Accessing LUCI over Reverse Proxy

Hi all!
In my system I have five OpenWRT routers. The overall site has a remote-accessible control page (safely protected behind SSL + strong two-factor authentication). On this remote control page I can access all the services and many web control pages.

I have an NGINX configured as a reverse proxy for all the internal services which are published.
For all the services (webcams, heating control, mechanical pumps and systems and such) I have dedicated web pages which are easily accessed using the NGINX reverse proxy.

I would also like to access the five LuCI web pages, so that I can check on the wireless and wired network easily too, from one single point.

I cannot.

On NGINX i have the following setup:

                location /OpenWRT-1/ {
                        proxy_pass http://192.168.1.2/;
                        proxy_redirect / $scheme://$host:$server_port/OpenWRT-1/;
                        proxy_set_header Accept-Encoding "";
                        gunzip on;
                        sub_filter "src=\"/" "src=\"/OpenWRT-1/";
                        sub_filter "href=\"/" "href=\"/OpenWRT-1/";
                        sub_filter "action=\"/" "action=\"/OpenWRT-1/";
                        sub_filter_once off;
                        sub_filter_types *;
                }

This was working for a Netgear web GUI, but for LuCI it does not.
I can see the login page fine, but then a red bar appears on top with the following error:

"Error No related RPC reply"

The login does not work.

The failing request seems to be the following one:

https://<my server>/cgi-bin/luci/admin/ubus?1605686821774

Which is incorrect, it should instead be like this one:

https://<my server>/OpenWRT-1/cgi-bin/luci/admin/translations/en?v=git-20.247.75781-0d0ab01

See the missing "OpenWRT-1" part in the address of the first one? That's the issue.

Does LuCI have any way to configure the base URI?
Or does anybody know how to properly redirect these URLs as well?

Thank you

I had a similar issue, any solution?
Thanks

Unless I am mistaken, LuCi does not work outside the root path.

I'm late. I've been looking for this recently. Here's how I had to modify it, and it's been verified that it works. Add "op" to the sub path.

=====================================
file:/etc/config/uhttpd

option cgi_prefix '/op/cgi-bin'
list lua_prefix '/op/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'

=====================================
move /www/* to /www/op
exclude index.html

=====================================
file:/www/index.htm

this line
<meta http-equiv="refresh" content="0; URL=op/cgi-bin/luci/" />
and this line
<a href="/op/cgi-bin/luci">LuCI - Lua Configuration Interface</a>

=====================================
file:/etc/config/luci

config core 'main'
    option resourcebase '/op/luci-static/resources'
    option ubuspath '/ubus/'
    option mediaurlbase '/op/luci-static/material'
    option lang 'zh_cn'

config internal 'themes'
    option Bootstrap '/op/luci-static/bootstrap'
    option BootstrapDark '/op/luci-static/bootstrap-dark'
    option BootstrapLight '/op/luci-static/bootstrap-light'
    option Material '/op/luci-static/material'

=====================================
NGINX config

location /op/
 {
    proxy_pass http://xxxx;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Original-Request $request_uri;
 }

Hey! Just signed up to say thank you.
I was about to install nginx to use for LuCI instead of uhttpd, but you saved me lots of time and effort.

This should be pinned in the uhttpd docs page maybe?

LuCI has some URLs inside JS files, and this makes content replacement more difficult. Here you used sub_filter_types *, e.g. to replace not just inside text/html but also in JS, so you are safe. Still, sub_filter has a limitation: it processes only chunks of chunked transfer encoding, and this may potentially cause problems. Still, LuCI itself works fine with this.

It should be easier to use a separate subdomain, e.g. openwrt1.example.com.
All the paths would remain the same, and the sub_filter to change URLs in the HTML content is not needed.
Nginx will terminate TLS and use raw HTTP between the proxy and the router.

But basically OpenWrt LuCI can work with TLS too (but it's painful to issue a valid cert), so you can use an SNI proxy or just use a separate port and forward it to the router's 443 port.

Generally speaking, the reverse proxy can set a header for a base URL, but this is not widely used. Only the Deluge torrent web panel has the ability to set a base URL: https://dev.deluge-torrent.org/wiki/UserGuide/WebUI/ReverseProxy

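An added example (not written by any poster in this thread, and not LuCI or nginx code): a Python check that applies the three sub_filter rules from the first post to a page body and lists the root-absolute paths that still lack the /OpenWRT-1/ prefix. The sample body and the function names are assumptions; the sample assumes the RPC URL is a string inside a script, which attribute-based rules never match.

```python
import re

PREFIX = "/OpenWRT-1/"

# The three sub_filter rules from the first post's location block.
SUB_FILTERS = [
    ('src="/', 'src="' + PREFIX),
    ('href="/', 'href="' + PREFIX),
    ('action="/', 'action="' + PREFIX),
]

# Constructed sample of a proxied page (not captured LuCI output): three
# attribute URLs plus a script that assembles its RPC URL from a string.
SAMPLE_BODY = '''<link rel="stylesheet" href="/luci-static/bootstrap/cascade.css">
<script src="/luci-static/resources/luci.js"></script>
<form method="post" action="/cgi-bin/luci">
<script>var rpc = "/cgi-bin/luci/admin/ubus" + "?" + Date.now();</script>'''


def apply_sub_filters(body, rules=SUB_FILTERS):
    """Literal replacement of every occurrence, as with sub_filter_once off.

    nginx matches the search string case-insensitively; the sample is
    lower-case, so a plain str.replace gives the same result here.
    """
    for needle, replacement in rules:
        body = body.replace(needle, replacement)
    return body


# A quoted string that starts with exactly one "/" is a root-absolute path.
ROOT_ABSOLUTE = re.compile(r'''["'](/(?!/)[^"'\s<>]*)["']''')


def escaped_paths(body, prefix=PREFIX):
    """Return the root-absolute paths in body that are not under prefix."""
    return sorted({p for p in ROOT_ABSOLUTE.findall(body)
                   if not p.startswith(prefix)})


if __name__ == "__main__":
    rewritten = apply_sub_filters(SAMPLE_BODY)
    for path in escaped_paths(rewritten):
        print("not rewritten:", path)
```

Run against a saved copy of a real proxied response instead of SAMPLE_BODY, the same two functions show which paths a sub-path setup would still request from the proxy's root.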