[HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post your questions about Web Server usage and Apache + PHP + MySQL/SQLite web applications.
stefaanbolle
Getting the hang of things
Posts: 63
Joined: Thu May 03, 2018 7:56 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by stefaanbolle » Fri Jun 01, 2018 3:48 pm

Maybe my config can help others. This is how I actually have done it and all works well:

Code: Select all

LoadModule  proxy_module         modules/mod_proxy.so
LoadModule  proxy_http_module    modules/mod_proxy_http.so
LoadModule  proxy_ftp_module     modules/mod_proxy_ftp.so
LoadModule  proxy_connect_module modules/mod_proxy_connect.so

<VirtualHost *:443 *:8081>
        ServerName my.domain.com

      ProxyRequests Off
      ProxyVia Off
      ProxyPreserveHost On

      <Proxy *>
            Order deny,allow
            Allow from all
            Authtype Basic
            Authname "Password Required"
            AuthUserFile /some/path/.htpasswd
            Require valid-user
      </Proxy>

        ProxyPass / http://my.domain.com:PORT/
        ProxyPassReverse / http://my.domain.com:PORT/

   SSLEngine On
   SSLProxyEngine On
   ProxyRequests Off
   SSLCertificateKeyFile /some/path/key.key
        SSLCertificateFile /some/path/cert.crt

        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

   RequestHeader set X-Forwarded-Proto "https"
   RequestHeader set X-Forwarded-Port "8081"

</VirtualHost>


<VirtualHost *:80>
       ServerName my.domain.com
       Redirect / https://my.domain.com/
</VirtualHost>

User avatar
GTunney
Been there, done that
Posts: 599
Joined: Tue Oct 14, 2014 4:16 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by GTunney » Fri Jul 20, 2018 8:49 pm

How could I use this in conjunction with something like couchpotato.

For example I'd like to access couchpotato via https://home.mydomain.com/couchpotato

Couch is currently running on port 5000. I have my own domain and also have my own SSL cert.
Model: TS-653B 8GB
FW: 4.4.1.1031 Build: 20190816
Disks: 3 x 4TB Western Digital WD40EFRX - RAID 5
Total Storage: 7.2TB
Applications: Plex MS | QCouchPotato | QSabnzbd+ | QSickrage | QHeadphones | HTPC Manager | Kodi v18.4 MySQL
Other Devices: Netgear D7000 AC1900 VDSL Router | FTTC - 80/20 | Netgear GS108 Gigabit Switch

User avatar
oyvindo
Experience counts
Posts: 1060
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo » Sat Jul 21, 2018 3:45 am

GTunney wrote:How could I use this in conjunction with something like couchpotato.
For example I'd like to access couchpotato via https://home.mydomain.com/couchpotato
Couch is currently running on port 5000. I have my own domain and also have my own SSL cert.

You can use this technique with any server software that has a web interface. Just follow the cookbook. If you run into problems, post a thorough and detailed description here, and people will assist you.
NAS:
QNAP TS-453Be 16Gb
4x3TB RAID5
QTS 4.3.6 (after surrendering 4.4.1)
Docker installations of:
Logitech Media Server, Pi-Hole, Home-Assistant, Mosquitto

QNAP TS-251B 4Gb
2x3TB WD Red Raid 1
QTS 4.4.1 (still runnning stable)
Docker installation of:
Madsonic 7.0 and Bastillion 3.09

QNAP HS-251 2G
2x2TB RAID0
QTS 4.3.6
Kodi, Rainloop, Guacamole, L2TP
Docker installation of: deCONZ

QNAP TS-119
Single Disk 1Tb
QTS 4.3.3
Used mainly as Reverse Proxy

carl1234
New here
Posts: 2
Joined: Fri Nov 18, 2016 11:07 am

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by carl1234 » Tue Oct 30, 2018 1:21 pm

This is a great write up! Only one thing keeping me from implementing.
How can we make the changes to apache.conf, ie "/share/Web/custom.conf", survive a NAS reboot?
I don't want to have to go in and add this manually every time I reboot.

User avatar
oyvindo
Experience counts
Posts: 1060
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo » Thu Nov 01, 2018 2:25 am

I have found that the change I made to apache.conf making it point to custom.conf, actually does survive a NAS reboot.
I'm not sure when this behavior changed. Perhaps in a recent QTS update, or perhaps my assumptions were wrong all along.
Just try this, and see for yourself what happens. Don't assume trouble before it actually hits you. :-)
NAS:
QNAP TS-453Be 16Gb
4x3TB RAID5
QTS 4.3.6 (after surrendering 4.4.1)
Docker installations of:
Logitech Media Server, Pi-Hole, Home-Assistant, Mosquitto

QNAP TS-251B 4Gb
2x3TB WD Red Raid 1
QTS 4.4.1 (still runnning stable)
Docker installation of:
Madsonic 7.0 and Bastillion 3.09

QNAP HS-251 2G
2x2TB RAID0
QTS 4.3.6
Kodi, Rainloop, Guacamole, L2TP
Docker installation of: deCONZ

QNAP TS-119
Single Disk 1Tb
QTS 4.3.3
Used mainly as Reverse Proxy

phillipmcmahon
New here
Posts: 3
Joined: Sun Nov 18, 2018 4:28 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by phillipmcmahon » Sun Nov 25, 2018 4:20 pm

Thanks for the great guide. Sadly for me, it's not working and I was hoping I'd get some help.

