Buffalo NAS-Central Forums

Welcome to the Linkstation Wiki community
It is currently Mon Nov 20, 2017 1:23 am

All times are UTC+01:00

PostPosted: Sat Aug 19, 2006 1:09 am 
Offline
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Hello,

For those who haven't read my other thread, I am trying to set up a secure and simple way to remotely (worldwide) access my files. A brief recap: I wanted to do something similar to FTP, but want to secure it. I have since decided to use apache-2.2 with ssl support. Basically, I want to be able to type https://mydomain.com and have a login box displayed. The users can type their username (I would like it to be the same as for accessing the ProFTPd shares) and password, and the user would be able to view their shares and only their shares. So basically very similar to accessing user shares via ftp, except through http and ssl.

What I'd like to know is how I could create a login box that authenticates users using their proftp/LS2 usernames and passwords?

I have apache-2.2.3, openssl-0.9.8b, php-5.1.5 all installed. (well almost, still working out kinks w/ php; have a problem w libxml)

Any suggestions are appreciated.


Thanks in advance,

Jon

_________________
http://www.opifer.net


PostPosted: Sat Aug 19, 2006 4:52 am 
Offline
Site Admin

Joined: Sun Jul 17, 2005 4:34 pm
Posts: 5332
The simple way is to create directories and password-protect them. The users must know (bookmark) the address of their own directory. Protect the server root directory with a different password. Optionally, give them the server root password, and set up a directory listing or index page with links to the directory names.

Or you could install an SSL-enabled FTP server, if your ProFTPD doesn't already meet the requirement. Debian's version, for example, does.


PostPosted: Mon Aug 21, 2006 4:39 pm 
Offline
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
@Andre,

Thanks for the idea. I think I will follow your suggestion.

I have FINALLY installed apache-2.2.3, openssl-0.9.8b, php-5.1.5 (worked out the kink). Of course, I encountered another problem. It appears that apache will only serve text, no images or regular files. I'm extremely confused as I've never had this problem before.

For example, if I place a gif file in the DocumentRoot, I cannot view the file nor download the file. Same thing when I place an exe file, I cannot download it. If I place a text file in DocumentRoot, I have no problems, I can view it in the browser and download the file. I don't get any errors that say that the files cannot be found, just 0 bytes are transferred.

As a test, I used "save picture" in both IE and FireFox and downloaded a gif file located in DocumentRoot. When I open the file, the viewer does not display anything. The downloaded gif's file size is 0 bytes.

I did not set up htaccess yet and the DocumentRoot directory is configured currently to Allow all; Deny None. I have the same issue when I set up a sub-directory, like "Images" in DocRoot. Don't know what I'm doing wrong (or if I need some special config to serve files off the LS2), very very puzzled.


Regards

_________________
http://www.opifer.net


PostPosted: Mon Aug 21, 2006 6:05 pm 
Offline
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Sorry Andre and Everyone else,

I figured out my error. I thought EnableSendfile and EnableMMAP were set to off; I corrected the error in the config, deleted my offline files, now image files work correctly (Took me almost 7 hours to figure out my stupid mistake; usually things like this aren't an issue, but since it's on the LS...).

_________________
http://www.opifer.net


PostPosted: Wed Aug 23, 2006 11:00 pm 
Offline
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Finally, it's basically done. Still some minor tweaking, but nevertheless done.

As usual, I have a question. I accidentally ran
Code:
chmod og-wrx
recursively for one of my network shares. The problem is that my compiled progs (apache, openssl) were in that share. Will I need to recompile the progs since the permissions got messed up, or will the install scripts fix them? (I'm talking about if I need to reinstall the compiled progs).

God I hope not because I'm not sure if I can remember all the steps I did to make this work, not to mention the amount of time it took just to compile apache and openssl.

_________________
http://www.opifer.net


PostPosted: Thu Aug 24, 2006 3:10 am 
Offline
Site Admin

Joined: Sun Jul 17, 2005 4:34 pm
Posts: 5332
"make install" will do, as long as you still have the compiled sources around.

Putting your binaries (and sources) onto a network share is a bad idea in general; making these shares world-writable -- a security hazard.

There are more elegant ways for setting permissions recursively, see http://buffalo.nas-central.org/forums/index.php?action=search&loc=1&forum=3&topic=759&page=4754


PostPosted: Thu Aug 24, 2006 5:09 am 
Offline
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
Thanks Andre,

Yeah, I know I shouldn't put my sources on a network share. Actually, I only did it temporarily so that I could easily make modifications (through windows explorer) instead of having to telnet/ssh to get to the files. As soon as I was done setting up everything, I planned on removing the files from the network share and burning them onto a CD.

So if I understand correctly, even though the permissions for every file in my compiled sources have been changed to
Code:
-rwx------

"make install" will still install the programs correctly??? Just wanted to make sure that when I run "make install" the files will regain their proper permissions rather than just installing a bunch of files with screwy permissions. If I understand correctly, I am very relieved. :)

@Andre, Thanks so much for your help.

Regards,

Jon

_________________
http://www.opifer.net


PostPosted: Thu Aug 24, 2006 12:27 pm 
Offline
Site Admin

Joined: Sun Jul 17, 2005 4:34 pm
Posts: 5332
It can't get worse, can it? ;) The Makefile tells you what exactly will be done.


PostPosted: Thu Aug 24, 2006 1:59 pm 
Offline
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
@Andre, Thanks for confirming :) Oh, and I meant "wouldn't" in the above post.

Well, I don't know if I should post an update in my original thread, but essentially, I am finished.

I have:
1) Installed apache-2.2, updated openssl and grep, openssh, php.
2) Set up apache to securely handle access to user-shares on the linkstation via ssl.
3) Created a simple way for users to remotely and securely access files from the linkstation.
4) Taken Andre's advice and password protected the user directories and secure_docs folders with .htpasswd (not located in DocRoot). --I'll post exactly what I did here if anyone wants to know.

Future Plans:
1) Create a simple upload script (probably w/ php) so that users can upload files to their LS via http. (Currently using WinSCP and SFTP, but linux permissions make it rather difficult to deny specific users access to certain folders. If I remove group and user rw access, httpd does not serve those files/folders. I may have to play with setting up Apache to run as a different user/group and possibly switch authentication systems rather than using htpasswd.)
2) Write some html/php code to enable a "folder view" like appearance when viewing the directory indexes. (Not particularly important performance wise, just want to do it so that users can have an easier time browsing files through http).
3) Complete rigorous testing in order to secure the LS from outside attacks/hackers. (As best as can reasonably be).

@Andre, ramuk, and mindbender - I wouldn't have completed this project w/o your help. Thank You.

Anyone who has any suggestions for the "future plans" section; or rather just comment on the project--your comments/suggestions are greatly appreciated.

Regards

_________________
http://www.opifer.net


PostPosted: Thu Aug 24, 2006 2:09 pm 
Offline
Newbie

Joined: Thu Aug 10, 2006 4:59 pm
Posts: 21
Location: United Kingdom (Great Britain)
Hi Jonli447,

I'll be interested in having the same setup as you...unfortunately my Apache knowledge is limited but my Linux is good. Would it be possible to explain exactly how you achieved steps 2, 3 and 4?

Many Thanks!


PostPosted: Thu Aug 24, 2006 3:09 pm 
Offline
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
@Sweepsy,

Detailed info,
1) You need to purchase an SSL certificate (through Verisign, etc. Google for cheap ones), or create a self-signed certificate. A self-signed certificate is free and is usually used for testing purposes, but since this is a private service that you are offering (I assume), then a self-signed cert will suffice. You'll just have an annoying message pop up saying "this cert is not trusted".

2) You said you have a decent knowledge of Linux, so I'll just state the important stuff. Make sure you use
Code:
./configure --enable-ssl
to statically enable ssl for apache. I installed many other things like php, but it's not necessary. Also, I upgraded SSL to the latest version to avoid a security problem, you can do the same.

Remove openssl version-0.9.7e and install 0.9.8b (let me know if you need specifics on how). When you compile openssl, make sure you use the tag
Code:
--no-sha512
when configuring the makefile. After exhaustive testing, the results showed that the current version of Devtools contains an outdated version of GCC that has a problem compiling sha512 support. (Not much we can do about this currently if you're on a LS2 {gotta wait for kernel 2.6 to fully run correctly for LS2}, for LS1, upgrade the kernel to 2.6) You don't really need the large hash (Sha512) anyways, so I'd just save the trouble and configure like I stated. You must also enable shared libraries in order for apache/openssh to work correctly. So use:

Code:
./config --prefix=/usr --openssldir=/etc --no-sha512 shared


3) After everything is installed, you will need to set up the apache config scripts. If you installed apache to the default location, the main server config is located in /usr/local/apache2/conf. The two main scripts are httpd.conf and ssl.conf (in the extras subfolder).

--I will continue the directions when I return from work as I do not have the scripts in front of me. Hope this will get you started--

_________________
http://www.opifer.net


PostPosted: Thu Aug 24, 2006 3:40 pm 
Offline
Moderator

Joined: Thu Apr 06, 2006 1:33 pm
Posts: 1082
Location: United States of America
wow :), that was a pretty herculean effort. Do you think you could write this up as an article on the Wiki???

This might also be an idea for a preformed distribution.......

-KP

_________________
-Ramuk

LinkStation HG *250 Uboot - Foonas-EM - Freelink
Kuro HG *750 Uboot - Foonas-EM - Debian Squeeze
Kuro HD *60 Uboot - Foonas-EM - Debian Squeeze (For Sale)
KuroPro *2TB Debian Lenny Armel- Kernel 2.6.26
KuroPro *1TB Debian Lenny Armel- Kernel 2.6.25.6


PostPosted: Thu Aug 24, 2006 6:22 pm 
Offline
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
@ramuk

Thanks for the compliment. I'll try to get to writing this up in an article soon. Maybe I'll start tonight when I get home from work.
I am going to PM mindbender and ask him to upload some utilities/packages (ie. deb2targz, libxml) to the wiki. That way people aren't searching all over the internet looking for them.

@Sweepsy - Sorry for the delay, hung up on a project at work, I'll post the directions on how to modify the apache config scripts soon, probably in a few hours.

_________________
http://www.opifer.net


PostPosted: Thu Aug 24, 2006 7:21 pm 
Offline
Site Admin

Joined: Wed Mar 08, 2006 5:00 pm
Posts: 1029
Location: Ottawa, Canada
jonli447,
I'm interested in your apache memory usage.
Would you mind posting
Code:
free -m

before & after you stop apache?

I'd like to add some real-world memory usage figures on this Wiki article:
http://buffalo.nas-central.org/index.php?title=Troubleshoot_Memory_usage


PostPosted: Fri Aug 25, 2006 12:44 am 
Offline
Site Admin

Joined: Fri Aug 04, 2006 2:37 am
Posts: 1652
Location: United States of America
@flavoie, I tried running "free -m", but I don't have that command.

@Sweepsy, cont'd directions.

4) To set up Apache, we first must edit httpd.conf. The file is located in /usr/local/apache2/conf/. Using any text editor, edit:
-
Code:
ServerRoot "/absolute/path/to/apache2_dir"


- ie. /usr/local/apache2
-
Code:
Listen 80


Unsecured http usually runs on port 80, so we should usually leave this. If you change the port to something else, ie 8080, you will have to access your webserver by using "http://yourdomain.xxx:8080"
-
Code:
ServerAdmin your_email_address


-
Code:
ServerName your.domain.xxxx


- It is very important to enter this correctly. "Port" is the number you entered in the above port directive.
-
Code:
DocumentRoot "/your/www/directory"


- You can leave this as default or define a specific location where you want your web pages to be. For example, if you choose /usr/local/apache2/htdocs/, Apache will serve this directory to the internet.
- Uncomment
Code:
Include conf/extra/httpd-ssl.conf


- This tells apache to look at httpd-ssl.conf for more directives.

Now open httpd-ssl.conf; the default is located in /usr/local/apache2/conf/extra/.
- Leave the Listen directive at 443.
- You are now creating what is known as a virtual host. Apache is basically serving two directories. One through port 80 as unsecured http and the other through port 443 as secured. Note, when you type https://anydomain.xxx, the browser automatically attempts to connect to the server at port 443.
- You will want to change the DocumentRoot here to a different directory than your unsecured one. That way you don't accidentally serve the "secure documents" through an unsecured connection. You could change the DocRoot to /usr/local/apache2/secure_folder. Do not have this directory on a network share for security reasons.

Before we leave this file, we need to make sure that the certificate paths are correct. The directives that you need to be concerned with for cert paths are
Code:
SSLCertificateFile
SSLCertificateKeyFile
SSLCACertificateFile


It is ok to leave the values at default, but make sure you place the certs in those directories with the specified names (ie. ca.crt).
The SSLCertificateKeyFile is the RSA key used to encrypt your server certificate. The SSLCACertificateFile is the Certificate-Authority certificate used to issue your server certificate. Your CA (ie Verisign) will tell you which are which, or if you decide to make a self-signed one with OpenSSL, you will have to be careful to identify which file is which correctly.

If you need to make a self-signed certificate, PM me and I'll try to help you there; self-signed certs are probably too off topic for this thread/forum. You can google "self-signed certificate using openssl" and find many tutorials as well. I possibly will create a wiki article for this.

Code:
anylinuxbox# /usr/local/apache2/bin/apachectl start


will start apache if installed to the default directory.

5) Okay, now the final part. After you have tested that you have got your server up and running, you will want to password protect certain directories. I assume that you know the basics of html coding. Design your index page to your heart's desire and place the file in your unsecured DocRoot. The important thing is that you will want to have a way to access your secured link.

For example, you may place a "login" button on your index page with a link to https://yourdomain.xxx. Optionally, you can disable unsecured html and require users to type https://yourdomain.xxx. To do so, comment out the Listen directive in httpd.conf.

6) You have two options for basic-authentication with apache. First, you can create an .htaccess file; second, you can add a "Directory" directive to the config files (here it would be httpd-ssl.conf). .htaccess is highly discouraged as apache must run the script every time it accesses a password-protected file, so I will explain the second method here.

Open httpd-ssl.conf w/ the text editor again. Somewhere in the file (doesn't really matter where, just not in the middle of any directives) add
Code:
<Directory "/absolute/path/to/secure_dir">
Options Indexes FollowSymLinks
Order Deny,Allow
Allow from All
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/domain/.htpasswd
AuthGroupFile /dev/null
require user user_with_permission1 user_with_permission2
</Directory>


Important things to know right now are that the AuthName can be whatever you want it to be. Just make sure you keep it the same when you make this directive for the subdirectories. Otherwise, the user will have to type in their username and password each time they change directories. "Domain" is your domain name w/o the TLD (.com .net). You don't actually have to put .htpasswd here, but you will want to make sure that it's not located in either DocumentRoot or their subdirectories. If you place .htpasswd somewhere else, change AuthUserFile to point to
Code:
AuthUserFile /absolute/path/to/.htpasswd


The "require user" specifies what users are allowed to access the directory. Note, these users are not the same as Linux users. We will be creating them when we create .htpasswd.

7) Almost Done
We need to create the passwd file for the directory. To do this, type
Code:
htpasswd -b -c /absolute/path/to/.htpasswd user_with_permission1 user1_password


Make sure no one's looking when you do this. The -b flag takes the password from the command line rather than prompting for it. The prompt doesn't always work, so use the -b flag.

The -c flag tells htpasswd to create a new passwd file. You will need to repeat the above step to add additional users. Just remove the -c flag.

8) Place a symlink in your secure DocumentRoot pointing to /mnt/hda/user1 and so forth.
Code:
ln -s /mnt/hda/user1 /usr/local/apache2/secure_directory/user1
ln -s /mnt/hda/user2 /usr/local/apache2/secure_directory/user2
...


Do not place an index file in this folder. That way when someone contacts your Linkstation via https://yourdomain.xxx, they will be prompted to type their username/password and then they will see the directories they're given permission to access.

9) Last step -- I promise,
We will need to repeat steps 6 and 7 for each user directory. When you make a "Directory" directive (step 6) for a user, make sure you set the directive for
Code:
<Directory "/absolute/path/to/secure_dir/user_folder">


rather than
Code:
<Directory "/mnt/hda/user_folder">


*The path is the same as the symlink you made previously for each user directory.

Change "require user" to have only the user you want to have access. For example, if you want user3 to only have access to his/her directory, you would set the require user option to
Code:
require user user3


Change the AuthUserFile to the absolute path to the .htpasswd2 that you will create for each user.

When making a .htpasswd file for a user folder, name the .htpasswd file something like .htpasswd2, and use the -c flag. You can save the .htpasswd file in the same folder as the .htpasswd file for DocRoot.

Note, if you have two directories that the same users are allowed to use, you don't need to create additional .htpasswd files. Just point AuthUserFile to where the .htpasswd that has both users is.

Congrats, if all works right, you should now have password-protected, secure user directories accessible via http. :)

Make sure to disable FTP through webmin after this works. You will need to use OpenSSH and a SFTP client if you want to remotely upload files. I will post a script that you can add to your webpage so that you can securely upload files through the browser after it is completed.

These instructions are rather generic (as they're supposed to just get you started w/ pointers), go to www.apache.org to read more about apache directives. You will soon understand the directives used in this tut and will be able to customize it to your liking. If you have any questions, let me know. I will try to get to working on a wiki article that explains this method clearer soon. Good Luck

--Wheph!!! :)

@everyone else, any suggestions on the best way to create upload scripts or telling browsers to view the files with a "folder view" is greatly appreciated.

_________________
http://www.opifer.net
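As an added example (not code from the thread or from Jon's setup), here is a small Python checker that applies the rules Andre's directory-password suggestion and Jon's steps 6 and 9 lay down to a constructed httpd-ssl.conf fragment: the .htpasswd file must not sit under a DocumentRoot, a per-user stanza must "require user" only its own user, and child stanzas must keep the parent's AuthName so the browser does not re-prompt. It assumes, as the thread does, that each user's folder under the secure DocumentRoot is named after the user; the sample config and its paths are constructed for the demo.

```python
"""Audit per-user <Directory> stanzas of the kind this thread sets up."""
import posixpath
import re

# Constructed sample in the shape of the thread's steps 6 and 9 (not a real config).
# The user2 stanza is deliberately wrong in three ways so the checker has work to do.
SAMPLE_CONF = """
DocumentRoot "/usr/local/apache2/secure_directory"
<Directory "/usr/local/apache2/secure_directory">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /home/domain/.htpasswd
    require user user1 user2
</Directory>
<Directory "/usr/local/apache2/secure_directory/user1">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /home/domain/.htpasswd1
    require user user1
</Directory>
<Directory "/usr/local/apache2/secure_directory/user2">
    AuthType Basic
    AuthName "User2 Area"
    AuthUserFile /usr/local/apache2/secure_directory/.htpasswd2
    require user user1 user2
</Directory>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S)


def parse(conf):
    """Return (list of DocumentRoots, {dir path: auth settings}); other directives are ignored."""
    docroots = [p.strip('"') for p in re.findall(r'^\s*DocumentRoot\s+(\S+)', conf, re.M)]
    stanzas = {}
    for path, body in DIR_RE.findall(conf):
        d = {"AuthName": None, "AuthUserFile": None, "users": []}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            key, val = parts[0], parts[1].strip()
            if key == "AuthName":
                d["AuthName"] = val.strip('"')
            elif key == "AuthUserFile":
                d["AuthUserFile"] = val.strip('"')
            elif key.lower() == "require" and val.startswith("user "):
                d["users"] = val.split()[1:]
        stanzas[posixpath.normpath(path)] = d
    return docroots, stanzas


def under(path, root):
    """True when path is root or lies inside it (string logic only, no filesystem access)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def audit(conf):
    """Return a list of (directory, problem) tuples; an empty list means the config passes."""
    docroots, stanzas = parse(conf)
    findings = []
    for path, d in stanzas.items():
        if d["AuthUserFile"] and any(under(d["AuthUserFile"], r) for r in docroots):
            findings.append((path, "AuthUserFile lies inside a DocumentRoot"))
        if not d["users"]:
            findings.append((path, "no 'require user' line"))
        parent = posixpath.dirname(path)
        if parent in stanzas:  # a per-user folder: assumed to be named after its owner
            extra = [u for u in d["users"] if u != posixpath.basename(path)]
            if extra:
                findings.append((path, "require user grants extra users: " + " ".join(extra)))
            if d["AuthName"] != stanzas[parent]["AuthName"]:
                findings.append((path, "AuthName differs from parent, browser will re-prompt"))
    return findings


if __name__ == "__main__":
    for where, problem in audit(SAMPLE_CONF):
        print(where + ": " + problem)
```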
