Topic: access luci via https

How do I access the LuCI web interface via HTTPS instead of HTTP? In other words, I want to send the password to LuCI
in a protected way.
Thanks a lot.

Re: access luci via https

This would be a great feature... or is there a way to tunnel traffic through matrixtunnel somehow?

Sensi

Re: access luci via https

Yep, in webif there was matrixtunnel. How is it in LuCI?

cheers,
Tex

Asus 500gp - Wireless Atheros CM9 - 8.09 (bleeding edge, r13870) Kernel 2.6

Re: access luci via https

So no HTTPS access in LuCI?! :(

Tex

Asus 500gp - Wireless Atheros CM9 - 8.09 (bleeding edge, r13870) Kernel 2.6

5 (edited by CyrusFF 2009-01-28 12:39:41)

Re: access luci via https

Unfortunately we did not manage to get HTTPS support ready for 8.09; the reason was that we had no stable solution that worked on all platforms.
matrixtunnel had problems on some platforms with lockups, probably caused by some uclibc bug / race condition, and xrelayd was only compatible with an old version of xyssl that was known to have security issues. The only reliable solution we found was OpenSSL, but due to its heavy size (> 1MB) we did not implement it for now.

We are trying to implement HTTPS directly into our upcoming LuCI httpd, which will probably replace the old busybox httpd for performance reasons.
If you need protected access to your router, you can however establish an SSH tunnel using:

ssh -NL localhost:8080:192.168.0.1:80 root@192.168.0.1

(PuTTY can establish similar tunnels on Windows clients)

and then point your browser to http://localhost:8080, which will reliably encrypt the connection in any case.

Re: access luci via https

OK, thanks. I'm mostly accessing the web config via an SSH tunnel. HTTPS would be a nice-to-have.

Thanks anyway,

Tex

Asus 500gp - Wireless Atheros CM9 - 8.09 (bleeding edge, r13870) Kernel 2.6

Re: access luci via https

You can install mini-httpd-matrixssl, which provides limited functionality with LuCI; I still did not research why.

Re: access luci via https

I am familiar with this issue. I know, because I've implemented a working solution for my own web interface for OpenWrt (www.gargoyle-router.com). I solved it with a highly customized version of the mini-httpd-matrixssl noted above.

You can't solve this problem with the default version of mini-httpd-matrixssl. The default matrixssl implementation uses mutexes to make sure that it is thread safe. However, the version of uclibc used in Kamikaze 8.09 has a broken pthread implementation, and unless modified, matrixssl will die if you try to use it. On top of that, the default adapter functions for matrixssl die if you try to transfer over 16Kb. I had to fix these.

Also, the default authentication system in mini-httpd-matrixssl requires you have .htaccess files in EVERY directory where you have files -- it doesn't apply recursively.  I had to patch this too.

Finally, the default version of mini-httpd-matrixssl only allows you to open up one port -- you can't have one port for http connections and another for https connections.  This too has been patched.

If luci developers are interested they are more than welcome to shamelessly copy (all or portions of) my code -- it is GPL after all, and I make it freely available.

9 (edited by CyrusFF 2009-01-29 15:48:34)

Re: access luci via https

Thanks for your offer, ebishop, but as we want to get rid of CGI because of its performance issues, we are working on a httpd that keeps our engine loaded in the background without the need to reinitialize it with every HTTP request. So mini-httpd is not an option for us. Our httpd itself already runs successfully on the Fon 2.0 firmware; only HTTPS support is missing for now.
Basic auth is no problem for us, as we are using cookie-based auth because we want to be able to offer public webui pages together with protected ones, and because basic auth is vulnerable to XSRF attacks and does not support a reliable logout function.
FastCGI would be another possibility, but webservers supporting FastCGI are probably too big for embedded systems.

Re: access luci via https

Cyrus:

Are you saying that if one enables luci-http in the trunk, you can then disable the mini-httpd and just use the LuCI server?

Thanks.

marc.

Re: access luci via https

marca56 wrote:

Are you saying that if one enables luci-http in the trunk, you can then disable the mini-httpd and just use the LuCI server?

LuCI httpd will replace the Busybox httpd web server...

Re: access luci via https

Yes, in theory, but you have to disable busybox httpd.
But as we are currently focussing on stabilizing LuCI for 8.09, it's not very well tested on OpenWrt yet.

Re: access luci via https

Cyrus:

I figured that out.

I went into the Busybox config, disabled the httpd and then enabled the luci-httpd. It built properly but does not work on the board.

I love the concept of what you are doing (and working a lot with Jo on Asterisk, etc., config) so I'm happy to pitch in and test it thoroughly. One suggestion is to use the deps and a profile to automatically disable the Busybox httpd when selecting the LuCI httpd.

I'm building with the latest trunk on the BCM63xx platform.

Thanks.

marc.

Re: access luci via https

I tried out LuCI via HTTPS using lighttpd and it works fine.

Requirements:
- openwrt 8.09 Kamikaze (r14417) or later
- ~1.2 MB free space on /jffs
- ~6.4 MB free memory

Installation:

# opkg update
# opkg install lighttpd lighttpd-mod-cgi

Generate self signed SSL certificate:

# mkdir -p /etc/lighttpd
# cd /etc/lighttpd
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# chmod 0600 /etc/lighttpd/server.pem

Now edit the lighttpd.conf file:

# vi /etc/lighttpd.conf

Comment out the module lines as shown below:

server.modules = (
#       "mod_rewrite",
#       "mod_redirect",
#       "mod_alias",
#       "mod_auth",
#       "mod_status",
#       "mod_setenv",
#       "mod_fastcgi",
#       "mod_proxy",
#       "mod_simple_vhost",
        "mod_cgi"
#       "mod_ssi",
#       "mod_usertrack",
#       "mod_expire"
)

Add the following lines to the end of the file:

$HTTP["host"] =~ "^.*$" {
        server.document-root = "/www/"

        cgi.assign = ( "luci"  => "/usr/bin/lua" )
}

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/server.pem"
}

Save configuration and exit vi:

:wq

Stop Busybox httpd:

# /etc/init.d/httpd stop
# /etc/init.d/httpd disable  # this command is optional

Start lighttpd:

# /etc/init.d/lighttpd start
# /etc/init.d/lighttpd enable  # this command is optional

Now you can visit the LuCI web interface at https://routerhostname-or-ipaddress
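The steps above leave a few places where a slip silently defeats the purpose (a typo in ssl.engine, a world-readable server.pem, the default plain-HTTP listener still answering). The following POSIX shell script is an added example, not code from this thread or from lighttpd/LuCI: it lints a lighttpd.conf written along the lines of the tutorial for exactly those points, and ships a constructed hardened and weak fixture (placeholder PEM markers, not a real key) so it runs stand-alone. Paths and function names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from lighttpd/LuCI. Lints a
# lighttpd.conf written along the lines of the tutorial above for the
# settings that actually protect the LuCI password. The sample config and
# the PEM markers are constructed fixtures.

# check_lighttpd_tls CONF PEMFILE
# Prints one line per check and returns the number of failed checks (0 = ok).
check_lighttpd_tls() {
    conf="$1"; pem="$2"; fails=0

    # 1. The :443 socket block must switch the TLS engine on; a typo here
    #    leaves lighttpd serving plain HTTP on port 443.
    if awk '/^[$]SERVER\["socket"\] == ":443"/,/^}/' "$conf" \
            | grep -q 'ssl\.engine *= *"enable"'; then
        echo "ok:   ssl.engine enabled on :443"
    else
        echo "FAIL: no :443 socket block with ssl.engine = \"enable\""
        fails=$((fails + 1))
    fi

    # 2. ssl.pemfile must point at the file we are inspecting.
    if grep -q "ssl\.pemfile *= *\"$pem\"" "$conf"; then
        echo "ok:   ssl.pemfile = $pem"
    else
        echo "FAIL: ssl.pemfile does not reference $pem"
        fails=$((fails + 1))
    fi

    # 3. The tutorial's openssl req -keyout server.pem -out server.pem writes
    #    key and certificate into one file; both markers must be present.
    if grep -q 'PRIVATE KEY-----' "$pem" 2>/dev/null \
            && grep -q 'BEGIN CERTIFICATE-----' "$pem" 2>/dev/null; then
        echo "ok:   $pem holds both private key and certificate"
    else
        echo "FAIL: $pem is missing the private key or the certificate"
        fails=$((fails + 1))
    fi

    # 4. The private key must not be readable by other users: exactly 0600.
    if [ -n "$(find "$pem" -perm 0600 2>/dev/null)" ]; then
        echo "ok:   $pem is mode 0600"
    else
        echo "FAIL: $pem is not mode 0600 (run: chmod 0600 $pem)"
        fails=$((fails + 1))
    fi

    # 5. Not counted as a failure, but worth knowing: lighttpd's default
    #    server.port is 80, so the login form is still served in the clear
    #    unless server.port is moved to 443.
    if grep -q '^server\.port *= *443' "$conf"; then
        echo "ok:   server.port = 443, no plaintext listener"
    else
        echo "warn: plain HTTP still answers on :80 (server.port default)"
    fi

    return "$fails"
}

# write_sample_conf DIR VARIANT   (VARIANT: hardened | weak)
# Constructed fixture: the tutorial's two blocks plus a placeholder PEM.
# The "weak" variant drops ssl.engine and leaves the PEM world-readable.
write_sample_conf() {
    dir="$1"; variant="$2"
    if [ "$variant" = "weak" ]; then
        engine='        # ssl.engine line forgotten'
        mode=0644
    else
        engine='        ssl.engine = "enable"'
        mode=0600
    fi
    cat > "$dir/lighttpd.conf" <<EOF
server.modules = ( "mod_cgi" )

\$HTTP["host"] =~ "^.*\$" {
        server.document-root = "/www/"
        cgi.assign = ( "luci"  => "/usr/bin/lua" )
}

\$SERVER["socket"] == ":443" {
$engine
        ssl.pemfile = "$dir/server.pem"
}
EOF
    # Placeholder markers only; a real server.pem comes from openssl req.
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/server.pem"
    chmod "$mode" "$dir/server.pem"
}

# Usage: sh lighttpd_tls_check.sh /etc/lighttpd.conf /etc/lighttpd/server.pem
# With no arguments, demonstrate on the constructed hardened and weak fixtures.
if [ "$#" -eq 2 ]; then
    check_lighttpd_tls "$1" "$2"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    write_sample_conf "$demo" hardened
    echo "== hardened fixture =="; check_lighttpd_tls "$demo/lighttpd.conf" "$demo/server.pem"
    write_sample_conf "$demo" weak
    echo "== weak fixture =="; check_lighttpd_tls "$demo/lighttpd.conf" "$demo/server.pem" \
        || echo "weak fixture rejected with $? failing check(s)"
    rm -rf "$demo"
fi
```

On the router, run it with the real paths from the tutorial (`/etc/lighttpd.conf` and `/etc/lighttpd/server.pem`) after the edit step and before stopping the Busybox httpd; the `warn` on check 5 is expected with the configuration exactly as written above, since that setup adds a TLS socket but does not remove the plain one.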

Re: access luci via https

mark!

Can lucid support HTTPS? (8.09 RC2)

vi  /etc/config/lucid
...
config daemon https
    option slave httpd
    list address 443
    list publisher webroot
    list publisher luciweb
    option nokeepalive 1
    option memlimit 1572864
    option enabled 1
    option tls maincert
    option encryption enable

config tls maincert
    option key /etc/nixio/rsa_main.der
    option cert /etc/nixio/cert_main.der
    option type asn1
    option generate 1

but https://myapip cannot be opened?


Re: access luci via https

ccbcfan wrote:

Can lucid support HTTPS? (8.09 RC2)

Yes, we can!

Re: access luci via https

Dogge wrote:
ccbcfan wrote:

Can lucid support HTTPS? (8.09 RC2)

Yes, we can!

Can you tell me how you set it up?

This is my setup:

vi  /etc/config/lucid
...
config daemon https
    option slave httpd
    list address 443
    list publisher webroot
    list publisher luciweb
    option nokeepalive 1
    option memlimit 1572864
    option enabled 1
    option tls maincert
    option encryption enable

config tls maincert
    option key /etc/nixio/rsa_main.der
    option cert /etc/nixio/cert_main.der
    option type asn1
    option generate 1

http://myrouterip            # can open LuCI
but
https://myrouterip          # cannot open LuCI with SSL?

libopenssl 0.9.8l-1 installed   
libgnutls-openssl 2.8.5-1  not installed    ##????

18 (edited by Dogge 2010-03-08 17:17:37)

Re: access luci via https

Isn't it enabled by default?

There is a lucid.https.enabled=1 option in your lucid config.

19 (edited by ccbcfan 2010-03-09 05:01:52)

Re: access luci via https

Thank you for your help!

I can't find the lucid config file that has the lucid.https.enabled=1 option set. Which file?

I only find /etc/config/lucid   with  :

config daemon https
    option slave httpd
    list address 443
    list publisher webroot
    list publisher luciweb
    option nokeepalive 1
    option memlimit 1572864
    option enabled 1                # already enabled  but not open
    option tls maincert
    option encryption enable

Are you using 8.09.2?

Re: access luci via https

Can anyone use HTTPS with lucid?

Re: access luci via https

Yes, I can use HTTPS with my Backfire 10.3 or 10.3-rc1 on a DIR-825 (does that help you?)


Re: access luci via https

Btw. Backfire switched to uhttpd...

Re: access luci via https

Hi all, I have moved from uhttpd to lighttpd on Backfire; I am also using vhosts. But I have one problem: I cannot seem to be able to configure vhosts and lucid at once.

/www# ls /www
cgi-bin      luci-static  org          resources

But new hosts do not seem to work.
If I access a host I get 403 Forbidden.
But if I access the specific file host/index.html it works fine.
My lighttpd config:

server.modules = (
        "mod_simple_vhost",
        "mod_status",
        "mod_cgi",
)

server.network-backend = "write"

server.document-root = "/www/"

server.errorlog = "/var/log/lighttpd/error.log"

index-file.names = ( "index.php", "index.html", "default.html", "index.htm", "default.htm" )

mimetype.assign = (
        ".pdf"   => "application/pdf",
..
        ".xml"   => "text/xml"
)

$HTTP["url"] =~ "\.pdf$" {
        server.range-requests = "disable"
}

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

server.pid-file = "/var/run/lighttpd.pid"

simple-vhost.server-root = "/www"
simple-vhost.default-host = "default.host"
simple-vhost.document-root = "/"

server.upload-dirs = ( "/tmp" )

$HTTP["host"] =~ "^.*$" {
        server.document-root = "/www/"
        cgi.assign = ( "luci"  => "/usr/bin/lua" )
}
OpenWRTx3 Asus 500gP  DD-WRTx1 Asus n16 (cool machine unfortunately no Open-WRT support but why?)

Re: access luci via https

OK, I figured out some errors I had made. The lighttpd.conf was missing:
cgi.assign = ( ".php" => "/usr/bin/php-cgi" )
And I had to remove document root from php.ini.
But still, if I leave this line like it is:

$HTTP["host"] =~ "^.*$" {
        server.document-root = "/www/"
        cgi.assign = ( "luci"  => "/usr/bin/lua" )
}

PHP is not working :( I figure that I would have to inform the system to run lua only in some cases, but I do not understand this line :(

OpenWRTx3 Asus 500gP  DD-WRTx1 Asus n16 (cool machine unfortunately no Open-WRT support but why?)

Re: access luci via https

hi guys,

Does any one of you know how I should install SSL support for LuCI with Backfire 10.03.1-RC5? The tutorial described on openwrt.org didn't work for me.
Thx in advance,
jousch