Apache HTTP Webserver set up

[dgarrard]

I have installed the latest Apache HTTP Server from App Central and moved my \htdocs directory from my old Windows PC running Apache2 over to my NAS. I was quickly able to get the DDNS and Let's Encrypt implemented. Nice and easy. I have set up 2 virtual hosts (for HTTP and HTTPS) pointing to the ASUSTOR [Web] directory and I am serving up my pages remotely.

But, how does one access the httpd.conf file and other Apache files that I would use to tune the website behaviour. IE, where are the error.log and access.log files? My old apache webserver would use an ICO file that I had in my \htdocs directory as the icon presented in the web browser tabs - how to do this now?

Thank you

[father.mande]

Hi,

Apache web server is now an APKG
path is : /usr/local/AppCentral/httpd-2.4.43/
in data folder, you can get the httpd.conf and other files and folder (conf, modules_*, icons, var/log, etc.)

Philippe.

[dgarrard]

Hi Philippe,

I am a newbie wrt accessing these resources. How and with what tools would I access them? Is there an Asustor support page that describes this?

Thank you,

David

[dgarrard]

Regarding editing Apache config files, etc., I have attempted to SSH to my NAS on my local network using the Terminal from another linux box:
SSH myusername@192.168.1.50

I get back 'connection refused'

I then searched in ADM App Central and found 'Shell in a box". I installed that and when I run it, I get:

This site can’t provide a secure connection
192.168.1.50 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Does anyone have any advice?

Thank you

[Nazar78]

For SSH, you need to enable it in Services > Terminal.

For the SSL error, unless you've setup the matching certs, just access the app locally via non-SSL i.e. http://192.168.1.50:4200/.

JFYI, there's several ways to run httpd.

1. Using ADM Web Center.

2. Via containers such as LXC, Docker, chroot.

3. Build your own or using Entware repo packages.

4. VM - too much overhead.

I'm using chroot to run all my web apps (migrated from the old NAS). Using the container method like Docker is preferred nowadays for ease of deployment/migration especially for DevOps. Just ensure you're using the official image when deploying.

[dgarrard]

Thanks Nazar,

Given my very limited Unix skills, I think trying to go via 1. Using ADM Web Center is the best first option for me. Unfortunately I have not been successful.

- I had overlooked "enable SSH in Services > Terminal." Now Done.
- Now, when attempting to run Shell in a Box using http://192.168.1.50:4200/ I get:
This page isn’t working
192.168.1.50 didn’t send any data.
ERR_EMPTY_RESPONSE

In the meantime I have succeeded in connecting with SSH to my NAS on my local network using the Terminal from another linux box:
SSH myusername@192.168.1.50, and I can navigate via ls, cd.

So not sure why Shell in a Box is not making the local connection.

My real goal here is to simply edit some config files that are accessible via the Windows file explorer in the 192.168.1.50\Web directory and place them in the /usr/local/AppCentral/httpd-2.4.43/conf/ directory. The ADM File Explorer doesn't seem to allow 'exploring' into these directories - is there a way to alter that?

Or is there some sort of file browser utility in App Central that would allow that. I also looked for a text editor within App Central that would have access to paths within /user.

Thank you

[Nazar78]

- Now, when attempting to run Shell in a Box using http://192.168.1.50:4200/ I get:
This page isn’t working
192.168.1.50 didn’t send any data.
ERR_EMPTY_RESPONSE

Sorry correction for shell in a box, it's running with SSL by default, I had modified mine not to use SSL as I'm using it via reverse proxy SSL instead and using EC certs which the app doesn't support. So you should access it using https://192.168.1.50:4200/.

If you still can't access it, it could be a cert issue which you can check:

Code: Select all

/usr/local/AppCentral/shell-in-a-box/CONTROL/start-stop.sh stop
/usr/local/AppCentral/shell-in-a-box/CONTROL/start-stop.sh stop start

Error:

Code: Select all

[ssl] Cannot read valid certificate from "etc/certificate.pem"! Check file permissions and file format.

This means something is wrong with your default cert and you need to fix the cert in "./etc/" that's symlinked to "/usr/builtin/etc/certificate/ssl.pem". You can link it to this instead: /usr/builtin/etc/certificate/ssl_default/ssl.pem.

Or is there some sort of file browser utility in App Central that would allow that. I also looked for a text editor within App Central that would have access to paths within /user.

There's also many ways to do this. WinSCP for Windows to "SFTP" into the NAS. There's also a docker web based client, FileZilla, in the App Central which you can SFTP into the NAS. I usually just use the sftp/scp/rsync command line or lftp to mirror stuffs. Note you'll need the admin account to SFTP into the rootfs. I'm using key-based login using the root account. The other SFTP option in the ADM settings I think it's only for jailed environment (I haven't tested).

[astroboylrx]

This means something is wrong with your default cert and you need to fix the cert in "./etc/" that's symlinked to "/usr/builtin/etc/certificate/ssl.pem". You can link it to this instead: /usr/builtin/etc/certificate/ssl_default/ssl.pem.