I basically want to achieve all access to my QNAP and running apps through app.domainname.com where app changes depending on the functionality I'm trying to access.

I've set a cert with all the SANs in there so that's good.

I found I had to open both 80 and 443 on my firewall and forward that to my internal QNAP. Is that expected as it isn't explicitly covered in the guide to open 443?

Starting simply I want to test access to the default admin pages and Plex running on port 32400 internally.

My conf is as follows;

Code: Select all



LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
ServerName homestorage.phillipmcmahon.com
Redirect / https://homestorage.phillipmcmahon.com
</VirtualHost>

<VirtualHost *:443 *:8081>
ServerName homestorage.phillipmcmahon.com
ProxyPass / http://192.168.1.28:8080/
ProxyPassReverse / http://192.168.1.28:8080/
SSLEngine on
SSLCertificateKeyFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/key
SSLCertificateFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert
</VirtualHost>

<VirtualHost *:80>
ServerName plex.phillipmcmahon.com
Redirect / https://plex.phillipmcmahon.com
</VirtualHost>

<VirtualHost *:443 *:32400>
ServerName plex.phillipmcmahon.com
ProxyPass / http://192.168.1.28:32400/
ProxyPassReverse / http://192.168.1.28:32400/
SSLEngine on
SSLCertificateKeyFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/key
SSLCertificateFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert
</VirtualHost>
My web server settings on the QNAP are as follows
HTTP : 80
HTTPS : 8081
SSL enabled, forced SSL not enabled

My QNAP web admin pages are set up as follows
HTTP : 8080
HTTPS: 443
SSL enabled, forced SSL not enabled

I figured a correct RP setup would mean I don't need to force SSL.

However, accessing the plex.phillipmcmahon.com URL just kicks me to the QNAP admin pages. Any help on getting this sorted would be greatly appreciated.

Thanks in advance,

Phill

User avatar
oyvindo
Experience counts
Posts: 1060
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo » Sun Nov 25, 2018 5:32 pm

phillipmcmahon wrote:
Sun Nov 25, 2018 4:20 pm
I found I had to open both 80 and 443 on my firewall and forward that to my internal QNAP. Is that expected as it isn't explicitly covered in the guide to open 443?
You are right, I forgot to mention that also port 433 has to be forwarded. Thanks for pointing that out. I have edited the guide accordingly now.

As to your problem, it seems you want to access your NAS main Web i/f directly through port 80 from the internet (?) and at the same time access any/all other apps also through port 80 (with or without redirection to 443) ?
If that is correctly understood by me, than I must ask ; Why do you want to expose your main NAS i/f to the internet? That's not a good strategy. You should not do that. Use instead the myQNAPcloud service provided by QNAP. It's free, it's safe and very reliable. Alternatively you could use a VPN, but then none of this RP stuff is needed at all. A VPN gives you all the security you need, but is of course less visitor friendly.

In order to develop a working RP setup, start with port 80, and only when everything works perfectly, then you add rerouting to port 443. And remove this section completely:

Code: Select all

<VirtualHost *:80>
ServerName homestorage.phillipmcmahon.com
Redirect / https://homestorage.phillipmcmahon.com
</VirtualHost>
The above is what causes your problems.

Rgds
Viking
NAS:
QNAP TS-453Be 16Gb
4x3TB RAID5
QTS 4.3.6 (after surrendering 4.4.1)
Docker installations of:
Logitech Media Server, Pi-Hole, Home-Assistant, Mosquitto

QNAP TS-251B 4Gb
2x3TB WD Red Raid 1
QTS 4.4.1 (still runnning stable)
Docker installation of:
Madsonic 7.0 and Bastillion 3.09

QNAP HS-251 2G
2x2TB RAID0
QTS 4.3.6
Kodi, Rainloop, Guacamole, L2TP
Docker installation of: deCONZ

QNAP TS-119
Single Disk 1Tb
QTS 4.3.3
Used mainly as Reverse Proxy

phillipmcmahon
New here
Posts: 3
Joined: Sun Nov 18, 2018 4:28 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by phillipmcmahon » Sun Nov 25, 2018 7:08 pm

