Dne neděle 8. května 2016 10:19:59 CEST, Per Jessen napsal(a):
Vojtěch Zeisek wrote:
Dne sobota 7. května 2016 17:52:32 CEST, Jan Ritzerfeld napsal(a):
Am Freitag, 6. Mai 2016, 12:58:05 schrieb Vojtěch Zeisek:
I set up Synology NAS server and allowed only HTTPS access for the web interface. It has self-signed certificate, but as it is only for internal purposes, it is not any problem.
Well, current browsers do not like self-signed certificates. So, I would suggest that you create your own CA, deploy its certificate on all of the internal clients, create a certificate for your NAS with matching SANs, and sign it with your own CA certificate. This will be pretty efficient if you want to secure multiple internal servers because you only have to deploy exactly one certificate to get rid off all the browser warnings. I did this for my NAS, printer, and router. If you need any help, I will be happy to provide openssl configuration files and the corresponding commands to create all of the above.
However, if "internal purposes" means that only a limited set of people should access the Web Server of your NAS via a regular domain name then
Yes, it is the case, so that I think own CA is too much work...
upgrade to DSM 6 and use Let's Encrypt to remove the necessity of creating and deploying any CA certificate at all. I cannot do it this way because my NAS is accessible only via VPN, intentionally.
I did upgrade to DSM 6. Do You have experience with Let's Encrypt? I wonder why it needs port 80 opened...
That's how it communicates with the core server.
So could I allow connection on port 80 only from certain IP? -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux https://www.opensuse.org/ https://trapa.cz/