[HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

stefaanbolle
Getting the hang of things
Posts: 65
Joined: Thu May 03, 2018 7:56 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by stefaanbolle »

Maybe my config can help others. This is how I actually have done it and all works well:

Code:

LoadModule  proxy_module         modules/mod_proxy.so
LoadModule  proxy_http_module    modules/mod_proxy_http.so
LoadModule  proxy_ftp_module     modules/mod_proxy_ftp.so
LoadModule  proxy_connect_module modules/mod_proxy_connect.so

<VirtualHost *:443 *:8081>
    ServerName my.domain.com

    ProxyRequests Off
    ProxyVia Off
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Password Required"
        AuthUserFile /some/path/.htpasswd
        Require valid-user
    </Proxy>

    ProxyPass / http://my.domain.com:PORT/
    ProxyPassReverse / http://my.domain.com:PORT/

    SSLEngine On
    SSLProxyEngine On
    SSLCertificateKeyFile /some/path/key.key
    SSLCertificateFile /some/path/cert.crt

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "8081"
</VirtualHost>

<VirtualHost *:80>
    ServerName my.domain.com
    Redirect / https://my.domain.com/
</VirtualHost>
GTunney
Been there, done that
Posts: 737
Joined: Tue Oct 14, 2014 4:16 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by GTunney »

How could I use this in conjunction with something like couchpotato.

For example I'd like to access couchpotato via https://home.mydomain.com/couchpotato

Couch is currently running on port 5000. I have my own domain and also have my own SSL cert.
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

GTunney wrote:How could I use this in conjunction with something like couchpotato.
For example I'd like to access couchpotato via https://home.mydomain.com/couchpotato
Couch is currently running on port 5000. I have my own domain and also have my own SSL cert.
You can use this technique with any server software that has a web interface. Just follow the cookbook. If you run into problems, post a thorough and detailed description here, and people will assist you.
carl1234
New here
Posts: 2
Joined: Fri Nov 18, 2016 11:07 am

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by carl1234 »

This is a great write up! Only one thing keeping me from implementing.
How can we make the changes to apache.conf, ie "/share/Web/custom.conf", survive a NAS reboot?
I don't want to have to go in and add this manually every time I reboot.
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

I have found that the change I made to apache.conf making it point to custom.conf, actually does survive a NAS reboot.
I'm not sure when this behavior changed. Perhaps in a recent QTS update, or perhaps my assumptions were wrong all along.
Just try this, and see for yourself what happens. Don't assume trouble before it actually hits you. :-)
phillipmcmahon
New here
Posts: 2
Joined: Sun Nov 18, 2018 4:28 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by phillipmcmahon »

Thanks for the great guide. Sadly for me, it's not working and I was hoping I'd get some help.

I basically want to achieve all access to my QNAP and running apps through app.domainname.com where app changes depending on the functionality I'm trying to access.

I've set a cert with all the SANs in there so that's good.

I found I had to open both 80 and 443 on my firewall and forward that to my internal QNAP. Is that expected as it isn't explicitly covered in the guide to open 443?

Starting simply I want to test access to the default admin pages and Plex running on port 32400 internally.

My conf is as follows;

Code:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
ServerName homestorage.phillipmcmahon.com
Redirect / https://homestorage.phillipmcmahon.com
</VirtualHost>

<VirtualHost *:443 *:8081>
ServerName homestorage.phillipmcmahon.com
ProxyPass / http://192.168.1.28:8080/
ProxyPassReverse / http://192.168.1.28:8080/
SSLEngine on
SSLCertificateKeyFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/key
SSLCertificateFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert
</VirtualHost>

<VirtualHost *:80>
ServerName plex.phillipmcmahon.com
Redirect / https://plex.phillipmcmahon.com
</VirtualHost>

<VirtualHost *:443 *:32400>
ServerName plex.phillipmcmahon.com
ProxyPass / http://192.168.1.28:32400/
ProxyPassReverse / http://192.168.1.28:32400/
SSLEngine on
SSLCertificateKeyFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/key
SSLCertificateFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert
</VirtualHost>
My web server settings on the QNAP are as follows
HTTP : 80
HTTPS : 8081
SSL enabled, forced SSL not enabled

My QNAP web admin pages are set up as follows
HTTP : 8080
HTTPS: 443
SSL enabled, forced SSL not enabled

I figured a correct RP setup would mean I don't need to force SSL.

However, accessing the plex.phillipmcmahon.com URL just kicks me to the QNAP admin pages. Any help on getting this sorted would be greatly appreciated.

Thanks in advance,

Phill
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

phillipmcmahon wrote: Sun Nov 25, 2018 4:20 pm I found I had to open both 80 and 443 on my firewall and forward that to my internal QNAP. Is that expected as it isn't explicitly covered in the guide to open 443?
You are right, I forgot to mention that also port 433 has to be forwarded. Thanks for pointing that out. I have edited the guide accordingly now.

As to your problem, it seems you want to access your NAS main Web i/f directly through port 80 from the internet (?) and at the same time access any/all other apps also through port 80 (with or without redirection to 443) ?
If that is correctly understood by me, then I must ask: Why do you want to expose your main NAS i/f to the internet? That's not a good strategy. You should not do that. Use instead the myQNAPcloud service provided by QNAP. It's free, it's safe and very reliable. Alternatively you could use a VPN, but then none of this RP stuff is needed at all. A VPN gives you all the security you need, but is of course less visitor friendly.

In order to develop a working RP setup, start with port 80, and only when everything works perfectly, then you add rerouting to port 443. And remove this section completely:

Code:

<VirtualHost *:80>
ServerName homestorage.phillipmcmahon.com
Redirect / https://homestorage.phillipmcmahon.com
</VirtualHost>
The above is what causes your problems.

Rgds
Viking
phillipmcmahon
New here
Posts: 2
Joined: Sun Nov 18, 2018 4:28 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by phillipmcmahon »

Fair point with regards to not exposing the QNAP admin UI to the Intranet, I have the following simplified example and it is still pushing me to the QNAP web admin GUI. Apologies if I am missing the blindingly obvious... :/

Code:

<VirtualHost *:80>
ServerName torrents.phillipmcmahon.com
Redirect / https://torrents.phillipmcmahon.com
</VirtualHost>

<VirtualHost *:443 *:6564>
ServerName torrents.phillipmcmahon.com
ProxyPass / http://192.168.1.28:6564/
ProxyPassReverse / http://192.168.1.28:6564/
SSLEngine on
SSLCertificateKeyFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/key
SSLCertificateFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert
</VirtualHost>
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

He he, as always, Philippe is of course right (but his explanations aren't always easy to follow) :lol:
Let me follow up by a few questions:

1. Assuming that the name "torrents.phillipmcmahon.com" is fake (for security purpose - I tried it, and it doesn't work), obviously you have a 'real' name that you are sure is actually being converted to the correct IP (redirected by your domain) ?

2. You're using port 6564 - which in itself is ok, as long as you are sure that port isn't being used by any other service. The fact that you are forwarding traffic to the same port indicates that you have a port collision. You should not use the app port as your RP port. That will not work. Try to use 8081 instead, or at least a port # which is different from your app port.

Philippe's point is that if you want to access your QTS web i/f from the internet, there are a few things you need to worry about.
As general advice, never try to achieve more than one step at a time. Only when your simplest step is successful, then move on to the next step.

Rgds
Viking
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

father_mande wrote: Mon Nov 26, 2018 4:13 pm So I will suppress my previous post (to don't mix with your approach)
Apologize ...
Philippe.
Hi Philippe,
No need to apologize. Your comments are always welcome, so please stay with us.

Have a nice day. :)

Rgds
Oyvind
nasnoob
Getting the hang of things
Posts: 74
Joined: Sun Jun 21, 2009 4:31 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by nasnoob »

Many thanks for this guide. I followed your steps and used a mash-up of other guides to get the reverse proxy working with location switches (e.g. /sonarr, /couchpotato etc) instead of subdomains, and it works well.

I have also allowed access to my QTS login page which I can login to and use fine remotely.

However I have had a couple of hiccups with some QTS screens and settings not working or changing properly when I try remotely. It works fine over LAN, just not 100% remotely over the reverse proxy. For example I cannot get BrowserStation or any app that utilises VNC to work through the QTS portal. I don't fully understand how this traffic is routed, so any ideas on how I can get this to work properly?

Below is my config file:

For anyone looking to use the same config, replace the remoteip, lanip:port and port1,2,3, accordingly



LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:443>
    ServerName remoteip
    ProxyPass / http://lanip:port/
    ProxyPassReverse / http://lanip:port/
    SSLEngine On
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off
    SSLCertificateKeyFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/key
    SSLCertificateFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    <Location /sonarr>
        Order deny,allow
        ProxyPass http://127.0.0.1:port1/sonarr
        ProxyPassReverse http://127.0.0.1:port1/sonarr
    </Location>

    <Location /couchpotato>
        Order deny,allow
        ProxyPass http://127.0.0.1:port2/couchpotato
        ProxyPassReverse http://127.0.0.1:port2/couchpotato
    </Location>

    <Location /transmission>
        Order deny,allow
        ProxyPass http://127.0.0.1:port3/transmission
        ProxyPassReverse http://127.0.0.1:port3/transmission
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName remoteip
    Redirect / https://remoteip/
</VirtualHost>
MasterFuba
New here
Posts: 3
Joined: Fri Aug 11, 2017 3:14 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by MasterFuba »

Hi all,

On my QNAP I can't edit the apache.conf!?
chmod u+w apache.conf didn't change anything and my Linux and SSH knowledge is very limited.
Was this different in the past or am I doing something wrong? I use PuTTY for my SSH connection.
Is WinSCP more powerful?
I fear it is QNAP blocking me from doing any change in apache.conf.
What alternatives do we have to get a reverse proxy running without editing apache.conf?

Kr Daniel

Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by Toxic17 »

MasterFuba wrote: Mon Mar 11, 2019 3:20 pm What alternatives we have to get a reverse proxy running without editing apache.conf?

Kr Daniel

https://www.qnapclub.eu/fr/qpkg/642
Regards Simon

Fiser
First post
Posts: 1
Joined: Tue Apr 16, 2019 1:29 am

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by Fiser »

Hi

I use this system for put my public domain with the nas, my withlab and other things. I use this structure.
nas.mydomain.com
gitlab.mydomain.com
portainer.mydomain.com

In nas.mydomain.com I have a reverse proxy to port 8443 of my NAS that exposes the web admin of the QNAP, but I cannot edit my VM because websockets don't work.

This is my virtualhost, can anyone help me?
<VirtualHost *:443>
ServerName xxx.com

SSLEngine on
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/xxx.key
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/xxx.cert

ErrorLog /var/log/fisernas-error.log
CustomLog /var/log/fisernas-access.log combined

ProxyPass / https://192.168.1.10:8443/
ProxyPassReverse / https://192.168.1.10:8443/
ProxyPass "/qvs/" wss://192.168.1.14:8443/qvs/
</VirtualHost>
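
Added example, not part of the post above and not QNAP or Apache code: a small Python check for the points this kind of virtual host raises. mod_proxy evaluates `ProxyPass` rules in configuration order and the first match wins, `ws://`/`wss://` targets are handled by mod_proxy_wstunnel, and the `SSLProxyVerify`/`SSLProxyCheckPeer*` settings control whether the backend certificate is checked. The function name `lint_vhost` and the sample text are constructed for illustration.

```python
import re

# Constructed sample modelled on the virtual host posted above (placeholder names and addresses).
SAMPLE_VHOST = """\
<VirtualHost *:443>
ServerName xxx.com
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerName off
ProxyPass / https://192.168.1.10:8443/
ProxyPassReverse / https://192.168.1.10:8443/
ProxyPass "/qvs/" wss://192.168.1.14:8443/qvs/
</VirtualHost>
"""

# Backend (upstream) TLS checks and the value that switches each one off.
WEAK_TLS = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
            "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}

def lint_vhost(text):
    """Return (line_no, code, message) findings for the given config text."""
    findings, rules, modules = [], [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        parts = [p.strip('"') for p in raw.split("#")[0].split()]
        if len(parts) < 2:
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "loadmodule":
            modules.add(args[0])
        elif name in WEAK_TLS and args[0].lower() == WEAK_TLS[name]:
            findings.append((no, "TLS", f"{parts[0]} {args[0]}: backend certificate not checked"))
        elif name == "proxypass" and len(args) >= 2 and args[0].startswith("/"):
            path, target = args[0], args[1]
            # Rules are checked in configuration order; an earlier, broader prefix wins.
            for prev_no, prev in rules:
                if path == prev or path.startswith(prev.rstrip("/") + "/"):
                    findings.append((no, "SHADOWED",
                                     f"{path} is never reached: line {prev_no} already matches {prev}"))
                    break
            rules.append((no, path))
            if re.match(r"wss?://", target) and "proxy_wstunnel_module" not in modules:
                findings.append((no, "WSTUNNEL", "ws/wss target, no LoadModule proxy_wstunnel_module in this text"))
    return findings

if __name__ == "__main__":
    for finding in lint_vhost(SAMPLE_VHOST):
        print(*finding)
```

The WSTUNNEL finding only means the module is not loaded in the text that was checked; it may be loaded in the main apache.conf.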
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo »

Of course, accessing your NAS from the internet using VPN is the other method - and the preferred one when it comes to security, many would say - and I agree. It's only less flexible since it requires you to have the VPN client installed on all devices you plan to use. With reverse Proxy, you can use any internet connected device, as is. Even from an internet café in Indonesia! But is it safe enough for you? That's for you to decide.
I use 2FA to logon to all my server apps and a self signed SSL, and I find that to be enough.