[HOWTO] How to use .htaccess?

[thorejoha]

Sorry.
I did not see at the first moment that you need a program for Mac.
WinSCP is only for windows i think.

[Moogle Stiltzkin]

How does .htaccess work ???

I use my QNAP 509 Pro to store my personal stuff as well as be my web server.


/share/Qweb/ (my website is located in here )

/share/Qweb/forum/

/share/my personal storage folder/ (contents such as videos )


So where exactly should i be using .htaccess ?

[Moogle Stiltzkin]

I found a very awesome guide ehre

http://www.askapache.com/htaccess/apache-htaccess.html

[jogul]

||====================================================================||
|| QNAP TS-509 Pro Turbo NAS - Apache WEB-server - .htaccess-SECURITY ||
||====================================================================||

In my out-of-the-box default configuration of a "QNAP TS-509 Pro Turbo NAS"
with updated GUI V3 (3.1.0 Build0627 20090628) I realized a security-flaw
respecting the installed Apache WEB-Server, which did not obeye any
".htaccess"-file. But it is very simple to get that extra security, like
the following step-by-step instruction shows. I think, that should be the
default configuration for shipping.

1) Access QNAP as <admin> via WinSCP or a similar Tool with root-access
Go to:
"/root/mnt/HDA_ROOT/.config/apache"

2) Make a backup of "apache.conf", just for the case

3) Edit "apache.conf"
Change the following if necessary (indicated by <<<<<<)
================================================= ======
<Directory "/share/Qweb">
Options FollowSymLinks MultiViews
AllowOverride All <<<<<<
Order allow,deny
Allow from all
</Directory>
================================================= ======
and
================================================= ======
AccessFileName .htaccess <<<<<<
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
================================================= ======

4) Now RESTART the WEB-Server via the
QNAP AdministrationWEB-Interface
under "Network Services|Web Server"

5) After that, any ".htacess"-file in the shared "Qweb"-folder
and its subdirectories will be obeyed and interpreted. You
cant test that by writing any random text into that file
and browse the WEB-page via HTTP. In case of interpretation
of the ".htacess"-file, your browser should display
something like
===========================================================================
Internal Server Error

The server encountered an internal error or misconfiguration and was unable
to complete your request.

Please contact the server administrator, admin@NAS and inform them of the
time the error occurred, and anything you might have done that may have
caused the error.

More information about this error may be available in the server error log.
---------------------------------------------------------------------------
Apache/2.2.6 (Unix) DAV/2 PHP/5.2.9 Server at xxxx.yyyy.zzzz Port 80
===========================================================================

6) Finished.
Enjoy the extra security.

[Tony2]

So on the TS-409, what would be the path to put in the .htaccess file?

[roblee]

Above doesnt seem to work for me. With new firmware all these config settings are already what they should be, yet I cant get any prompts, i.e. every file is visible, regardless of whether there is a .htaccess file in the folder.
Using TS-259 Pro. Is there a more up to date "HowTo"?

[mokahr]

Hi everyone,

I need help with .htaccess files. I want to use a .htaccess to lock the access to the welcome page (black screen with icons). I put a .htaccess with a .htpasswd and linked the .htpasswd to the .htaccess in the .htaccess file and I changed the apache.conf but it doesn't work.

I have 3 apache.conf files and I don't know which one to use:

- /etc/config/apache/apache.conf
./etc/default_config/apache.conf
./mnt/HDA_ROOT/.config/apache/apache.conf

Must I add a line for the directory html in the apache.conf file like this:

Code: Select all

< Directory "/home/httpd/cgi-bin/html/">
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>

?

Another problem, when I add a .php or .html or .htaccess/.htpasswd file in /home/httpd/html/ it is automatically erased after I reboot the NAS (I have a 809-TU-RP). Why ?

Thanks for your support !

[mokahr]

So my problem to sum up is to apply .htaccess to the welcome page (index of the NAS) and not the share directory Qweb (which I succeeded to lock with .htaccess).

[mokahr]

up ^^

[scaver]

I have a TS-439 Pro II+ (Version 3.4.1 build 0315T). I tried all the steps described here, but the .htaccess file still doesn't work.
Do I have a model where I should do something else? Hopefully someone can help me with this problem.