Fair point with regards to not exposing the QNAP admin UI to the Intranet, I have the following simplified example and it is still pushing me to the QNAP web admin GUI. Apologies if I am missing the blindingly obvious... :/

Code: Select all


<VirtualHost *:80>
ServerName torrents.phillipmcmahon.com
Redirect / https://torrents.phillipmcmahon.com
</VirtualHost>

<VirtualHost *:443 *:6564>
ServerName torrents.phillipmcmahon.com
ProxyPass / http://192.168.1.28:6564/
ProxyPassReverse / http://192.168.1.28:6564/
SSLEngine on
SSLCertificateKeyFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/key
SSLCertificateFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert
</VirtualHost>

User avatar
oyvindo
Experience counts
Posts: 1060
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo » Mon Nov 26, 2018 4:44 am

He he, as always, Philippe is of course right (but his explanations aren't always easy to follow) :lol:
Let me follow up by a few questions:

1. Assuming that the name "torrents.phillipmcmahon.com" is fake (for security purpose - I tried it, and it doesn't work), obviously you have a 'real' name that you are sure is actually being converted to the correct IP (redirected by your domain) ?

2. You're using port 6564 - which in itself is ok, as long as you are sure that port isn't being used by any other service. The fact that your are forwarding traffic to the same port indicates that you have a port collision. Your should not use the app port as your RP port. That will not work. Try to use 8081 instead, or at least a port # which is different from your app port.

Philippe's point is that if you want to access your QTS web i/f from the internet, there are a few things you need to worry about.
As a general advice, never try to achieve more then one step at a time. Only when your simples step is successful, then move on to the next step.

Rgds
Viking
NAS:
QNAP TS-453Be 16Gb
4x3TB RAID5
QTS 4.3.6 (after surrendering 4.4.1)
Docker installations of:
Logitech Media Server, Pi-Hole, Home-Assistant, Mosquitto

QNAP TS-251B 4Gb
2x3TB WD Red Raid 1
QTS 4.4.1 (still runnning stable)
Docker installation of:
Madsonic 7.0 and Bastillion 3.09

QNAP HS-251 2G
2x2TB RAID0
QTS 4.3.6
Kodi, Rainloop, Guacamole, L2TP
Docker installation of: deCONZ

QNAP TS-119
Single Disk 1Tb
QTS 4.3.3
Used mainly as Reverse Proxy

User avatar
oyvindo
Experience counts
Posts: 1060
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo » Tue Nov 27, 2018 2:30 am

father_mande wrote:
Mon Nov 26, 2018 4:13 pm
So I will suppress my previous post (to don't mix with your approach)
Apologize ...
Philippe.
Hi Philippe,
No need to apologize. Your comments are always welcome, so please stay with us.

Have a nice day. :)

Rgds
Oyvind
NAS:
QNAP TS-453Be 16Gb
4x3TB RAID5
QTS 4.3.6 (after surrendering 4.4.1)
Docker installations of:
Logitech Media Server, Pi-Hole, Home-Assistant, Mosquitto

QNAP TS-251B 4Gb
2x3TB WD Red Raid 1
QTS 4.4.1 (still runnning stable)
Docker installation of:
Madsonic 7.0 and Bastillion 3.09

QNAP HS-251 2G
2x2TB RAID0
QTS 4.3.6
Kodi, Rainloop, Guacamole, L2TP
Docker installation of: deCONZ

QNAP TS-119
Single Disk 1Tb
QTS 4.3.3
Used mainly as Reverse Proxy

nasnoob
Getting the hang of things
Posts: 52
Joined: Sun Jun 21, 2009 4:31 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by nasnoob » Sat Dec 29, 2018 8:11 am

Many thanks for this guide, I followed your steps and used a mash up of other guise to get the reverse proxy working with location switches (e.g. /sonarr, /couchpotato etc) instead of subdomains and it works well

I have also allowed access to my QTS login page which I can login to and use fine remotely.

However I have had a couple hickups with some QTS screens and settings not working or changing properly when I try remotely. It works fine over LAN just not 100% remotely over the reverse proxy. For example I cannot get BroswerStation or any app that utilises VNC to work through the QTS portal, i dont fully understand how this traffic is routed, so any ideas on how I can get this to work properly?

