DSM6 - Basic or digest authentication / Allow/Deny

Questions about HTTP Access/Mods may go here
Forum rules
Please note the disclaimer before modifying your Synology Product.
User avatar
Hathor27
Apprentice
Apprentice
Posts: 99
Joined: Sat Feb 21, 2009 4:09 pm
Location: Switzerland

DSM6 - Basic or digest authentication / Allow/Deny

Postby Hathor27 » Mon Apr 18, 2016 9:46 pm

Dear Community,

with DSM 5.2 (and older) I used to modd Apache's httpd-ssl-vhost.conf-user to get Digest (or Basic) Authentication before reverse proxying to name based websites: This looked like

Code: Select all

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so

<VirtualHost *:443>
  ServerName m65.myDomain.ch
  SSLEngine On
  SSLProtocol all -SSLv2 -SSLv3
  SSLProxyEngine On
  ProxyRequests Off
  ProxyVia Off
  <Proxy *>
    Order deny,allow
    Deny from all
    Allow from 91.38
    Allow from 80.160
 </Proxy>
  ProxyPass /         http://internalDomain:5000/
  ProxyPassReverse /  http://internalDomain:5000/
  <Location />
    AuthType Digest # other type of auth would also be ok, because it’s https anyway
    AuthName "Login Required"
    AuthUserFile /secret/path/passwd/digest.user
    Require user secAdmin
  </Location>
</VirtualHost>


I tried to do the same within DSM 6.0 but it doesn't work. Neither Allow from nor AuthType Digest (or Basic) doesn't work anymore.
My personal config file is either ignored or even deleted (!) by restarting Webserver :(

Does anybody out there know how to solve this in DSM 6.0?
Best Regards
Hathor27

Hardware: DS107+/DS207+/DS109+/DS209+/DS409/DS211+/DS214+/DS215+/DS716+
Featured: WebAlizer/VPN/ReverseProxy/MailServer/CloudServer/DNS/DHCP/CMS/Syslog/Subversion
User avatar
Hathor27
Apprentice
Apprentice
Posts: 99
Joined: Sat Feb 21, 2009 4:09 pm
Location: Switzerland

Re: DSM6 - Basic or digest authentication / Allow/Deny

Postby Hathor27 » Sun May 01, 2016 10:32 pm

Is not anyone experienced out there knowing anything about it - or is my request so weird? :(
Best Regards
Hathor27

Hardware: DS107+/DS207+/DS109+/DS209+/DS409/DS211+/DS214+/DS215+/DS716+
Featured: WebAlizer/VPN/ReverseProxy/MailServer/CloudServer/DNS/DHCP/CMS/Syslog/Subversion
Partach
I'm New!
I'm New!
Posts: 4
Joined: Thu Sep 30, 2010 6:00 pm

Re: DSM6 - Basic or digest authentication / Allow/Deny

Postby Partach » Mon Jun 20, 2016 2:54 pm

Hi

I know how you feel ;)

Am not the expert here but definitely something changed in the last updates

After the latest update my website also did not funtion anymore. I get redirections on URLs to my website that used to work and even my DSM management page i cannot reach anymore (from outside).
It seems (can not verify yet, open support question @ Synology) that default ngnix is now the webserver. I used to use Apach and belonging config files (like .htaccess)
ngnix has different configuration files than apache aparently (again, not the expert here).

Eventhough you should be able to switch (via webserver settings) between ngnix and apache 2.2 it does not work / seems not to change anything (anymore). At least for me. The DSM mgt UI even throws an error when i try to switch now.

So it seems we have to dive into ngnix now and try to re-configure stuff that will again make our websites work (including security).
Not looking forward... :(
Can anyone confirm this (or deny, is also fine).
BTW also my httpd modules directory seems to have gone completly no idea what that is about...

BTW 2 since half a week my Synology reports it is not running fine anymore. An orange exclamation mark in the DSM mgt UI. Something with not being able to start correctly. It suddenly appeared in the log at 3 AM so have no clue what this means (again open support question to Synology)

Regards
User avatar
Hathor27
Apprentice
Apprentice
Posts: 99
Joined: Sat Feb 21, 2009 4:09 pm
Location: Switzerland

Re: DSM6 - Basic or digest authentication / Allow/Deny

Postby Hathor27 » Mon Jun 20, 2016 9:47 pm

Partach wrote:I know how you feel ;)

Thx for your sympathy - even if it doesn't make it better.

