Disabling the Web server?

p-p-s
New here
Posts: 8
Joined: Sun Sep 03, 2017 4:57 pm

Disabling the Web server?

Post by p-p-s »

The Security Counselor app advises "Disable Web Server if not required to enhance system security and mitigate cyber attacks." Am I not locking my own admin access out when disabling the Web server? I know there is also SSH, but even if possible, it does not feel realistic to do all administration on the command line.

Clicking the security check result "Web Server is enabled" in Security Counselor opens Control Panel > Applications > Web Server, where indeed "Enable Web Server" is checked. The Web server functionality which I am using is the QNAP admin interface and rarely File Station and Linux Station. Are these unaffected when I uncheck "Enable Web Server"?
p-p-s
New here
Posts: 8
Joined: Sun Sep 03, 2017 4:57 pm

Re: Disabling the Web server?

Post by p-p-s »

PaulAtreidis wrote: Fri Aug 12, 2022 4:33 pm No, after disabling you are no longer able to run a website from the NAS.
Hi Paul,
Thanks for your fast response!
Not sure I understand your answer. And probably this is my fault, because I put two questions instead of one and also used double negation in the query. So, my bad, the "No" is not clear to me and I am not sure whether "a website" includes the built-in admin Web site. Please can you rephrase?
-Peter
dosborne
Experience counts
Posts: 1811
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: Disabling the Web server?

Post by dosborne »

In other words.....

The Admin GUI is not tied to the Web Server per se. It is a separate function.
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
OneCD
Guru
Posts: 12144
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Disabling the Web server?

Post by OneCD »

p-p-s wrote: Fri Aug 12, 2022 4:06 pm Are these unaffected when I uncheck "Enable Web Server"?
Correct.

QTS actually has two distinct and separate web-servers: the first manages the web UI so you can administer your NAS, the second is for those who want to create a local website and serve web pages from their NAS. Most people will probably never use the second one. And the first can't be disabled.

Whenever QNAP mention "web server", they're always talking about the second integrated web-server. ;)

jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Disabling the Web server?

Post by jaysona »

p-p-s wrote: Fri Aug 12, 2022 5:42 pm ....
Not sure I understand your answer. And probably this is my fault, because I put two questions instead of one and also used double negation in the query. So, my bad, the "No" is not clear to me and I am not sure whether "a website" includes the built-in admin Web site. Please can you rephrase?
-Peter
QNAP's QTS has two distinct "web servers" that serve (pun partially intended) two very distinct purposes;

The first web server is:
  • thttpd (tiny/turbo/throttling HTTP server)
This is the webserver that is used for the QTS Admin webpage, and all of the QNAP (crap) apps (which have been consistently exploited for the past 6+ years) which are typically accessible via tcp port 8080 and tcp 443 (via stunnel).

For the curious here, the thttpd server is managed by the .sh file /etc/init.d/thttpd.sh and the .cgi-bin binaries it serves are listed in /etc/thttpd.conf


The second web server is:
  • Apache
This is the "web server" that the QNAP Security Counselor is referring to. This server is also lower risk for gaining unauthorized access to the NAS. There are security risks with this Apache server as well though. QNAP has utterly decimated the Apache configuration and security model, which means websites (Wordpress, Drupal, etc) can be easily exploited, which could make certain website files and possibly some other NAS system directories accessible.

For the curious here, the Apache server is managed by the .sh file /etc/init.d/Qthttpd.sh and the config files (mostly overwritten on re-boot) are located in /etc/config/apache/

The TLS connections actually are not handled by either httpd server. TLS connections are managed and handled by stunnel (another one of QNAP's stunningly stupid security moves), which is managed by /etc/init.d/stunnel.sh, and the config files are in /etc/config/stunnel/


That said, the biggest risk for any QNAP system is making tcp 8080/443 accessible from the Internet. If the QTS Admin webpage is accessible from the Internet, the NAS will eventually be compromised and there will be tears.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
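The split jaysona describes (thttpd plus stunnel for the admin UI, Apache for the user web server) is easy to confirm on a box, and the "tcp 8080/443 reachable from the Internet" risk is easy to check against a router's port-forward table. The following is an added example written for this page; it is not QNAP code and not something posted in the thread. It assumes that the PID/Program column of `netstat -tlnp` on the NAS shows the process names `thttpd`, `stunnel` and `apache`, and that the admin UI is on the stock ports 8080 (plain thttpd) and 443 (stunnel in front of thttpd); the netstat output and the forward table below are constructed samples, and `/etc/config/stunnel/` should be read to confirm which backend each stunnel listener actually fronts.

```python
"""Classify a QTS NAS's listening sockets into the admin web server (thttpd/stunnel)
and the user web server (Apache), then rate each router WAN->NAS port forward by
what is really listening behind it. Added example; process names and ports are
assumptions about a stock QTS install, not facts taken from QNAP documentation.
"""
import re
from dataclasses import dataclass

ROLE_BY_PROGRAM = {
    "thttpd": "QTS admin UI (thttpd)",
    # Assumption: stunnel on 443 terminates TLS for thttpd; verify in /etc/config/stunnel/
    "stunnel": "TLS front end for the QTS admin UI (stunnel)",
    "apache": "user web server (Apache, Control Panel > Applications > Web Server)",
}
ADMIN_PROGRAMS = {"thttpd", "stunnel"}

# Constructed sample of `netstat -tlnp` output; not captured from a real NAS.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2311/thttpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2398/stunnel
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4120/apache
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      4133/php-fpm
tcp6       0      0 :::22                   :::*                    LISTEN      1874/sshd
"""

# Constructed router port-forward table as (wan_port, nas_port) pairs.
SAMPLE_FORWARDS = [(8080, 8080), (443, 443), (80, 80), (8443, 8443)]

# Matches LISTEN rows; the greedy address group backtracks to the last ':' so
# IPv6 wildcards like ':::22' parse as addr='::' port=22.
LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<pid>\d+)/(?P<prog>\S+)"
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    pid: int
    program: str

    @property
    def role(self) -> str:
        return ROLE_BY_PROGRAM.get(self.program, "other service")

    @property
    def on_all_interfaces(self) -> bool:
        # A wildcard bind only becomes a problem once something routes WAN traffic to it.
        return self.addr in ("0.0.0.0", "::", "*")


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Parse the LISTEN rows of `netstat -tlnp`; header and non-TCP lines are skipped."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]), int(m["pid"]), m["prog"]))
    return listeners


def audit_forwards(listeners: list[Listener], forwards) -> list[tuple[str, str]]:
    """Return (severity, message) per forward, judged by the process on the NAS port."""
    by_port = {lis.port: lis for lis in listeners}
    findings = []
    for wan_port, nas_port in forwards:
        lis = by_port.get(nas_port)
        where = f"WAN {wan_port} -> NAS {nas_port}"
        if lis is None:
            findings.append(("INFO", f"{where}: nothing listening; remove the stale forward"))
        elif lis.program in ADMIN_PROGRAMS:
            findings.append(("CRITICAL", f"{where}: {lis.role} exposed to the Internet; "
                                         "remove the forward and reach the UI over a VPN"))
        elif lis.program == "apache":
            findings.append(("WARNING", f"{where}: {lis.role} exposed; keep it on its own "
                                        "virtual-switch address behind a perimeter firewall"))
        else:
            findings.append(("WARNING", f"{where}: {lis.role} ({lis.program}) exposed; confirm intended"))
    return findings


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for lis in found:
        print(f"{lis.addr}:{lis.port:<5} pid={lis.pid:<5} {lis.program:<8} -> {lis.role}")
    for severity, message in audit_forwards(found, SAMPLE_FORWARDS):
        print(f"[{severity}] {message}")
```

On a real NAS, feed it the live output (`netstat -tlnp` over SSH) and the forward rules exported from the router; any CRITICAL line is the exact condition the post warns about.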
p-p-s
New here
Posts: 8
Joined: Sun Sep 03, 2017 4:57 pm

Re: Disabling the Web server?

Post by p-p-s »

Thanks @dosborne and @OneCD. Now it is clear. I probably started the user workload Web server (the Apache HTTP server) once for some testing and forgot (or my sons did). I turned it off.

@QNAP: if you are reading this, it would be worth putting a small hint at Control Panel > Applications > Web Server close to the "Enable Web Server" checkbox saying that by unchecking the checkbox here, the system Web server for administration, File Station, Linux Station and the other QNAP apps will not be affected. There is already an info "i" at that spot. When clicked, it displays "You can refer to the following instructions to check the version and information..." Put the comment that admin UI and QNAP apps will not be affected by closing this user workload Web server in front of it.

Topic closed.

@Jaysona, thanks for the detailed remarks on the two httpd and the stunnel.sh. Indeed raising questions. Being tiny, i.e. functions greatly limited to the needed ones, being completely separate from the user workload Web server and not being a mainstream product, are three aspects which are good for security, and the throttling is good for limiting the resource footprint. But if thttpd is not done well in itself and not patched fast enough when vulnerabilities become known... Anyway, you are probably right that the admin UI should never be exposed directly to the Internet. If the Apache httpd needs to be accessible from the Internet, working with dedicated low-privilege users is key, as well as working with the virtual switches to completely separate the access from the Internet on an IP of its own - and in addition a perimeter firewall.
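As an added illustration of the separation described in the post above (this ruleset is not from the thread and not QNAP's; it is one way to do it on a Linux perimeter firewall running nftables), the following assumes the NAS admin UI lives on 192.168.10.20 in the LAN segment, the Apache user web server is bound to a second virtual-switch address 192.168.20.30 in its own segment, and the firewall's interfaces are named `lan0` and `wan0`. All addresses, interface names and segment sizes are placeholders.

```nft
# Added example: perimeter policy that lets the Internet reach only the Apache
# web server on its own address, and lets only LAN clients reach the QTS admin UI.
table inet perimeter {
    set lan_clients {
        type ipv4_addr
        flags interval
        elements = { 192.168.10.0/24 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Publish only the user web server, only on port 80 (assumed address).
        iifname "wan0" tcp dport 80 dnat ip to 192.168.20.30
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # QTS admin UI (thttpd on 8080, stunnel on 443): LAN clients only.
        iifname "lan0" ip saddr @lan_clients ip daddr 192.168.10.20 tcp dport { 8080, 443 } accept

        # Apache user web server: WAN may open connections to its own address on 80, nothing else.
        iifname "wan0" ip daddr 192.168.20.30 tcp dport 80 ct state new accept

        # The web-server segment must never initiate traffic to the admin address.
        ip saddr 192.168.20.0/24 ip daddr 192.168.10.20 counter drop

        # Log anything else arriving from the Internet before the policy drops it.
        iifname "wan0" counter log prefix "perimeter-drop "
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the point of the layout is that no rule ever forwards WAN traffic to ports 8080 or 443 on the admin address, regardless of what the NAS itself has bound.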
dosborne
Experience counts
Posts: 1811
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: Disabling the Web server?

Post by dosborne »

As far as I am aware, QNAP never references the admin console / GUI as having anything to do with the Web Server (Apache) and as it runs completely separate, I'd actually think it would make it more confusing for less knowledgeable people to be warned about something that doesn't really apply :) As the web server is disabled by default, most people would actually be using the GUI to enable it :) and the list of affected functions would be huge. I've seen a combined system like that in 30 years, and for good reason, it would be impossible to manage.

A huge warning notice would be in order if both functions (admin and user web services) were tied to the same process, as any configuration change to one system would affect both. Restarts, maintenance etc., but they aren't, so no issue.

Not trying to cut down your ideas (and no, this is not a QNAP reporting forum, just a community of users), but personally, don't think it necessary these days.
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Disabling the Web server?

Post by jaysona »

p-p-s wrote: Sun Aug 14, 2022 1:27 am ....
@QNAP: if you are reading this, it would be worth putting a small hint at Control Panel > Applications > Web Server close to the "Enable Web Server" checkbox saying that by unchecking the checkbox here, the system Web server for administration, File Station, Linux Station and the other QNAP apps will not be affected.
....
QNAP is not reading this, anyone that has any input and oversight of product design is not reading this.

This is what you need to do to contact QNAP:
viewtopic.php?f=24&t=161411