[HOW-TO] Configure Reverse Proxy using the QNAP Apache with SSL support

Post by oyvindo » Sat Apr 27, 2019 1:18 pm

Of course, accessing your NAS from the internet using VPN is the other method - and the preferred one when it comes to security, many would say - and I agree. It's only less flexible since it requires you to have the VPN client installed on all devices you plan to use. With reverse Proxy, you can use any internet connected device, as is. Even from an internet café in Indonesia! But is it safe enough for you? That's for you to decide.
I use 2FA to logon to all my server apps and a self signed SSL, and I find that to be enough.
NAS:
QNAP TS-453Be 16Gb
4x3TB RAID5
QTS 4.3.6 (after surrendering 4.4.1)
Docker installations of:
Logitech Media Server, Pi-Hole, Home-Assistant, Mosquitto

QNAP TS-251B 4Gb
2x3TB WD Red Raid 1
QTS 4.4.1 (still running stable)
Docker installation of:
Madsonic 7.0 and Bastillion 3.09

QNAP HS-251 2G
2x2TB RAID0
QTS 4.3.6
Kodi, Rainloop, Guacamole, L2TP
Docker installation of: deCONZ

QNAP TS-119
Single Disk 1Tb
QTS 4.3.3
Used mainly as Reverse Proxy

Post by mikeculnane » Fri Jun 14, 2019 7:23 am

Thanks for this @yvindo - a really good post !

Followed this and then rechecked everything - but still not quite working as expected .

1. Created 3 x Dynamic DNS names that resolve to my external IP Address correctly
2. Setup regular update of the dns
3. Can access Dynamic dns and get to the entry door of my NAS - the login screen for the main console
4. have 2 x virtual servers on the NAS web with separate ports defined (Site A & Site B) and assigned these with virtual servers in apache (as described)
can access them when on internal LAN using the LAN IP address
5. the apache server config has the correct include for custom config and restarts ok
6. the redirect from port 80 works ok - if I go to the http dns - it loads up a https for the same dns

so - my issue is - 3 web Dynamic DNS entry locations should take me to 1) the login page, 2) the virtual web page A & 3) the virtual web page B

however - all 3 load up the login page with an url of https://dnsname/cgi-bin/

I think it is likely another setting or the apache index.php is doing something ?

Any ideas or pointers as to why the virtual pages aren't being presented ?

Post by oyvindo » Fri Jun 14, 2019 9:05 am

Hi @mikeculnan,
It seems to me (from what you write) that your purpose is to access the NAS QTS main web page from the internet side? Correct?
If that is the case, you should not use the Reverse Proxy method. Use instead a VPN or the "myQNAPCloud" service.
If you still wish to use the RP to access the QTS Web, you must modify the default index.php to avoid conflict with port 8080 redirection.
I'm not sure how to do that. I suspect that it will revert automatically upon every reboot of your NAS.

Post by mikeculnane » Fri Jun 14, 2019 12:58 pm

Thanks @oyvindo for the response

"If you still wish to use the RP to access the QTS Web, you must modify the default index.php to avoid conflict with port 8080 redirection."

I sort of am at that point now - thinking it's playing a role. Not sure if I can just remove that file completely on the parent web directory - assuming it shouldn't impact the QTS web when started locally ?

I don't really want to access QTS Web from externally - I do want to access maybe 3 or 4 development web sites using DDNS - all defined with ports and separate directories ... and setup using your RP instructions from a Dynamic dns

Have just now removed all the "defined" Port Forwarding from the NAS and also the Router and reinstated just 2 rules on the Router:

Port 80 & port 443 both forward to port 80 & 443 on the LAN IP of the NAS

On the NAS - I have just re-enabled uPNP forwarding and it looks like these 4 rules get auto applied (as well/instead ?):

ExternalIPAddress = xx.xx.xx.xx
0 TCP 8080->192.168.0.180:8080 '1e97001e730cf05d44e71dbcd2802c0b-Web Admin' ''
1 TCP 443->192.168.0.180:443 '1e97001e730cf05d44e71dbcd2802c0b-Secure Web Admin' ''
2 TCP 80->192.168.0.180:80 '1e97001e730cf05d44e71dbcd2802c0b-Web Server/Multi' ''
3 TCP 8081->192.168.0.180:8081 '1e97001e730cf05d44e71dbcd2802c0b-Secure Web Serve' ''

I have 5 x ddns names

The 3 with RP entries for https direct all get to the QSWeb interface login - but under https .. - so that redirect is working !
The 2 with no entries in RP - get to the QSWeb interface login via http ... as expected

What doesn't happen is the redirect to the subfolder / port

Am thinking I will remove the index.php file and see if that helps ..

The relative RP section is:

<VirtualHost *:80 *:8080>

# redirect http back to https
ServerName xxx.ddns.net
Redirect / https://xxx.ddns.net/

</VirtualHost>


<VirtualHost *:443 *:8081>

# A Coming Soon Home page
ServerName xxx.ddns.net

ProxyPass / http://192.168.0.180:10096/
ProxyPassReverse / http://192.168.0.180:10096/

SSLEngine on
SSLCertificateKeyFile /usr/certificates/xxx.ddns.net.key
SSLCertificateFile /usr/certificates/xxx.ddns.net.cert

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

</VirtualHost>



Mike
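
The UPnP listing in the post above can be checked mechanically against the two forwards the poster set on the router (80 and 443). This is an added example, not part of the original post; the sample text is constructed in the same format with a placeholder description prefix, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the UPnP listing quoted in the post;
# the description prefix is a placeholder.
SAMPLE = """\
ExternalIPAddress = xx.xx.xx.xx
0 TCP 8080->192.168.0.180:8080 'EXAMPLE-Web Admin' ''
1 TCP 443->192.168.0.180:443 'EXAMPLE-Secure Web Admin' ''
2 TCP 80->192.168.0.180:80 'EXAMPLE-Web Server/Multi' ''
3 TCP 8081->192.168.0.180:8081 'EXAMPLE-Secure Web Serve' ''
"""

# index, protocol, external port -> internal host:port, 'description'
MAPPING = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d+(?:\.\d+){3}):(\d+)\s+'([^']*)'"
)


def parse_mappings(text):
    """Return one dict per port-mapping line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = MAPPING.match(line)
        if m:
            proto, ext, host, internal, desc = m.groups()
            out.append({"proto": proto, "external": int(ext), "host": host,
                        "internal": int(internal), "description": desc})
    return out


def unexpected_mappings(text, intended):
    """Return mappings whose (protocol, external port) is not in `intended`."""
    return [m for m in parse_mappings(text)
            if (m["proto"], m["external"]) not in intended]


if __name__ == "__main__":
    # Only 80 and 443 are meant to be reachable from the internet.
    intended = {("TCP", 80), ("TCP", 443)}
    for m in unexpected_mappings(SAMPLE, intended):
        print(f"unexpected: {m['proto']} {m['external']} -> "
              f"{m['host']}:{m['internal']} ({m['description']})")
```

On the sample it reports the 8080 and 8081 mappings, which were opened by the NAS through UPnP rather than by a router rule.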

Post by lleir89 » Thu Aug 08, 2019 8:45 pm

Hi!

Did you get any solution about this issue?
Fiser wrote:
Tue Apr 16, 2019 1:32 am
Hi

I use this system for put my public domain with the nas, my withlab and other things. I use this structure.
nas.mydomain.com
gitlab.mydomain.com
portainer.mydomain.com

In nas.mydomain.com i have a reverse proxy to the port 8443 of my NAS that expone the webadmin of the qnap, but I cannot edit my VM because websockets dont work.

This is my virtualhost, can any help me?
<VirtualHost *:443>
ServerName xxx.com

SSLEngine on
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/xxx.key
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/xxx.cert

ErrorLog /var/log/fisernas-error.log
CustomLog /var/log/fisernas-access.log combined

ProxyPass / https://192.168.1.10:8443/
ProxyPassReverse / https://192.168.1.10:8443/
ProxyPass "/qvs/" wss://192.168.1.14:8443/qvs/
</VirtualHost>
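
Apache checks ProxyPass rules in configuration order and the first matching prefix wins, so a rule placed after `ProxyPass /` is never reached; the SSLProxy settings in the quoted virtual host also turn off certificate checks towards the backend. The added example below (not code from the thread) lints a virtual host for both conditions; the sample config is constructed, the host name and 192.0.2.x addresses are placeholders, and the function names are hypothetical.

```python
import shlex

# Constructed sample modelled on the quoted virtual host (placeholder names).
SAMPLE_VHOST = """\
<VirtualHost *:443>
ServerName nas.example.com
SSLEngine on
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://192.0.2.10:8443/
ProxyPassReverse / https://192.0.2.10:8443/
ProxyPass "/qvs/" wss://192.0.2.14:8443/qvs/
</VirtualHost>
"""

# Directive (lower-cased) -> value that disables a backend certificate check.
WEAK_TLS = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
            "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}


def directives(text):
    """Yield (name, args); section tags are yielded as ("<section>", [tag])."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):
            yield "<section>", [line]
            continue
        name, *args = shlex.split(line)   # handles quoted paths like "/qvs/"
        yield name, args


def shadowed_proxypass(text):
    """Return (later_path, earlier_path) pairs where the later rule is dead."""
    findings, seen = [], []
    for name, args in directives(text):
        if name == "<section>" and args[0].lower().startswith("<virtualhost"):
            seen = []                      # rules are scoped per virtual host
        elif name.lower() == "proxypass" and len(args) >= 2:
            path = args[0]
            for earlier in seen:
                if path.startswith(earlier):   # earlier prefix matches first
                    findings.append((path, earlier))
                    break
            seen.append(path)
    return findings


def weak_backend_tls(text):
    """Return the directives that switch off backend certificate checks."""
    return [name for name, args in directives(text)
            if args and WEAK_TLS.get(name.lower()) == args[0].lower()]


if __name__ == "__main__":
    print("shadowed:", shadowed_proxypass(SAMPLE_VHOST))
    print("weak TLS:", weak_backend_tls(SAMPLE_VHOST))
```

Listing the longer path first removes the shadowing finding; proxying `wss://` targets also requires mod_proxy_wstunnel to be loaded.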

Post by oyvindo » Fri Aug 09, 2019 1:45 pm

If you enable uPNP on your router, you effectively hand over control to your various network devices, among them your QNAP NAS.
That is not advisable.
Try to start simple - to see if you can get a single remote communication to an internal web service as explained in the guide. Once you are successful, you can go from there, adding one step at a time until you either succeed completely, or reach your first blocking point (error).

Post by chrisloughnane » Mon Oct 21, 2019 4:12 am

Thank you very much for your great post!

I now have multiple nodejs apps, PHP apps and basic HTML pages all loading from their own domains/sub domains. I setup a docker image to serve the pages and using softlinks the source comes from an easily accessible NAS shared folder. I wrote all that to get across that I have a good handle on the process and I have done similar for AWS loadbalancers etc.

BUT

I cannot get port 80 to redirect to port 443 for any of the sites.

Example: http://test.chrisloughnane.com/ will not load but https://test.chrisloughnane.com/ will. Things get weird though. If I paste the http address, hit enter then immediately click on the address bar again and hit enter the page will redirect!

Here is an example of one of my entries: (nodejs)

Code: Select all

<VirtualHost *:443 *:8081>
	ServerName test.chrisloughnane.com
	ProxyPass / http://192.168.253.53:3335/
	ProxyPassReverse / http://192.168.253.53:3335/
	SSLEngine on
	SSLCertificateKeyFile /share/Web/certificates/__.chrisloughnane.com.key	
	SSLCertificateFile /share/Web/certificates/__.chrisloughnane.com.cert
	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
<VirtualHost *:80>
	ServerName test.chrisloughnane.com
	Redirect / https://test.chrisloughnane.com:443/
</VirtualHost>

I've spent my whole Sunday at this and cannot see/find what's wrong. Does anyone have any suggestions?

Post by oyvindo » Mon Oct 21, 2019 4:50 am

Perhaps an annoying question, but are you sure that Port 80 is open in your router, and forwarded correctly?
Secondly, are you sure that your ISP hasn't blocked port 80 traffic? (Many of them do!)

Post by chrisloughnane » Mon Oct 21, 2019 5:54 am

At this stage if you asked did I close the bathroom window I'd check LOL

Here I can see the standard :80 is serving from the QNAP's Web folder http://192.168.253.53/..... I just wrote that and double checked my router... it wasn't forwarding :80 to my NAS at all. I have a techie flatmate and he had changed to his setup without telling me.

All is working now and the world makes sense again. Thanks for the reply, you fixed it :)

Post by simonwilkins » Fri Jan 31, 2020 6:27 am

I am trying to use reverse proxy for owncloud. I seem to be able to get it working however it doesn't display the page properly when loading it on port 443. See my code below along with screenshot when attempting to load it via SSL.

Thanks in Advance

Code: Select all

LoadModule  proxy_module         modules/mod_proxy.so
LoadModule  proxy_http_module    modules/mod_proxy_http.so
LoadModule  proxy_ftp_module     modules/mod_proxy_ftp.so
LoadModule  proxy_connect_module modules/mod_proxy_connect.so

<VirtualHost *:80 *:443>
        ServerName myusername.myqnapcloud.com
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyVia Off
        <Location /owncloud>
                #Order deny,allow
                ProxyPass http://NAS_IP:Port#/index.php/login
                ProxyPassReverse http://NAS_IP:Port#/index.php/login
        </Location>
        <Proxy *>
                #Order deny,allow
                Require all granted
        </Proxy>

        SSLEngine on
        SSLCertificateKeyFile /share/CACHEDEV1_DATA/Web/192.168.1.1.key
        SSLCertificateFile /share/CACHEDEV1_DATA/Web/192.168.1.1.cert
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

</VirtualHost>

[Screenshot: https://i.postimg.cc/0j5zwxFk/screensho ... pg]

Post by OneCD » Fri Jan 31, 2020 6:39 am

simonwilkins wrote:
Fri Jan 31, 2020 6:27 am
<r>I am trying use reverse proxy for owncloud. I seem be able to get it working however it doesn't display the page properly when loading it on port 443. See my code below along with screenshot when attempting to load it via SSL. <br/>
<br/>
Thanks in Advance <br/>

<CODE><s>

Code: Select all

</s>LoadModule  proxy_module         modules/mod_proxy.so

</VirtualHost><e>
</e></CODE>

<IMG src="https://i.postimg.cc/0j5zwxFk/screensho ... g]</s><URL url="https://i.postimg.cc/0j5zwxFk/screensho ... pg</URL><e>[/img]</e></IMG></r>
What's with all the inline tags? Writing a new bot? ;)

Post by oyvindo » Fri Jan 31, 2020 2:38 pm

simonwilkins wrote:
Fri Jan 31, 2020 6:27 am
I am trying to use reverse proxy for owncloud. I seem to be able to get it working however it doesn't display the page properly when loading it on port 443. See my code below along with screenshot when attempting to load it via SSL.
Thanks in Advance
Are you forwarding myQNAPCloud traffic through your ReverseProxy?

Post by simonwilkins » Thu Feb 13, 2020 2:37 am

oyvindo wrote:
Fri Jan 31, 2020 2:38 pm
simonwilkins wrote:
Fri Jan 31, 2020 6:27 am
I am trying to use reverse proxy for owncloud. I seem to be able to get it working however it doesn't display the page properly when loading it on port 443. See my code below along with screenshot when attempting to load it via SSL.
Thanks in Advance
Are you forwarding myQNAPCloud traffic through your ReverseProxy?
Correct as owncloud doesn't provide SSL hence wanted to provide a ReverseProxy to secure it.

Post by oyvindo » Thu Feb 13, 2020 3:54 am

I'm not familiar with OwnCloud.
One of the main purposes of implementing access through a Reverse Proxy is to achieve a secure connection (SSL) through a single access point for any number of web based applications, especially for web apps which do not have native support for SSL.
My understanding of OwnCloud is that its main purpose is to provide a cloud ecosystem for external users (?) As such, I would be very surprised if OwnCloud doesn't offer extensive mechanisms in place to secure safe, encrypted access methods (?) You can of course choose to route incoming connection requests through your own reverse Proxy with SSL support, but you must have a domain registered (Dyn-DNS). MyQNAPCloud relies on QNAP certificates. These are default included with every QNAP NAS for free, using self signed CERT. You can buy valid certificates from QNAP, and you can replace them with your own CERTs. But my advice is not to use myQNAPCloud as your Dyn_DNS. Instead, set up your own domain name and follow the security advice recommended in the OwnCloud documentation.

Post by simonwilkins » Wed Feb 19, 2020 5:17 am

oyvindo wrote:
Thu Feb 13, 2020 3:54 am
I'm not familiar with OwnCloud.
One of the main purposes of implementing access through a Reverse Proxy is to achieve a secure connection (SSL) through a single access point for any number of web based applications, especially for web apps which do not have native support for SSL.
My understanding of OwnCloud is that its main purpose is to provide a cloud ecosystem for external users (?) As such, I would be very surprised if OwnCloud doesn't offer extensive mechanisms in place to secure safe, encrypted access methods (?) You can of course choose to route incoming connection requests through your own reverse Proxy with SSL support, but you must have a domain registered (Dyn-DNS). MyQNAPCloud relies on QNAP certificates. These are default included with every QNAP NAS for free, using self signed CERT. You can buy valid certificates from QNAP, and you can replace them with your own CERTs. But my advice is not to use myQNAPCloud as your Dyn_DNS. Instead, set up your own domain name and follow the security advice recommended in the OwnCloud documentation.
Even if I attempt to reverseproxy transmission via my local IP address, it still doesn't display transmission properly as seen on the image below

Thanks in advance.

Image
