HTTP Auth Protection on QNAP Application

Post your questions about Web Server usage and Apache + PHP + MySQL/SQLite web applications.
Post Reply
lsbstp
New here
Posts: 2
Joined: Tue Jun 30, 2020 4:39 pm

HTTP Auth Protection on QNAP Application

Post by lsbstp » Tue Jun 30, 2020 5:02 pm

I want to protect the qnap application (web-interface) additionally with the simple Apache HTTP Auth mechanism on a QNAP TS-256 PRO+ since i allow access from outside.

I tried that by simply adding an .htaccess file into the following folder:

1st try: /home/httpd
2nd try: /home/httpd/cgi-bin

The content of the .htaccess file is:

AuthType Basic
AuthName "LOGIN"
AuthBasicProvider file
AuthUserFile /share/homes/admin/apache/htpasswd.users
AuthGroupFile /share/homes/admin/apache/htpasswd.groups
Require valid-user

It does not work.

What is the correct and permanent way of doing this ?

Thanks!

dolbyman
Guru
Posts: 18990
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: HTTP Auth Protection on QNAP Application

Post by dolbyman » Tue Jun 30, 2020 9:20 pm

any changes would be reset on system reboot

best is to not expose your nas to the web and use a vpn to connect (server running on firewall or dedicated appliance)

User avatar
jaysona
Know my way around
Posts: 189
Joined: Tue Dec 02, 2008 11:26 am

Re: HTTP Auth Protection on QNAP Application

Post by jaysona » Tue Jun 30, 2020 10:37 pm

The QTS apps and admin pages are not served by the apache web server, they are served by thttpd. thhtpd uses the .htpasswd file, however the compiled binary of thttpd that QNAP uses seems to ignore the .htpasswd file.

In any case, the QNAP admin web page and all QTS apps should not be exposed to the Internet. All of the QNAP specific exploits rely on exploiting the poorly coded QTS and QTS apps. There are at least seven QTS 0-days that I am aware of, so just don't expose QTS to the Internet. Apache is fine - as long as it is properly configured and hardened.

If you really do require access to the QTS admin webpage from the Interment, use a VPN and access the LAN IP and as dolbyman mentioned, use another device as the VPN endpoint and not the NAS.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig)
H/W: TS-509 Pro x2 / TS-569 Pro / TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.18
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.3
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

lsbstp
New here
Posts: 2
Joined: Tue Jun 30, 2020 4:39 pm

Re: HTTP Auth Protection on QNAP Application

Post by lsbstp » Fri Jul 03, 2020 2:08 am

i want to use automatic updates of letsencrypt certificates via the qnap specific acme script (qnap-letsencrypt) - it uses the system default port to verify the domain. this is one main aspects, why i expose the nas. could i use nginx on the NAS as a proxy filter?

User avatar
jaysona
Know my way around
Posts: 189
Joined: Tue Dec 02, 2008 11:26 am

Re: HTTP Auth Protection on QNAP Application

Post by jaysona » Sun Jul 05, 2020 3:24 am

Hmmm....I can't help you there.

I do not use Let's Encrypt, and I have not looked at the qnap acme script, so I have no idea what settings it needs to work.

I setup my own CA years ago, I briefly looked at Let's Encrypt, but found it to be a PIA compared to using my own CA and my own certs and have not looked back,
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig)
H/W: TS-509 Pro x2 / TS-569 Pro / TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.18
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.3
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

Post Reply

Return to “Web Server & Applications (Apache + PHP + MySQL / SQLite)”