Built in Apache Web-Admin hardening - location and apache.conf?

micattack
Starting out
Posts: 14
Joined: Sat Mar 06, 2021 12:25 am

Built in Apache Web-Admin hardening - location and apache.conf?

Post by micattack »

I am normally not this bad at this, but QNAP seems to deeply hide its config parts?

I want to add additional restrictions right in the apache.conf (or an .htaccess), but I cannot seem to find the right directory and/or conf files.

This is on a TS-351 Firmware 4.5.2.1630 (latest as of this post)

As far as I can tell the main config is /etc/config/apache/apache.conf, with these Includes being loaded:

./extra/apache-default-modules.conf
./extra/apache-ssl.conf
./extra/apache-fastcgi.conf
./extra/apache-musicstation.conf
./extra/apache-photo.conf
./extra/apache-video.conf
./extra/apache-dav-proxy.conf
./extra/apache-http-compress.conf

ps -ef | grep httpd shows httpd running as httpdusr, as such:

/usr/local/sbin/_thttpd_ -p 58080 -nor -nos -u admin -d /home/httpd -c **.* -h 127.0.0.1 -i /var/lock/._thttpd_.pid

/home/httpd/cgi-bin/index.html looks to be the start page of the admin interface

If I put a .htaccess file in that cgi-bin directory

Order Deny,Allow
Deny from all
# Allow from 127.0.0.1 ::1
# Allow from localhost
# Allow from 10

it doesn't do anything. When I provoke an error in the .htaccess by writing "Test." as the first line, login.html seems to load, but a few other files in the browser, like /cgi-bin/loginTheme/theme1/login.css, do not load (500 Internal Server Error).

When just accessing login.css as an example, I do get the above config to block that file, but not the login.html main file, and I do not know why.

Can anybody explain to me how this all fits together?
Last edited by micattack on Thu Apr 29, 2021 12:37 am, edited 1 time in total.
--
QLocker survivor; backup enthusiast
TS-351 with 5. + something FW (always up2date)
Celeron J1800/8GB RAM
RAID-5 (2x 256GB Transcent TS256GMTE110S + 3x 6TB Seagate ST6000VN001)
Toxic17
Ask me anything
Posts: 6468
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: Built in Apache Web-Admin hardening - location and apache.conf?

Post by Toxic17 »

posts merged.

QNAP's Apache webserver is not worth the effort tbh, as it's usually out of date and locked down.

I've never understood why this was never a QPKG package rather than built into the firmware. Same with MySQL.
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Built in Apache Web-Admin hardening - location and apache.conf?

Post by jaysona »

For reason(s) that will probably never be known (given how opaque QNAP is) the included Apache web-server is severely crippled (as are all Linux related things by QNAP) and it is not possible to manage the included Apache webserver as you would in a proper LAMP setup.

The majority of the apache.conf settings are effectively hard coded (QNAP software architecture at its best); they are set in /etc/init.d/Qthttpd.sh - just look at the cluster-eff in that file - which writes to the /etc/config/apache/apache.conf file.

If you're really hell-bent on using your QNAP NAS as a LAMP server, then use Qapache from qnapclub.eu; you'll need to decide which Qapache QPKG best suits your needs.

Qapache typically runs on port 88, but you can change it to 80/443 after you have changed the QNAP built-in Apache server to use any other port that will never be accessed.

Now, here's the really crappy part: every once in a while, when the moon and planets align in whatever way QNAP has predetermined, QTS will re-take over the ports you have assigned to Qapache and Qapache will stop working, so be sure to keep copies of the latest config files.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: Built in Apache Web-Admin hardening - location and apache.conf?

Post by oyvindo »

I have made lots of changes to apache.conf and never had any issues with it.
It's correct that QNAP is a bit slow on updating their (L)AMP components, but if that's an issue for you, then just install the most up-to-date-version in Docker.
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Built in Apache Web-Admin hardening - location and apache.conf?

Post by jaysona »

oyvindo wrote: Thu Apr 29, 2021 12:28 am I have made lots of changes to apache.conf and never had any issues with it.
It's correct that QNAP is a bit slow on updating their (L)AMP components, but if that's an issue for you, then just install the most up-to-date-version in Docker.
If you modify any of the apache.conf settings that QNAP has hard coded in the Qthttpd.sh file, then those changes are undone when the NAS is rebooted. I dumped using the built-in Apache server because of the TLS version limitations and the ciphers set in the Qthttpd.sh file.
micattack
Starting out
Posts: 14
Joined: Sat Mar 06, 2021 12:25 am

Re: Built in Apache Web-Admin hardening - location and apache.conf?

Post by micattack »

Toxic17 wrote: Wed Apr 28, 2021 11:09 pm posts merged.

QNAPs apache webserver is no worth the effort tbh as its usually out of date and locked down.
What I wanted to do is harden the existing web-interface, not by using another package around it but by getting the original apache to deny access outside of the local network. I think this is a worthy effort and the pointer towards /etc/init.d/Qthttpd.sh is already a good start.

But even with the ready generated apache.conf I do not seem to be able to get it to deny access. Even if just between reboots.

Think about it: when we harden the Web-Admin (which will always be running) we remove another avenue for hackers. Of course I am and will be using the Qapache package for the real web apps I am running.
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Built in Apache Web-Admin hardening - location and apache.conf?

Post by jaysona »

micattack wrote: Thu Apr 29, 2021 12:48 am ....
Think about it: When we harden the Web-Admin (which will always be running) we remove another avenue for hackers. Of course I am and will be using the Qapache package for the real Webapps I am running
Are you referring to the QTS Admin webpage that by default runs on tcp 8080/443?

If so, that is handled by /etc/init.d/thttpd.sh and the web pages are served from /home/httpd/
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: Built in Apache Web-Admin hardening - location and apache.conf?

Post by oyvindo »

jaysona wrote: Thu Apr 29, 2021 12:35 am If you modify any of the apache.conf setting that QNAP has hard coded .......
I'm not sure what exactly you mean. I never "modified" any of the existing settings in apache.conf, but I added many of my own, and they certainly survive a reboot.
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Built in Apache Web-Admin hardening - location and apache.conf?

Post by jaysona »

Take a look at the Qthttpd.sh file, and look at the various apache.conf settings that the .sh script writes to the apache.conf. Modify one of those settings in the apache.conf file, reboot and see what happens. If you add other config settings that are not part of the .sh script, then yes, those should remain.
micattack
Starting out
Posts: 14
Joined: Sat Mar 06, 2021 12:25 am

Re: Built in Apache Web-Admin hardening - location and apache.conf?

Post by micattack »

So I managed to make the Admin GUI only work locally.

Edit apache-sys-proxy.conf around line 26:

<Directory />
	Options FollowSymLinks
	AllowOverride Limit
	# Legacy (mod_access_compat) host access control: with Order Deny,Allow
	# the Deny rule is evaluated first and a matching Allow overrides it,
	# so only the listed addresses get through.
	Order Deny,Allow
	Deny from all
	Allow from 127.0.0.1 ::1
	Allow from localhost
	Allow from 10
	# Do not add "Require all denied" next to the Allow lines: on Apache 2.4
	# both families are checked and that line denies every client, the
	# allowed ones included. The native 2.4 form would be "Require ip 127.0.0.1 ::1 10".
</Directory>
and apache-sys-proxy-ssl.conf around line 29:

<Directory />
	Options FollowSymLinks
	AllowOverride All
	# Same access control as in apache-sys-proxy.conf: Deny first, then the
	# Allow list overrides it for loopback and the internal 10.x network.
	Order Deny,Allow
	Deny from all
	Allow from 127.0.0.1 ::1
	Allow from localhost
	Allow from 10
	# As above, "Require all denied" must not be combined with these Allow lines.
</Directory>
After restarting on the console with

/etc/init.d/Qthttpd.sh restart; /etc/init.d/thttpd.sh restart

I do still see and am able to access /cgi-bin/login.html from other IPs, but the interface will never load. This is good enough for me for now.

Change the "Allow from 10" line if your internal network is not 10.0.0.*.
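The posted <Directory /> blocks mix two generations of Apache access control: Order/Allow/Deny belong to mod_access_compat (the 2.2 way), while Require belongs to mod_authz_core and mod_authz_host (the 2.4 way). The following model, added here as an example and not code from the thread or from QNAP, imitates how httpd evaluates both families so the effect of a block can be checked offline for any client address. It assumes what the httpd documentation states for mod_access_compat: when both kinds of directive are present in one scope, both are consulted and either one can deny. A hostname spec such as "localhost" is simplified to the loopback addresses rather than doing the reverse-DNS lookup httpd performs, and all three sample blocks are constructed for the demonstration.

```python
"""Model of Apache host-based access control (added example, not httpd code).

It imitates how httpd decides access for a filesystem-mapped request:
  - mod_access_compat: Order / Allow from / Deny from (Apache 2.2 style)
  - mod_authz_core + mod_authz_host: Require ip / Require all (Apache 2.4 style)
Assumption (from the mod_access_compat docs): when both families appear in one
scope, both are consulted and either one can deny. "localhost" is simplified to
the loopback addresses instead of the reverse-DNS lookup httpd would perform.
"""
import ipaddress

# Constructed sample: the block as posted, 2.2 and 2.4 directives mixed.
MIXED_BLOCK = """
<Directory />
    Options FollowSymLinks
    AllowOverride Limit
    Order Deny,Allow
    Allow from 127.0.0.1 ::1
    Allow from localhost
    Allow from 10
    Deny from all
    Require all denied
</Directory>
"""

# Constructed sample: same intent using only the legacy directives.
LEGACY_BLOCK = MIXED_BLOCK.replace("    Require all denied\n", "")

# Constructed sample: same intent using only the Apache 2.4 directives.
REQUIRE_BLOCK = """
<Directory />
    Require ip 127.0.0.1 ::1
    Require ip 10
</Directory>
"""


def parse_block(text):
    """Return [(directive, args)] for the directive lines inside a block."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split()
        out.append((parts[0].lower(), parts[1:]))
    return out


def _networks(spec):
    """Expand one address spec the way httpd reads it: 'all', a full address,
    a CIDR, or a partial dotted prefix such as '10' (meaning 10.0.0.0/8)."""
    if spec.lower() == "all":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if spec.lower() == "localhost":  # simplification, see module docstring
        return [ipaddress.ip_network("127.0.0.1"), ipaddress.ip_network("::1")]
    if "/" in spec or ":" in spec:
        return [ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) < 4:
        prefix = ".".join(octets + ["0"] * (4 - len(octets)))
        return [ipaddress.ip_network(f"{prefix}/{8 * len(octets)}")]
    return [ipaddress.ip_network(spec)]


def matches(client, specs):
    """True if the client address falls inside any spec (IP-version aware)."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for spec in specs for net in _networks(spec))


def legacy_decision(directives, client):
    """mod_access_compat verdict, or None if no Order/Allow/Deny is present."""
    order, seen, allow, deny = "deny,allow", False, False, False
    for name, args in directives:
        if name == "order":
            order, seen = args[0].lower(), True
        elif name in ("allow", "deny") and args and args[0].lower() == "from":
            seen = True
            if matches(client, args[1:]):
                allow, deny = allow or name == "allow", deny or name == "deny"
    if not seen:
        return None
    if order == "deny,allow":      # default allow; Deny first, Allow overrides
        return allow or not deny
    return allow and not deny      # Allow,Deny and Mutual-failure: default deny


def authz_decision(directives, client):
    """mod_authz_core verdict (default RequireAny), or None if no Require."""
    seen, granted = False, False
    for name, args in directives:
        if name != "require":
            continue
        seen = True
        if args[0].lower() == "all":
            granted = granted or args[1].lower() == "granted"
        elif args[0].lower() == "ip":
            granted = granted or matches(client, args[1:])
    return granted if seen else None


def access_allowed(block_text, client):
    """Combined verdict for a filesystem-mapped request from `client`."""
    directives = parse_block(block_text)
    verdicts = [v for v in (legacy_decision(directives, client),
                            authz_decision(directives, client)) if v is not None]
    return all(verdicts) if verdicts else True   # no access directives: open


if __name__ == "__main__":
    for label, block in (("mixed", MIXED_BLOCK), ("legacy", LEGACY_BLOCK),
                         ("require", REQUIRE_BLOCK)):
        for client in ("127.0.0.1", "10.0.0.5", "203.0.113.9"):
            verdict = "allow" if access_allowed(block, client) else "deny"
            print(f"{label:8} {client:12} -> {verdict}")
```

Running it shows the mixed block denying even 127.0.0.1 and 10.0.0.5, because `Require all denied` is a second, independent veto, while the legacy-only and Require-only blocks admit loopback and 10/8 and reject 203.0.113.9. One caveat the model also makes explicit: a <Directory> section only governs requests that map to the filesystem. If, as the file name apache-sys-proxy.conf suggests, the admin pages on 8080/443 are reverse-proxied to the thttpd instance on 127.0.0.1:58080, the proxied requests are governed by <Location> or <Proxy> sections instead, which would be consistent with login.html still being reachable from other IPs while the static files under /home/httpd are blocked.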