frame forwarding

Post your questions about myQNAPcloud service here.
hitman666
Starting out
Posts: 32
Joined: Wed Oct 21, 2015 1:49 am

frame forwarding

Post by hitman666 » Tue Jul 17, 2018 11:45 pm

Hi,

does QTS 4.3.4.0644 has got an equivalent to this somewhere?
dsmff.jpg

source
You do not have the required permissions to view the files attached to this post.

dolbyman
Guru
Posts: 11001
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: frame forwading

Post by dolbyman » Tue Jul 17, 2018 11:47 pm

do you want to prevent it or allow it ?

hitman666
Starting out
Posts: 32
Joined: Wed Oct 21, 2015 1:49 am

Re: frame forwarding

Post by hitman666 » Tue Jul 17, 2018 11:55 pm

I'd like to allow it but having configured everything properly in my opinion I'm getting this browser message (wording may varies depending on the used browser):

ffwd.jpg

By clicking on "Open this content in a new window" I'll be forwarded to my destination.
Using another browser will also lead in getting just a complete blank page without any error messages.
Any advice concerning my question mentioned above?
You do not have the required permissions to view the files attached to this post.

hitman666
Starting out
Posts: 32
Joined: Wed Oct 21, 2015 1:49 am

Re: frame forwarding

Post by hitman666 » Mon Jul 23, 2018 8:21 pm

Unfortunately this problem is still unsolved for me. No one in this forum with an appropriate hint?

Mousetick
Easy as a breeze
Posts: 352
Joined: Thu Aug 24, 2017 10:28 pm

Re: frame forwarding

Post by Mousetick » Mon Jul 23, 2018 8:50 pm

I think it would be easier if we just ignored the DSM feature and you tell us exactly what you want to achieve with your QNAP.

The option you refer to in DSM prevents the DSM web UI to be embedded into an iFrame for enhanced security. It relies on the X-Frame-Options HTTP header https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo

Whatever you did on QNAP to reproduce this behavior is working as expected. It's blocking the use of a frame to embed the UI. So I don't know what problem you're still having and needs solving.

Please spell out precisely what you want and don't make us guess. Thanks.

hitman666
Starting out
Posts: 32
Joined: Wed Oct 21, 2015 1:49 am

Re: frame forwarding

Post by hitman666 » Mon Jul 23, 2018 9:02 pm

Thanks for replying. I'd like to embed https://mynas.myqnapcloud.com in https://my.domain.com
So if I visit https://my.domain.com, I should be forwarded to https://mynas.myqnapcloud.com in the background but without a visible change of the url. That's what I'd call frame forwarding. Agreed on this so far? Or am I already wrong?
But obviously this seems to be impossible due to the error message mentioned above.

Mousetick wrote:It relies on the X-Frame-Options HTTP header https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#xfo

This is what I want to do:
ff.jpg

So how could I achieve the desired behaviour when visiting https://my.domain.com? What do I have to do?

Btw: Normal forwarding with a visible change of the url works without any problems.
You do not have the required permissions to view the files attached to this post.

dolbyman
Guru
Posts: 11001
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: frame forwarding

Post by dolbyman » Mon Jul 23, 2018 9:27 pm

so you actually want to expose your qts interface? or some sort of station (photo .. video..etc)

hitman666
Starting out
Posts: 32
Joined: Wed Oct 21, 2015 1:49 am

Re: frame forwarding

Post by hitman666 » Mon Jul 23, 2018 9:34 pm

Correct (and please no excursions on safety topics).

Mousetick
Easy as a breeze
Posts: 352
Joined: Thu Aug 24, 2017 10:28 pm

Re: frame forwarding

Post by Mousetick » Mon Jul 23, 2018 9:41 pm

Thanks for explaining, it's pretty clear now :)

Forgive me for not addressing your issue of "frame forwarding" directly, but I'd like to suggest another, simpler IMHO, approach.

Is 'my.domain.com' under your control, do you have control of the DNS settings for 'my.domain.com'? If you have, you can create a DNS alias (called a CNAME record) in the DNS settings of your domain name. The procedure to create such a record vary depending on DNS hosting providers, so I can't tell you exactly how to do it, but in a nutshell you need to create a DNS record like this:

Code: Select all

my.domain.com. CNAME mynas.myqnapcloud.com.

Then you wait a few hours for the change to propagate through the Internet DNS servers, and you can access your qnap cloud by visiting https://my.domain.com.

That's actually what I'm doing with my own domain name and my qnap cloud domain name, and it works perfectly. The benefit is that there are zero changes on the NAS, so less chance of breakage with firmware updates and whatnot, and it doesn't use frames or any other HTML hack.

Beware that if you use HTTPS the server certificate you install on your NAS must be valid for my.domain.com, not mynas.myqnapcloud.com (or you can have a certificate valid for both domains if your certificate provider allows it).

If DNS configuration is not an option for you then we'll need to consider other options.

Mousetick
Easy as a breeze
Posts: 352
Joined: Thu Aug 24, 2017 10:28 pm

Re: frame forwarding

Post by Mousetick » Mon Jul 23, 2018 9:49 pm

I need to add that the DNS setup above works fine for me because I only use QNAP cloud for DDNS. If you use the other features of QNAP cloud (besides DDNS and UPNP firewall port-forwarding) things may not work as well...

