off you need to make your own config file, so that you can quickly disable / enable your own security settings if something suddenly fails.
Connect to the QNAP with SSH (use Putty.exe).
Issue the command:
# vi /etc/config/apache/apache.conf
Press 'I' (for insert)
Add the line
include /share/YOURPREFERREDSHARE/customized.conf
Press ESC to leave insert mode, then :w [ENTER] to write the file
Press :q [ENTER] to exit vi
If you use Qweb as your documentroot (the standard config), you must not place the customized.conf on that share, but on another share of your choice, where you can easily modify it with your preferred editor.
Secondly, create your customized.conf file on the share you just chose (leave putty open).
I would suggest using PSPad, as it's a very good freeware editor. Do NOT use Notepad, Word, WordPad or any other M$ editor, as M$ does not understand the difference between a 'Carriage Return' and a 'Line Feed'.
The customized.conf should look like this:
ServerName www.site1.com
DocumentRoot "/share/Qweb"
<Directory />
Order Deny,Allow
Deny from all
</Directory>
<Directory "/share/Qweb">
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from All
</Directory>
ServerSignature Off
ServerTokens Prod
UseCanonicalName Off
HostnameLookups Off
The ServerName directive should of course reflect whatever your site is called. This config first denies access to the entire server, then allows access to the Qweb dir only, and finally minimizes the information the Apache server gives out when users connect to it.
Now go back to your putty session and issue the commands:
#/etc/init.d/Qthttpd.sh stop
#/etc/init.d/Qthttpd.sh start
2) Disabling request methods for the Apache
As the later firmwares also include the 'rewrite' module, we can further enhance the security by eliminating some of the weird HTTP requests hackers will send at you (TRACE and TRACK). This method requires a newish firmware where the rewrite module is enabled, so get the latest firmware 3.x.
Add this line to your customized.conf:
TraceEnable Off
Then issue these commands (from your PC's CMD prompt, not putty):
C:> telnet YOURNASIP 80 (enter)
OPTIONS * HTTP/1.0 (enter)(enter)
Before Apache has been restarted, the response still lists TRACE:
HTTP/1.1 200 OK
Date: Wed, 11 Mar 2009 06:31:31 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Now restart Apache from putty:
#/etc/init.d/Qthttpd.sh stop
#/etc/init.d/Qthttpd.sh start
Then check again from your PC:
C:> telnet YOURNASIP 80 (enter)
OPTIONS * HTTP/1.0 (enter)(enter)
The response no longer lists TRACE:
HTTP/1.1 200 OK
Date: Wed, 11 Mar 2009 06:35:08 GMT
Server: Apache
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
These simple steps will give you a good, solid Apache setup.
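If you want to repeat the OPTIONS check above without a manual telnet session, here is a small checker I added (my own example, not code from the original post or from QNAP): it sends the same OPTIONS * request, parses the Allow and Server headers, and reports whether TRACE is still advertised or the Server header leaks a version. The host name YOURNASIP is the placeholder from the post, and the two embedded sample responses are the ones shown above.

```python
import socket

# Sample responses copied from the post (before and after TraceEnable Off
# took effect), embedded here so the parser can be exercised offline.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 11 Mar 2009 06:31:31 GMT\r\n"
    "Server: Apache\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n\r\n"
)
AFTER = BEFORE.replace("OPTIONS,TRACE", "OPTIONS").replace("06:31:31", "06:35:08")

def parse_headers(raw):
    """Return {lower-case header name: value} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return a list of findings; an empty list means the response looks hardened."""
    h = parse_headers(raw)
    findings = []
    methods = [m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()]
    if "TRACE" in methods:
        findings.append("TRACE still advertised in Allow header (TraceEnable Off not active?)")
    server = h.get("server", "")
    if "/" in server:   # e.g. 'Apache/2.2.x (Unix)' means ServerTokens is not Prod
        findings.append("Server header leaks version: %r" % server)
    return findings

def fetch_options(host, port=80, timeout=5):
    """Send 'OPTIONS * HTTP/1.0' exactly as the telnet session does and return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"OPTIONS * HTTP/1.0\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "YOURNASIP"   # placeholder from the post
    for line in audit(fetch_options(target)) or ["OK: no TRACE, minimal Server header"]:
        print(line)
```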
3) Limiting access to specific folders
Now if you want to limit access to specific folders, please do NOT use .htaccess. Use apache.conf directives instead.
.htaccess is only meant for users who cannot modify the Apache config themselves, i.e. if the webserver is hosted at a web hosting provider.
There are a few simple methods for limiting access, which can be made much more advanced; for that, look at the Apache documentation.
You can for example limit per IP, or by username:
<Directory "/share/Qweb/secretdir">
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from 192.168.0.0/24
</Directory>
This can be useful if you add e.g. your own LAN subnet and maybe the public IP from your work (you can have more than one Allow directive).
The second method will ask for a username and password:
<Directory "/share/Qweb/SECRETFOLDER">
AllowOverride All
Allow from All
AuthType Basic
AuthName HEADLINE
AuthUserFile /share/YOURSHARENAME/access
Require user USERNAME
</Directory>
The username and password are stored in a file called 'access', placed on a share of your choice (again, not directly on Qweb if your documentroot is placed there, which it is in a standard config).
The access file is created via SSH (putty) using the command htpasswd:
# /usr/local/apache/bin/htpasswd -c /share/YOURSHARENAME/access USERNAME
You will then be prompted for the password for the given user (if you omit the -c, you can add more usernames and passwords to the same file).
Again you enable this by going back to putty and issuing the commands:
#/etc/init.d/Qthttpd.sh stop
#/etc/init.d/Qthttpd.sh start
Look at httpd.apache.org under Documentation for more on how to set up group access or more advanced methods.