(SOLVED) TS-209 Apache Basic Password Authentication

Post your questions about Web Server usage and Apache + PHP + MySQL/SQLite web applications.
Post Reply
User avatar
pakoistinen
Know my way around
Posts: 149
Joined: Sat May 24, 2008 12:38 pm

(SOLVED) TS-209 Apache Basic Password Authentication

Post by pakoistinen » Tue May 27, 2008 1:18 am

Here's a howto for setting up TS-209 apache to require password authentication from Internet but not from Intranet. I find this very useful because I have many web apps on the machine that I don't want to offer openly to the Internet without authenticating the users. From intranet I like some openness so I allow the traffic to the box from there. Please notice that .htaccess files should be used to control access only in exceptional cases when more reliable apache authentication can't be used.

Okay, let's get started! :)

Requirements:
-NAT enabled on the edge of the network, the example internal network is in the 192 range
-Port 80 forwarded to the NAS box
-SSH connection to the NAS box

First, create the user password file:
/usr/local/apache/bin/htpasswd -c /etc/config/password.txt bob
(enter the password for the user)

If you like to add another user, leave out the -c option because it -creates a new password file overwriting the existing one! Like so:
/usr/local/apache/bin/htpasswd /etc/config/password.txt alice

Now edit the apache configuration:
# vi /etc/config/apache/apache.conf

Now, you see the /share/Qweb directory that you need to edit as follows:
<Directory "/share/Qweb">
Options FollowSymLinks MultiViews
AllowOverride All
AuthName "Protected"
AuthType Basic
AuthUserFile /etc/config/password.txt
Require valid-user
Order deny,allow
Allow from 192.168.
Satisfy any
</Directory>


Then restart the apache and you are done:
/etc/init.d/Qthttpd.sh restart

NOTE1: There is no visible authentication from the intranet (192.268.x.x) so comment out the following line in the example above if you need to be sure that the basic auth is working.
Allow from 192.168.

NOTE2: You need to close your web browser when testing basic authentication! This means you must close the browser *every* time you test the configuration after restarting the apache. Browsers don't time out the sessions after authentication. This sometimes messes up things for even the experienced people since it's so easy to forget in practice :)
Last edited by pakoistinen on Fri Jul 18, 2008 7:40 pm, edited 1 time in total.
TS-421 with QTS 4: 4 hdds: 2 x 1,5TB raid1 and 2 x 2TB raid1 arrays.
TS-209: 2 hdds: 2 x 750GB raid1 array.
Mail pasi at turvallisuus dot org

louisli
Starting out
Posts: 29
Joined: Sun Oct 14, 2007 1:02 pm
Location: Hong Kong

Re: (not yet SOLVED) TS-209 Apache Basic Password Authentication

Post by louisli » Thu Jul 17, 2008 12:51 am

In TS-109 pro firmware 2.1.0
when I execute htpasswd command, it shows "command not found" error.

Any clues?
TS-109 Pro 3.3.0 Build 0924T
TS-409 Pro
TS-212

User avatar
pakoistinen
Know my way around
Posts: 149
Joined: Sat May 24, 2008 12:38 pm

Re: (SOLVED) TS-209 Apache Basic Password Authentication

Post by pakoistinen » Fri Jul 18, 2008 7:37 pm

Yep, I have a clue: I should've remembered to add that the htpasswd binary is not in the path so you need to use it directly. It's here with other apache binaries:

/usr/local/apache/bin/htpasswd

By the way, this should be sufficient for the access.conf (or you could put it also in apache.conf if you like). I have this in my apache.conf:

<Directory "/share/Qweb">
Options FollowSymLinks MultiViews
AllowOverride All
AuthName "Protected"
AuthType Basic
AuthUserFile /etc/config/password.txt
require valid-user
</Directory>
TS-421 with QTS 4: 4 hdds: 2 x 1,5TB raid1 and 2 x 2TB raid1 arrays.
TS-209: 2 hdds: 2 x 750GB raid1 array.
Mail pasi at turvallisuus dot org

8ball
New here
Posts: 6
Joined: Tue Jan 08, 2008 5:08 am

Re: (SOLVED) TS-209 Apache Basic Password Authentication

Post by 8ball » Wed Apr 01, 2009 10:57 pm

Hi,

I could use some help with this one. I modified the /etc/config/apache/apache.conf as instructed in the first post.

<Directory "/share/Qweb">
Options FollowSymLinks MultiViews
AllowOverride All
AuthName "Protected"
AuthType Basic
AuthUserFile /etc/config/password.txt
Require valid-user
Order deny,allow
Allow from 192.168.
Satisfy any
</Directory>

But it did not ask for a password when i open the website internally or from the internet. It always asks for a passwork when i leave the last three lines out.

