How can I access the LuCI WebUI securely with HTTPS only in an optimal way?

Are you building 19.07.8 or a snapshot or some other version?

We build 19.07.07

I have cloned the OpenWrt 21.02 version from
https://git.openwrt.org/openwrt/openwrt.git and switched to the openwrt-21.02 branch.
./scripts/feeds update
./scripts/feeds install luci

But I could not find the luci-ssl or luci-ssl-openssl package.

How do I get this package?

To be honest, do you actually know how to build a working image from source code?

You can try imagebuilder instead.

luci-ssl is included by default in 21.02.

luci-ssl-openssl can't be installed if luci-ssl is installed.

I just checked the .config file after updating with the ./scripts/feeds update command.
Then I just gave it a try and observed that
by default the luci-ssl config is not available. Then I tried
./scripts/feeds install luci-ssl and after that it was shown in the OpenWrt make menuconfig under
LuCI -> Collections -> luci-ssl

2963c2963
< # CONFIG_PACKAGE_luci-ssl is not set
---
> CONFIG_PACKAGE_luci-ssl=y
3459c3459
< # CONFIG_PACKAGE_px5g-wolfssl is not set
---
> CONFIG_PACKAGE_px5g-wolfssl=y

Then I tried the same with OpenWrt 19.07.7. The luci-ssl package was enabled in the .config file. The dependency packages look different.

3463c3463
< # CONFIG_PACKAGE_libustream-mbedtls is not set
---
> CONFIG_PACKAGE_libustream-mbedtls=y
3494a3495
> CONFIG_PACKAGE_luci-ssl=y
4014c4015
< # CONFIG_PACKAGE_px5g-mbedtls is not set
---
> CONFIG_PACKAGE_px5g-mbedtls=y

I added the configuration below to the OpenWrt (19.7.7) configuration file. Now HTTPS is enabled, but I got an exception when launching LuCI via the browser. Is this acceptable behavior, or do we need to add some additional process to make it work fine? I also need to disable the LuCI WebUI on HTTP. How can I achieve this?

CONFIG_PACKAGE_libopenssl=y
CONFIG_PACKAGE_libopenssl-conf=y
CONFIG_PACKAGE_libustream-openssl=y
CONFIG_PACKAGE_luci-ssl-openssl=y
CONFIG_PACKAGE_openssl-util=y

Yes, it is acceptable, but you can follow the user guide on how to remove the cert warning if you like. But it has no meaning for security, only more work for you if you are bored some day.

In uhttpd you need to remove the listener for HTTP (the 0.0.0.0:80 line).

@flygarn12
I will check that and remove it. I have another doubt: is there any option to redirect HTTP to HTTPS?

Yes, that is also in uhttpd settings.

But to get this working fully as you actually want, you also need to block all interface input in the firewall and only open port 443 and the other ports you need, like 22, which you probably also want.

This is to restrict HTTP and allow the HTTPS port 443 and the other ports we want, right?

Sorry, I am not sure about it. Could you suggest how to redirect it in the uhttpd settings?

The default state of the firewall on the LAN zone is Accept / Accept / Accept (input / output / forward).

What @flygarn12 is suggesting is to change the LAN zone so that input = drop. This will effectively lock the device from accepting any traffic, except that which is explicitly allowed via additional firewall traffic rules.

Be careful with this change, though -- make sure you have your traffic rules to accept the relevant traffic (443 and 22, from what I can tell) before you change your zone's input to drop... if you do this in the wrong order, you will lock yourself out and you'll have to reset to defaults. If you wish to include these settings in a custom image that you build yourself, be sure to use an actual file (/etc/config/firewall) from a tested and known good configuration.

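The two settings discussed above (the uhttpd listeners and redirect_https, and the LAN zone input policy with its traffic rules) are easy to get wrong in the order psherman warns about. The following is an added example, not code from the thread or from OpenWrt: a small pre-flight checker that parses the UCI text of /etc/config/uhttpd and /etc/config/firewall and reports a listener that still serves LuCI over plaintext HTTP, or a LAN zone whose input policy is no longer ACCEPT without ACCEPT rules for the ports named in the thread (22, 443, DNS, DHCP). The option names listen_http, listen_https, redirect_https, zone input, and rule src/dest/dest_port/target are the real UCI names; the sample configs are constructed, the port list is an assumption you should adjust, and the rule check deliberately ignores proto and src_ip to stay short.

```python
"""Pre-flight check for an https-only LuCI box: added example with constructed
configs, parsing the UCI text of /etc/config/uhttpd and /etc/config/firewall."""
import shlex

def parse_uci(text):
    """UCI config text -> [{'type', 'name', 'options', 'lists'}, ...]."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # UCI quoting is shell-like
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is not None and parts[0] == "option":
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif cur is not None and parts[0] == "list":
            cur["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections

def check_uhttpd(text):
    """Findings about LuCI still being reachable over plaintext HTTP."""
    findings = []
    for s in parse_uci(text):
        if s["type"] != "uhttpd":
            continue
        http = s["lists"].get("listen_http", [])
        if not s["lists"].get("listen_https"):
            findings.append(f"{s['name']}: no listen_https, LuCI is plaintext only")
        # A plaintext listener is acceptable only if it just redirects to https.
        if http and s["options"].get("redirect_https", "0") != "1":
            findings.append(f"{s['name']}: {', '.join(http)} serves LuCI over plaintext HTTP")
    return findings

def expand_ports(spec):
    """dest_port is '443', '22 443' or '67-68'; return the set of port numbers."""
    ports = set()
    for token in spec.split():
        lo, _, hi = token.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

ADMIN_PORTS = {22: "ssh", 443: "https", 53: "dns", 67: "dhcp"}  # ports named in the thread (assumed list)

def check_firewall(text, zone="lan", needed=ADMIN_PORTS):
    """If the zone's input policy is not ACCEPT, every needed service must have an
    enabled ACCEPT input rule (src = zone, no dest), or the admin is locked out."""
    sections = parse_uci(text)
    zone_opts = next((s["options"] for s in sections
                      if s["type"] == "zone" and s["options"].get("name") == zone), {})
    policy = zone_opts.get("input", "ACCEPT").upper()
    if policy == "ACCEPT":
        return []  # default posture, nothing to verify
    allowed = set()
    for s in sections:
        o = s["options"]
        if (s["type"] == "rule" and o.get("src") == zone and not o.get("dest")
                and o.get("target", "").upper() == "ACCEPT" and o.get("enabled", "1") != "0"):
            # A rule without dest_port accepts every port of its protocol.
            allowed |= expand_ports(o["dest_port"]) if "dest_port" in o else set(needed)
    return [f"zone {zone} input={policy} but no ACCEPT rule for {svc} (port {port})"
            for port, svc in needed.items() if port not in allowed]

# Constructed samples: a stock-looking uhttpd section and the https-only variant.
UHTTPD_BEFORE = """config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_https '0.0.0.0:443'
    option redirect_https '0'
"""
UHTTPD_HTTPS_ONLY = """config uhttpd 'main'
    list listen_https '0.0.0.0:443'
"""
# lan zone switched to input DROP but only the https rule added: this locks you out.
FIREWALL_LOCKOUT = """config zone
    option name 'lan'
    option input 'DROP'
config rule
    option src 'lan'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'
"""
FIREWALL_OK = FIREWALL_LOCKOUT + """config rule
    option src 'lan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
config rule
    option src 'lan'
    option proto 'udp'
    option dest_port '53 67-68'
    option target 'ACCEPT'
"""

if __name__ == "__main__":
    print(check_uhttpd(UHTTPD_BEFORE), check_firewall(FIREWALL_LOCKOUT))
    print(check_uhttpd(UHTTPD_HTTPS_ONLY), check_firewall(FIREWALL_OK))
```

On a real box you would feed it the actual files (for example `check_firewall(open('/etc/config/firewall').read())`) before flashing or before changing the zone policy. Note that keeping a listen_http entry with redirect_https '1' passes the uhttpd check, but it still leaves port 80 open; and if the firewall drops port 80, the redirect is never delivered to the client, so for the https-only goal in this thread the variant without any listen_http entry is the simpler one.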

@psherman
Thanks for the detailed reply. This is only for allowing or dropping packets based on the desired ports we want. Is my understanding right?

Redirecting HTTP to HTTPS with the uhttpd settings will be a separate thing?

Remember the dhcp and dns ports also!

Not that easy, since we have no idea what you actually are doing!? Or what your plan is, since you change it from time to time?
Have you ever installed and used a working OpenWrt so you have some basic experience?

I don't really get why you ask some of these questions if you have basic experience with OpenWrt.
Most users start with the pre-compiled versions for a couple of years. Some after that move on and start making more advanced configs and so on.

But not many start by building from source code and then ask how to make basic configs.

Are you still trying to build a heavily customized image from scratch without OpenWrt experience?
Do you have any working LuCI GUI?

What is your backup plan B if you succeed in compiling this image you are working on and, after you have installed it, you can't connect to the router?

It is a lot less headache to install a standard image (or an imagebuilder image with some favorite packages and/or an absolute basic minimum config setup) and then, from a working router, run a setup script that does all the settings in a couple of seconds. If something fails, then do a reset and start over.

And the price for building from source code is that you should be able to read the user guide we have on the homepage.


I agree with @flygarn12's sentiment above, especially this part:

@yuvaramachandran - You never really did answer anything about where this is being used and what the threat profile looks like. Is this in a home? A small business? Do you have a lot of untrusted clients (people and/or devices) on this network?

Since this device is being used as an extender/mesh/AP device and it is not directly connected to the internet, it would seem to me that the additional security features you are trying to enable are of diminishing returns in terms of improving your network security in general, unless you have untrusted/adversarial users on your network. The changes you are proposing may actually just cause you headaches if you don't really need them, especially if you make any mistakes when configuring these things.


Sorry for the confusion.
I have some basic experience in OpenWrt related to the LuCI WebUI and some customization.
I have a working LuCI WebUI with the material theme.

For security reasons, we need to access the LuCI WebUI over HTTPS, since we blocked the HTTP port on the firewall and allowed HTTPS alone. The end user may or may not give http or https, that depends on them; initially I decided to allow the HTTPS port alone. If the user accesses the LuCI WebUI with HTTP, then it will not work, since it is blocked. That is the only reason I asked about redirecting the HTTP port to the HTTPS port.

Initially I was unable to find those packages for HTTPS. After that I enabled them with the above-mentioned configuration for OpenWrt version 19.07.07.

My goal is to access the LuCI WebUI over HTTPS as the primary step; then, if HTTP is used, we need to redirect it to HTTPS, since it will be blocked at the firewall.

You still haven't explained the actual environment or the reason for needing HTTPS vs standard HTTP. Because this device is not being used as a router (only as a mesh/repeater/AP), the main firewall doesn't have any impact on this device unless you are either dealing with inter-VLAN routing or are exposing it to the internet (via port forwarding).

If you are exposing it to the internet, you should reconsider this approach -- it is not a good idea. Instead, a VPN is a much safer and more secure method of remote administration.

Actually, we will configure the HTTP port to drop packets with iptables rules. That is the only reason I suggested the HTTPS and redirecting approach, since HTTPS is always allowed.

As mentioned in this comment, iptables rules will not take effect until we expose this device to the internet. Am I correct?