Ask for recommendation: HTTP file server for OpenWrt 22.03.5

Hi, I would like to run an HTTP file server on an R4S which is using OpenWrt 22.03.5, so that users can open a web browser to download files. I think the server can open a port on the WAN port. (Not the default port 80, since it is blocked by my ISP.)

Would anyone suggest a tool or a server?

I see that by default, in the web configuration, a Samba server can be enabled, but I don't think this fits my need. I would like to have an HTTP server. Thanks.

Do you mean something like WebDAV? Are you trying to serve up files to people on your home LAN, or across to the internet? Please explain more about your use case.

In the meantime, these might be helpful:

1 Like

Hi, thanks for the help.

Yes, I mean something like WebDAV. I think I would like to share files with a few people and let them download files. People can also upload files. I would like to use it over the internet. Maybe I can put a simple HTML file on this router.

I mainly used Lighttpd as a web administration tool to configure the router.

Currently, I am trying to use this tool: svenstaro/miniserve: For when you really just want to serve some files over HTTP right now! I can run this tool on my OpenWrt now in the SSH shell, but once I close the shell, the web site is gone. So I need to find a way to run the executable in the background. Not sure how to do that.

Also, I need to open the port to the internet, so that users can access my HTTP server.

Why not ssh, and have the mates use (win)scp, or does it have to be browser-based?

I don't know if it is important for you, but uploading with WebDAV doesn't preserve timestamps.

I just found another tool named dufs: sigoden/dufs: A file server that supports static serving, uploading, searching, accessing control, webdav... It says it has a WebDAV feature. I just downloaded a single executable file of dufs, and I see I can run this file on OpenWrt, that's great.

Yes, I think I need a simple HTTP file server, which lets a few people log in and download what they like. So, people will access the files in their browser.

Make sure you have it heavily firewalled, and also with some form of security, e.g. TLS and authentication, etc. Maybe even hide it behind a VPN or SSH tunnel, with only your chosen few having the VPN or SSH tunnel details.

If you have an open, insecure HTTP server which permits uploads and is accessible to the entire Internet, it will be exploited, whether by crooks or "warez kiddies" or the like. In a worst-case scenario, if the cops come calling to ask why you've got illegal material on your computer, good luck proving it's not yours.

1 Like

Hi, @iplaywithtoys thanks for the information.

I think for security reasons, I will only allow uploading files from the LAN port. I have already enabled the L2TP VPN server on the router. When a VPN client is logged in, it is on the LAN (virtual) port.

BTW: is it safe to only have a read-only HTTP file server running on the router which can be accessed from the internet?

Then that kind of defeats the objective of having the thing available over the Internet. However, not exposing the service directly to the Internet is a step in the right direction.

L2TP on its own offers no security. It's a tunnel, nothing more. If you're going to use L2TP then make sure you've got some layer of encryption, such as IPsec, on top of it. There are some niche use cases for using L2TP without encryption, but yours isn't one of those.

If you're going to use a VPN to permit only your chosen users to connect, I would suggest something like WireGuard (easy to set up, and lightweight; it's pretty fast when in use), Tailscale (WireGuard with a fancy GUI and some clever hacks to make it easier for the user to set up a WG mesh), or OpenVPN (uses certificates so is slightly more difficult to set up).

Or, if you've already got IPsec in place on top of L2TP, and it works for you, then feel free to stick with it. The important bit is that you employ some protection; the specific flavour of protection isn't as important as that it does what it's supposed to do.

The answer, as with all things I.T. related, is "it depends".

And what it depends on is how securely-configured it is and whether or not there are any vulnerabilities in the software on the router.

Personally, I would advise against doing so. I prefer single-function devices, for simplicity. The more things a device has to do, the more things that can go wrong and the more risk there is of one component introducing a vulnerability.

Instead, set up a different device to run the HTTP server and leave the router to route. That's its job.

The above is only advice, which you are free to accept, adapt, or ignore as you see fit. Ultimately, it's your device and your network, so it's your choice how to proceed.

1 Like

Hi, thanks. I already have an L2TP/IPsec server running and working on my OpenWrt router. In fact, I'm not using either of the two ways (WireGuard or OpenVPN) you mentioned. Instead, I use SoftEther VPN server. The setup is also not complex (see How to tweak the firewall of OpenWrt 22.03 to support Softether VPN server - Installing and Using OpenWrt / Network and Wireless Configuration - OpenWrt Forum and L2TP vpn client report 720 Error when try to connect SoftEther VPN on OpenWrt); in fact, it is quite easy. I have seen that the OpenWrt wiki doesn't have a page for the SoftEther VPN server, but I don't have the right to edit the wiki. I tried to apply for a wiki account several weeks ago, but failed (the reply got deleted automatically). Today I have tried again. (see here: Applying for OpenWrt wiki account)

OK, thanks. I will consider your advice.

Thank you for the reminder of Softether; I meant to tinker with it a while ago and forgot due to being distracted by some other shiny novelty.

You seem to be most of the way there, from your description. It sounds like you've got the encryption side of things locked down already, so all you need to do is ensure that your firewall permits access to the HTTP server only from users of the VPN (and, optionally, LAN users, depending on how your environment is set up).

Use a tool like tmux to launch a detached session, you can reconnect to that anytime, and stuff keeps running in the background when you log out.
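For keeping the server running after the SSH session closes, OpenWrt's procd service manager is an alternative to a detached tmux session. This is an added example, not from the thread: it writes an init script that starts dufs read-only on the LAN address; the binary path `/usr/bin/dufs`, the directory `/mnt/share` and port 8080 are assumptions.

```shell
# Added example (not from the thread): write a procd init script for dufs.
# Assumptions: binary at /usr/bin/dufs, files under /mnt/share, port 8080.
# write_dufs_init OUTFILE BIND_ADDR: refuses a wildcard bind address.
write_dufs_init() {
    case "$2" in
        ""|0.0.0.0|::|"[::]")
            echo "refusing to listen on every interface" >&2
            return 1 ;;
    esac
    cat > "$1" <<EOF
#!/bin/sh /etc/rc.common
# procd keeps the server running after the SSH session ends.
USE_PROCD=1
START=95

start_service() {
    procd_open_instance
    # Read-only: neither --allow-upload nor --allow-all is passed.
    procd_set_param command /usr/bin/dufs --bind $2 --port 8080 /mnt/share
    procd_set_param user nobody      # do not serve files as root
    procd_set_param respawn          # restart if the process exits
    procd_set_param stderr 1         # send errors to the system log
    procd_close_instance
}
EOF
    chmod 755 "$1"
}

# 192.168.2.1 is the router LAN address shown in the thread.
write_dufs_init "${TMPDIR:-/tmp}/dufs.init" 192.168.2.1
```

On the router, write the file to `/etc/init.d/dufs`, then run `/etc/init.d/dufs enable` and `/etc/init.d/dufs start`.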

Yes, the VPN already works in my router.

I think I am lucky with configuring the firewall for the HTTP server. When I run the HTTP server, I don't need to set any firewall rule for the LAN users. I mean my LAN has 192.168.2.x addresses, and my VPN client setting for the SoftEther VPN client is also 192.168.2.x, which means my VPN clients and my local LAN users are on the same intranet. So, all the above users can access the HTTP server correctly without tweaking the firewall.

If your users are connecting over a VPN, then how about moving to something which doesn't need a browser. You can use Samba to serve up the files, and access them directly.

3 Likes

It should be mentioned that the major web servers nginx and Apache are OpenWrt packages. On hardware such as this with sufficient memory and CPU they should be considered as they are well proven safe to expose directly to the Internet.

1 Like

+1. I prefer nginx because of its smaller footprint. However, Apache is a bit easier to set up with PHP.

1 Like

If your users are connecting over a VPN, then how about moving to something which doesn't need a browser. You can use Samba to serve up the files, and access them directly.

Yes, I will try Samba, since Samba is a pre-installed package. I mean it can be enabled by the web-configuration panel, under the webpage: http://192.168.2.1/cgi-bin/luci/admin/nas/samba4

Thanks.

Hi, @mk24 and @reinerotto, thanks. If I would like to expose something directly to the internet (for example, a very small static web site), is it possible to just use nginx? I'm not quite familiar with web site config. To my understanding, I already have a running HTTP server, the uHTTPd webserver, running the LuCI web interface for OpenWrt, so that I can configure the router. When I install another tool such as nginx, can they conflict?

To my understanding, nginx is a reverse proxy tool, which means it gets the HTTP request from the WAN port and directs it to some running server behind it. So, maybe I still need another kind of HTTP server?

Thanks.

nginx can also be set up as a reverse proxy, but its original usage is as a high-performance web server. Yes, nginx and uHTTPd would interfere with each other in the default config, unless you use different ports (e.g. for uHTTPd/LuCI). Maybe HTTP for LuCI and HTTPS for nginx only. You might also use nginx for LuCI too, eliminating uHTTPd, in a second phase, after getting some experience with nginx.

1 Like