HTTP Auth Protection on QNAP Application

lsbstp
New here
Posts: 2
Joined: Tue Jun 30, 2020 4:39 pm

HTTP Auth Protection on QNAP Application

Post by lsbstp »

I want to additionally protect the QNAP application (web interface) with the simple Apache HTTP Auth mechanism on a QNAP TS-256 PRO+, since I allow access from outside.

I tried that by simply adding an .htaccess file into the following folder:

1st try: /home/httpd
2nd try: /home/httpd/cgi-bin

The content of the .htaccess file is:

AuthType Basic
AuthName "LOGIN"
AuthBasicProvider file
AuthUserFile /share/homes/admin/apache/htpasswd.users
AuthGroupFile /share/homes/admin/apache/htpasswd.groups
Require valid-user

It does not work.

What is the correct and permanent way of doing this?

Thanks!
dolbyman
Guru
Posts: 35018
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: HTTP Auth Protection on QNAP Application

Post by dolbyman »

Any changes would be reset on system reboot.

Best is to not expose your NAS to the web and use a VPN to connect (server running on firewall or dedicated appliance).
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: HTTP Auth Protection on QNAP Application

Post by jaysona »

The QTS apps and admin pages are not served by the Apache web server; they are served by thttpd. thttpd uses the .htpasswd file; however, the compiled binary of thttpd that QNAP uses seems to ignore the .htpasswd file.

In any case, the QNAP admin web page and all QTS apps should not be exposed to the Internet. All of the QNAP-specific exploits rely on exploiting the poorly coded QTS and QTS apps. There are at least seven QTS 0-days that I am aware of, so just don't expose QTS to the Internet. Apache is fine, as long as it is properly configured and hardened.

If you really do require access to the QTS admin webpage from the Internet, use a VPN and access the LAN IP, and as dolbyman mentioned, use another device as the VPN endpoint and not the NAS.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
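
Added example (not part of any post in this thread): the point made above is that the admin pages and the Apache web root are answered by different daemons, so an .htaccess in the Apache tree does not protect them. The sketch below requests a URL without credentials and reports the status code, the Server header and whether a Basic challenge came back. The names `probe` and `demo`, the local stand-in server, and its paths and banners are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def probe(url, timeout=5):
    """Request url with no credentials; report who answered and whether Basic auth is enforced."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        resp.read()
        challenge = resp.getheader("WWW-Authenticate", "")
        # Protected only if the daemon refuses the request and asks for Basic credentials.
        enforced = resp.status == 401 and challenge.lower().startswith("basic")
        return {"status": resp.status,
                "server": resp.getheader("Server", "unknown"),
                "basic_auth_enforced": enforced}
    finally:
        conn.close()

class ConstructedNAS(BaseHTTPRequestHandler):
    """Constructed stand-in, not a real QNAP: /apache/ enforces Basic auth, /cgi-bin/ does not."""
    def version_string(self):  # constructed Server banners
        return "Apache" if self.path.startswith("/apache/") else "thttpd"
    def do_GET(self):
        if self.path.startswith("/apache/") and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="LOGIN"')
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    """Probe both constructed paths on a throwaway local server."""
    server = HTTPServer(("127.0.0.1", 0), ConstructedNAS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {p: probe(base + p) for p in ("/apache/", "/cgi-bin/")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

Against a real host, pass the exact URL a browser would use; an HTTPS endpoint with a self-signed certificate will fail verification under the default TLS context.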
lsbstp
New here
Posts: 2
Joined: Tue Jun 30, 2020 4:39 pm

Re: HTTP Auth Protection on QNAP Application

Post by lsbstp »

I want to use automatic updates of Let's Encrypt certificates via the QNAP-specific ACME script (qnap-letsencrypt); it uses the system default port to verify the domain. This is one of the main aspects of why I expose the NAS. Could I use nginx on the NAS as a proxy filter?
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: HTTP Auth Protection on QNAP Application

Post by jaysona »

Hmmm....I can't help you there.

I do not use Let's Encrypt, and I have not looked at the qnap acme script, so I have no idea what settings it needs to work.

I set up my own CA years ago. I briefly looked at Let's Encrypt, but found it to be a PIA compared to using my own CA and my own certs, and have not looked back.