Here is my: /etc/config/apache/apache.conf

Code: Select all

#ServerType standalone
ServerRoot "/usr/local/apache"
#LockFile /usr/local/apache/logs/apache.lock
#PidFile /usr/local/apache/logs/apache.pid
#ScoreBoardFile /usr/local/apache/logs/apache.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 50
MaxRequestsPerChild 0
LoadModule php5_module modules/libphp5.so
Listen 80
User httpdusr
Group everyone
ServerAdmin admin@NAS
#ServerName NAS
TraceEnable off
ServerTokens Prod
DocumentRoot "/share/Web"
<Directory />
	Options FollowSymLinks
	AllowOverride All
	AuthName "Protected"
        AuthType Basic
        AuthUserFile /share/Web/.htpasswd
        Require valid-user
        Order deny,allow
	Allow from 192.168.
        Satisfy any
</Directory>
<Directory "/share/Web">
	Options FollowSymLinks MultiViews
	AllowOverride All
        AuthName "Protected"
        AuthType Basic
        AuthUserFile /share/Web/.htpasswd
        Require valid-user
       	Order deny,allow
	Allow from 192.168.
        Satisfy any
</Directory>

<IfModule dir_module>
		DirectoryIndex index.html index.htm index.php
</IfModule>

AccessFileName .htaccess
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

UseCanonicalName Off
HostnameLookups Off

<Directory "/usr/local/apache/cgi-bin">
    AllowOverride All
    Options None
    Order allow,deny
    Allow from all
</Directory>

DefaultType text/plain

ErrorLog logs/error_log
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
		LogFormat "%{Referer}i -> %U" referer
		LogFormat "%{User-agent}i" agent

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog logs/access_log common
    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog logs/access_log combined
</IfModule>

ServerSignature On

#
# Aliases: Add here as many aliases as you need (with no limit). The format is 
# Alias fakename realname
#
<IfModule alias_module>
		Alias /v3_menu/ "/home/httpd/v3_menu/"
		<Directory "/home/httpd/v3_menu">
				AllowOverride All
				Order allow,deny
				Allow from all
		</Directory>
</IfModule>

<IfModule autoindex_module>
		AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

		AddIconByType (TXT,/icons/text.gif) text/*
		AddIconByType (IMG,/icons/image2.gif) image/*
		AddIconByType (SND,/icons/sound2.gif) audio/*
		AddIconByType (VID,/icons/movie.gif) video/*

		AddIcon /icons/binary.gif .bin .exe
		AddIcon /icons/binhex.gif .hqx
		AddIcon /icons/tar.gif .tar
		AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
		AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
		AddIcon /icons/a.gif .ps .ai .eps
		AddIcon /icons/layout.gif .html .shtml .htm .pdf
		AddIcon /icons/text.gif .txt
		AddIcon /icons/c.gif .c
		AddIcon /icons/p.gif .pl .py
		AddIcon /icons/f.gif .for
		AddIcon /icons/dvi.gif .dvi
		AddIcon /icons/uuencoded.gif .uu
		AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
		AddIcon /icons/tex.gif .tex
		AddIcon /icons/bomb.gif core

		AddIcon /icons/back.gif ..
		AddIcon /icons/hand.right.gif README
		AddIcon /icons/folder.gif ^^DIRECTORY^^
		AddIcon /icons/blank.gif ^^BLANKICON^^
		DefaultIcon /icons/unknown.gif

