(SOLVED) TS-209 Apache Basic Password Authentication

[pakoistinen]

Here's a howto for setting up TS-209 apache to require password authentication from Internet but not from Intranet. I find this very useful because I have many web apps on the machine that I don't want to offer openly to the Internet without authenticating the users. From intranet I like some openness so I allow the traffic to the box from there. Please notice that .htaccess files should be used to control access only in exceptional cases when more reliable apache authentication can't be used.

Okay, let's get started!

Requirements:
-NAT enabled on the edge of the network, the example internal network is in the 192 range
-Port 80 forwarded to the NAS box
-SSH connection to the NAS box

First, create the user password file:
/usr/local/apache/bin/htpasswd -c /etc/config/password.txt bob
(enter the password for the user)

If you like to add another user, leave out the -c option because it -creates a new password file overwriting the existing one! Like so:
/usr/local/apache/bin/htpasswd /etc/config/password.txt alice

Now edit the apache configuration:
# vi /etc/config/apache/apache.conf

Now, you see the /share/Qweb directory that you need to edit as follows:
<Directory "/share/Qweb">
Options FollowSymLinks MultiViews
AllowOverride All
AuthName "Protected"
AuthType Basic
AuthUserFile /etc/config/password.txt
Require valid-user
Order deny,allow
Allow from 192.168.
Satisfy any
</Directory>

Then restart the apache and you are done:
/etc/init.d/Qthttpd.sh restart

NOTE1: There is no visible authentication from the intranet (192.268.x.x) so comment out the following line in the example above if you need to be sure that the basic auth is working.
Allow from 192.168.

NOTE2: You need to close your web browser when testing basic authentication! This means you must close the browser *every* time you test the configuration after restarting the apache. Browsers don't time out the sessions after authentication. This sometimes messes up things for even the experienced people since it's so easy to forget in practice

[louisli]

In TS-109 pro firmware 2.1.0
when I execute htpasswd command, it shows "command not found" error.

Any clues?

[pakoistinen]

Yep, I have a clue: I should've remembered to add that the htpasswd binary is not in the path so you need to use it directly. It's here with other apache binaries:

/usr/local/apache/bin/htpasswd

By the way, this should be sufficient for the access.conf (or you could put it also in apache.conf if you like). I have this in my apache.conf:

<Directory "/share/Qweb">
Options FollowSymLinks MultiViews
AllowOverride All
AuthName "Protected"
AuthType Basic
AuthUserFile /etc/config/password.txt
require valid-user
</Directory>

[8ball]

Hi,

I could use some help with this one. I modified the /etc/config/apache/apache.conf as instructed in the first post.

<Directory "/share/Qweb">
Options FollowSymLinks MultiViews
AllowOverride All
AuthName "Protected"
AuthType Basic
AuthUserFile /etc/config/password.txt
Require valid-user
Order deny,allow
Allow from 192.168.
Satisfy any
</Directory>

But it did not ask for a password when i open the website internally or from the internet. It always asks for a passwork when i leave the last three lines out.

What am i missing? It would be really nice if i didnt ask for a password when i access the site internally only when accessed from the internet. Is there something else i can try or do i just hafty accept that it will always ask for a password?

[Willo]

I'm not a guru but I think the "Satisfy Any" line in the code...

[Moogle Stiltzkin]

Hi.

This is exactly what i needed for my Qnap setup ! Would this work on the Qnap 509 Pro ?

How does this affect the other root folders outside of Qweb located in the root of the QNAP Nas ? Will they just follow the Nas own privilege settings set in administrator webinterface ?



I was also confused by what you had mean't by the following.

Code: Select all

/usr/local/apache/bin/htpasswd -c /etc/config/password.txt bob

Where do you type this ? And what should it look like inside the password.txt file ? I have very basic computer skills and i don't have any prior experience with setting up .htaccess files



Anyway this is the thread i setup with what folder directories i have and how i wanted access to be configured for them.

http://forum.qnap.com/viewtopic.php?f=3 ... 93&start=0

[jaeger2000]

Hello,
I got it working by placing the following in a .htaccess file in the directory I wanted to password.

AuthName "Please Log In"
AuthType Basic
require valid-user''

kind regards,

Ian Gregory, Sydney.

[Don]

Great info. I assume that this can be done on a per website basis? In other words if I have multiple virtual hosts I can protect some but not others?

Thanks

[pakoistinen]

Great info. I assume that this can be done on a per website basis? In other words if I have multiple virtual hosts I can protect some but not others?
Thanks

Yes, definitely this is possible. Each virtualhost requires their respective definitions. You simply need to put the basic auth things inside the virtualhost tags in the configuration of each virtual host. In fact, you can have each virtual host using completely different authentication setups. One could be completely open, the other using basic auth and a third using digest auth and SSL. I used to have that kind of a setup on my previous linux server with apache 1.3xxx. So, for each virtualhost you would have a <virtualhost> container looking something like this (in /etc/config/apache/apache.conf):

<VirtualHost *>
ServerAdmin webmaster@example.com
ServerName http://www.example.com
ServerAlias example.com
DirectoryIndex index.html index.php index.htm
DocumentRoot /var/www/www.example.com/
Options FollowSymLinks MultiViews
AllowOverride All
AuthName "Protected"
AuthType Basic
AuthUserFile /etc/config/password.txt
Require valid-user
Order deny,allow
</VirtualHost>

.. and then repeat that for each virtualhost and documentroot that you want to have. Just change a different password.txt file for each site if they don't have the same users on them. I haven't got a testing box but I'm quite sure that configuring SSL/TLS isn't too difficult either. (note: apache basic auth transfers the passwords in clear text over public networks. It isn't too secure.) Disclaimer: I didn't test the above configuration before writing this reply so please make backups of your config files prior to doing anything too drastic. Basically this *should* work out of the box but I'm known to make mistakes often.

Here is a decent overall guide for apache2 virtualhost configuration:
http://httpd.apache.org/docs/1.3/mod/co ... irtualhost