Problems with OwnCloud on Qnap with Squid3 SSL Reverse Proxy



  • Guys, I need your help.
    For a few days I have been trying to bring my OwnCloud on Qnap online through my pfsense with a Squid3 Reverse Proxy. I assume I made a mistake with the certificates; I am not very experienced in handling them. Without SSL I can access my OwnCloud through my Reverse Proxy, but with it, it is still impossible.
    What I have done:
    1. I exported the .crt and the .key file from my Qnap device (default certificate from my Qnap Device)
    2. Imported the certificate into pfsense as "owncloud external certificate" (self signed)
    3. Enabled "HTTPS Reverse Proxy" in my "Squid Reverse Proxy"
    4. Selected "Ignore Internal Certificate Validation" (no idea if I need the Intermediate CA Certificate or what it is…?)
    5. Selected my imported certificate as "Reverse SSL Certificate"
    6. Allowed TCP Port 443 on my WAN address
    7. Enabled and defined the "Web Server" with the IP, the peer port 4443, peer protocol https (the local port on Qnap for OwnCloud)
    8. Enabled and defined the "Mappings" to my peer and defined the URIs "https://my.domain"

    Locally I can access my OwnCloud instance over 4443 and it is correctly encrypted. It also works fine from outside through my reverse proxy without SSL. But if I try to access it from outside with SSL (https://my.domain), I get the following error:
    "Der Server unter X braucht zu lange, um eine Antwort zu senden." What is interesting is that as soon as I receive the error page, the URL changes from "https://my.domain" to "https://my.domain/redirect.html?count=0.6637583377511048". But I have no redirects defined...
    I hope somebody will be able to support me, thank you!
    (2.2.4-RELEASE (amd64) - squid3 0.4.1.1 - Qnap TS-509 / 4.1.4 - OwnCloud 8.0.4)


  • Banned

    @darkred:

    What is interesting is that as soon as I receive the error page, the URL changes from "https://my.domain" to "https://my.domain/redirect.html?count=0.6637583377511048". But I have no redirects defined…

    This is internal QNAP crap that has nothing to do with pfSense.



  • Thank you for your message. Are you sure? Does that mean that my config should be correct?
    If it is an internal problem, would it be possible to create an SSL connection to pfsense / reverse proxy and connect to the HTTP protocol of the Qnap? If yes, how?

    Any other opinions or ideas?


  • Banned

    Yeah, I'm very sure that the ?count= nonsense is stuff produced by the QNAP webgui (they use it for some usage tracking or WTF). As for config - hitting this would suggest you are hitting the QNAP admin GUI instead of OC. The URI certainly doesn't look correct unless you produced some virtualhost on QNAP.

    (Honestly, the QNAP stuff, with its notoriously outdated LAMP stack and core system in general, is something I'd never run publicly accessible.)



  • I have a virtual host defined on Qnap to connect directly to OC, therefore I assume that all the nonsense stuff of the Qnap GUI shouldn't have an impact, right?
    If I am looking for a way to build a secure "dropbox"-like solution of my own, what would you prefer if an SSL reverse proxy combined with the virtual host on Qnap is a risk?


  • Banned

    Afraid I won't be of much assistance here, beyond a couple of notes:

    • Don't use the default QNAP certificates, pretty much the same as having no encryption at all. Anyone can get the private key.
    • Literally every howto that deals with running OwnCloud on QNAP suggests moving the QNAP admin webgui out of port 443.

    Other than that, all QNAP boxes here are running Debian.
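
The peer-side TLS choice behind step 4 of the first post and the default-certificate note in the last reply, written as a plain squid.conf sketch. This is an added example, not configuration posted in the thread or generated by the pfSense package; the peer address 192.0.2.10, all file paths, and the names `owncloud` and `owncloud_site` are placeholders, and the mapping of the GUI checkbox to `sslflags=DONT_VERIFY_PEER` is an assumption.

```conf
# Added example (Squid 3.x reverse proxy). Placeholders: 192.0.2.10, file paths,
# the peer name "owncloud" and the ACL name "owncloud_site".

# Public side: terminate TLS for my.domain on WAN port 443 with a certificate
# and key generated for this site (not the vendor default pair).
https_port 443 accel defaultsite=my.domain vhost cert=/usr/local/etc/squid/owncloud.crt key=/usr/local/etc/squid/owncloud.key

# Weak peer setting (assumed equivalent of "Ignore Internal Certificate Validation"):
# the proxy encrypts to the QNAP on 4443 but accepts any certificate it presents,
# so it cannot tell the real OwnCloud host from an impostor on the LAN.
# cache_peer 192.0.2.10 parent 4443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=owncloud

# Corrected peer setting: install a certificate you issued yourself on the QNAP
# virtual host, then pin the issuing CA and the expected certificate name here.
cache_peer 192.0.2.10 parent 4443 0 no-query originserver ssl sslcafile=/usr/local/etc/squid/own-ca.pem ssldomain=my.domain name=owncloud

# Mapping: only requests for my.domain are forwarded, and only to this peer.
acl owncloud_site dstdomain my.domain
cache_peer_access owncloud allow owncloud_site
cache_peer_access owncloud deny all
http_access allow owncloud_site
http_access deny all
```

With the validated variant, a request that lands on a different TLS service on the QNAP (one presenting a certificate not issued by the pinned CA) fails at the proxy instead of being forwarded.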

