[ QApache 2.4.39 + PHP 7.2.29 ] WebServer with PHP and PECL

raidforsaving
Easy as a breeze
Posts: 279
Joined: Mon Jul 14, 2014 9:14 am

Re: [ QApache 2.4.27 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by raidforsaving »

I appreciate Stephane's work in packaging up apache and PHP for our use. But I'm wondering if anyone else here has extensive apache knowledge and can help explain something about the Qapache install.

I have never managed an apache instance, except this one on a QNAP NAS. And that just means using what is provided. I have no idea what it looks like on a typical implementation.

But I wanted to understand why Qapache was 1.3GB in size, when the direct apache download is in MB. And smaller yet for a linux OS like Ubuntu (https://packages.ubuntu.com/xenial-updates/web/apache2)

So I took a look at the install location for Qapache and I notice all the (extracted) content in there. In the bin directory alone there are tons of executables, which seems odd to have to duplicate there, instead of using what the OS provides. Some of which are security concerns like rlogin, rsh, mysql, and others.

I also notice that a lot of the files are datestamped Dec 2016, so I assume they aren't being updated. Maybe they have no update since then. Just seems odd.

[~] # ls -lt /opt/Qapache/bin/
total 1528340

Can anyone please help me understand why these files are all necessary to be included here, as opposed to being used from the OS (or if they are even needed)? I could imagine the need for SOME content, but this seems excessive and risky.
Model name: TS-653D
Firmware version: 4.5.3.1697 build 20210611
Volumes: EXT4, Encrypted volume
Previous: TS-651 dead by CPU bug
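An added example, not part of the original post or of the Qapache package: one way to inventory a bundled bin directory such as the /opt/Qapache/bin listing above. The watchlist entries beyond rlogin, rsh and mysql, the 2017-01-01 cutoff and the function name audit_bin are assumptions.

```shell
#!/bin/sh
# Added example (not Qapache code): list executables in a bundled bin
# directory that deserve a closer look.
# rlogin, rsh and mysql come from the post; the other names are assumed.
WATCHLIST="rlogin rsh rcp rexec telnet ftp tftp mysql"

# audit_bin DIR [CUTOFF_DATE]
# Prints one finding per line in the form "<reason> <path>".
audit_bin() {
    dir=$1
    cutoff=${2:-2017-01-01}      # assumed cutoff: not modified since this date
    ref=$(mktemp) || return 1
    touch -d "$cutoff" "$ref"    # reference file carrying the cutoff mtime
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=$(basename "$f")
        for w in $WATCHLIST; do
            [ "$name" = "$w" ] && echo "watchlist $f"
        done
        # setuid/setgid executables run with the file owner's privileges
        if [ -u "$f" ] || [ -g "$f" ]; then echo "setid $f"; fi
        # older than the reference file: not rebuilt since the cutoff
        [ "$f" -ot "$ref" ] && echo "stale $f"
    done
    rm -f "$ref"
}

# Stand-alone use: sh audit_bin.sh /opt/Qapache/bin 2017-01-01
if [ $# -gt 0 ]; then audit_bin "$@"; fi
```

A finding is a prompt to check whether the web server needs that binary, not proof of a problem.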
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [ QApache 2.4.27 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by Toxic17 »

The package is self-contained so it doesn't use QNAP's own files (which may be more outdated than Qapache).

Excessive and risky? Please explain.....

It's a package that is self-contained, and relies on its own compiled sources from Apache (2.4.x), PHP (7.1.x) and PECL.

Something that QNAP's own built-in apache server, PHP does not do. So I find your comments about being "excessive and risky" not quite correct.
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
QNAP_Stephane
Experience counts
Posts: 4802
Joined: Wed Mar 27, 2013 1:00 am

Re: [ QApache 2.4.27 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by QNAP_Stephane »

to be clear...

The binaries are all cross-compiled with my toolchain and dynamically linked with the libs from Qapache so as not to interact with the QNAP OS or have unexpected behavior in case of change. I could indeed remove header files (from include on install), but they are necessary on my side for future updates.

I tried to make the most complete package, all inspired by the Linux From Scratch website, with all the dependencies, sub-dependencies and sub-sub-dependencies. Some mods also require additional binaries and libs which need to be compiled (mod_perl --> perl, mod.mono --> mono, mod.python / mod_uswgi --> Python, etc...).

It is hard work... the whole compilation, if I had to restart it all, will take at least 2 days... for one architecture.

I
---------------------------------------------------------------------------------------------------------------------------

Find all QPKG in the MyQnap.org repository https://www.myqnap.org
join our discord server for any inquiry related to qpkg - https://discord.gg/4fPxHSWKQW

----------------------------------------------------------------------------------------------------------------------------
raidforsaving
Easy as a breeze
Posts: 279
Joined: Mon Jul 14, 2014 9:14 am

Re: [ QApache 2.4.27 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by raidforsaving »

Thanks for both your responses. I can understand the effort put into building out the packages Stephane. And the efforts Simon puts in helping folks here.

I'm not a linux security expert, but when I see things like the mysql client accessible from the web server account, it just makes me think of commonly configured local access (loopback) rules for mysql which bypass typical requirements for authentication. Not saying that it is a known risk here, but I have seen that as common deployment practice elsewhere. I have no idea what other executables might have local execution abuse risks. That is my take on this.

It does SEEM excessive and risky. I'm not saying it IS. I'm asking for experts to chime in on it, is all. I do understand that QNAP doesn't update every binary for security vulnerabilities every month also. (same for Stephane) But they are also considering the risk of how THEY deploy it. I have no idea if the risk of access to binaries is mitigated if Qapache just uses the versions that the OS has. If my QNAP based web server is pwned over the internet, it would be nice if it didn't lead to full NAS compromise, is all I'm getting at.

I have no idea why the specific binaries must be included here. If there are typical, legit reasons, that is fine. But finding copies of binaries often used for remote administration and running/hosting insecure services makes me concerned enough to ask. No one has indicated Qapache is chrooted, which seems like a standard way to isolate apache. In addition Qapache runs as admin, who has a shell. Sounds like removing the Qapache process owner's shell is a wise move, but no clue what the ramifications are as Qapache is configured/used.

This is a reason why I've asked previously for (help about) changing the user that Qapache runs as. I do not want to have it running as root/admin. That is very dangerous if you are going to be providing internet access to it. Not everything is useful if a VPN is required for access. But changing that user has some bigger ramifications related to content access, so I've not yet implemented it. Nor do I know what the impact would be for future Qapache/app installs. I simply haven't had the time to sit down and figure out all the related concerns.

So I think my concerns are very reasonable, albeit without raising specific issues. Not trying to be alarmist, just asking questions about configurations that seem concerning.

I'll probably be investigating switching to a Qapache service account who lacks a shell, and try to grant access to all the files it will require. The Qapache bundle including binaries may be helpful for this AFAIK.

This discussion is ultimately about the most reasonable way for me to mitigate the risks I have when using Qapache. Thanks again!
Model name: TS-653D
Firmware version: 4.5.3.1697 build 20210611
Volumes: EXT4, Encrypted volume
Previous: TS-651 dead by CPU bug
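An added example, not part of the original post or of the Qapache package: a check of which account an Apache configuration runs as, flagging uid 0 and a login shell as discussed above. It assumes the configuration uses the standard Apache `User` directive with an account name; the function name check_run_as and both file paths are supplied by the caller and are hypothetical.

```shell
#!/bin/sh
# Added example (not Qapache code): report whether the account named by the
# Apache "User" directive is uid 0 or has a login shell.

# check_run_as HTTPD_CONF [PASSWD_FILE]
# Prints findings; returns 0 if clean, 1 if flagged, 2 if it cannot decide.
check_run_as() {
    conf=$1
    passwd=${2:-/etc/passwd}
    # Directive names are case-insensitive; the last one wins.
    # Commented-out lines have "#" or "#User" as their first field and are skipped.
    user=$(awk 'tolower($1) == "user" { u = $2 } END { print u }' "$conf")
    [ -n "$user" ] || { echo "no-user-directive"; return 2; }
    # passwd format: name:password:uid:gid:gecos:home:shell
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $7; exit }' "$passwd")
    [ -n "$entry" ] || { echo "unknown-account $user"; return 2; }
    uid=${entry%%:*}
    shell=${entry#*:}
    rc=0
    if [ "$uid" -eq 0 ]; then echo "uid0 $user"; rc=1; fi
    case $shell in
        */nologin|*/false) ;;    # account cannot open an interactive shell
        *) echo "login-shell $user ${shell:-<default>}"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "ok $user"
    return "$rc"
}

# Stand-alone use: sh check_run_as.sh /path/to/httpd.conf /etc/passwd
if [ $# -gt 0 ]; then check_run_as "$@"; fi
```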
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [ QApache 2.4.27 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by Toxic17 »

raidforsaving - here's a thought, you could create your own Apache package and thus not rely on anyone else's vulnerabilities as you would be in charge of its security and no one else.

Stephane looks after 20-50 QPKGs (at a guess - https://www.forum-nas.fr/viewforum.php?f=21 ) in his own free time. I doubt he has the time nor the will to lock down the app in the way you want without impacting on his lifestyle, or lack of it... after all he is doing this for free.
Regards Simon

raidforsaving
Easy as a breeze
Posts: 279
Joined: Mon Jul 14, 2014 9:14 am

Re: [ QApache 2.4.27 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by raidforsaving »

Toxic17 wrote: raidforsaving - here's a thought, you could create your own Apache package.

Toxic, thanks, but that is not something I'm interested in doing. Also, I never asked for Stephane to do anything here. The exact opposite, actually.

Anyone else in the community able to speak to the nature of apache and the included content/binaries? Or brainstorm ways to mitigate any possible related risks?
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [ QApache 2.4.27 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by Toxic17 »

Stephane, Apache 2.4.28 released.
Regards Simon

QNAP_Stephane
Experience counts
Posts: 4802
Joined: Wed Mar 27, 2013 1:00 am

Re: [ QApache 2.4.27 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by QNAP_Stephane »

Thanks.. will be updated asap
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [ QApache 2.4.27 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by Toxic17 »

QNAP_Stephane wrote: Thanks.. will be updated asap

Thanks.
Regards Simon

QNAP_Stephane
Experience counts
Posts: 4802
Joined: Wed Mar 27, 2013 1:00 am

Re: [ QApache 2.4.28 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by QNAP_Stephane »

updated x64 version
eric90066
Starting out
Posts: 35
Joined: Fri Nov 07, 2014 11:48 pm

Re: [ QApache 2.4.28 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by eric90066 »

Are there any instructions on how to use an SSL cert with Qapache? I assume it's bound to port 448, but where does one place the certs and how does one check to see if it is working?
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [ QApache 2.4.28 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by Toxic17 »

I have posted in this thread (I think) on how to do it; just scroll through the thread. If not, the php documentation and Google are your friends...

Port 448 is the default port but you can use any other, though 443 may be in use or blocked on your ISP I guess. Certs can be placed anywhere; you point the SSL certs to their location within the config file.

I'm away from my main pc or I would give you full instructions but I have limited internet access today.

Sent from my ONEPLUS A3003 using Tapatalk
Regards Simon

eric90066
Starting out
Posts: 35
Joined: Fri Nov 07, 2014 11:48 pm

Re: [ QApache 2.4.28 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by eric90066 »

Thanks Toxic.

That's pretty much all I needed to know. I assume "placed anywhere" would include a folder within the qapache dir or the htdocs dir.
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [ QApache 2.4.28 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by Toxic17 »

Yep, think I put mine under the SSL folder. Remember when upgrading Qapache to back up your php.ini, hosts.conf and any other conf file you have edited, along with your cert locations. It is then a matter of uninstalling Qapache, installing the new version, stopping the Qapache application, copying back in your backed-up files, and then starting Qapache...

PS it is worth making sure you use logging to fix any issues.

Regards Simon

eric90066
Starting out
Posts: 35
Joined: Fri Nov 07, 2014 11:48 pm

Re: [ QApache 2.4.28 + PHP 7.1.10 ] WebServer with PHP and PECL

Post by eric90066 »

Toxic17 wrote: Yep, think I put mine under the SSL folder. Remember when upgrading Qapache to back up your php.ini, hosts.conf and any other conf file you have edited, along with your cert locations. It is then a matter of uninstalling Qapache, installing the new version, stopping the Qapache application, copying back in your backed-up files, and then starting Qapache...

PS it is worth making sure you use logging to fix any issues.

Sent from my ONEPLUS A3003 using Tapatalk
Hi Toxic,

Wondering why some programs work with this and others don't. For instance, Nextcloud works without issue, but I am trying to use Mylar, adding files to htdocs and I am only getting a directory tree (which I guess means apache is not working properly). I'm also wondering if sonarr would run as well. Any thoughts?