[HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
-
- New here
- Posts: 6
- Joined: Sun Apr 22, 2012 4:01 pm
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
Thanks for this really nice how to !!
I have one question remaining though... Let’s assume I want to configure this reverse proxy on a NAS that would be on a different subnet behind my router/firewall I. Order to access my applications on a different NAS.
How should the config file look like ?
Thanks
I have one question remaining though... Let’s assume I want to configure this reverse proxy on a NAS that would be on a different subnet behind my router/firewall I. Order to access my applications on a different NAS.
How should the config file look like ?
Thanks
- oyvindo
- Experience counts
- Posts: 1399
- Joined: Tue May 19, 2009 2:08 am
- Location: Norway, Oslo
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
As long as the Proxy server can reach you NAS, it does not require any special configuration.SimonEvieux wrote: ↑Fri Apr 17, 2020 1:48 am Let’s assume I want to configure this reverse proxy on a NAS that would be on a different subnet behind my router/firewall in order to access my applications on a different NAS.
How should the config file look like ?
However, setting up a subnet structure on a LAN require some advanced routing tables to be built. Most SOHO edge routers (firewalls) do not support such type of routing to be made.
So for that case, you's have to buy an advanced router (i.e. Cisco) and insert it between your internet router and your LAN.
Long story short; If your Proxy can find your NAS, it doesn't matter which subnet it is in.
-
- New here
- Posts: 6
- Joined: Sun Apr 22, 2012 4:01 pm
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
Thanks for your answer
Even though I actually have a Cisco router in between my internet router and my LAN, I think I'll go for the simple implementation (RProxy on a NAS in my main LAN).
I also thought about mounting this RProxy on a Raspberry Pi in a DMZ, but as the NAS I want to access would be in my main LAN anyway, I wonder if it makes sense (as I would have to open the communications between this RProxy and the NAS in my main network...)
Even though I actually have a Cisco router in between my internet router and my LAN, I think I'll go for the simple implementation (RProxy on a NAS in my main LAN).
I also thought about mounting this RProxy on a Raspberry Pi in a DMZ, but as the NAS I want to access would be in my main LAN anyway, I wonder if it makes sense (as I would have to open the communications between this RProxy and the NAS in my main network...)
- oyvindo
- Experience counts
- Posts: 1399
- Joined: Tue May 19, 2009 2:08 am
- Location: Norway, Oslo
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
Placing the RProxy in a DMZ further enhances security and is highly recommended - if you know how to do it.
-
- New here
- Posts: 6
- Joined: Sun Apr 22, 2012 4:01 pm
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
The thing is as I will have to open the communication to the NAS in the main LAN, I don't really see how it enhance the security... If I was to place the whole NAS in the DMZ, I would understand, but this is not what I want to do.
Or I completely misunderstand something in how I should place this RProxy in the DMZ...
Or I completely misunderstand something in how I should place this RProxy in the DMZ...
- oyvindo
- Experience counts
- Posts: 1399
- Joined: Tue May 19, 2009 2:08 am
- Location: Norway, Oslo
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
Just Google "reverse proxy in dmz" and you will find hundreds of articles and forum posts on the issue.
-
- New here
- Posts: 6
- Joined: Sun Apr 22, 2012 4:01 pm
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
Where you able to fix this ?simonwilkins wrote: ↑Wed Feb 19, 2020 5:17 amEven if I attempt to reverseproxy transmission via my local IP address, it still doesn't display transmission properly as seen on the image belowoyvindo wrote: ↑Thu Feb 13, 2020 3:54 am I'm not familiar with OwnCloud.
One of the main purposes of implementing access through a Reverse Proxy, is to achieve a secure connection (SSL) through a single access point for any number of web based applications, especially for web apps which does not have naitive support for SSL.
My understanding of OwnCloud is that it's main purpose is to provide a cloud ecosystem for external users (?) As such, I would be very surprised if OwnCloud doesn't offer extensive mechanisms in place to secure safe, encrypted access methods (?) You can of course choose to route incoming connection requests through your own reverse Proxy with SSL support, but you must have a domain registered (Dyn-DNS). MyQNAPCloud relies on QNAP certificates. These are default included with every QNAP NAS for free, using self signed CERT. You can buy valid certificates from QNAP, and you can replace them with your own CERTs. But my advise in not to use myQNAPCloud as you Dyn_DNS. Instead, st up your own domain name and follow the security advises recommended in the OwnCloud documentation.
Thanks in advance.
I have the same sort of problem... I am trying to reverse proxy to my QNAP FileStation very basic so far...
It is done through an Nginx
I listen on port 80 from server mydomain.duckdns.org
And for location /, I proxy_pass to http://xxx.xxx.xxx.xxx:8080/filestation
I reach it, but it is displayed exactly as your transmission here above...