		ReadmeName README.html
		HeaderName HEADER.html

		IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
</IfModule>

#
# Document types.
#
<IfModule mime_module>
		TypesConfig /etc/config/apache/mime.types
		AddLanguage da .dk
		AddLanguage nl .nl
		AddLanguage en .en
		AddLanguage et .ee
		AddLanguage fr .fr
		AddLanguage de .de
		AddLanguage el .el
		AddLanguage he .he
		AddCharset ISO-8859-8 .iso8859-8
		AddLanguage it .it
		AddLanguage ja .ja
		AddCharset ISO-2022-JP .jis
		AddLanguage kr .kr
		AddCharset ISO-2022-KR .iso-kr
		AddLanguage nn .nn
		AddLanguage no .no
		AddLanguage pl .po
		AddCharset ISO-8859-2 .iso-pl
		AddLanguage pt .pt
		AddLanguage pt-br .pt-br
		AddLanguage ltz .lu
		AddLanguage ca .ca
		AddLanguage es .es
		AddLanguage sv .sv
		AddLanguage cs .cz .cs
		AddLanguage ru .ru
		AddLanguage zh-TW .zh-tw
		AddCharset Big5				 .Big5		.big5
		AddCharset WINDOWS-1251 .cp-1251
		AddCharset CP866				.cp866
		AddCharset ISO-8859-5   .iso-ru
		AddCharset KOI8-R		   .koi8-r
		AddCharset UCS-2				.ucs2
		AddCharset UCS-4				.ucs4
		AddCharset UTF-8				.utf8
		<IfModule negotiation_module>
				LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
		</IfModule>
		AddType application/x-tar .tgz
		AddEncoding x-compress .Z
		AddEncoding x-gzip .gz .tgz
		AddType application/x-compress .Z
		AddType application/x-gzip .gz .tgz
		AddType application/x-httpd-php .php .php4 .php3 .phtml
		AddType application/x-httpd-php-source .phps
		AddHandler cgi-script .cgi
		AddType text/html .shtml
		AddHandler server-parsed .shtml
		AddHandler send-as-is asis
		AddHandler imap-file map
		AddHandler type-map var
</IfModule>

<IfModule mime_magic_module>
		MIMEMagicFile /etc/config/apache/magic
</IfModule>

<IfModule setenvif_module>
		BrowserMatch "Mozilla/2" nokeepalive
		BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
		BrowserMatch "RealPlayer 4\.0" force-response-1.0
		BrowserMatch "Java/1\.0" force-response-1.0
		BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>

<IfModule ssl_module>
	SSLRandomSeed startup builtin
	SSLRandomSeed connect builtin
</IfModule>

Include /etc/config/apache/extra/httpd-vhosts-user.conf

Include /etc/config/apache/extra/apache-msv2.conf
Include /etc/config/apache/extra/apache-ssl.conf
Include /etc/config/apache/extra/httpd-ssl-vhosts-user.conf

[internaut19]

I didn't had to change anything in the apache.conf ... I only added a file, named .htaccess in the directory that I wanted to be protected, containing the following:

Code: Select all

AuthName "Private Space: Admin Access Only"
AuthType Basic
AuthUserFile /mnt/HDA_ROOT/.config/shadow
AuthGroupFile /dev/null
<limit GET POST>
require user admin
</Limit>

Then only the NAS admin can login to that "space".

If you need to give access to more users, I used a combination between a .htaccess and another file where the user and passwords are stored:
.htaccess file content:

Code: Select all

AuthName "Private Web Space"
AuthType Basic
AuthUserFile /a/location/outside/the/WEB/folder/.htpasswd
AuthGroupFile /dev/null
<limit GET POST>
require valid-user
</Limit>

For the content of the .htpasswd file use this SITE to generate the passwords for the desired usernames. Basically the file will look like this:

Code: Select all

chris:A59WXrrfFw9u6
cristian:Z0wp7joKSQWV6

The above code will translate like this, username->chris:qnap<-password and same for the other username->cristian:computer<-password.

Hope this will help.

Cristian.

[scaver]

I didn't had to change anything in the apache.conf ... I only added a file, named .htaccess in the directory that I wanted to be protected, containing the following:

Code: Select all

AuthName "Private Space: Admin Access Only"
AuthType Basic
AuthUserFile /mnt/HDA_ROOT/.config/shadow
AuthGroupFile /dev/null
<limit GET POST>
require user admin
</Limit>

Then only the NAS admin can login to that "space".

If you need to give access to more users, I used a combination between a .htaccess and another file where the user and passwords are stored:
.htaccess file content:

Code: Select all

AuthName "Private Web Space"
AuthType Basic
AuthUserFile /a/location/outside/the/WEB/folder/.htpasswd
AuthGroupFile /dev/null
<limit GET POST>
require valid-user
</Limit>

For the content of the .htpasswd file use this SITE to generate the passwords for the desired usernames. Basically the file will look like this:

Code: Select all

chris:A59WXrrfFw9u6
cristian:Z0wp7joKSQWV6

The above code will translate like this, username->chris:qnap<-password and same for the other username->cristian:computer<-password.

Hope this will help.

Cristian.