Below is my config file:

For anyone looking to use the same config, replace the remoteip, lanip:port and port1,2,3, accordingly



LoadModule proxy_module modules/mod_proxy.so

LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:443>

ServerName remoteip

ProxyPass / http://lanip:port/

ProxyPassReverse / http://lanip:port/

SSLEngine On

ProxyPreserveHost On

ProxyRequests Off

ProxyVia Off

SSLCertificateKeyFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/key

SSLCertificateFile /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

<Location /sonarr>

Order deny,allow

ProxyPass http://127.0.0.1:port1/sonarr

ProxyPassReverse http://127.0.0.1:port1/sonarr

</Location>

<Location /couchpotato>

Order deny,allow

ProxyPass http://127.0.0.1:port2/couchpotato

ProxyPassReverse http://127.0.0.1:port2/couchpotato

</Location>

<Location /transmission>

Order deny,allow

ProxyPass http://127.0.0.1:port3/transmission

ProxyPassReverse http://127.0.0.1:port3/transmission

</Location>

</VirtualHost>

<VirtualHost *:80>

ServerName remoteip

Redirect / https://remoteip/

</VirtualHost>

MasterFuba
New here
Posts: 3
Joined: Fri Aug 11, 2017 3:14 pm

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by MasterFuba » Mon Mar 11, 2019 3:20 pm

Hi all,

On my Qnap i can't edit the apache.conf!?
chmod u+w apache.conf didn't change anything and my linux and ssh knowledge is very limited.
Was this different in past or do i something wrong? I use putty for my ssh connection.
Is winscp more powerful?
I fear it is qnap blocking me doing any change in apache.conf.
What alternatives we have to get a reverse proxy running without editing apache.conf?

Kr Daniel

Gesendet von meinem ONEPLUS A3003 mit Tapatalk


User avatar
Toxic17
Ask me anything
Posts: 5299
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by Toxic17 » Mon Mar 11, 2019 8:23 pm

MasterFuba wrote:
Mon Mar 11, 2019 3:20 pm
What alternatives we have to get a reverse proxy running without editing apache.conf?

Kr Daniel

Gesendet von meinem ONEPLUS A3003 mit Tapatalk
https://www.qnapclub.eu/fr/qpkg/642
Regards Simon

QTS 4.x User Guidex

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.4.2.1262 • TVS-463-16GB 4.4.2.1262 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.1161 • APC Back-UPS ES 700G •
QPKG's: Plex 1.18.9 • Apache73 v2441.7316 • QSonarr 3.0.3.750 • QNBZGet 21.0 • phpMyAdmin 4.9.5 • Qmono 5.20.1.19 • McAfee 3.0.2 -6010 • HBS 3.0.200212 • LEgo v3.3.0
Network: VM Hub 3.0 <500/35> • UniFi USG Pro 4 • UniFi USW-16-150W • UniFi USW-8-60W • UniFi CloudKey Gen2+• UniFi G3-Flex • UAP AC Pro • UAP AC Lite • SLM2008 • Dell 7050 MFF •

Fiser
First post
Posts: 1
Joined: Tue Apr 16, 2019 1:29 am

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by Fiser » Tue Apr 16, 2019 1:32 am

Hi

I use this system for put my public domain with the nas, my withlab and other things. I use this structure.
nas.mydomain.com
gitlab.mydomain.com
portainer.mydomain.com

In nas.mydomain.com i have a reverse proxy to the port 8443 of my NAS that expone the webadmin of the qnap, but I cannot edit my VM because websockets dont work.

This is my virtualhost, can any help me?
<VirtualHost *:443>
ServerName xxx.com

SSLEngine on
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/xxx.key
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/xxx.cert

ErrorLog /var/log/fisernas-error.log
CustomLog /var/log/fisernas-access.log combined

ProxyPass / https://192.168.1.10:8443/
ProxyPassReverse / https://192.168.1.10:8443/
ProxyPass "/qvs/" wss://192.168.1.14:8443/qvs/
</VirtualHost>

User avatar
oyvindo
Experience counts
Posts: 1060
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo » Sat Apr 27, 2019 1:18 pm

Of course, accessing your NAS from the the internet using VPN is the other method - and the preferred one when it comes to security, many would say - and I agree. It's only less flexible since it requires you to have the VPN client installed on all devices you plan to use. With reverse Proxy, you can use any internet connected device, as is. Even from an internet café in Indonesia! But is it safe enough for you? That's for you to decide.
I use 2FA to logon to all my server apps and a self signed SSL, and I find that to be enough.
NAS:
QNAP TS-453Be 16Gb
4x3TB RAID5
QTS 4.3.6 (after surrendering 4.4.1)
Docker installations of:
Logitech Media Server, Pi-Hole, Home-Assistant, Mosquitto

QNAP TS-251B 4Gb
2x3TB WD Red Raid 1
QTS 4.4.1 (still runnning stable)
Docker installation of:
Madsonic 7.0 and Bastillion 3.09

QNAP HS-251 2G
2x2TB RAID0
QTS 4.3.6
Kodi, Rainloop, Guacamole, L2TP
Docker installation of: deCONZ

QNAP TS-119
Single Disk 1Tb
QTS 4.3.3
Used mainly as Reverse Proxy

Post Reply

Return to “Web Server & Applications (Apache + PHP + MySQL / SQLite)”