OpenWrt Forum Archive

Topic: access luci via https

The content of this topic has been archived on 7 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

How do I access the luci web interface via https instead of the http protocol? In other words, I want to send the password to luci
in a protected way.
Thanks a lot.

This would be a great feature.. or is there a way to tunnel traffic through matrixtunnel somehow?

Sensi

Yep, in webif there was matrixtunnel. How is it in LuCI?

cheers,
Tex

So no https access in LuCI?!

Tex

Unfortunately we did not manage to get HTTPS support ready for 8.09; the reason was that we had no stable solution that worked on all platforms.
matrixtunnel had problems on some platforms with lockups, probably caused by some uclibc bug / race condition, and xrelayd was only compatible with an old version of xyssl that was known to have security issues. The only reliable solution we found was openssl, but due to its heavy size (> 1MB) we did not implement it for now.

We are trying to implement HTTPS directly into our upcoming LuCI httpd, which will probably replace the old busybox httpd for performance reasons.
If you need protected access to your router you can however establish an SSH tunnel using:

ssh -NL localhost:8080:192.168.0.1:80 root@192.168.0.1

(Putty can establish similar tunnels on Windows clients)

and then point your browser to http://localhost:8080, which will reliably encrypt the connection in any case.

(Last edited by CyrusFF on 28 Jan 2009, 12:39)

OK, thanks. I'm mostly accessing the web config via an ssh tunnel. The https would be a nice-to-have.

Thanks anyway,

Tex

You can install mini-httpd-matrixssl, which will provide limited functionality with luci; I still did not research why.

I am familiar with this issue.  I know, because I've implemented a working solution for my own web interface for openwrt (www.gargoyle-router.com).  I solved it with a highly customized version of the mini-httpd-matrixssl noted above.

You can't solve this problem with the default version of  mini-httpd-matrixssl.  The default matrixssl implementation uses mutexes to make sure that it is thread safe.  However, the version of uclibc used in Kamikaze 8.09 has a broken pthread implementation, and unless modified, matrixssl will die if you try to use it.  On top of that, the default adapter functions for matrixssl die if you try to transfer over 16Kb.  I had to fix these.

Also, the default authentication system in mini-httpd-matrixssl requires you to have .htaccess files in EVERY directory where you have files -- it doesn't apply recursively.  I had to patch this too.

Finally, the default version of mini-httpd-matrixssl only allows you to open up one port -- you can't have one port for http connections and another for https connections.  This too has been patched.

If luci developers are interested they are more than welcome to shamelessly copy (all or portions of) my code -- it is GPL after all, and I make it freely available.

Thanks for your offer, ebishop, but as we want to get rid of CGI because of its performance issues, we are working on a httpd that keeps our engine loaded in the background without the need to reinitialize it with every http request. So mini-httpd is not an option for us. Our httpd itself already runs successfully on the Fon 2.0 firmware; only https support is missing for now.
Basic auth is no problem for us, as we are using cookie-based auth because we want to be able to offer public webui pages together with protected ones, and because basic auth is vulnerable to XSRF attacks and does not support a reliable logout function.
FastCGI would be another possibility, but webservers supporting FastCGI are probably too big for embedded systems.

(Last edited by CyrusFF on 29 Jan 2009, 15:48)

Cyrus:

Are you saying that if one enables luci-http in the trunk, you can then disable the mini-httpd and just use the LuCI server?

Thanks.

marc.

marca56 wrote:

Are you saying that if one enables luci-http in the trunk, you can then disable the mini-httpd and just use the LuCI server?

LuCI httpd will replace the Busybox httpd web server...

Yes in theory, but you have to disable busybox httpd.
But as we are currently focussing on stabilizing LuCI for 8.09, it's not very well tested on OpenWrt yet.

Cyrus:

I figured that out.

I went into the Busybox config and disabled the httpd and then enabled the luci-httpd. It built properly but does not work on the board.

I love the concept of what you are doing (and working a lot with Jo on Asterisk, etc., config) so I'm happy to pitch in and test it thoroughly. One suggestion is to use the deps and a profile to automatically disable the Busybox httpd when selecting the LuCI httpd.

I'm building with the latest trunk on the BCM63xx platform.

Thanks.

marc.

I tried out luci via https using lighttpd and it works fine.

Requirements:
- openwrt 8.09 Kamikaze (r14417) or later
- ~1.2 MB free space on /jffs
- ~6.4 MB free memory

Installation:

# opkg update
# opkg install lighttpd lighttpd-mod-cgi

Generate a self-signed SSL certificate:

# mkdir -p /etc/lighttpd
# cd /etc/lighttpd
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# chmod 0600 /etc/lighttpd/server.pem

Now edit the lighttpd.conf file:

# vi /etc/lighttpd.conf

Comment out the lines as shown below:

server.modules = (
#       "mod_rewrite",
#       "mod_redirect",
#       "mod_alias",
#       "mod_auth",
#       "mod_status",
#       "mod_setenv",
#       "mod_fastcgi",
#       "mod_proxy",
#       "mod_simple_vhost",
        "mod_cgi"
#       "mod_ssi",
#       "mod_usertrack",
#       "mod_expire"
)

Add the following lines to the end of the file:

$HTTP["host"] =~ "^.*$" {
        server.document-root = "/www/"

        cgi.assign = ( "luci"  => "/usr/bin/lua" )
}

$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/server.pem"
}

Save configuration and exit vi:

:wq

Stop Busybox httpd:

# /etc/init.d/httpd stop
# /etc/init.d/httpd disable  # this command is optional

Start lighttpd:

# /etc/init.d/lighttpd start
# /etc/init.d/lighttpd enable  # this command is optional

Now you can visit the luci web interface at https://routerhostname-or-ipaddress

mark!
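A sanity check for the lighttpd setup described in the post above, added here as an example (it is not code from the post, from OpenWrt or from lighttpd). It assumes the config fragments exactly as quoted and a constructed stand-in pem file; `check_lighttpd_ssl` and `write_sample_pem` are hypothetical helper names.

```python
import os, re, stat, tempfile
# Added example, not code from the post: sanity-check a hand-edited lighttpd.conf
# for the pieces the howto relies on, plus the server.pem that the "openssl req
# ... -keyout server.pem -out server.pem" step writes (key and cert in one file).
SAMPLE_CONF = """server.modules = (
#       "mod_fastcgi",
        "mod_cgi"
)
$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/server.pem"
}
"""

def check_pem(path):
    """The pem must be private (mode 0600) and hold both key and certificate."""
    if not os.path.exists(path):
        return ["pem file %s is missing" % path]
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("pem mode is %04o, chmod 0600 it" % mode)
    data = open(path).read()
    if "PRIVATE KEY-----" not in data or "BEGIN CERTIFICATE-----" not in data:
        problems.append("pem must contain both the private key and the certificate")
    return problems

def check_lighttpd_ssl(conf_text, pem_path):
    """Return a list of problems; an empty list means the https setup is complete."""
    # Strip '#' comments first so commented-out modules do not count as loaded.
    conf = "\n".join(l.split("#", 1)[0] for l in conf_text.splitlines())
    problems = []
    mods = re.search(r"server\.modules\s*=\s*\((.*?)\)", conf, re.S)
    if not mods or '"mod_cgi"' not in mods.group(1):
        problems.append("mod_cgi not loaded, so /cgi-bin/luci cannot run")
    sock = re.search(r'\$SERVER\["socket"\]\s*==\s*":443"\s*\{(.*?)\}', conf, re.S)
    body = sock.group(1) if sock else ""
    for key, val in (("ssl.engine", '"enable"'), ("ssl.pemfile", '"[^"]+"')):
        if not re.search(re.escape(key) + r"\s*=\s*" + val, body):
            problems.append("%s not set correctly in the :443 socket block" % key)
    return problems + check_pem(pem_path)

def write_sample_pem(mode):  # constructed stand-in pem, not a real key or cert
    path = os.path.join(tempfile.mkdtemp(), "server.pem")
    with open(path, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nX\n-----END RSA PRIVATE KEY-----\n"
                "-----BEGIN CERTIFICATE-----\nX\n-----END CERTIFICATE-----\n")
    os.chmod(path, mode)
    return path
```

Pointing `check_lighttpd_ssl` at the real /etc/lighttpd.conf and /etc/lighttpd/server.pem catches the two mistakes that silently leave the router on plain http: a still-commented `"mod_cgi"` and a world-readable key file.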

Can lucid support https?? 8.09 RC2

vi  /etc/config/lucid
...
config daemon https
    option slave httpd
    list address 443
    list publisher webroot
    list publisher luciweb
    option nokeepalive 1
    option memlimit 1572864
    option enabled 1
    option tls maincert
    option encryption enable

config tls maincert
    option key /etc/nixio/rsa_main.der
    option cert /etc/nixio/cert_main.der
    option type asn1
    option generate 1

but https://myapip cannot open?

ccbcfan wrote:

Can lucid support https?? 8.09 RC2

Yes, we can!

Dogge wrote:
ccbcfan wrote:

Can lucid support https?? 8.09 RC2

Yes, we can!

Can you tell me how you set it up?

This is my setup:

vi  /etc/config/lucid
...
config daemon https
    option slave httpd
    list address 443
    list publisher webroot
    list publisher luciweb
    option nokeepalive 1
    option memlimit 1572864
    option enabled 1
    option tls maincert
    option encryption enable

config tls maincert
    option key /etc/nixio/rsa_main.der
    option cert /etc/nixio/cert_main.der
    option type asn1
    option generate 1

http://myrouterip            #can open luci
but
https://myrouterip          #can not open luci with ssl?

libopenssl 0.9.8l-1 installed   
libgnutls-openssl 2.8.5-1  not installed    ##????

Isn't it enabled by default?

There is a lucid.https.enabled=1 option in your lucid config.

(Last edited by Dogge on 8 Mar 2010, 17:17)

Thank you for your help!

I can't find a lucid config file set with the lucid.https.enabled=1 option; which file?

I only find /etc/config/lucid with:

config daemon https
    option slave httpd
    list address 443
    list publisher webroot
    list publisher luciweb
    option nokeepalive 1
    option memlimit 1572864
    option enabled 1                # already enabled  but not open
    option tls maincert
    option encryption enable

Are you using 8.09.2?

(Last edited by ccbcfan on 9 Mar 2010, 05:01)
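A parser for the /etc/config/lucid format quoted in the posts above, with a check of the daemon and tls fields the https listener depends on (the `lucid.https.enabled=1` option Dogge points at is one of them). This is an added example, not code from the thread or from LuCI; the function names and the shortened LUCID_CONF copy are my own constructions.

```python
# Added example, not code from the thread: a small parser for the UCI-style
# /etc/config/lucid file quoted above, plus a check of the fields the https
# daemon needs. LUCID_CONF is a constructed, shortened copy of the posted config.
LUCID_CONF = """config daemon https
    option slave httpd
    list address 443
    list publisher luciweb
    option enabled 1
    option tls maincert
    option encryption enable

config tls maincert
    option key /etc/nixio/rsa_main.der
    option cert /etc/nixio/cert_main.der
"""

def parse_uci(text):
    """Return {section_name: {"_type": type, key: value-or-list}}."""
    sections, cur = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0].startswith("#"):
            continue
        kind, key, val = words[0], words[1], " ".join(words[2:]).strip("'\"")
        if kind == "config":
            # unnamed sections get a positional name (simplified from uci's @type[n])
            name = val or "@%s[%d]" % (key, len(sections))
            cur = sections[name] = {"_type": key}
        elif kind == "option" and cur is not None:
            cur[key] = val
        elif kind == "list" and cur is not None:
            cur.setdefault(key, []).append(val)
    return sections

def check_lucid_https(sections, name="https"):
    """Explain why the https daemon would not serve; an empty list means it should."""
    d = sections.get(name)
    if d is None or d.get("_type") != "daemon":
        return ["no 'config daemon %s' section" % name]
    problems = []
    if d.get("enabled") != "1":
        problems.append("lucid.%s.enabled is not 1" % name)
    if "443" not in d.get("address", []):
        problems.append("lucid.%s.address does not list 443" % name)
    tls = sections.get(d.get("tls", ""))
    if tls is None or tls.get("_type") != "tls":
        problems.append("lucid.%s.tls does not name a 'config tls' section" % name)
    elif not (tls.get("key") and tls.get("cert")):
        problems.append("tls section '%s' lacks a key or cert path" % d["tls"])
    return problems
```

Run against ccbcfan's posted config the check returns nothing, which matches Dogge's point that the daemon is already enabled there; the remaining places to look are whether the key and cert files named by the tls section actually exist and whether the libraries the daemon needs are installed.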

Can anyone use https with lucid?

Yes, I can use https with my backfire 10.3 or 10.3-rci on a DIR-825 (does that help you?)

Btw. Backfire switched to uhttpd...

Hi all, I have moved from uhttpd to lighttpd on backfire; I am also using vhosts. But I have one problem: I cannot seem to be able to configure vhosts and lucid at once.

/www# ls /www
cgi-bin      luci-static  org          resources

But new hosts do not seem to work.
If I access a host I get 403 forbidden.
But if I access the specific file host/index.html it works fine.
My lighttpd config:

server.modules = (
        "mod_simple_vhost",
        "mod_status",
        "mod_cgi",
)

server.network-backend = "write"

server.document-root = "/www/"

server.errorlog = "/var/log/lighttpd/error.log"

index-file.names = ( "index.php", "index.html", "default.html", "index.htm", "default.htm" )

mimetype.assign = (
        ".pdf"   => "application/pdf",
..
        ".xml"   => "text/xml"
)

$HTTP["url"] =~ "\.pdf$" {
        server.range-requests = "disable"
}

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

server.pid-file = "/var/run/lighttpd.pid"

simple-vhost.server-root = "/www"
simple-vhost.default-host = "default.host"
simple-vhost.document-root = "/"

server.upload-dirs = ( "/tmp" )

$HTTP["host"] =~ "^.*$" {
        server.document-root = "/www/"
        cgi.assign = ( "luci"  => "/usr/bin/lua" )
}

OK, I figured out some errors I have made. The lighttpd.conf was missing:
cgi.assign = ( ".php" => "/usr/bin/php-cgi" )
And I had to remove the document root from php.ini.
But still, if I leave this line like it is:

$HTTP["host"] =~ "^.*$" {
        server.document-root = "/www/"
        cgi.assign = ( "luci"  => "/usr/bin/lua" )
}

PHP is not working. I figure that I would have to inform the system to run lua only in some cases, but I do not understand this line.

hi guys,

Does any one of you know how I should install ssl support for luci with backfire 10.03.1-RC5? The described tutorial on openwrt.org didn't work for me.
Thx in advance,
jousch
