@nguyenquocnam The WebUI [LuCI] should never be accessed over HTTP [80], as that sends the root password as plain text.
- If a webpage requires a password, it should always be accessed via HTTPS [443], without exception.
While the luci-ssl and luci-ssl-openssl packages will auto-generate a self-signed certificate, this is also not a secure means, opening the user to a MITM attack [while the likelihood is low on a LAN, the fact remains this is a known exploit that can occur due to having no chain of trust].
- The OpenSSL Certificates wiki can be utilized to create a self-signed CA and a properly digitally signed certificate
/etc/config/uhttpd, for HTTPS, should resemble:
#
##::[[--- OpenWrt uHTTPd Config ---]]::##
#===================================================
##----- Servers -----##
#===================================================
# Main #
#---------------------------------------------------
config uhttpd 'main'
	list listen_http '192.168.1.1:80'
	list listen_https '192.168.1.1:443'
	# any plain HTTP request is answered with a redirect to HTTPS
	option redirect_https '1'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	# CA-signed server certificate and its private key
	option cert '/etc/ssl/certs/wrt1900acs-uhttpd.crt'
	option key '/etc/ssl/private/wrt1900acs-uhttpd.key'
	option cgi_prefix '/cgi-bin'
	option lua_prefix '/luci'
	option lua_handler '/usr/lib/lua/luci/sgi/uhttpd.lua'
	option ubus_prefix '/ubus'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
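As an added example (not part of the post above, nor from the OpenWrt wiki), the following POSIX shell script shows the "private CA plus CA-signed server certificate" approach the post recommends instead of the auto-generated self-signed certificate: it creates a local root CA, issues a server certificate for the router whose subjectAltName carries the name and LAN address the browser actually dials, and then verifies the chain and the hostname/IP match the way a browser would. The output directory `./uhttpd-pki`, the hostname `openwrt.lan` and the address `192.168.1.1` are assumptions; the resulting `uhttpd.crt` / `uhttpd.key` are what you would copy to the `option cert` / `option key` paths in `/etc/config/uhttpd`, and `ca.crt` is what you import into the client's trust store so that the chain of trust actually exists.

```shell
#!/bin/sh
# Added example: build a private CA and a CA-signed server certificate for uhttpd.
# Assumptions (not from the original post): output dir ./uhttpd-pki, router
# hostname openwrt.lan, LAN address 192.168.1.1. Override via the environment.
set -eu

PKI_DIR="${PKI_DIR:-./uhttpd-pki}"
ROUTER_CN="${ROUTER_CN:-openwrt.lan}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"

make_uhttpd_pki() {
    d="$PKI_DIR"
    mkdir -p "$d"

    # 1. Private root CA: this is the trust anchor the clients will import.
    #    CA:TRUE and keyCertSign are what make it acceptable as an issuer.
    openssl genrsa -out "$d/ca.key" 3072 2>/dev/null
    openssl req -new -key "$d/ca.key" -subj "/CN=Home LAN Root CA" -out "$d/ca.csr"
    cat > "$d/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 1825 -sha256 \
        -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null

    # 2. Server key and CSR for the router.
    openssl genrsa -out "$d/uhttpd.key" 2048 2>/dev/null
    openssl req -new -key "$d/uhttpd.key" -subj "/CN=$ROUTER_CN" -out "$d/uhttpd.csr"

    # 3. Leaf extensions: modern browsers ignore the CN and require the name
    #    or IP they connect to in subjectAltName, so both are listed here.
    cat > "$d/leaf.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$ROUTER_CN,IP:$ROUTER_IP
authorityKeyIdentifier=keyid
EOF

    # 4. Sign the router's CSR with the CA; this is what the self-signed
    #    certificate from luci-ssl lacks: an issuer the client can pin trust to.
    openssl x509 -req -in "$d/uhttpd.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$d/leaf.ext" \
        -out "$d/uhttpd.crt" 2>/dev/null

    # Keep private keys readable only by the owner before copying them over.
    chmod 600 "$d/ca.key" "$d/uhttpd.key"
}

# Verify the way a browser would: the leaf must chain to the CA, and the
# certificate must match both the hostname and the IP used to reach LuCI.
# Returns 0 on success, non-zero otherwise.
verify_uhttpd_cert() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" -verify_hostname "$ROUTER_CN" \
        "$PKI_DIR/uhttpd.crt" >/dev/null &&
    openssl verify -CAfile "$PKI_DIR/ca.crt" -verify_ip "$ROUTER_IP" \
        "$PKI_DIR/uhttpd.crt" >/dev/null
}

# A certificate NOT issued by this CA (e.g. the luci-ssl auto-generated one)
# must fail the same check; this function demonstrates that negative case.
verify_rejects_foreign_cert() {
    d="$PKI_DIR"
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/other.key" -subj "/CN=$ROUTER_CN" \
        -days 30 -out "$d/other.crt" 2>/dev/null
    if openssl verify -CAfile "$d/ca.crt" "$d/other.crt" >/dev/null 2>&1; then
        return 1   # wrongly accepted
    fi
    return 0       # correctly rejected: no chain of trust to our CA
}

make_uhttpd_pki
verify_uhttpd_cert && echo "uhttpd.crt chains to ca.crt and matches $ROUTER_CN / $ROUTER_IP"
```

After running it, copy `uhttpd.crt` and `uhttpd.key` to the router paths named in the uhttpd config, restart uhttpd, and import `ca.crt` into each client's trust store; the browser then validates LuCI's certificate against a CA you control rather than prompting you to click through a warning, which is the MITM-prone habit the post warns against.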