How can I access the LuCI WebUI securely with https only in an optimal way?

Are you exposing this device to the internet?

It is just connected with the controller and some client devices like mobiles in the home, and gives a seamless connection to client devices.

That didn't answer the question...

such as for remote administration or some other purpose?

No. It will not be used for remote administration or other purposes.

Are there any users that may try to attack/hack the device?

It may try to attack, like when we are accessing the device from a local host which has internet. But we should consider avoiding some attacks in future.

I don't understand what you are talking about...

That doesn't make any sense to me.
But, here is the bottom line: if the devices on your local network are reasonably well trusted (i.e. family members and devices you own and control), the value of using https on your AP may be limited at best. It is not likely to protect your network or devices, and it is not likely to be attacked, either.

I think that you are wasting your time with this exercise.

Okay. I could understand the purpose of using https.

Thanks for your support.

Still, you can make an https-only admin connection if you want (with or without redirect) by using the methods in my earlier posts.

But take care not to lock yourself out from the router.

Okay @flygarn12. Thanks

I myself have an admin/management VLAN for the router, switch and access point. And I run https for this inside the network.

But the development of this setup has been made over a long time, with a lot of trial and error, and resets and retries…

At a minimum I highly recommend that you at least have a working serial connection to the router so it is easier to save the day.

Maybe set up an SSH tunnel and access LuCI only from 127.0.0.1?
It is the best security.

1 Like

That would provide an equal sense of security without the headache of adding the luci-ssl.

1 Like

The transition from v19.02 to v20.02 is messy. And I am not sure I understand how to set up reliable https access to LuCI. But, short summary, v19.07 defaults to https-on-if-possible, and needs particular bits of extra software to make it possible. v20.02 defaults to https-off but includes the necessary software. So if you upgrade to keep the v19.07 settings you get surprised by https being turned on.

I made very sure that the file /etc/config/uhttpd was set to https-off before I upgraded. It is different if you're already using https to access LuCI. This is the no-surprises setting in that file.

	# Redirect HTTP requests to HTTPS if possible
	option redirect_https	0

Different users have different local threat levels. Some people do need it. I would rather keep the https change distinct from the OpenWRT upgrade.

I'm afraid you have this a bit confused...

19.07 (official stable release builds) did not include the necessary packages to enable LuCI over https. It was, of course, possible to add the ssl libraries and the LuCI ssl functions. However, because ssl was not included, LuCI was purely http unless the user installed additional packages.

21.02 does include all of the necessary support for SSL and LuCI over https. By default, the automatic redirect is disabled, and both plain http (port 80) and https (443) are supported. The redirect is automatically enabled when upgrading from 19.07, and it can be enabled/disabled easily using the setting you cited.

This is all available in the release notes for 21.02

2 Likes
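The posts above distinguish several access states for LuCI: plain HTTP on the LAN, HTTP redirected to HTTPS through `redirect_https`, HTTPS only, and LuCI reachable only on 127.0.0.1 through an SSH tunnel. The script below is an added example, not code from any poster or from the OpenWrt project; it classifies a uhttpd config into those states so the setting can be checked before an upgrade. The function names, verdict words and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a uhttpd config into the access states from the thread.

# Constructed sample in the style of /etc/config/uhttpd (not from a real device).
sample_config() {
cat <<'EOF'
config uhttpd 'main'
    list listen_http '0.0.0.0:80'
    list listen_http '[::]:80'
    list listen_https '0.0.0.0:443'
    list listen_https '[::]:443'
    option redirect_https '0'
    option cert '/etc/uhttpd.crt'
    option key '/etc/uhttpd.key'
EOF
}

# audit_uhttpd (hypothetical name): reads config text on stdin, prints one verdict:
#   no-listener     nothing listens at all (web UI unreachable, risk of lockout)
#   loopback-only   every listener is on 127.x or [::1] (SSH tunnel setup)
#   https-only      no plain-HTTP listener reachable from the network
#   https-redirect  HTTP reachable, but redirect_https sends it to HTTPS
#   http-exposed    HTTP reachable and served without a redirect
# Assumption: redirect_https is written as 0 or 1, as in the snippet quoted above.
audit_uhttpd() {
    awk -v q="'" '
    function val(s)      { gsub("[" q "\"]", "", s); return s }
    function loopback(a) { return a ~ /^127\./ || a ~ /^\[::1\]/ }
    ($1 == "list" || $1 == "option") && $2 ~ /^listen_https?$/ {
        for (i = 3; i <= NF; i++) {
            n++
            if ($2 == "listen_https") tls++
            if (!loopback(val($i))) { if ($2 == "listen_http") http++; else https++ }
        }
    }
    $1 == "option" && $2 == "redirect_https" { redirect = (val($3) == "1") }
    END {
        if (n == 0)                   print "no-listener"
        else if (http + https == 0)   print "loopback-only"
        else if (http == 0)           print "https-only"
        else if (redirect && tls > 0) print "https-redirect"
        else                          print "http-exposed"
    }'
}

sample_config | audit_uhttpd   # prints: http-exposed
```

On a router the same check would be `audit_uhttpd < /etc/config/uhttpd`, run before and after changing the listeners or the redirect.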

Yeah. It's good to have the serial connection for debugging purposes. Thanks for your support.

I think you're the one confused.

It's the interaction between the default settings, different in the two versions, and the default packages included. If you want to carry over settings from v19.07 to v20.02 the result is an alarming surprise if you're not using https already.

Not everyone needs https to LuCI, and there has been enough chaos across the internet recently associated with the necessary certificates. Surprising people is not a good idea.

And knowing how to switch https on or off is a long way from knowing how to set up and maintain a secure https connection to LuCI. I have just had a too-interesting day over a browser upgrade, and it can be hellish enough just finding useful keywords for a search engine. Sometimes, I suspect the jargon used here functions more as an argot.

What about my previous statement was incorrect? I mentioned that 19.07 is http unless the user installs the ssl and LuCI ssl packages. And I said that 21.02 is both http and https, unless a user upgrades from 19.07 in which case it is https only.