Built in Apache Web-Admin hardening - location and apache.conf?
-
- Starting out
- Posts: 14
- Joined: Sat Mar 06, 2021 12:25 am
I am normally not this bad at this, but QNAP seems to deeply hide its config parts?
I want to add additional restrictions right in the apache.conf (or an .htaccess), but I cannot seem to find the right directory and/or conf files.
This is on a TS-351, Firmware 4.5.2.1630 (latest as of this post).
As far as I can tell the main config is /etc/config/apache/apache.conf with these Includes being loaded:
./extra/apache-default-modules.conf
./extra/apache-ssl.conf
./extra/apache-fastcgi.conf
./extra/apache-musicstation.conf
./extra/apache-photo.conf
./extra/apache-video.conf
./extra/apache-dav-proxy.conf
./extra/apache-http-compress.conf
ps -ef | grep httpd shows http running as httpdusr as such:
/usr/local/sbin/_thttpd_ -p 58080 -nor -nos -u admin -d /home/httpd -c **.* -h 127.0.0.1 -i /var/lock/._thttpd_.pid
/home/httpd/cgi-bin/index.html looks to be the start page of the admin interface.
If I put a .htaccess file in that cgi-bin directory
Order Deny,Allow
Deny from all
# Allow from 127.0.0.1 ::1
# Allow from localhost
# Allow from 10
it doesn't do anything. When I provoke an error in the .htaccess by writing "Test." as the first line, the login.html seems to load, but a few others in the browser like /cgi-bin/loginTheme/theme1/login.css do not load (500 Internal Server Error).
When just accessing login.css as an example I do get the above config to block that file, but not the login.html main file, and I do not know why.
Can anybody explain to me how this all fits together?
Last edited by micattack on Thu Apr 29, 2021 12:37 am, edited 1 time in total.
--
QLocker survivor; backup enthusiast
TS-351 with 5. + something FW (always up2date)
Celeron J1800/8GB RAM
RAID-5 (2x 256GB Transcent TS256GMTE110S + 3x 6TB Seagate ST6000VN001)
- Toxic17
- Ask me anything
- Posts: 6481
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
- Contact:
Re: Built in Apache Web-Admin hardening - location and apache.conf?
posts merged.
QNAP's apache webserver is not worth the effort tbh as it's usually out of date and locked down.
I've never understood why this was never a qpkg package rather than built in with the firmware. Same with MySQL.
Regards Simon
Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following
NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
- jaysona
- Been there, done that
- Posts: 856
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Built in Apache Web-Admin hardening - location and apache.conf?
For reason(s) that will probably never be known (given how opaque QNAP is) the included Apache web-server is severely crippled (as are all Linux related things by QNAP) and it is not possible to manage the included Apache webserver as you would in a proper LAMP setup.
The majority of the apache.conf settings are effectively hard coded (QNAP software architecture at its best) and are set in /etc/init.d/Qthttpd.sh - just look at the cluster-eff in that file - which writes to the /etc/config/apache/apache.conf file.
If you're really hell-bent on using your QNAP NAS as a LAMP server, then use Qapache from qnapclub.eu; you'll need to decide which Qapache QPKG best suits your needs.
Qapache typically runs on port 88, but you can change it to 80/443 after you have changed the QNAP built-in Apache server to use any other port that will never be accessed.
Now, here's the really crappy part: every once in a while, when the moon and planets align in whatever way QNAP has predetermined, QTS will re-take over the ports you have assigned to Qapache and Qapache will stop working, so be sure to keep copies of the latest config files.
RAID is not a Back-up!
H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
- oyvindo
- Experience counts
- Posts: 1399
- Joined: Tue May 19, 2009 2:08 am
- Location: Norway, Oslo
Re: Built in Apache Web-Admin hardening - location and apache.conf?
I have made lots of changes to apache.conf and never had any issues with it.
It's correct that QNAP is a bit slow on updating their (L)AMP components, but if that's an issue for you, then just install the most up-to-date-version in Docker.
- jaysona
- Been there, done that
- Posts: 856
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Built in Apache Web-Admin hardening - location and apache.conf?
If you modify any of the apache.conf settings that QNAP has hard coded in the Qthttpd.sh file, then those changes are undone when the NAS is rebooted. I dumped using the built-in apache server because of the TLS version limitations and the ciphers set in the Qthttpd.sh file.
RAID is not a Back-up!
H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
-
- Starting out
- Posts: 14
- Joined: Sat Mar 06, 2021 12:25 am
Re: Built in Apache Web-Admin hardening - location and apache.conf?
What I wanted to do is harden the existing web-interface, not by using another package around it but by getting the original Apache to deny access from outside the local network. I think this is a worthy effort, and the pointer towards /etc/init.d/Qthttpd.sh is already a good start.
But even with the ready-generated apache.conf I do not seem to be able to get it to deny access, even if just between reboots.
Think about it: when we harden the Web-Admin (which will always be running) we remove another avenue for hackers. Of course I am and will be using the Qapache package for the real web apps I am running.
--
QLocker survivor; backup enthusiast
TS-351 with 5. + something FW (always up2date)
Celeron J1800/8GB RAM
RAID-5 (2x 256GB Transcent TS256GMTE110S + 3x 6TB Seagate ST6000VN001)
- jaysona
- Been there, done that
- Posts: 856
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Built in Apache Web-Admin hardening - location and apache.conf?
Are you referring to the QTS Admin webpage that by default runs on tcp 8080/443?
If so, that is handled by /etc/init.d/thttpd.sh and the web pages are served from /home/httpd/
RAID is not a Back-up!
H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
- jaysona
- Been there, done that
- Posts: 856
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Built in Apache Web-Admin hardening - location and apache.conf?
Take a look at the Qthttpd.sh file and look at the various apache.conf settings that the .sh script writes to the apache.conf. Modify one of those settings in the apache.conf file, reboot and see what happens. If you add other config settings that are not part of the .sh script, then yes, those should remain.
RAID is not a Back-up!
H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
-
- Starting out
- Posts: 14
- Joined: Sat Mar 06, 2021 12:25 am
Re: Built in Apache Web-Admin hardening - location and apache.conf?
So I managed to make the Admin GUI only work locally.
Edit apache-sys-proxy.conf around line 26:
<Directory />
    Options FollowSymLinks
    AllowOverride Limit
    Order Deny,Allow
    Allow from 127.0.0.1 ::1
    Allow from localhost
    Allow from 10
    Deny from all
    Require all denied
</Directory>
AND apache-sys-proxy-ssl.conf around line 29:
<Directory />
    Options FollowSymLinks
    AllowOverride All
    Order Deny,Allow
    Allow from 127.0.0.1 ::1
    Allow from localhost
    Allow from 10
    Deny from all
    Require all denied
</Directory>
After restarting on the console with
/etc/init.d/Qthttpd.sh restart; /etc/init.d/thttpd.sh restart
I do still see and am able to access /cgi-bin/login.html from other IPs, but the interface will never load. This is good enough for me for now.
Change the "Allow from 10" line if your internal network is not 10.0.0.*.
--
QLocker survivor; backup enthusiast
TS-351 with 5. + something FW (always up2date)
Celeron J1800/8GB RAM
RAID-5 (2x 256GB Transcent TS256GMTE110S + 3x 6TB Seagate ST6000VN001)
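The Order Deny,Allow / Allow from / Deny from stanza in the post above, like the .htaccess attempt in the opening post, is Apache's legacy mod_access_compat access control; Apache 2.4 does the same job with Require ip and its documentation discourages mixing the two directive families. The Python script below is an added example, not QNAP's code and not from any of the posts: it parses a constructed <Directory /> stanza in each style and evaluates sample client addresses against both, reproducing the documented evaluation order (under Order Deny,Allow a Deny from all is overridden by any matching Allow, and a bare "10" matches the whole 10.0.0.0/8 range). Treating "localhost" as the two loopback addresses is a simplification (httpd resolves it by reverse DNS), and the post's trailing Require all denied line is left out because the two families are kept in separate stanzas here.

```python
"""Evaluate a client IP against the two Apache access-control styles seen in
this thread.  Added example, not QNAP's code and not from the forum posts.

  * Order / Allow from / Deny from   (mod_access_compat, Apache 2.2 style)
  * Require ip inside <RequireAny>    (mod_authz_core + mod_authz_host, 2.4)

Both stanzas below are constructed for the example.  Treating "localhost" as
127.0.0.1 and ::1 is an assumption: real httpd resolves it via reverse DNS.
"""
import ipaddress
import re

# Legacy stanza, modelled on the apache-sys-proxy.conf edit in the post above
# (the post's trailing "Require all denied" is deliberately not mixed in here).
LEGACY_CONF = """
<Directory />
    Options FollowSymLinks
    AllowOverride Limit
    Order Deny,Allow
    Allow from 127.0.0.1 ::1
    Allow from localhost
    Allow from 10
    Deny from all
</Directory>
"""

# Equivalent Apache 2.4 stanza: loopback or the 10.0.0.0/8 LAN, nothing else.
MODERN_CONF = """
<Directory />
    Options FollowSymLinks
    AllowOverride Limit
    <RequireAny>
        Require ip 127.0.0.1 ::1
        Require ip 10.0.0.0/8
    </RequireAny>
</Directory>
"""

HOST_ALIASES = {"localhost": ["127.0.0.1", "::1"]}  # assumption, see docstring
_PARTIAL_V4 = re.compile(r"\d{1,3}(\.\d{1,3}){0,2}")  # "10", "10.1", "10.1.2"


def _host_matches(pattern, ip):
    """One Allow/Deny/Require-ip operand against a parsed client address."""
    if pattern == "all":
        return True
    if pattern in HOST_ALIASES:
        return any(_host_matches(p, ip) for p in HOST_ALIASES[pattern])
    if "/" in pattern:                                   # CIDR network
        return ip in ipaddress.ip_network(pattern, strict=False)
    if ip.version == 4 and _PARTIAL_V4.fullmatch(pattern):
        return str(ip).startswith(pattern + ".")         # leading octets
    try:
        return ip == ipaddress.ip_address(pattern)       # exact address
    except ValueError:
        return False                                     # e.g. "10" vs IPv6


def legacy_decision(conf, client):
    """Order Deny,Allow / Allow,Deny semantics as documented for mod_access_compat."""
    ip = ipaddress.ip_address(client)
    order, allowed, denied = "deny,allow", False, False
    for line in conf.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            hit = any(_host_matches(p, ip) for p in parts[2:])
            if key == "allow":
                allowed = allowed or hit
            else:
                denied = denied or hit
    if order == "deny,allow":
        # default allow; a Deny match is overridden by any Allow match
        return allowed or not denied
    # allow,deny and mutual-failure: must match an Allow and no Deny
    return allowed and not denied


def require_decision(conf, client):
    """Require ip lines inside <RequireAny>: the first matching line grants."""
    ip = ipaddress.ip_address(client)
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) > 2 and [p.lower() for p in parts[:2]] == ["require", "ip"]:
            if any(_host_matches(p, ip) for p in parts[2:]):
                return True
    return False


SAMPLE_CLIENTS = ("127.0.0.1", "::1", "10.0.0.5", "10.200.1.1",
                  "192.168.1.20", "203.0.113.9", "2001:db8::1")


def check(clients=SAMPLE_CLIENTS):
    """Map each client to (legacy_allowed, require_allowed); both should agree."""
    return {c: (legacy_decision(LEGACY_CONF, c), require_decision(MODERN_CONF, c))
            for c in clients}


if __name__ == "__main__":
    for client, (legacy, modern) in check().items():
        print(f"{client:>14}  Order/Allow/Deny: {'allow' if legacy else 'DENY '}"
              f"  Require ip: {'allow' if modern else 'DENY '}")
```

Run it with any Python 3; if your LAN is not 10.0.0.0/8, change the "10" and "10.0.0.0/8" operands in both stanzas and confirm the two columns still agree for every client address you care about, including an IPv6 one, before putting the stanza on the NAS.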