Partach wrote:It seems (can not verify yet, open support question @ Synology) that default ngnix is now the webserver. I used to use Apach and belonging config files (like .htaccess)

That's what I recognized as well. But no one ever was pleased to help up to now :(

Partach wrote:BTW 2 since half a week my Synology reports it is not running fine anymore. An orange exclamation mark in the DSM mgt UI. Something with not being able to start correctly. It suddenly appeared in the log at 3 AM so have no clue what this means (again open support question to Synology)

I had the a similar behaviour on my DS214+: Synology Support told me to reinstall the system... you can believe I wasn't motivated at all. After a few uninstallations and reinstallations of packages and one or two system updates my machine worked proper again without reinstalling the whole system - have a try
Best Regards
Hathor27

Hardware: DS107+/DS207+/DS109+/DS209+/DS409/DS211+/DS214+/DS215+/DS716+
Featured: WebAlizer/VPN/ReverseProxy/MailServer/CloudServer/DNS/DHCP/CMS/Syslog/Subversion
Partach
I'm New!
I'm New!
Posts: 4
Joined: Thu Sep 30, 2010 6:00 pm

Re: DSM6 - Basic or digest authentication / Allow/Deny

Postby Partach » Tue Jun 21, 2016 7:54 am

Thanks for the reply.

Synology told me similar: install DSM on alternate disk or do a hard reset.
That i want to avoid at all cost as it would take me days or even longer to get it back to a decent system again.

They first asked me to send a log file (debug.dat). Did that.
From that they concluded i had some 3rd party packages (like minecraft server for my son) so that must be the problem (sigh).
All 3rd party package are not running for a while and nothing changed to that for months or even years.
They didnt even bother to look at the debug.dat better... :(

So i replied to pls check the debug.dat file and btw i found out some stuff in the mean time and explained.
They replied again seemingly not reading my arguments (feels like 3rd party support agency that do not know what they are talking about) and said, well you should try installen dsm on a seperate disk and see if it persists....

Reading your reply it seems their standard argument/remedy and it sounds like they know they screwed up something but do not want to make it public (as some updates fixed something for you).

My findings till now:
Nginx is definitely the default backend web server. It was running ok on apache 2.2 for me but a week back decided to give nginx a try as i was experimenting with websockets and wanted to see if security wise a different backend server would be different. Once you go nginx you never go back seems to be my problem. Since then my websites do (of-course) not work anymore. Trying to swicth back to apache 2.2 (as per option given in web station) gives an 'operation failed' in the DSM mgt UI.
Also after that my Synology is giving me a strange error message of not being able to start up correctly and telling me to contact support (which does not help...)

When on the command line executing: 'nginx -s reload' i get:

nginx: [emerg] BIO_new_file("/usr/local/etc/certificate/WebStation/vhost_0cc94188-78bc-4544-823c-72bf1deebe6e/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/etc/certificate/WebStation/vhost_0cc94188-78bc-4544-823c-72bf1deebe6e/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file).

So that seems at least to be a problem that needs fixing. Giving synology support this message returns in the answer given (try to install DSM on alternate disk.) BTW asking how that works also is not answered...
Why cant they explain me how i fix this certificate error?

Anyway...
Which packages did you re-install? Can you be more specific on which and how pls? Want to see if it makes sense to do as well and see what that brings.
Thanks in advance for any support given.
BTW i found this for converting older .htacces towards nginx config file: https://winginx.com/en/htaccess. Also seems to work for Auth things. (it seems...). Cant verify of-course yet...


If others are willing to help please feel free, would appreciate.
Can someone explain how the webserver setup now works on Synology? When you choose apache 2.2 is it then apache all the way? Or is only part apache and below somewhere still nginx?
By default all attempts to reach my web pages get redirected to the 5000 port. Guess that nginx does that. But making a config file (after a lot of googeling) and putting that in conf.d dir did not bring me anything. Or do i need to do more?
Perhaps because nginx does not really start all the way due to the missing certificate file?
Thanks, Par

Return to “HTTP/Apache Mods”

Who is online

Users browsing this forum: No registered users and 1 guest