I allready tried to put a .htaccess file in the directory I want to protect, but that still doesn't work.

I'll guess there is something in the apache.conf which disables the .htaccess to work. But I can't figure out what!

[internaut19]

Maybe this will help you make a comparison between my configuration (TS-219 - 3.4.0 fw) and yours. Mine looks a bit different when it comes to .htaccess

Code: Select all

#ServerType standalone
ServerRoot "/usr/local/apache"
#LockFile /usr/local/apache/logs/apache.lock
#PidFile /usr/local/apache/logs/apache.pid
#ScoreBoardFile /usr/local/apache/logs/apache.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 2
MaxSpareServers 5
StartServers 2
MaxClients 10
MaxRequestsPerChild 30
LoadModule php5_module modules/libphp5.so
Listen 80
User httpdusr
Group everyone
ServerAdmin admin@NAS
#ServerName NAS
ServerTokens Prod
TraceEnable off
ServerTokens Prod
TraceEnable off
ServerTokens Prod
TraceEnable off
ServerTokens Prod
TraceEnable off
ServerTokens Prod
TraceEnable off
DocumentRoot "/share/Qweb"
<Directory />
	Options FollowSymLinks
	AllowOverride None
	Order deny,allow
	Deny from all
</Directory>
<Directory "/share/Qweb">
	Options FollowSymLinks MultiViews
	AllowOverride All
	Order allow,deny
	Allow from all
</Directory>

<IfModule userdir_module>
</IfModule>
<IfModule dir_module>
		DirectoryIndex index.html index.htm index.php
</IfModule>

AccessFileName .htaccess
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

UseCanonicalName Off
HostnameLookups Off

<Directory "/usr/local/apache/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

DefaultType text/plain

.....

Cristian

[scaver]

Ah, it's drives me nuts....
I modified my apache.conf (/etc/config/apache.conf) so it basicly looks like yours.

Code: Select all

#ServerType standalone
ServerRoot "/usr/local/apache"
#LockFile /usr/local/apache/logs/apache.lock
#PidFile /usr/local/apache/logs/apache.pid
#ScoreBoardFile /usr/local/apache/logs/apache.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 50
MaxRequestsPerChild 0
LoadModule php5_module modules/libphp5.so
Listen 80
User httpdusr
Group everyone
ServerAdmin admin@NAS
#ServerName NAS
ServerTokens Prod
TraceEnable off
DocumentRoot "/share/Web"
<Directory />
   Options FollowSymLinks
   AllowOverride None
   Order deny,allow
   Deny from all
</Directory>
<Directory "/share/Web">
   Options FollowSymLinks MultiViews
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

<IfModule userdir_module>
</IfModule>
<IfModule dir_module>
      DirectoryIndex index.html index.htm index.php
</IfModule>

AccessFileName .htaccess
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

UseCanonicalName Off
HostnameLookups Off

<Directory "/usr/local/apache/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

DefaultType text/plain

ErrorLog logs/error_log
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
      LogFormat "%{Referer}i -> %U" referer
      LogFormat "%{User-agent}i" agent

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog logs/access_log common
    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog logs/access_log combined
</IfModule>

ServerSignature On

#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
<IfModule alias_module>
      Alias /v3_menu/ "/home/httpd/v3_menu/"
      <Directory "/home/httpd/v3_menu">
            AllowOverride All
            Order allow,deny
            Allow from all
      </Directory>
</IfModule>

<IfModule autoindex_module>
      AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

      AddIconByType (TXT,/icons/text.gif) text/*
      AddIconByType (IMG,/icons/image2.gif) image/*
      AddIconByType (SND,/icons/sound2.gif) audio/*
      AddIconByType (VID,/icons/movie.gif) video/*

      AddIcon /icons/binary.gif .bin .exe
      AddIcon /icons/binhex.gif .hqx
      AddIcon /icons/tar.gif .tar
      AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
      AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
      AddIcon /icons/a.gif .ps .ai .eps
      AddIcon /icons/layout.gif .html .shtml .htm .pdf
      AddIcon /icons/text.gif .txt
      AddIcon /icons/c.gif .c
      AddIcon /icons/p.gif .pl .py
      AddIcon /icons/f.gif .for
      AddIcon /icons/dvi.gif .dvi
      AddIcon /icons/uuencoded.gif .uu
      AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
      AddIcon /icons/tex.gif .tex
      AddIcon /icons/bomb.gif core