Hi, sorry for replying an old thread. I am trying to access my NAS ADM via https with a valid certificate. I followed this guide (https://www.asustor.com/en/online/Colle ... ?topic=324) and was able to finish the part "Enabling HTTPS and DDNS". Visiting my site via cloud-id.myasustor.com shows the default success set-up page from Apache. However, I wasn't able to proceed like "3.2 Getting a certificate from Let's Encrypt". Specifically, Certificate Manager keeps saying my cloud-id.myasustor.com is invalid and asks me to make sure it can be accessed via port 80, whereas tests via Let's Debug shows my address is okay (either HTTP-01 or DNS-01). I don't really understand what's happening here. Any suggestions regarding how to proceed would be greatly appreciated!

Since the attempt above failed. I thought it would be fine if I can just access my NAS through TailScale's magic DNS via https, something like machine-name.sub-domain.ts.net. I can access them via http correctly. I tried to upload the cert & key files generated by "tailscale cert". However, Certificate Manager told me "Invalid certificate. (Ref. 5041)".
I then tried to use Certificate Manager to generate a Let's Encrypt certificate for machine-name.sub-domain.ts.net. It again told me that "machine-name.sub-domain.ts.net is invalid. Please ensure that your domain name can be successfully connected to using port 80. (Ref. 5056)" (actual site name redacted). At this point, I feel like the Certificate Manager does not challenge the website itself. Instead, it asks some cloud service to challenge the site, because only machines inside my TailScale network can access my site.
So, can I simply replace files in /usr/builtin/etc/certificate/ssl_default/ with the cert & key & pem files I got from "tailscale cert" to make this work? But I'm not sure how should I edit the file "/usr/builtin/etc/certificate/certificate.json" to reflect the change in the default ssl files. Again, any suggestions regarding how to proceed would be greatly appreciated!

[Nazar78]

Do a nslookup on your domain against Google DNS (both myasustor.com and TailScale i.e. `nslookup your-cloud-id.myasustor.com 8.8.8.8`) then check the result printed does the IPv4 reflect your current public IP (on the same home network, Google what is my IP)? For IPv6 the way it works, you'll need to check the IPv6 directly from your NAS.

From an external network, i.e. using mobile network with Wi-Fi/VPN/Proxy turned off, try access the above two domains on port 80 see if you can reach them.

For certs import, they need to be a specific format, both the cert and key should look like this (ignore the "...", below e.g. of Asustor's default cert):
ssl.crt:

Code: Select all

-----BEGIN CERTIFICATE-----
MIID9jCCAt6gAwIBAgIULAzQjlOGmtWVM89BVT+YlulWv3AwDQYJKoZIhvcNAQEL
BQAwgZExCzAJBgNVBAYTAlRXMQ8wDQYDVQQIDAZUYWl3YW4xDzANBgNVBAcMBlRh
aXBlaTEQMA4GA1UECgwHQXN1c3RvcjEMMAoGA1UECwwDTkFTMRwwGgYDVQQDDBNz
dXBwb3J0QGFzdXN0b3IuY29tMSIwIAYJKoZIhvcNAQkBFhNzdXBwb3J0QGFzdXN0
b3IuY29tMB4XDTIxMDcwMTAwMTAxMFoXDTMxMDYyOTAwMTAxMFowgYUxCzAJBgNV
BAYTAlRXMQ8wDQYDVQQIDAZUYWl3YW4xDzANBgNVBAcMBlRhaXBlaTEQMA4GA1UE
CgwHQXN1c3RvcjEMMAoGA1UECwwDTkFTMRAwDgYDVQQDDAdTdXBwb3J0MSIwIAYJ
...
wBv4jNKeOVsvOE41I5ijlu4+2/erTWVu6RnaeJ1NtPrULau1HUb1tKEcRvFr0Aca
v5lCcpoZp0gDDDhvxLcpi8b7I1W+swmOlBotbuJHrORnnKDETig7N7H3+8NDFSFg
kNUCB/0BigpkYud8HcRlXqqWFWnl7BxhJTeiV24M2YSTmQY+ifj0GOGUr5bPFLTv
406Td6FYwY7HOmccUhFVyXCwG/s10bqECUa1eORvLwIDAQABo1AwTjAdBgNVHQ4E
FgQUgNnCBNjWEe4rkQYi02qUNcOTNdcwHwYDVR0jBBgwFoAUvw6zwETrGdAANs8I
/2yFCysZ4+4wDAYDVR0TBAUwAwIBADANBgkqhkiG9w0BAQsFAAOCAQEAX2LyRNyw
h5VxVSrugWC0lB4Bhl+Zt1WDraw64+DqqHSO/W50yesGUR1lac1OJNC36sWa0V4L
c4c5jiy64WUGok7rFtKznodutgINz93ruYX/roCkPIFbmwiYh6qj7PNiL6z7wjSM
4LVrQ/SoRt3XKy+MUbF2gbvWaUgZ7BP83trIvCTo+5AUwGXeVz/llAVfWc87ZTzx
hE6M3b1O7UBG3qB/ukvgEVHNItjcqQSpQcle19o4WDUkau/+rpilZCIY9by4CZP2
+35m02v638RPeL0ZKnP0ToOrsuzLKV5S4r2a95SIilcNkkZ4TPVwbku9Cau5HL8z
BxjsQHtQeetFng==
-----END CERTIFICATE-----

ssl.key:

