2013-02-15
04:45 AM
Ftp access to subfolders or http redirect to multiple shares
Hello,
I have a shared folder "websites" in which I have 3 subfolders, each hosting a website for a different user. My problem is I need FTP access to each subfolder to be limited to each user. In other words, "User 1" has rw FTP access to ip/websites/subfolder1, but users 2 & 3 do not have rw permission; "User 2" has rw FTP access to ip/websites/subfolder2, but users 1 & 3 do not have rw permissions, etc. I know the first thing someone is going to say... make each website its own share with access for the respective user; however, in doing this I can no longer redirect HTTP to all three shares. Does anyone have any ideas or workarounds for this catch-22?
Thanks,
Chris.
Message 1 of 9
2013-02-15
05:09 AM
Re: Ftp access to subfolders or http redirect to multiple sh
Hi Chris,
Do any of the shares on the NAS have guest access enabled? This would need to be disabled on all the shares. You should be able to set the permissions then. One other thing to note, which may or may not be related: when connecting to the NAS, try using active FTP on the client side rather than a passive FTP connection.
Message 2 of 9
2013-02-15
05:54 AM
Re: Ftp access to subfolders or http redirect to multiple sh
Hi,
Thanks for the reply. I have been through all the shares on the NAS and I can't see any guest access enabled. In fact, I can't see a guest access option at all. The FTP connection seems to connect fine. The problem is that when each user connects via FTP, they are connecting to the same share folder "websites"; as a result they all have RW permissions on all three subfolders. What I am looking for is a solution where each user's FTP connection has rw permission for their subfolder only. I know this would be possible if I set each subfolder as its own share folder, but then I am unable to redirect incoming HTTP traffic to more than one share folder. So... essentially what I am asking is: is there a way to set FTP share access on subfolders of a share, or is there a way to redirect incoming HTTP to more than one share folder? Either way would solve my problems.
Chris.
Message 3 of 9
2013-02-19
05:37 AM
Re: Ftp access to subfolders or http redirect to multiple sh
Hi again Chris,
Share access can be restricted via FTP, or at least should be possible in user mode. You can restrict folder access in ADS mode using SBS2008, but not in user mode access without root access. You would need to add certificates and chmod the shares. Maybe one of the other power users could advise on how to do this. This would not be supported by Netgear support and potentially voids the warranty, etc. Here is the kinda thing you would be doing: http://serverfault.com/questions/239850 ... -directory.
Message 4 of 9
2013-02-20
04:32 PM
Re: Ftp access to subfolders or http redirect to multiple sh
Hi again,
Thanks, this is what I wanted to know. The ability to restrict folder access for users within a share would be a great add-on for the ReadyNAS.
Can any power users advise on how I might gain root access and add certificates, chmod the shares?
Chris.
Message 5 of 9
2013-02-20
09:52 PM
Re: Ftp access to subfolders or http redirect to multiple sh
Hi, I am interested in how this is also set up for HTTP redirect. Would the previous posting work for HTTP as well?
Message 6 of 9
2013-02-20
10:42 PM
Re: Ftp access to subfolders or http redirect to multiple sh
A "share" is nothing more than an alias to a LINUX directory, so you should be able to accomplish either of your alternatives if you enable root SSH access via the add-on and do your work directly in LINUX. If that scares you, you probably shouldn't be trying it even if somebody leads you by the hand. I suppose you could do some of this via PHPShell or Ajax Explorer, but SSH is the best since it doesn't rely on FrontView and you can still get in and fix a problem even if you somehow screw up FrontView.
If you do the appropriate CHOWN and CHMOD to the individual directories, that should control who can write to a directory. Make the user you want to have access the directory owner and give only the owner write access. Or, if you need more than one person to have permission, put them in a group and do the same with group access. If you mess it up, you can use the FrontView Advanced Options for the share and reset the permissions. I've not tried this, but I don't see why it wouldn't work. FTP might be a bit confused and think others can write to it, but the write should fail.
To create web sites, you can either edit the various .conf files in the Apache directory, or you can create totally new ones in the addons folder. I prefer the latter, because manual edits to the standard .conf files can get deleted by changes made via FrontView. But while you are experimenting, it can be a good thing to use the standard files, as they get over-written by a firmware re-install in the event you completely mess up Apache and can't even get into FrontView. I have separate web sites called by separate ports, but there are also ways to have them called by name if multiple ports are a problem for you. Just be mindful of the necessary steps (rewrite rules) to keep from creating a back door to other directories via the port(s) you have opened.
The following, put in a .conf file in addons, will create a site using share "Site1" for website1.com and a port 8085 redirect and block any attempt to get to another directory via port 8085:
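Listen 8085
<VirtualHost _default_:8085>
    ServerName www.website1.com
    SSLEngine off
    RewriteEngine on
    # Send requests for the site root to the "Site1" share.
    RewriteRule ^/$ /Site1 [R,L]
    # Refuse (403) any path that is not under /Site1. "-" means no substitution;
    # without it Apache reads "[F,L]" as the substitution instead of as flags.
    # The pattern is anchored so a path that merely contains "/Site1" is refused too.
    RewriteRule !^/Site1(/|$) - [F,L]
</VirtualHost>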
You can put as many of these as you like in one file, or as many separate .conf files in addons that you like.
Message 7 of 9
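The ownership and permission change described in the post above, as an added example that is not part of the original thread. The function names, user names and paths are assumptions, and the chown step needs root (SSH) access when the target owner is a different user.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholder usage on the NAS:
#   lock_site_dir user1 /c/websites/subfolder1
#   lock_site_dir user2 /c/websites/subfolder2
#   audit_writable /c/websites

# Make one user the sole writer of a site directory.
# Directories become 755 and files 644: the owner can write, while group and
# others (including the web server account) can only read and traverse.
lock_site_dir() {
    owner=$1
    dir=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    chown -R "$owner" "$dir" || return 1
    find "$dir" -type d -exec chmod 755 {} + || return 1
    find "$dir" -type f -exec chmod 644 {} + || return 1
}

# Print every file or directory below the web root that group or others can
# still write to. Symlinks are skipped because their mode bits are not used.
# Empty output means only the owners can write.
audit_writable() {
    find "$1" -mindepth 1 ! -type l \( -perm -020 -o -perm -002 \) -print
}
```

Run the audit again after any permission reset from FrontView, since the post notes that FrontView can reset the permissions on a share.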
2013-02-21
01:23 PM
Re: Ftp access to subfolders or http redirect to multiple sh
Hi,
Thanks for your help. So just to clarify: with the separate websites created in your last instruction, by "separate" do you mean they are or can be their own shares? If so, does this mean I can create user access to each share (website) in FrontView and then direct html to each share (website) with a .conf file via SSH? Also, if I don't want to use multiple ports, can I keep the "<VirtualHost _default_:80>" for all the site .conf files I create? I would also assume that I would not need the port Listen command? I'm not too experienced with Linux, so I am looking for the easiest way to achieve this.
Thanks,
Chris.
Message 8 of 9
2013-02-23
09:54 AM
Re: Ftp access to subfolders or http redirect to multiple sh
Each site can be in its own share. In the above example, "Site1" is a share. Creating a similar entry (another entry in the same .conf file or another .conf file) for another share and another port will create a separate site for that share/port. So, yes, just set up the other share in FrontView the way you want to and then add the .conf via SSH that defines the website. You can even have different sub-domains in separate shares if you set up the rewrite rules correctly. What FrontView calls a "Share" is just an alias to a directory.
There are ways to create all the sites with the same port and differentiate the share based on the domain name, but I've not done it. I don't think you can have more than one .conf file in that case, though. You certainly shouldn't define the default virtual host more than once. Since I have a dynamic IP address and need re-directs for each domain name anyway, it's just easier for me to have each site re-direct to a different port. I have seen an example in the forum on how to do that (but I did a quick search and didn't find it right off), and I'm sure you can Google and get some examples as well since that's really the more normal way of doing it on a platform that's designed for web sites rather than a NAS. If you are looking at non ReadyNAS specific examples, just remember that you can refer to a share by its share name (i.e. "ShareName"), or its home directory (i.e. "/c/ShareName"). The share name aliases are defined in Shares.conf, located in /etc/frontview/apache (where all the other standard Apache .conf files are located). I'm not sure of the order of execution of the various .conf files, but it seems pretty clear that httpd.conf has to go first, then Shares.conf, then Virtual.conf. Don't know about the others, but you shouldn't really be messing with them, anyway. You will have to make sure any reference to an alias is after Shares.conf is executed. If you just keep things in the files where similar FrontView entries already occur, you should be OK. If using a share name doesn't seem to work, use the directory name instead. The addons directory below the apache directory is where you would put any custom .conf files, as every .conf file in it is run after the standard .conf files, which is another reason for putting everything in there. Since it truly executes every .conf, make sure you've deleted any files you don't want run or re-name them so they don't end in .conf.
You can either edit files within the NAS LINUX environment (where VI is the only editor installed by default) or copy them to another share and edit them outside. If you do copy them, you'll need to change permissions to edit them. I've always made sure the ones I put in the apache directories have "root" as the owner. It may not be necessary, but it's best, so be sure to change that back if you edit with credentials other than "root". My old NV was particular about .conf files having only LF end-of-line instead of CRLF, but the Pro seems not to care. Don't know if later firmwares on the SPARC platforms also make it tolerant to a CRLF EOL. Never had an ARM based NAS, so know nothing about their restrictions. So, you may need to be careful with the editor you choose if you are editing outside of the LINUX environment. I like UltraEdit for this.
If you are going to use Port 80, then you are either going to have to disable HTTP access to ALL shares in FrontView or you are going to have to edit the standard .conf files and potentially re-edit every time you make a change in FrontView that affects HTTP access. Letting FrontView make changes to .conf files that affect port 80 and having your own separate files that may be contradictory could have some unsavory results. Using alternate ports that FrontView knows nothing about makes all this unnecessary.
Message 9 of 9
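A pre-reload check for the custom .conf files discussed in the last post, as an added example that is not part of the original thread. The function name is an assumption; it flags CRLF line endings and ports claimed by more than one Listen directive (Apache cannot bind the same port twice) across every file ending in .conf, since all of them are loaded.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholder usage on the NAS,
# using the addons directory the post describes:
#   lint_addons /etc/frontview/apache/addons

# lint_addons DIR: print one line per problem found in DIR/*.conf.
# Returns 0 when nothing was found, 1 otherwise.
lint_addons() {
    dir=$1
    rc=0
    cr=$(printf '\r')

    # Older firmware rejected CRLF line endings, so report any file with a CR.
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -q "$cr" "$f"; then
            echo "CRLF line endings: $f"
            rc=1
        fi
    done

    # Collect the argument of every Listen directive across all loaded files
    # and report values that occur more than once.
    dup=$(cat "$dir"/*.conf 2>/dev/null | tr -d '\r' |
          awk 'tolower($1) == "listen" { print $2 }' | sort | uniq -d)
    for p in $dup; do
        echo "duplicate Listen: $p"
        rc=1
    done

    return $rc
}
```

A file renamed so that it no longer ends in .conf is ignored by the check, matching how the post says to disable a file.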