Why do you say that? Why can’t you put your HTTPS port on the WAN so you can share files directly? Using the SmartShare service is admittedly more secure, but it only runs through QNAP’s servers in Taiwan and is quite slow.
Seems like if you have a strong password, exposing the HTTPS port should be OK, particularly if you make it an oddball port number (i.e., not 443 or similar)…
So the QNAP runs with its user login on port 8081. If you just attempt to use my-site.no, then your browser is attempting to go to port 80. There’s no way using browsers and DNS to map a port other than 80 to the straight domain name (i.e., my-site.no).
Not exposing your NAS to the web is the conventional wisdom. However, I have done it for years with now 7 NAS’s and never had an issue. It is faster and less complicated. Be aware: you must 1. disable the admin account, 2. enforce long complex passwords (caps, smalls, numbers, and special characters; at least 12 long), 3. use weird ports. Also, 2FA would give further security. People will try to break in (one guy tried over 3000 times in one day, but he never even guessed one correct user name, much less their password). In the last year, hardly any attempts since the old vulnerabilities were fixed. Hackers have figured out QNAP NAS’s are no longer fertile ground. I have this message on my login screen: “If you are trying to hack me, you are wasting time! Admin account disabled. You have to guess user + password + beat 2FA”
It’s not OK. QNAP service authentication has traditionally been circumvented entirely (hackers crash the authentication service with malformed requests, then have access to whatever they want).
HTTPS doesn’t prevent hacking attempts. That’s not its job.
Changing the port number is irrelevant. Hackers can easily scan all ports.
QNAP decided to write their own software to do something that could already be done with tried-and-tested software.
Their track record with security hasn’t been good. It may have improved since the last ransomware outbreak, but those affected by hacks and those of us who helped deal with the aftermath are now reluctant to trust it.
Yowza! What a mess. I knew there had been security issues in the past related to QNAP devices but thought a lot of those had been solved. Hopefully, they have begun to plug a lot of those holes. Have there been any incidents since this last one? I can now see and understand the advice!
I didn’t read all 174 pages of posts (read about 10 or 11). What was finally determined as the attack vector?
The recent ones are either not significant or not with QTS. The ones that caused issues were fixed a long time ago. Also, QNAP now takes great care to avoid these issues. Security Advisories | QNAP (US)