laat
Apr 06, 2022 Aspirant
ReadyNas 6.10.7
Hello and thank you for reading my question. To have one and only one share available on the wan, I have enabled https access for that share. Now I notice that also the admin GUI (https:..../...
Sandshark
Apr 06, 2022 Sensei - Experienced User
Your desires may not be the same as others'. I suggest you look into other ways to make your files available remotely, as just making a share available over the internet is not really a particularly good idea, IMHO. ReadyCloud is one obvious method. A VPN is another. I personally use ZeroTier, which is a VPN of sorts. Depending on exactly what you are sharing, OwnCloud or NextCloud may be an option.
I actually use ZeroTier for my own and my family's remote access and NextCloud as a repository for files to be shared with others, typically on a temporary basis, though I have "external" links (external from NextCloud's perspective) to a couple of shares shared more permanently with a couple friends.
laat
Apr 06, 2022 Aspirant
I do have my own reasons to have a particular share available by https.
I am not in need of other solutions.
Hence the questions remain.
- Sandshark Apr 06, 2022 Sensei - Experienced User
You would have to manually edit the apache options in one of the .conf files in /etc/frontview/apache. Just Google how to limit access by IP address on a Linux host. Note, however, that an OS update or any changes to HTTP access from the GUI may overwrite your added restrictions.
To restrict admin access, you should add to Admin_Auth.conf. I think something of this form would work:
Require host localhost
Require ip 127.0.0.1
Require ip 192.168
I'm not sure if you can lock out the password change page without affecting others.
Note that it might be best to first try it out on something other than your online system. Temporarily creating a volume on a scratch drive would be one way to do that. An OS re-install would probably restore it if something got messed up, but an OS restore doesn't overwrite everything, so I recommend the additional precaution.
- StephenB Apr 06, 2022 Guru - Experienced User
FWIW, it would be great if it were possible to limit access to the admin UI (including password recovery) to the local network. But unfortunately, Netgear doesn't have an option like that.
Sandshark's suggestions should get you started. If you get everything working the way you like, then I suggest posting exactly what you did - so others who want to do that can also implement your changes.
Another option that wouldn't require any mods is to use FTPS instead of HTTPS to access the share remotely. That is also encrypted, but would require people to use an FTP client like FileZilla or WinSCP.
- laat Apr 06, 2022 Aspirant
Thank you,
Since apparently there is no intended configuration setting to do this, I have entered it manually in the configuration as follows. This assumes that your LAN IP address range starts with 192.168.; if not, you can change that in the instructions below. Suggestions to make this easier are welcome.
1. Create a new file /etc/apache2/conf-enabled/PasswordRecoveryLanOnly.conf containing these lines:
<Location /password_recovery/>
Order deny,allow
deny from all
allow from 192.168
</Location>
<Location /my_password>
Order deny,allow
deny from all
allow from 192.168
</Location>
2. Edit the file /etc/frontview/apache/fv-admin.conf. In the <Location /admin> block, mark two lines as comments by putting a # sign in front of them:
# Order allow,deny
# Allow from all
And right below that add 3 lines:
Order deny,allow
deny from all
allow from 192.168
3. Restart frontview with the command:
service apache2 restart
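Sandshark's warning earlier in the thread, that an OS update or a GUI change may overwrite such edits, makes it worth re-checking them afterwards. The script below is an added example, not part of any post here or of NETGEAR's software; it uses the file paths and the 192.168 prefix from the post above, and the function names and the ROOT parameter are hypothetical.

```sh
#!/bin/sh
# Added example: report whether the <Location> blocks from the post above are
# still LAN-only. File paths and the 192.168 prefix come from that post.

# location_is_lan_only FILE LOCATION PREFIX
# 0 = block has active "Order deny,allow", "deny from all" and only
#     "allow from PREFIX"; 1 = anything else; 2 = file unreadable.
location_is_lan_only() {
    [ -r "$1" ] || return 2
    awk -v loc="$2" -v prefix="$3" '
        /^[ \t]*#/ { next }                  # commented-out directives do not count
        {
            line = tolower($0)               # Apache directives are case-insensitive
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            gsub(/[ \t]+/, " ", line)
        }
        line == ("<location " tolower(loc) ">") { inblock = 1; seen = 1; next }
        inblock && line == "</location>"       { inblock = 0; next }
        inblock && line == "order deny,allow"  { order = 1 }
        inblock && line == "deny from all"     { deny = 1 }
        inblock && line ~ /^allow from /       {
            sub(/^allow from /, "", line)
            if ((line "") == (prefix "")) allow = 1; else other = 1
        }
        END { exit !(seen && order && deny && allow && !other) }
    ' "$1"
}

# check_all [PREFIX] [ROOT]: ROOT is a hypothetical parameter for testing
# against a copy of the config tree; leave it empty on the NAS itself.
check_all() {
    prefix="${1:-192.168}"; root="${2:-}"; rc=0
    while read -r file loc; do
        if location_is_lan_only "$root$file" "$loc" "$prefix"; then
            echo "LAN-only  $loc"
        else
            echo "CHECK     $loc ($root$file)"; rc=1
        fi
    done <<EOF
/etc/apache2/conf-enabled/PasswordRecoveryLanOnly.conf /password_recovery/
/etc/apache2/conf-enabled/PasswordRecoveryLanOnly.conf /my_password
/etc/frontview/apache/fv-admin.conf /admin
EOF
    return $rc
}

# Run the check only when asked, e.g.: sh lan_only_check.sh --check 192.168
if [ "${1:-}" = "--check" ]; then check_all "${2:-192.168}"; fi
```

The script reads the configuration text only, so it does not see overrides from other Apache files; a 403 response on /admin from a connection outside the LAN is the confirming check.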