Mousetick
Easy as a breeze
Posts: 352
Joined: Thu Aug 24, 2017 10:28 pm

Re: frame forwarding

Post by Mousetick » Mon Jul 23, 2018 10:01 pm

If Toxic17 or another forum mod is reading this, could you please move this thread to 'my QNAPcloud service' - thanks.

hitman666
Starting out
Posts: 32
Joined: Wed Oct 21, 2015 1:49 am

Re: frame forwarding

Post by hitman666 » Mon Jul 23, 2018 10:27 pm

Mousetick wrote:Is 'my.domain.com' under your control, do you have control of the DNS settings for 'my.domain.com'?

Yes, domain and DNS settings is under my control.
Mousetick wrote:If you have, you can create a DNS alias (called a CNAME record) in the DNS settings of your domain name. The procedure to create such a record vary depending on DNS hosting providers, so I can't tell you exactly how to do it, but in a nutshell you need to create a DNS record like this:

Code: Select all

my.domain.com. CNAME mynas.myqnapcloud.com.

Already tried that out last week. It'll lead in getting the error message (or a complete blank page depending on the used browser) I've already mentioned above.
Mousetick wrote:Beware that if you use HTTPS the server certificate you install on your NAS must be valid for my.domain.com, not mynas.myqnapcloud.com (or you can have a certificate valid for both domains if your certificate provider allows it).

I know. Got it.
Mousetick wrote:If DNS configuration is not an option for you then we'll need to consider other options.

So what are the other options?
Mousetick wrote:I need to add that the DNS setup above works fine for me because I only use QNAP cloud for DDNS. If you use the other features of QNAP cloud (besides DDNS and UPNP firewall port-forwarding) things may not work as well...

I'm using only QNAP cloud for DDNS, too.
Last edited by hitman666 on Mon Jul 23, 2018 11:21 pm, edited 1 time in total.

dolbyman
Guru
Posts: 11001
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: frame forwarding

Post by dolbyman » Mon Jul 23, 2018 11:04 pm

try it via reverse proxy (reverse proxy acting as a "local lan computer" forwarding requests to an external target)

otherwise .. qnap is constantly trying to fix cross site scripting vulnerabilities, so if you find a way to do it, that might not work after the next update

Mousetick
Easy as a breeze
Posts: 352
Joined: Thu Aug 24, 2017 10:28 pm

Re: frame forwarding

Post by Mousetick » Mon Jul 23, 2018 11:29 pm

hitman666 wrote:
Mousetick wrote:Is 'my.domain.com' under your control, do you have control of the DNS settings for 'my.domain.com'?

Yes, it is.
Mousetick wrote:If you have, you can create a DNS alias (called a CNAME record) in the DNS settings of your domain name. The procedure to create such a record vary depending on DNS hosting providers, so I can't tell you exactly how to do it, but in a nutshell you need to create a DNS record like this:

Code: Select all

my.domain.com. CNAME mynas.myqnapcloud.com.

Already tried that out last week. It'll lead in getting the error message (or a complete blank page depending on the used browser) I've already mentioned above.

That doesn't make sense, and I don't believe you, as the QTS web UI doesn't care what hostname it is served at. You can use any hostname, as long as it resolves to the NAS IP address (or its NAT router IP address). Are you sure you used a DNS CNAME? Are you sure you didn't enable your DNS or hosting provider's "stealth forwarding" (aka "forwarding with masking") instead? Stealth forwarding is completely unrelated to DNS and does use frames instead: it would produce exactly the kind of results you got!

Another benefit of using DNS CNAME is that it can also work with other protocols, not just HTTP/S.

hitman666 wrote:
Mousetick wrote:If DNS configuration is not an option for you then we'll need to consider other options.

So what are the other options?

I was going to give you some pointers but on second thought I realized it would allow a hacker to weaken the security of the NAS. And you might be a hacker, I don't know. Sorry. Or you could set up a reverse HTTP proxy as dolbyman suggested above.

You should be able to make the DNS CNAME work. To verify you configured correctly:

Code: Select all

nslookup my.domain.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
my.domain.com        canonical name = mynas.myqnapcloud.com.
Name:   mynas.myqnapcloud.com
Address: my.ip.v4.address
Name:   mynas.myqnapcloud.com
Address: my:ip:v6:address

hitman666
Starting out
Posts: 32
Joined: Wed Oct 21, 2015 1:49 am

Re: frame forwarding

Post by hitman666 » Tue Jul 24, 2018 1:06 am

Mousetick wrote:Are you sure you didn't enable your DNS or hosting provider's "stealth forwarding" (aka "forwarding with masking") instead? Stealth forwarding is completely unrelated to DNS and does use frames instead: it would produce exactly the kind of results you got!

You're right, indeed. On the hosting provider's side it was enabled (called different by my provider). Disabling it did the trick.

Mousetick wrote:I was going to give you some pointers but on second thought I realized it would allow a hacker to weaken the security of the NAS. And you might be a hacker, I don't know. Sorry.

If I'd be a (good) hacker, I wouldn't ask questions like this. LOL
Thanks anyway for your support!

Post Reply

Return to “myQNAPcloud service”