Using the Apache web page access controls
From SynologyWiki
What is this Wiki about
Apache is the application that runs on your Synology NAS providing the webserver functionality, i.e. Apache delivers up the webpages of websites on the NAS. This wiki details how to implement Apache's web page access controls. If you implement this wiki you can force users to enter a user name and password to access (specific parts of) your web site on your NAS.
This wiki was based on Synology's firmware v844, but will almost certainly be valid for later and some earlier versions.
Some things to be aware of
- Use encrypted connections to make unauthorized interception of data (such as login credentials) more difficult.
- Apache has many ways of providing access control. This wiki just covers the "basic authentication" method, but once you see how it works, it is relatively easy to use other more secure methods. In contrast to Basic authentication, Digest authentication DOES use a stronger method (MD5 instead of Base64) to encrypt passwords stored in the password file and does NOT send passwords across the network in the clear.
- For normal web browsing and usage via a web browser, the Apache access controls work well. However, if your website interacts with other applications on the browser's PC then you need to make sure those other applications support HTTP user verification, else they will not be able to access your website's content. For example, if you have a streaming media server on your website (e.g. Zina), when you select music to play the streaming media server (e.g. Zina) will create an m3u file and pass it to your computer via the web browser. Your computer will then check which media player is associated with m3u files (Windows Media Player is the default on Windows machines), start that media player and pass the m3u file to it. The media player will then read the m3u file, which contains hyperlinks to the mp3 streams managed by your streaming media server (e.g. Zina). When the media player tries to open a hyperlink, Apache will request a username and password. Windows Media Player supports this functionality and will prompt you to enter your username and password. However, not all media players support HTTP user verification. I run "Media Monkey" as my main media player and that does not support it. So if on my PC I associate m3u files with Media Monkey, Media Monkey just says file "not found/accessible". However, if I associate m3u files with Windows Media Player, it works fine. Although I used the example of Zina, the same applies to any website function that interacts with applications installed on the browser's computer.
Pre-requisites
- You have enabled the web server ("Web Station") on the NAS, e.g. via the Web management GUI.
- You have created a web site on the NAS and want to restrict access to (parts of) it.
- The server's main configuration file (usually called 'httpd.conf') allows admins to override access control directives using .htaccess files. By default, this is allowed with Synology devices.
Overview of the procedure
- We create the password file, which will contain the user names and encrypted passwords for your users. We use an online encrypted password generator to produce the encrypted password entries, because the "htpasswd" binary that normally does this is not part of the Synology Apache installation.
- We create/modify the .htaccess file(s) so it will prompt Apache to request users to login.
The Procedure
- Enable the Command Line Interface and login as root.
- Create the directory to hold the password file, i.e. enter the command "mkdir /usr/syno/apache/passwd". Note: In contrast to Synology's instructions, Apache's official documentation strongly recommends (for security reasons) storing the password file OUTSIDE the document tree of the web server.
- Use the Linux vi text editor to create the password file, which will hold your user names and encrypted passwords, i.e. enter the command "vi /usr/syno/apache/passwd/passwords"
- Enter the text input mode of the vi, i.e. press the "i" key on your keyboard.
- Create a username and encrypted password combination by using an online generator such as this one. If you don't like that one, there are many more. Copy the output of the generator (the format will be username:encrypted_password) and paste it into the password file. To create more users, paste each one on a new line in the password file.
- Press "ESC" to exit insert mode
- Type "ZZ" (note: two capital Z's) to save changes to the file and close vi.
- Optional: "chown" and "chmod" the password directory and its contents, so that the web server's user owns them and is the only one able to read them.
- Repeat the following steps to restrict each part of your website:
- Change to the directory on your NAS that contains files and subfolders you want to set access restrictions for, e.g. "cd /volume1/web" or "cd /volume1/web/mywebsite_subdir". Note: the restriction you create in the next step will apply to ANY file and subfolder within this folder. Hence, if you want to restrict only specific files you will need to redesign your website, so those pages are within their own folder with its own restrictions.
- Use the Linux vi text editor to create (or open if it already exists) the file .htaccess, i.e. enter the command "vi .htaccess"
- Paste the code given below in the section ".htaccess file code" into the .htaccess file. Note: If the file already existed and contained directives, where you paste the code (at the beginning of the file, or at the end after the existing code) may affect whether it, or the other functions the .htaccess file configures, work. If you do not understand what the existing text in the file is doing, then I recommend you initially append the code to the END of the file (after any existing code). If this does not work, move it to the beginning of the file.
- Press "ESC" to exit insert mode
- Type "ZZ" (note: two capital Z's) to save changes to the file and close vi.
- Test that the access restrictions are correctly applied to the secured folder by trying to browse some files within the restricted directory via a web browser. Also make sure web users cannot simply read or download the .htaccess file or, worse, the password file.
- Close the Command Line Interface (log out as root).
You have finished!
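The procedure above uses an online generator because htpasswd is not on the NAS. As an added example (not from this wiki), the following Python script produces the same username:encrypted_password line locally, in Apache's $apr1$ htpasswd format, so the password is never typed into a third-party web page; it uses only the standard library, and the user names, passwords and salts in the comments are constructed values.

```python
# Added example, not from the wiki: build the username:encrypted_password line for
# the password file locally, in Apache's $apr1$ htpasswd format (Apache's MD5-crypt
# variant, what "htpasswd -m" writes), so the password never goes to a web page.
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, chars):
    # htpasswd's own 6-bit encoding, least significant group first
    out = ""
    for _ in range(chars):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password, salt=None):
    """Return '$apr1$<8-char salt>$<22-char hash>'; random salt if none given."""
    pw = password.encode()
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    s = salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for n in range(len(pw), 0, -16):  # mix in alt, len(pw) bytes in total
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:  # one byte per bit of len(pw): NUL for set bits, pw[0] otherwise
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds, as in apr_md5.c
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(s)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    return "$apr1$" + salt + "$" + enc + _to64(final[11], 2)

def htpasswd_line(username, password):  # one line to paste into the file
    return f"{username}:{apr1_hash(password)}"

def verify(password, stored):  # re-hash with the stored salt, constant-time compare
    return secrets.compare_digest(apr1_hash(password, stored.split("$")[2]), stored)
```

Run it on the NAS (or any machine with Python) and append the printed line to /usr/syno/apache/passwd/passwords; verify() lets you check an existing entry without a browser.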
.htaccess file code
Below is the code to be put in the .htaccess file.
AuthType Basic
# (For the following line, check the explanation below+)
AuthName "Restricted resources"
# (Following line is optional++)
AuthBasicProvider file
AuthUserFile /usr/syno/apache/passwd/passwords
Require valid-user
To allow only certain users in the passwords file access, replace "Require valid-user" with "Require user" followed by the permitted user names, separated by spaces.
If Order, Require, Allow, Satisfy, etc. need to be used, make sure they are correctly applied (i.e. according to the documentation).
+) AuthName: This realm or authentication name will be displayed in the user credential pop-up box, so the user can identify what the username and password are being requested for. During the browser session, the browser caches the supplied username and password and stores it along with the realm, so that if the browser requests other resources from the same realm, the browser sends the same username and password to authenticate that request without requiring the user to type those in again.
++) AuthBasicProvider: If the basic authentication provider for the restricted directory needs to be changed to "file", do not remove this line. Note: A default authentication provider may be configured for the webserver.
Internal ok, external use password
If you want to require a username and password from external users but give the internal network unrestricted access, the following example .htaccess will help you:
AuthType Basic
AuthName "Restricted Files"
AuthUserFile /usr/syno/apache/passwd/passwords
Order allow,deny
Require valid-user
Allow from 192.168.1
Satisfy Any
Here 192.168.1 is the start of the IP-range of the LAN-clients that require unlimited access to the restricted directory.
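To make the interaction of these directives concrete, here is an added Python model (not part of the wiki or of Apache itself) of the decision Apache 2.2 makes for this .htaccess: the client address, Authorization header, Satisfy value and the credential checker are constructed inputs, and the checker stands in for the password-file lookup.

```python
# Added example, not from the wiki: a small model of how Apache 2.2 decides the
# "Internal ok, external use password" case. Under "Satisfy Any" a request passes
# if the host rule (Allow from 192.168.1) OR Basic auth (Require valid-user)
# succeeds; under the default "Satisfy All" both must. Requests are constructed.
import base64


def host_allowed(client_ip, allow_prefix="192.168.1"):
    """Allow from <partial IP> matches whole leading octets (192.168.1.x only)."""
    want = allow_prefix.split(".")
    return client_ip.split(".")[:len(want)] == want


def basic_header(user, password):
    """Build what a browser sends: Base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(auth_header):
    """Decode an Authorization header to (user, password), or None if absent/bad."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pw = raw.partition(":")
    return (user, pw) if sep else None


def decide(client_ip, auth_header, check_credential, satisfy="Any"):
    """Return 'OK', '401' (challenge with the AuthName realm) or '403'."""
    host_ok = host_allowed(client_ip)
    creds = parse_basic(auth_header)
    auth_ok = creds is not None and check_credential(*creds)
    passed = (host_ok or auth_ok) if satisfy == "Any" else (host_ok and auth_ok)
    if passed:
        return "OK"
    # No usable credentials: send the WWW-Authenticate challenge so the browser
    # prompts; otherwise the host rule alone blocks the request.
    return "401" if not auth_ok else "403"
```

Note that a client at 192.168.10.x is outside the "192.168.1" partial address and is asked for a password like any external client.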