Code: Select all

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAtNCOMLktcWqwQNn930n3a8QX9bnFw9bYXFTEq5h48P/Ht+h8
7JE00LNUOvksraSd6QM6UbCKIo4NPE1kdVITUx8SOdaIa0fEEuAsyYzs2e6ewBv4
jNKeOVsvOE41I5ijlu4+2/erTWVu6RnaeJ1NtPrULau1HUb1tKEcRvFr0Acav5lC
cpoZp0gDDDhvxLcpi8b7I1W+swmOlBotbuJHrORnnKDETig7N7H3+8NDFSFgkNUC
B/0BigpkYud8HcRlXqqWFWnl7BxhJTeiV24M2YSTmQY+ifj0GOGUr5bPFLTv406T
d6FYwY7HOmccUhFVyXCwG/s10bqECUa1eORvLwIDAQABAoIBACwwwF+WEk4ixfrD
jDFTMX4MCdMLWRMY4f4G1Z4egIhd6uC+mDF095R+D3ruRQYXMmStXkZyv//b+c4g
GAo4SfLJqDmsfeDCRGBcm3WS1Jwann/TFjbMjtDzwSGgs4oElw6fIYu/BwW+YZHk
uKk7wK8Xkl2rFnOWURyZN4D7Jd9MQ+srL/PPHySOcNSDLooVN592gBi1lqKQf8oC
/BDYnAEBCD8A0awtek+JGafy1q978udb8VpFOtLaGr/fMntUR+qYuNjxx7m08iON
...
oq83SOECgYEA4byHMgyf+31BzwIOYMNnMrhxgAheTzx0LSOFskR0XZycLBrQ1Ftm
8SdUhZ4YsU5kg/20CBJRUWo5zL5vXTqYcdg4/JctBDmxi5IRmDnahbXzhbUUixuG
VZqNanYDDpkldrMEyOzOwHiwvEJfysRgRwE8L+BSjn1TZc6YL2YyK78CgYEAzQ5F
4Qps1Cbl8YDOWOPwgJaYsk6tOILbOIPb8KCtShRr0pgPQE+ZFY87Tc/bZ0W2cjwa
jkttHOtcFSAhdIAAN8I1xJ7hj1g6+8xYUgD/oDz2lhbxH+HETYp63Llwvs/1iNs/
s2p7jiGHewrpw/z6xiuGGfYPEPpr/KLQHESQWJECgYEAnLXeAW/kTJoLaqOZybE9
3mdPXDvzBP0KBiAn+7csNaS4gqHnIdWGZJoSQmSb7dNnUn55UjUtQOEG2U3HUCiS
lk4uWaS1ur42tJcmIdDgFH1ZXxRz+5KTMrCFxkfBHYxSBtKG2toTOmlPAJLvn3uu
/vwrhW0swwDcOcwvuJAw+k8CgYBe8r70pykhSymqG+RwUItqX1ExLzESO7Vag+Px
ldTnunD6wKI/Oxw9WWcybo6/UQ5b8uyw+sf5XhnzRj93fFWde/X9pzv2bfpR4Zr7
za6P+eqMMO9Rve5xoS+myM8l65Fb33mtkB7J/0iGdtUrhRZxcHHVz5PGXs5l2tXW
YQEdoQKBgBoR6Aatv0ihxqn37Vxz6omsgiBsQxKjGbW5VSPorIL0zTneJ4vRCpRz
OsCBM0loXH4/T29N3esFpNl0afQ4SL+GQ4FlzXj09QyAmVyDdVexnWgmPBviXVfQ
vCgCqCCivNoaal/L22HsZ0eqDGLT7JHaHwgXi238Gk3TRjlVSOe7
-----END RSA PRIVATE KEY-----

[astroboylrx]

Thank you very much for your help and response!!

Do a nslookup on your domain against Google DNS (both myasustor.com and TailScale i.e. `nslookup your-cloud-id.myasustor.com 8.8.8.8`) then check the result printed does the IPv4 reflect your current public IP (on the same home network, Google what is my IP)? For IPv6 the way it works, you'll need to check the IPv6 directly from your NAS.

Yes, nslookup on my domain cloud-id.myasustor.com does return the public IP (both at the same network and the external network). DDNS in "Manual Connect" in ADM's Settings also shows everything is okay.

try access the above two domains on port 80 see if you can reach them.

Not sure how exactly should I do this. But I tried to visit cloud-id.myasustor.com in browser from external network. It does show the default success page, which to my understanding means the port 80 is accessible.

Are there any other tests I should do?

For certs import, they need to be a specific format.

The one generated by TailScale has three certificates in the cert file (three blocks of "BEGIN CERTIFICATE" and "END CERTIFICATE"). Maybe ADM doesn't accept such certificate file?