If I directly go to http://xxx.xxx.xxx.xxx:8080/filestation, I reach the normal login page of the file station.
- oyvindo
- Experience counts
- Posts: 1399
- Joined: Tue May 19, 2009 2:08 am
- Location: Norway, Oslo
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
It is impossible to reach any of the native QNAP apps through a reverse proxy, such as File Station, Browser Station etc. These are Ajax apps and not native HTML apps and they are accessed through port 8080 which is reserved for httpd (the internal Apache Web server handling the QTS frontend).
-
- New here
- Posts: 6
- Joined: Sun Apr 22, 2012 4:01 pm
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
Thank you for that answer !! Then I don't need to search any more.
Is it still true if my reverse proxy is not using the embedded Apache (but an Nginx somewhere else than on the NAS) ?
Is it still true if my reverse proxy is not using the embedded Apache (but an Nginx somewhere else than on the NAS) ?
- oyvindo
- Experience counts
- Posts: 1399
- Joined: Tue May 19, 2009 2:08 am
- Location: Norway, Oslo
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
Yes, that is irrelevant.
-
- New here
- Posts: 6
- Joined: Sun Apr 22, 2012 4:01 pm
-
- New here
- Posts: 5
- Joined: Mon Jan 01, 2018 2:25 am
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
I think I am close to success with the first part of your (great) guide (RP without certificates). But I could use some help getting to 100%. Not worried about certificates just yet.
Goal: get a Wordpress site on Docker in QNAP Container Station to be accessed by world.
1. Domain name is pointing to my home/router IP address - confirmed
2. Router is port forwarding 80, 443 and 8081 to NAS - confirmed
3. Container Stations is up and I have a compose file that launches Wordpress, MariaDB and PHPMyAdmin - confirmed
4. Installed Wordpress at http://192.168.1.11:8088/wp-admin/install.php (port 8088 defined in compose file) - confirmed
5. Added "Include /share/CACHEDEV1_DATA/Web/custom_qnap_apache.conf" line to apache.conf
6. Edited custom_qnap_apache.conf per:
7. Restarted Apache via /usr/local/apache/bin/apachectl restart
8. In Wordpress, in settings, changed my Site URL to www.mydomain.com, save...
Result = This site can't be reached at http://www.mydomain.com
Anything obvious?
Goal: get a Wordpress site on Docker in QNAP Container Station to be accessed by world.
1. Domain name is pointing to my home/router IP address - confirmed
2. Router is port forwarding 80, 443 and 8081 to NAS - confirmed
3. Container Stations is up and I have a compose file that launches Wordpress, MariaDB and PHPMyAdmin - confirmed
Code: Select all
wordpress:
depends_on:
- db
image: wordpress:5.6
ports:
- "8088:80"
restart: always
environment:
WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: password
WORDPRESS_DB_NAME: wordpress
5. Added "Include /share/CACHEDEV1_DATA/Web/custom_qnap_apache.conf" line to apache.conf
6. Edited custom_qnap_apache.conf per:
Code: Select all
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost *:443 *8081>
ServerName www.mydomain.com
ProxyPass / http://192.168.1.11:8088/
ProxyPassReverse / http://192.168.1.11:8088/
SSLEngine on
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
<VirtualHost *:80>
ServerName www.mydomain.com
Redirect / https://www.mydomain.com/
</VirtualHost>
Code: Select all
[Mon Dec 14 21:59:19.780194 2020] [so:warn] [pid 7812:tid 140570075662208] AH01574: module proxy_module is already loaded, skipping
Result = This site can't be reached at http://www.mydomain.com
Anything obvious?
- oyvindo
- Experience counts
- Posts: 1399
- Joined: Tue May 19, 2009 2:08 am
- Location: Norway, Oslo
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
Why did you forward 8081 ?
You only ned to forward 80 and 443
Can you successfully run Wordpress using only : http://192.168.1.11:8088 from within you LAN (exactly as typed) ?
Also, your indentations don't look quite right, but I'm not sure if that's important. I would write it like this (and in that order):
You only ned to forward 80 and 443
Can you successfully run Wordpress using only : http://192.168.1.11:8088 from within you LAN (exactly as typed) ?
Also, your indentations don't look quite right, but I'm not sure if that's important. I would write it like this (and in that order):
Code: Select all
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost *:443 *8081>
ServerName www.mydomain.com
SSLEngine on
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ProxyPass / http://192.168.1.11:8088/
ProxyPassReverse / http://192.168.1.11:8088/
</VirtualHost>
<VirtualHost *:80>
ServerName www.mydomain.com
Redirect / https://www.mydomain.com/
</VirtualHost>
-
- New here
- Posts: 5
- Joined: Mon Jan 01, 2018 2:25 am
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
> Why did you forward 8081 ?
I added *:8081 because you did in your step 5 one page 1 of this post. (I note I have a typo on the *:8081 above, but that is fixed now. And in any case I removed *:8081.)
