[HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

SimonEvieux
New here
Posts: 6
Joined: Sun Apr 22, 2012 4:01 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by SimonEvieux »

Thanks for this really nice how-to!!

I have one question remaining though... Let’s assume I want to configure this reverse proxy on a NAS that would be on a different subnet behind my router/firewall in order to access my applications on a different NAS.

What should the config file look like?

Thanks
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

> SimonEvieux wrote: Fri Apr 17, 2020 1:48 am
> Let’s assume I want to configure this reverse proxy on a NAS that would be on a different subnet behind my router/firewall in order to access my applications on a different NAS.
> How should the config file look like ?

As long as the Proxy server can reach your NAS, it does not require any special configuration.
However, setting up a subnet structure on a LAN requires some advanced routing tables to be built. Most SOHO edge routers (firewalls) do not support such type of routing to be made.
So for that case, you'd have to buy an advanced router (i.e. Cisco) and insert it between your internet router and your LAN.
Long story short: if your Proxy can find your NAS, it doesn't matter which subnet it is in.
SimonEvieux
New here
Posts: 6
Joined: Sun Apr 22, 2012 4:01 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by SimonEvieux »

Thanks for your answer

Even though I actually have a Cisco router in between my internet router and my LAN, I think I'll go for the simple implementation (RProxy on a NAS in my main LAN).

I also thought about mounting this RProxy on a Raspberry Pi in a DMZ, but as the NAS I want to access would be in my main LAN anyway, I wonder if it makes sense (as I would have to open the communications between this RProxy and the NAS in my main network...)
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

Placing the RProxy in a DMZ further enhances security and is highly recommended - if you know how to do it.
SimonEvieux
New here
Posts: 6
Joined: Sun Apr 22, 2012 4:01 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by SimonEvieux »

The thing is, as I will have to open the communication to the NAS in the main LAN, I don't really see how it enhances the security... If I was to place the whole NAS in the DMZ, I would understand, but this is not what I want to do.

Or I completely misunderstand something in how I should place this RProxy in the DMZ...
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

Just Google "reverse proxy in dmz" and you will find hundreds of articles and forum posts on the issue.
SimonEvieux
New here
Posts: 6
Joined: Sun Apr 22, 2012 4:01 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by SimonEvieux »

> simonwilkins wrote: Wed Feb 19, 2020 5:17 am
>> oyvindo wrote: Thu Feb 13, 2020 3:54 am
>> I'm not familiar with OwnCloud.
>> One of the main purposes of implementing access through a Reverse Proxy is to achieve a secure connection (SSL) through a single access point for any number of web based applications, especially for web apps which do not have native support for SSL.
>> My understanding of OwnCloud is that its main purpose is to provide a cloud ecosystem for external users (?) As such, I would be very surprised if OwnCloud doesn't offer extensive mechanisms in place to secure safe, encrypted access methods (?) You can of course choose to route incoming connection requests through your own reverse Proxy with SSL support, but you must have a domain registered (Dyn-DNS). MyQNAPCloud relies on QNAP certificates. These are included by default with every QNAP NAS for free, using a self-signed CERT. You can buy valid certificates from QNAP, and you can replace them with your own CERTs. But my advice is not to use myQNAPCloud as your Dyn_DNS. Instead, set up your own domain name and follow the security advice recommended in the OwnCloud documentation.
>
> Even if I attempt to reverse proxy transmission via my local IP address, it still doesn't display transmission properly as seen on the image below
>
> Thanks in advance.
>
> [Image]

Were you able to fix this?

I have the same sort of problem... I am trying to reverse proxy to my QNAP FileStation very basic so far...
It is done through an Nginx
I listen on port 80 from server mydomain.duckdns.org
And for location /, I proxy_pass to http://xxx.xxx.xxx.xxx:8080/filestation

I reach it, but it is displayed exactly as your transmission here above...

If I directly go to http://xxx.xxx.xxx.xxx:8080/filestation, I reach the normal login page of the file station.
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

It is impossible to reach any of the native QNAP apps through a reverse proxy, such as File Station, Browser Station etc. These are Ajax apps and not native HTML apps and they are accessed through port 8080 which is reserved for httpd (the internal Apache Web server handling the QTS frontend).
SimonEvieux
New here
Posts: 6
Joined: Sun Apr 22, 2012 4:01 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by SimonEvieux »

Thank you for that answer !! Then I don't need to search any more.
Is it still true if my reverse proxy is not using the embedded Apache (but an Nginx somewhere else than on the NAS) ?
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

Yes, that is irrelevant.
SimonEvieux
New here
Posts: 6
Joined: Sun Apr 22, 2012 4:01 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by SimonEvieux »

OK, thanks
charliebgood
New here
Posts: 5
Joined: Mon Jan 01, 2018 2:25 am

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by charliebgood »

I think I am close to success with the first part of your (great) guide (RP without certificates). But I could use some help getting to 100%. Not worried about certificates just yet.

Goal: get a Wordpress site on Docker in QNAP Container Station to be accessed by world.

1. Domain name is pointing to my home/router IP address - confirmed
2. Router is port forwarding 80, 443 and 8081 to NAS - confirmed
3. Container Station is up and I have a compose file that launches Wordpress, MariaDB and PHPMyAdmin - confirmed

Code:

wordpress:
     depends_on:
       - db
     image: wordpress:5.6
     ports:
       - "8088:80"
     restart: always
     environment:
       WORDPRESS_DB_HOST: db:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD: password
       WORDPRESS_DB_NAME: wordpress
4. Installed Wordpress at http://192.168.1.11:8088/wp-admin/install.php (port 8088 defined in compose file) - confirmed
5. Added "Include /share/CACHEDEV1_DATA/Web/custom_qnap_apache.conf" line to apache.conf
6. Edited custom_qnap_apache.conf per:

Code:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost *:443 *8081>
       ServerName www.mydomain.com
        ProxyPass / http://192.168.1.11:8088/
        ProxyPassReverse / http://192.168.1.11:8088/
           SSLEngine on
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
<VirtualHost *:80>
        ServerName www.mydomain.com
        Redirect / https://www.mydomain.com/
</VirtualHost>
7. Restarted Apache via /usr/local/apache/bin/apachectl restart

Code:

[Mon Dec 14 21:59:19.780194 2020] [so:warn] [pid 7812:tid 140570075662208] AH01574: module proxy_module is already loaded, skipping
8. In Wordpress, in settings, changed my Site URL to www.mydomain.com, save...

Result = This site can't be reached at http://www.mydomain.com

Anything obvious?
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

Why did you forward 8081?
You only need to forward 80 and 443.
Can you successfully run Wordpress using only: http://192.168.1.11:8088 from within your LAN (exactly as typed)?

Also, your indentations don't look quite right, but I'm not sure if that's important. I would write it like this (and in that order):

Code:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost *:443 *:8081>
    ServerName www.mydomain.com
    SSLEngine on
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    ProxyPass / http://192.168.1.11:8088/
    ProxyPassReverse / http://192.168.1.11:8088/
</VirtualHost>

<VirtualHost *:80>
    ServerName www.mydomain.com
    Redirect / https://www.mydomain.com/
</VirtualHost>
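A small lint pass over the VirtualHost section as it was posted in the question above, added here as an example (it is not part of the original thread and not QNAP or Apache tooling). It flags a listen address with no `:port` separator, a vhost that turns `SSLEngine on` without naming a certificate in the same block (one may still be inherited from the main server config, which this check cannot see), and a `ProxyPass` served without TLS. The function names and finding labels are made up for this example.

```python
import re

# Constructed sample: the vhost section from the question, typo included.
SAMPLE_CONF = """\
<VirtualHost *:443 *8081>
    ServerName www.mydomain.com
    ProxyPass / http://192.168.1.11:8088/
    ProxyPassReverse / http://192.168.1.11:8088/
    SSLEngine on
</VirtualHost>
<VirtualHost *:80>
    ServerName www.mydomain.com
    Redirect / https://www.mydomain.com/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.S | re.I)
# addr[:port] where addr is *, a bracketed IPv6 literal, or a host name / IPv4
ADDR_RE = re.compile(r"^(\*|\[[0-9A-Fa-f:.]+\]|[\w.-]+)(:(\d+|\*))?$")

def directives(body):
    """Map lower-cased directive name -> list of argument strings."""
    found = {}
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def lint(conf):
    """Return (ServerName, finding, detail) tuples for each VirtualHost block."""
    findings = []
    for addrs, body in VHOST_RE.findall(conf):
        d = directives(body)
        name = d.get("servername", ["?"])[0]
        for token in addrs.split():
            if not ADDR_RE.match(token):
                findings.append((name, "bad-address", token))
        ssl_on = any(arg.lower() == "on" for arg in d.get("sslengine", []))
        if ssl_on and "sslcertificatefile" not in d:
            findings.append((name, "ssl-no-cert", addrs.strip()))
        if "proxypass" in d and not ssl_on:
            findings.append((name, "proxy-over-http", addrs.strip()))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```
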
charliebgood
New here
Posts: 5
Joined: Mon Jan 01, 2018 2:25 am

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by charliebgood »

> Why did you forward 8081 ?
I added *:8081 because you did in your step 5 on page 1 of this post. (I note I have a typo on the *:8081 above, but that is fixed now. And in any case I removed *:8081.)

> Can you successfully run Wordpress using only: http://192.168.1.11:8088 from within your LAN (exactly as typed)?
Yes! That was my Step 4 above. I can and did have a functioning Wordpress site, but I could not access it by the domain name. Just via the IP:8081.

Tonight's testing:
9. Edited my 'custom_qnap_apache.conf' with the clean-ups you suggest. I took out *:8081 to see if that makes a difference.
10. /share/CACHEDEV1_DATA/Web] # /usr/local/apache/bin/apachectl restart
Here's the result:

Code:

[Tue Dec 15 19:26:38.136395 2020] [so:warn] [pid 30787:tid 140376248686464] AH01574: module proxy_module is already loaded, skipping
AH00558: apache: Could not reliably determine the server's fully qualified domain name, using 172.29.4.1. Set the 'ServerName' directive globally to suppress this message
httpd not running, trying to start
11. in QNAP Container Station, stopped and deleted containers - success
12. Ran my docker compose again - success
13. Installed Wordpress - success
14. Created a new Wordpress post - success http://192.168.1.11:8081/2020/12/16/welcome/

15. Tried accessing from outside... Opera browser with built-in VPN.... Pointing to www.example.ca - NO, NOT WORKING, "www.example.ca’s server IP address could not be found."
16. When I use https://ipinfo.info/html/ip_checker.php I double checked that www.example.ca ...yes, is indeed pointing to my home/router IP
17. When I check my router, Port Forwarding ...yes, is set up to pipe port 80 to NAS port 80.
Any suggestions for what I could try?

18. Ah-ha, something changed! www.example.ca now being piped to my QTS login! That's not what I want!
charliebgood
New here
Posts: 5
Joined: Mon Jan 01, 2018 2:25 am

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by charliebgood »

Ah, this is interesting.
19. I put http:my-router-IP:8081 into Chrome (no VPN) and it shows my Wordpress site.
20. I put http:my-router-IP:8081 into Opera (with VPN) and it shows my Wordpress site, too.
21. I went into Wordpress settings and changed 'Wordpress Address (URL)' to my domain name http://www.example.ca and the same for 'Site Address (URL)'

Ok, that killed it.

22. Interestingly, I checked again and https://www.example.ca is still going to my QTS login.
But http://example.ca results in "This site can’t be reached www.example.ca took too long to respond."

23. Let's try my domain name but with the port... http://www.example.ca:8081 ... nope that did not work. Hrumph :-(

I did look at my router again, and I did have a port forwarding rule in place which should not have been there: router:8081 to NAS:8081. Perhaps that explains #19 and #20 above.