How to add HTTP Authorization to Synology's web interface


October 2014.
Image

Situation


This article is relevant to a DS412+ appliance.

You're using a small Synology server. You use the web interface for whatever purpose. (the one at http://nas.example.com:5001). You'd like to access this interface remotely, but you are afraid to open the port on your firewall since you don't trust the associated CGI scripts.

Solution


Add HTTP auth to httpd, so that any request must go through a password.

Create file /usr/syno/etc/httpd/passwd (here or in whatever location you fancy) and create your credential database.

user:$apr1$mN37yOqk$7wKJq7B710AcJSa7Y6WJD1
user2:$apr1$4zha9SDn$Vcs481LpfkUMx1Y/SybKw.
user3:$apr1$Gq/AeNY4$68DGcCVo6BdOSy1eSDjkP/
user4:$apr1$ihJ0/hfG$1MUZzj3LYKG7tU3P7S9hh/

Create file /etc/httpd/conf/extra/httpd-something.conf and configure httpd to serve on port 5002 the same content as port 5001, but with basic HTTP authentication.

Listen 5002

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authn_file_module modules/mod_authn_file.so


ServerName *
ServerAlias *

SSLEngine on


AuthType Basic
AuthName "Secure Content"
AuthBasicProvider file
AuthUserFile /usr/syno/etc/httpd/passwd
Require valid-user



Edit /etc/httpd/conf/httpd.conf-sys and include the preceding file at the end.

Include conf/extra/httpd-something.conf

Restart httpd.

/usr/syno/etc/rc.d/S97apache-sys.sh restart

Forward port 5002 in your firewall.

Image

Enjoy your (a tiny bit more) secured NAS from anywhere in the world.