What am i missing? It would be really nice if i didnt ask for a password when i access the site internally only when accessed from the internet. Is there something else i can try or do i just hafty accept that it will always ask for a password?

Willo
Know my way around
Posts: 153
Joined: Sun Oct 19, 2008 8:51 am

Re: (SOLVED) TS-209 Apache Basic Password Authentication

Post by Willo » Thu Apr 02, 2009 6:31 am

I'm not a guru but I think the "Satisfy Any" line in the code...

User avatar
Moogle Stiltzkin
Ask me anything
Posts: 9723
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: (SOLVED) TS-209 Apache Basic Password Authentication

Post by Moogle Stiltzkin » Wed Jun 10, 2009 3:10 pm

Hi.

This is exactly what i needed for my Qnap setup ! Would this work on the Qnap 509 Pro ?

How does this affect the other root folders outside of Qweb located in the root of the QNAP Nas ? Will they just follow the Nas own privilege settings set in administrator webinterface ?



I was also confused by what you had mean't by the following.

Code: Select all

/usr/local/apache/bin/htpasswd -c /etc/config/password.txt bob


Where do you type this ? And what should it look like inside the password.txt file ? I have very basic computer skills and i don't have any prior experience with setting up .htaccess files :(



Anyway this is the thread i setup with what folder directories i have and how i wanted access to be configured for them.

viewtopic.php?f=32&t=15093&start=0
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D
[^] QNAP TS-228
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

jaeger2000
New here
Posts: 6
Joined: Sun Jan 18, 2009 7:04 am

Re: (SOLVED) TS-209 Apache Basic Password Authentication

Post by jaeger2000 » Fri Mar 12, 2010 12:13 pm

Hello,
I got it working by placing the following in a .htaccess file in the directory I wanted to password.

AuthName "Please Log In"
AuthType Basic
require valid-user''

kind regards,

Ian Gregory, Sydney.

User avatar
Don
Guru
Posts: 12087
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: (SOLVED) TS-209 Apache Basic Password Authentication

Post by Don » Sat Mar 13, 2010 2:02 am

Great info. I assume that this can be done on a per website basis? In other words if I have multiple virtual hosts I can protect some but not others?

Thanks
Read the Online Manuals and use the forum search feature before posting.

Use RAID with external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

Submit bugs and feature requests to QNAP via their Helpdesk app.

NAS: TVS-882BR | F/W: 4.5.2.1566 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-663 | F/W: 4.5.2.1594 | 16GB | 2 x M.2 NMVe QM2-2P RAID 1 (cache) | 4 x 4TB RAID 5
Apps: Boinc, DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +

User avatar
pakoistinen
Know my way around
Posts: 149
Joined: Sat May 24, 2008 12:38 pm

Re: (SOLVED) TS-209 Apache Basic Password Authentication

Post by pakoistinen » Tue Mar 16, 2010 2:15 am

Don wrote:Great info. I assume that this can be done on a per website basis? In other words if I have multiple virtual hosts I can protect some but not others?
Thanks

Yes, definitely this is possible. Each virtualhost requires their respective definitions. You simply need to put the basic auth things inside the virtualhost tags in the configuration of each virtual host. In fact, you can have each virtual host using completely different authentication setups. One could be completely open, the other using basic auth and a third using digest auth and SSL. I used to have that kind of a setup on my previous linux server with apache 1.3xxx. So, for each virtualhost you would have a <virtualhost> container looking something like this (in /etc/config/apache/apache.conf):

<VirtualHost *>
ServerAdmin webmaster@example.com
ServerName http://www.example.com
ServerAlias example.com
DirectoryIndex index.html index.php index.htm
DocumentRoot /var/www/www.example.com/
Options FollowSymLinks MultiViews
AllowOverride All
AuthName "Protected"
AuthType Basic
AuthUserFile /etc/config/password.txt
Require valid-user
Order deny,allow
</VirtualHost>


.. and then repeat that for each virtualhost and documentroot that you want to have. Just change a different password.txt file for each site if they don't have the same users on them. I haven't got a testing box but I'm quite sure that configuring SSL/TLS isn't too difficult either. (note: apache basic auth transfers the passwords in clear text over public networks. It isn't too secure.) Disclaimer: I didn't test the above configuration before writing this reply so please make backups of your config files prior to doing anything too drastic. Basically this *should* work out of the box but I'm known to make mistakes often. :wink:

Here is a decent overall guide for apache2 virtualhost configuration:
http://httpd.apache.org/docs/1.3/mod/core.html#virtualhost
TS-421 with QTS 4: 4 hdds: 2 x 1,5TB raid1 and 2 x 2TB raid1 arrays.
TS-209: 2 hdds: 2 x 750GB raid1 array.
Mail pasi at turvallisuus dot org

Post Reply

Return to “Web Server & Applications (Apache + PHP + MySQL / SQLite)”