New to OpenWrt - can you route HTTPS requests to local HTTP servers?

Hi, my company has the following need (apologies in advance as I am new to networking):

  • A given customer location will have 1, sometimes multiple, IoT devices hosting a local server which can be set to a specific static IP
  • A client device (e.g., mobile smartphone) at the same location needs to be connected to the internet and, from our web app, make requests to these adapters' IP addresses in the browser (requiring https / SSL)
  • For our purposes we are unable to access the devices to manually trust the certificate in the browser / "proceed anyway" - it must trust the certificate on the first try

Would we be able to do the following with OpenWrt:

  • Configure a router (e.g., NanoPi) with OpenWrt and ship it to a customer
  • Customer plugs the NanoPi into their main WiFi router using an ethernet cable and has it act as a WiFi access point
  • Connect the IoT devices to the NanoPi's wireless network
  • Client device makes an https request in the browser to the NanoPi (and specifies which adapter's IP address it wants) and the NanoPi somehow redirects / resolves this https request as a local http request to one of the IoT devices' IP address, and then passes back the response in the browser

Is the above achievable with an OpenWrt enabled router where we could do this on a somewhat repeatable basis with multiple customers? Thank you!

This is similar to my current setup:

  • You can use an NGINX server on the router, to act as an HTTPS to HTTP reverse proxy.
  • You can also use Let's Encrypt to create valid certificates, so the browser does not complain.

This is not simply a matter of routing. As @eduperez said, the process is called a reverse proxy, and the program called nginx (which is available as an OpenWrt package) is often used to run it.

  • Client phone makes an https request to the reverse proxy server.
  • Reverse proxy sends a valid certificate to the client and opens an encrypted connection to the phone.
  • Reverse proxy parses the client's request (usually a subdomain name), then makes an http request on the IoT network to the correct IoT device and obtains the page data.
  • Page data is served back to the client on the encrypted connection.

To get a certificate signed by a registered top-level CA that is already trusted by the phone, it must have a domain name, not an IP number. Top-level CAs will not sign certificates based on an IP address. So you will need to register a domain name for this purpose. Then you can use one of Let's Encrypt's verification methods to prove that you control the domain name so they will sign certificates for it.
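The flow described in the two answers above, written out as an nginx configuration for the NanoPi. This is an added example, not configuration posted in the thread or shipped by OpenWrt. It assumes: the OpenWrt `nginx-ssl` and `acme` packages are installed; you control a domain, here the hypothetical `example.com`, with one subdomain per IoT device (`device1.example.com`, `device2.example.com`) whose DNS A records point at the NanoPi's address as seen by the phone; the IoT devices sit at the hypothetical static addresses `192.168.2.10` and `192.168.2.11` on the NanoPi's wireless network; and a wildcard certificate for `*.example.com` has been obtained with a DNS-01 challenge and written by acme.sh under `/etc/ssl/acme/` (file names assumed). The hostname-to-backend `map` is the "parses the subdomain" step; the `proxy_pass` is the plaintext hop to the device.

```nginx
# Added example (not from the thread). Assumes nginx-ssl + acme on OpenWrt,
# a wildcard cert for *.example.com (hypothetical domain) obtained via DNS-01,
# and IoT devices at hypothetical static IPs on the NanoPi's wireless network.

# Subdomain -> IoT backend table. One line per shipped device.
map $host $iot_backend {
    device1.example.com  192.168.2.10;
    device2.example.com  192.168.2.11;
    default              "";
}

# HTTPS front end: terminates TLS with the publicly trusted certificate.
server {
    listen 443 ssl default_server;
    server_name *.example.com;

    # Paths as written by the OpenWrt acme package (assumed; check your system).
    ssl_certificate     /etc/ssl/acme/example.com.fullchain.crt;
    ssl_certificate_key /etc/ssl/acme/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Hostname not in the table: refuse instead of proxying somewhere unexpected.
    if ($iot_backend = "") {
        return 404;
    }

    location / {
        # Plain HTTP to the device; this hop only crosses the NanoPi's own wifi.
        proxy_pass         http://$iot_backend;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_set_header   X-Forwarded-For   $remote_addr;
    }
}

# Anyone who types the bare hostname gets sent to HTTPS.
server {
    listen 80;
    server_name *.example.com;
    return 301 https://$host$request_uri;
}
```

Two points worth checking before shipping a unit. First, the DNS-01 challenge is the method that fits this topology: it proves control of the domain through a TXT record, so the NanoPi never has to accept inbound connections from the internet, and one wildcard certificate covers every device subdomain. The A records for the subdomains can point at a private address, but some resolvers (including dnsmasq with rebind protection enabled, as OpenWrt configures by default) drop public names that resolve to private addresses, so test name resolution from a phone on the customer's network. Second, the certificate only protects the phone-to-NanoPi leg; the device traffic is still plaintext on the NanoPi's wireless network, so keep that network isolated from the customer's other clients.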

Thank you both, that sounds great. I'll give it a shot and report back.