> Can you successfully run Wordpress using only : http://192.168.1.11:8088 from within you LAN (exactly as typed) ?
Yes! That was my Step 4 above. I can and did have a functioning Wordpress site, but I could not access it by the domain name. Just via the IP:8081.
Tonight's testing:
9. Edited my 'custom_qnap_apache.conf' with the clean-ups you suggest. I took out *:8081 to see if that makes a difference.
10. /share/CACHEDEV1_DATA/Web] # /usr/local/apache/bin/apachectl restart
Here's the result:
11. in QNAP Container Station, stopped and deleted containers - success
12. Ran my docker compose again - success
13. Installed Wordpress - success
14. Created a new Wordpress post - success http://192.168.1.11:8081/2020/12/16/welcome/
15. Tried accessing from outside... Opera browser with built-in VPN.... Pointing to www.example.ca - NO, NOT WORKING, "www.example.ca’s server IP address could not be found."
16. When I use https://ipinfo.info/html/ip_checker.php I double checked that www.example.ca ...yes, is indeed pointing to my home/router IP
17. When I check my router, Port Forwarding ...yes, is set up to pipe port 80 to NAS port 80.
Any suggestions for what I could try?
18. Ah-ha, something changed! www.example.ca now being piped to my QTS login! That's not what I want!
I added *:8081 because you did in your step 5 one page 1 of this post. (I note I have a typo on the *:8081 above, but that is fixed now. And in any case I removed *:8081.)
> Can you successfully run Wordpress using only : http://192.168.1.11:8088 from within you LAN (exactly as typed) ?
Yes! That was my Step 4 above. I can and did have a functioning Wordpress site, but I could not access it by the domain name. Just via the IP:8081.
Tonight's testing:
9. Edited my 'custom_qnap_apache.conf' with the clean-ups you suggest. I took out *:8081 to see if that makes a difference.
10. /share/CACHEDEV1_DATA/Web] # /usr/local/apache/bin/apachectl restart
Here's the result:
Code: Select all
[Tue Dec 15 19:26:38.136395 2020] [so:warn] [pid 30787:tid 140376248686464] AH01574: module proxy_module is already loaded, skipping
AH00558: apache: Could not reliably determine the server's fully qualified domain name, using 172.29.4.1. Set the 'ServerName' directive globally to suppress this message
httpd not running, trying to start
12. Ran my docker compose again - success
13. Installed Wordpress - success
14. Created a new Wordpress post - success http://192.168.1.11:8081/2020/12/16/welcome/
15. Tried accessing from outside... Opera browser with built-in VPN.... Pointing to www.example.ca - NO, NOT WORKING, "www.example.ca’s server IP address could not be found."
16. When I use https://ipinfo.info/html/ip_checker.php I double checked that www.example.ca ...yes, is indeed pointing to my home/router IP
17. When I check my router, Port Forwarding ...yes, is set up to pipe port 80 to NAS port 80.
Any suggestions for what I could try?
18. Ah-ha, something changed! www.example.ca now being piped to my QTS login! That's not what I want!
-
- New here
- Posts: 5
- Joined: Mon Jan 01, 2018 2:25 am
Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support
Ah, this is interesting.
19. I put http:my-router-IP:8081 into Chrome (no VPN) and it shows my Wordpress site.
20. I put http:my-router-IP:8081 into Opera (with VPN) and it shows my Wordpress site, too.
21. I went into Wordpress settings and changed 'Wordpress Address (URL)' to my domain name http://www.example.ca and the same for 'Site Address (URL)'
Ok, that killed it.
22. Interestingly, I checked again and it is https://www.example.ca is still going to my QTS login.
But http://example.ca results in "This site can’t be reached www.example.ca took too long to respond."
23. Let's try my domain name but with the port... http://www.example.ca:8081 ... nope that did not work. Hrumph
I did look at my router again, and I did have a port forwarding rule in place which should not have been there: router:8081 to NAS:8081. Perhaps that explains #19 and #20 above.
19. I put http:my-router-IP:8081 into Chrome (no VPN) and it shows my Wordpress site.
20. I put http:my-router-IP:8081 into Opera (with VPN) and it shows my Wordpress site, too.
21. I went into Wordpress settings and changed 'Wordpress Address (URL)' to my domain name http://www.example.ca and the same for 'Site Address (URL)'
Ok, that killed it.
22. Interestingly, I checked again and it is https://www.example.ca is still going to my QTS login.
But http://example.ca results in "This site can’t be reached www.example.ca took too long to respond."
23. Let's try my domain name but with the port... http://www.example.ca:8081 ... nope that did not work. Hrumph
I did look at my router again, and I did have a port forwarding rule in place which should not have been there: router:8081 to NAS:8081. Perhaps that explains #19 and #20 above.