      AddIcon /icons/back.gif ..
      AddIcon /icons/hand.right.gif README
      AddIcon /icons/folder.gif ^^DIRECTORY^^
      AddIcon /icons/blank.gif ^^BLANKICON^^
      DefaultIcon /icons/unknown.gif

      ReadmeName README.html
      HeaderName HEADER.html

      IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
</IfModule>

#
# Document types.
#
<IfModule mime_module>
      TypesConfig /etc/config/apache/mime.types
      AddLanguage da .dk
      AddLanguage nl .nl
      AddLanguage en .en
      AddLanguage et .ee
      AddLanguage fr .fr
      AddLanguage de .de
      AddLanguage el .el
      AddLanguage he .he
      AddCharset ISO-8859-8 .iso8859-8
      AddLanguage it .it
      AddLanguage ja .ja
      AddCharset ISO-2022-JP .jis
      AddLanguage kr .kr
      AddCharset ISO-2022-KR .iso-kr
      AddLanguage nn .nn
      AddLanguage no .no
      AddLanguage pl .po
      AddCharset ISO-8859-2 .iso-pl
      AddLanguage pt .pt
      AddLanguage pt-br .pt-br
      AddLanguage ltz .lu
      AddLanguage ca .ca
      AddLanguage es .es
      AddLanguage sv .sv
      AddLanguage cs .cz .cs
      AddLanguage ru .ru
      AddLanguage zh-TW .zh-tw
      AddCharset Big5             .Big5      .big5
      AddCharset WINDOWS-1251 .cp-1251
      AddCharset CP866            .cp866
      AddCharset ISO-8859-5   .iso-ru
      AddCharset KOI8-R         .koi8-r
      AddCharset UCS-2            .ucs2
      AddCharset UCS-4            .ucs4
      AddCharset UTF-8            .utf8
      <IfModule negotiation_module>
            LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
      </IfModule>
      AddType application/x-tar .tgz
      AddEncoding x-compress .Z
      AddEncoding x-gzip .gz .tgz
      AddType application/x-compress .Z
      AddType application/x-gzip .gz .tgz
      AddType application/x-httpd-php .php .php4 .php3 .phtml
      AddType application/x-httpd-php-source .phps
      AddHandler cgi-script .cgi
      AddType text/html .shtml
      AddHandler server-parsed .shtml
      AddHandler send-as-is asis
      AddHandler imap-file map
      AddHandler type-map var
</IfModule>

<IfModule mime_magic_module>
      MIMEMagicFile /etc/config/apache/magic
</IfModule>

<IfModule setenvif_module>
      BrowserMatch "Mozilla/2" nokeepalive
      BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
      BrowserMatch "RealPlayer 4\.0" force-response-1.0
      BrowserMatch "Java/1\.0" force-response-1.0
      BrowserMatch "JDK/1\.0" force-response-1.0
</IfModule>

<IfModule ssl_module>
   SSLRandomSeed startup builtin
   SSLRandomSeed connect builtin
</IfModule>

Include /etc/config/apache/extra/httpd-vhosts-user.conf

Include /etc/config/apache/extra/apache-msv2.conf
Include /etc/config/apache/extra/apache-ssl.conf
Include /etc/config/apache/extra/httpd-ssl-vhosts-user.conf

The .htaccess and the .htpassword are also correct. Apperently there is something else different between yours and mine. But I'm out of options.

[Moogle Stiltzkin]

It seems that the webserver ignored .htaccess files

Yes, webserver will ignore .htaccess until you edit
/etc/config/apache/apache.conf

Edit settings in section
(Directory "/share/Qweb")
...
AllowOverride AuthConfig (original: AllowOverride None)
...
(/Directory)

When I look at my apache.conf, it contains

Code: Select all

DocumentRoot "/share/Qweb"
<Directory />
		Options FollowSymLinks
		AllowOverride None
</Directory>
<Directory "/share/Qweb">
		Options FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		Allow from all
</Directory>

Is it one of these "AllowOverride" which should be changed? Which one?

Would it be possible to use a GUI tool such as DirectoryPass instead to manage user access to web directories?

Is it true both should be changed ?