LuCI security questions

my question is about this part from: https://openwrt.org/docs/guide-user/luci/luci.secure?s[]=luci&s[]=secure

You'll need to remove (or comment with a '#') all occurrences of listen_http and listen_https options. These parameters tell uhttpd the IP and PORT to listen to, more information: https://openwrt.org/docs/guide-user/services/webserver/uhttpd

Now we are going to tell uHTTPd to listen to 127.0.0.1:80, by appending the following option

list listen_http '127.0.0.1:80'

what is the difference between this and disabling LuCI?

@Biox, welcome to the community!

From reading that page, there's a big difference between this and disabling LuCI (which is noted at the bottom of the same page):

  • these instructions have the machine listen on localhost instead of a specific interface's IP (i.e. the LAN)
  • this is to allow only connections via SSH tunnels to access the device's LuCI page
  • when LuCI is disabled, it isn't running whatsoever - the instructions then tell you to SSH and start LuCI when desired
4 Likes
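An added example, not from this thread or the OpenWrt wiki: a POSIX shell check that reports every active (uncommented) listen_http/listen_https entry in a uhttpd config that is not bound to loopback, run against two constructed /etc/config/uhttpd snippets (the stock defaults, and the loopback-only result of the wiki steps). The file paths and function names are mine.

```sh
#!/bin/sh
# Print each active listen_http/listen_https value that is NOT 127.0.0.1:<port> or [::1]:<port>.
# Commented-out lines have '#' as their first field, so the "$1 == list" test skips them.
# Empty output means uhttpd only listens on loopback (reachable via SSH tunnel only).
exposed_listeners() {
    tr -d "'" < "$1" | awk '
        $1 == "list" && ($2 == "listen_http" || $2 == "listen_https") \
          && $3 !~ /^127\.0\.0\.1:[0-9]+$/ && $3 !~ /^\[::1\]:[0-9]+$/ { print $2 " " $3 }'
}

# True when no listener is exposed beyond loopback.
is_loopback_only() {
    [ -z "$(exposed_listeners "$1")" ]
}

# Constructed sample 1: stock OpenWrt defaults, LuCI answers on every interface.
DEFAULT_CFG=/tmp/uhttpd.default
cat > "$DEFAULT_CFG" <<'EOF'
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option home '/www'
EOF

# Constructed sample 2: after the wiki steps, old entries commented out, loopback only.
HARDENED_CFG=/tmp/uhttpd.hardened
cat > "$HARDENED_CFG" <<'EOF'
config uhttpd 'main'
	# list listen_http '0.0.0.0:80'
	# list listen_http '[::]:80'
	# list listen_https '0.0.0.0:443'
	# list listen_https '[::]:443'
	list listen_http '127.0.0.1:80'
	option home '/www'
EOF

# Usage: a non-empty report means LuCI is still reachable from the LAN.
for f in "$DEFAULT_CFG" "$HARDENED_CFG"; do
    if is_loopback_only "$f"; then
        echo "$f: loopback only"
    else
        echo "$f: exposed listeners:"
        exposed_listeners "$f"
    fi
done
```

Run it against the real file with `exposed_listeners /etc/config/uhttpd` on the router after editing, before trusting that the LAN-facing port is gone.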

I tried this setting and I lost access to LuCI, so I don't know how to access LuCI now while this setting is on. Typing 127.0.0.1 in the browser does not show anything.

So my next question is how can I login to LuCI now?

You can log into the router using SSH, then edit the file and enable LuCI again.
Or you can use SSH to establish an SSH tunnel, and connect with your browser through it.

1 Like

Assuming you are running LuCI on port 443 with TLS and you can/want to use 8443 (nothing magic about this number, it's just a convenient one above 1023) on the laptop/desktop you're going to access LuCI from:

ssh -L 8443:localhost:443 root@<your router ip>

Then you can browse to https://localhost:8443/ and be connected to LuCI on your router.

If you're not using TLS, then it would be -L <some port>:localhost:80 and just http:// instead of https://.

See further things like https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding#Local_Port_Forwarding

5 Likes