Adding .htaccess File To QNAP’s /share/Web/ To Secure All Web Applications Within

Legal Disclaimer:  Follow the tip within this blog post at your own risk.  You have been warned, thus you know that you are going to do something dangerous here to your web server or QNAP server.  With this knowledge of yours, and by having read this warning or skipped this clear warning, you cannot hold me responsible for your stupidity or dangerous action against your very own QNAP server or web server, or against anyone’s web server whose administrative duties and procurements you’re responsible for.

Are you running a web server on a QNAP NAS?  NAS stands for Network Attached Storage server.  If you are, for whatever purpose, whether this web server is for production or for testing, you might want to know that an .htaccess file can help secure QNAP’s web applications such as WordPress, Drupal, and the rest.  Here’s how to create a proper .htaccess file that controls all web applications at once on your QNAP server.

  1. You need to change into the /share/Web directory by using this Linux command [cd /share/Web].  Of course, please do ignore the square brackets as these are only for clarifying the command line.
  2. Quickly do [ls -la] to figure out if you have an .htaccess file already.  If you do, please make a backup of this file in case you need the original file again for whatever purpose.  To make a backup of the .htaccess file that you already have in the QNAP’s /share/Web directory, use this command [cp -p -a /share/Web/.htaccess /share/Web/.htaccess-old].
  3. Once you have followed step #2 herein, you can remove the original .htaccess file (not the backup one you just made, OK?) by using this command [rm -rf /share/Web/.htaccess].  Be very careful with the [rm -rf] command line, because if you misspell a file or a directory you’re trying to remove, you will definitely lose such directory or file forever and won’t be able to recover it.
  4. Now let us create the .htaccess file again, but this time we’re creating it the way we like it.  Of course, .htaccess is a complex file, thus a regular Joe like us need not worry about making this file too complex.  Instead, let a regular Joe like us just create a simple .htaccess file that denies all IP addresses and only allows specific IP addresses.  This means, if you want to allow one or two specific IP addresses to access QNAP’s web applications, this .htaccess file should satisfy your command.  So here we go…
    1. Creating .htaccess file by using this command [touch /share/Web/.htaccess].
    2. Now, let’s edit the .htaccess file we just created by using this command [vim /share/Web/.htaccess].
    3. Let’s enter the lines below for our new .htaccess file shall we?  These lines must be in the order as follow…
      1. order deny,allow
      2. allow from 192.168.0.x (please use your very own IP address here)
      3. allow from 192.168.0.x (please use your very own IP address here)
      4. deny from all
    4. What we have done is add 2 IP addresses to the allow list in the .htaccess file so these 2 IP addresses will be able to interact with/access the web applications that reside in QNAP’s /share/Web directory.  You can add more IP addresses, or remove most IP addresses and allow only one, according to your desire by simply adding or removing [allow from…] lines.  Of course all [allow from…] lines must be written or typed out above the line which says [deny from all] and below the line which says [order deny,allow].  Now, we must save our newly edited .htaccess file by doing this while you’re still in the vim editor.
      1. Hit escape key on the keyboard to exit the editing mode.
      2. Type in [:wq] and hit enter key on the keyboard.  Of course, please do ignore the square brackets as these are only for clarifying the command line.
  5. The last step is to secure our new .htaccess file by doing two things.
    1. The first thing to secure is to make sure the owner and the group owner of the .htaccess file are indeed the right owner and group owner.  For me personally, I prefer to not use the admin user and administrators group for any web application files and directories, because I don’t want the evil doers to be able to use one of these files with high privilege access to escalate the privilege and execute malicious commands.  This is why on my QNAP server I would rather put most of my web applications’ files and directories in the name of user httpdusr and group owner everyone.  So let’s do this command to make this happen, OK?  Type in [chown httpdusr:everyone /share/Web/.htaccess].  Afterward, just do [ls -la /share/Web/.htaccess] to see if the .htaccess file indeed is using user httpdusr and group owner everyone.
    2. The second thing to secure is to make sure the .htaccess file has the right permission.  So we need to use this command [chmod 400 /share/Web/.htaccess].  What this command does is change the permission of the .htaccess file in the /share/Web directory to read only for the user (owner of the .htaccess file), with no other permission allowed for anyone else, hence the two zeros after the 4.  These two zeros stand for no permission for the group (whoever has the group authorization of whichever group) and no permission for everyone else (this is what the last 0 is for).  Finally, you can do [ls -la /share/Web/.htaccess] to confirm whether the permission for the .htaccess file is indeed 400 or not.  If it’s so, it means only the QNAP web server user httpdusr will be able to read the file, but even this user cannot write to or execute whatever is within this .htaccess file.

Now, with this .htaccess file configuration for your QNAP’s /share/Web directory, the web applications that are residing within this specific Web directory will not be accessible to anyone with any IP address unless somebody is using the IP address that is being allowed by this very .htaccess file.
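The five steps above as one script, added here as an example and not part of the original post.  The function names write_htaccess and valid_ipv4 are made up for illustration; the script checks each address before writing it, and instead of removing the old file first it builds the new one beside it and renames it into place, so the directory is never left without an .htaccess file.

```shell
#!/bin/sh
# Added example (hypothetical helper names): allow-list .htaccess for /share/Web.
# Usage on the QNAP: write_htaccess /share/Web 192.168.0.10 192.168.0.11

valid_ipv4() {
    # Accept only dotted-quad addresses with every octet in 0..255.
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

write_htaccess() {
    dir=$1; shift
    # Need an existing directory and at least one address to allow.
    [ -d "$dir" ] && [ "$#" -gt 0 ] || return 2
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    target="$dir/.htaccess"
    tmp="$dir/.htaccess.new.$$"
    # Step 2: keep the previous file before touching anything.
    if [ -f "$target" ]; then
        cp -pf "$target" "$target-old" || return 1
    fi
    # Steps 3-4: write the rules in the order the post gives.
    {
        echo "order deny,allow"
        for ip in "$@"; do echo "allow from $ip"; done
        echo "deny from all"
    } > "$tmp" || return 1
    # Step 5: owner and group (skipped where the QNAP account does not exist).
    if id httpdusr >/dev/null 2>&1; then
        chown httpdusr:everyone "$tmp" || return 1
    fi
    # Step 5: read-only for the owner, then swap the new file into place.
    chmod 400 "$tmp" && mv -f "$tmp" "$target"
}
```

A placeholder such as 192.168.0.x is rejected before the existing file is touched, so a typo in an address cannot replace a working allow list.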

Do you know that you can also use this very tip for a non-QNAP web server?  Just create a similar .htaccess file within whatever web server’s directory to prevent snooping from most IP addresses and allow only the IP addresses that are listed within.

How To Install Web Server On Linux

I might not be very good at explaining things in an impromptu manner, but hopefully within the video right after the break I do somewhat OK in showing you how to install a web server on Linux.  Also, I explain how to use the web server in a basic sense.  For the bonus, I also show you how to install MySQL’s web administrative interface PHPMyAdmin.  At the end of the video, I demonstrate how to install WordPress just to prove to you that you can really host a web application on your brand new web server.  Please enjoy the video tutorial right after the break!

Enabling WebDAV On Fedora 16

Here is how I enabled WebDAV on Fedora 16 (before starting, you need to know how to use a terminal/shell and change into root account from terminal/shell):

  1. I opened up ports 80 and 443 for the firewall
  2. I disabled SELinux
    1. Open up the file /etc/sysconfig/selinux by typing in the command vi /etc/sysconfig/selinux as root inside a terminal
    2. Change the line that says SELINUX=enforcing to SELINUX=disabled
    3. Save the /etc/sysconfig/selinux file and get out of vi
    4. Reboot the machine
  3. I installed Apache Web Server
    1. Inside a terminal as root, type in the command yum -y install httpd
    2. Edit the file /etc/httpd/conf/httpd.conf by typing in the command vi /etc/httpd/conf/httpd.conf inside a terminal as root user
    3. Change line #43 to ServerTokens Prod
    4. Change line #75 to KeepAlive On
    5. Change line #261 to root@localhost
    6. Change line #275 to ServerName localhost:80
    7. Change line #337 to AllowOverride All
    8. Change line #401 to DirectoryIndex index.html index.php
    9. Change line #535 to ServerSignature Off
    10. Comment out line #758 so it looks something like this #AddDefaultCharset UTF-8
    11. Save the file /etc/httpd/conf/httpd.conf and get out of vi
    12. Type the command systemctl start httpd.service inside the terminal as root user to start Apache web server
    13. Type the command systemctl enable httpd.service to enable the starting of Apache web server on each fresh boot
    14. Install PHP by typing command yum -y install php php-mbstring php-pear inside a terminal as root user
    15. Type the command systemctl restart httpd.service inside a terminal as root user to restart Apache web server
    16. Configure SSL for Apache to serve websites in SSL mode (i.e., HTTPS) by installing mod_ssl, so type the command yum -y install mod_ssl inside a terminal as root user
    17. Edit the file /etc/httpd/conf.d/ssl.conf by typing in the command vi /etc/httpd/conf.d/ssl.conf inside a terminal as root user
    18. Uncomment the line #78 to DocumentRoot "/var/www/html"
    19. Uncomment the line #79 to ServerName localhost:443
    20. Uncomment line #112 if it’s not yet uncommented, so the line should look like this SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    21. Uncomment the line #119 if it’s not yet uncommented, so the line should look like this SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    22. Save the file /etc/httpd/conf.d/ssl.conf and get out of vi
    23. Type the command systemctl restart httpd.service to restart the Apache web server
  4. Create WebDAV server/protocol
    1. Inside a terminal as root user, type in the command mkdir /home/WebDAV to create a directory named WebDAV
    2. Change the owner for directory WebDAV by typing in the command chown apache. /home/WebDAV inside a terminal as root user
    3. Change permission for WebDAV directory to 770 by typing in the command chmod 770 /home/WebDAV inside a terminal as root user
    4. Make a webdav.conf file to configure WebDAV server by typing in the command vi /etc/httpd/conf.d/webdav.conf inside a terminal as root user
    5. Type the lines below into the file /etc/httpd/conf.d/webdav.conf using vi editor:
    6. Alias /share /home/WebDAV
    7. <Location /share>
    8. DAV On
    9. SSLRequireSSL
    10. Options None
    11. AuthType Basic
    12. AuthName WebDAV
    13. AuthUserFile /etc/httpd/conf/.htpasswd
    14. <LimitExcept GET OPTIONS>
    15. Order allow,deny
    16. Allow from 192.168.1.
    17. Require valid-user
    18. </LimitExcept>
    19. </Location>
    20. Stop typing into the file /etc/httpd/conf.d/webdav.conf, save it, and get out of vi
    21. Type the command htpasswd -c /etc/httpd/conf/.htpasswd fedora inside a terminal as root user to add password for fedora user to use WebDAV server
    22. You will be asked to create a password and confirm password, so type in the same password twice
    23. Now you need to restart the Apache server by typing in the command systemctl restart httpd.service inside a terminal as root user

Log into the WebDAV server by using https://192.168.1.(enter the last bit of number for your server IP address here)/share.  You will be asked to enter username and password.  The username should be fedora, and the password is the password that you had created earlier.

Troubleshooting:  You should check to see if you can ping your Apache server.  Check to see if the Apache server has a daemon running (i.e., ps aux | grep httpd).  Check to make sure firewall ports 80 and 443 are opened.  Check to make sure SELinux is disabled.  Check to see that httpd.conf is correctly configured.  Check to see that webdav.conf is correctly configured.  If permission 770 for /home/WebDAV isn’t working, try to change it to 755 or 777.  Make sure you have enabled SSL for Apache correctly.  If all else fails, you might want to reboot Apache to see if the problems can be resolved this way.
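One more check worth running against webdav.conf, added here as an example and not part of the original post.  In Apache, <LimitExcept GET OPTIONS> applies the access controls inside it to every method except GET and OPTIONS, so the Order, Allow and Require lines above do not cover GET or OPTIONS requests to /share.  The function names unauth_methods and page_conf are made up for illustration, and page_conf simply reproduces the configuration from step 4.

```shell
#!/bin/sh
# Added example (hypothetical helper names): list the HTTP methods that a DAV
# location leaves outside its Require line because of <LimitExcept>.
# Usage: unauth_methods /etc/httpd/conf.d/webdav.conf   (or pipe a config in)

unauth_methods() {
    awk '
        { low = tolower($0); sub(/^[ \t]+/, "", low) }
        # Remember which <Location> we are in and whether DAV is on there.
        low ~ /^<location[ \t]/ { path = $2; sub(/>$/, "", path); dav = 0 }
        low ~ /^dav[ \t]+on/    { dav = 1 }
        # Collect the methods named on the <LimitExcept ...> line.
        low ~ /^<limitexcept[ \t]/ {
            methods = ""
            for (i = 2; i <= NF; i++) {
                w = $i; sub(/>$/, "", w)
                if (w != "") methods = methods " " toupper(w)
            }
            inside = 1; guarded = 0; next
        }
        # A Require inside the block only guards the methods NOT named above.
        inside && low ~ /^require[ \t]/ { guarded = 1 }
        inside && low ~ /^<\/limitexcept>/ {
            if (dav && guarded) print path methods
            inside = 0
        }
    ' "$@"
}

# The webdav.conf from step 4 of the post, reproduced as sample input.
page_conf() {
    cat <<'EOF'
Alias /share /home/WebDAV
<Location /share>
DAV On
SSLRequireSSL
Options None
AuthType Basic
AuthName WebDAV
AuthUserFile /etc/httpd/conf/.htpasswd
<LimitExcept GET OPTIONS>
Order allow,deny
Allow from 192.168.1.
Require valid-user
</LimitExcept>
</Location>
EOF
}

page_conf | unauth_methods   # prints: /share GET OPTIONS
```

If the Order, Allow and Require lines sit directly inside <Location /share> with no <LimitExcept> wrapper, they apply to every method and the check prints nothing.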