Difference between revisions of "OpenWRT LuCI GUI with UHTTPD using HTTPS"

Wiki.TerraBase.info
Jump to navigation Jump to search
(Created page with "It is needlessly confusing, even with the OpenWRT GUI interface... ===== Installation ===== opkg update opkg install luci-ssl-openssl luci-app-<ins>uhttpd</ins> ===== Confi...")
 
m
Line 1: Line 1:
It is needlessly confusing, even with the OpenWRT GUI interface...
It is needlessly confusing, even with the OpenWRT GUI interface...


===== Installation =====
=====Installation=====
opkg update
opkg update


opkg install luci-ssl-openssl luci-app-<ins>uhttpd</ins>
opkg install luci-ssl-openssl luci-app-<ins>uhttpd</ins>


===== Configuration File(s) Location(s) =====
=====Configuration File(s) Location(s)=====
/etc/config/uhttpd
/etc/config/uhttpd


Default location for HTTPS / Certificate related files: /etc
Default location for HTTPS / Certificate related files: /etc


===== Working Configuration File (with a catch) =====
=====Working Configuration File (with a catch)=====
The catch is that the uhttpd.crt and uhttpd.key file must exist (read on)<syntaxhighlight lang="text">
The catch is that the uhttpd.crt and uhttpd.key file must exist (read on)<syntaxhighlight lang="text">


Line 44: Line 44:
</syntaxhighlight>
</syntaxhighlight>


===== Configuring SSL with the LuCI GUI =====
===== Firewall =====
Don't forget to add settings to the Firewall.  This is only needed if remote management is needed.  Even though UHTTPD is really good about security, it is strongly recommended to restrict GUI access to a limited number of IP Addresses.  See example below;<syntaxhighlight lang="text">
config rule
        option dest_port '22'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'
        list src_ip 'W.X.Y.Z/S'
        list dest_ip 'Z.Y.X.W'
        option name 'SSH_TCP_22'
 
config rule
        option dest_port '80'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'
        list src_ip 'W.X.Y.Z/S'
        list dest_ip 'Z.Y.X.W'
        option name 'HTTP_TCP_80'
 
config rule
        option dest_port '443'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'
        list src_ip 'W.X.Y.Z/S'
        list dest_ip 'Z.Y.X.W'
        option name 'HTTPS_TCP_443'
 
 
config rule
        option dest_port '4443'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'
        list src_ip 'W.X.Y.Z/S'
        list dest_ip 'Z.Y.X.W'
        option name 'HTTPS_TCP_4443'
</syntaxhighlight>In the above example, of course replace 'source' and 'destination' IP Addresses with proper ones.  The port 8080 and 4443 items are shown as a reminder that anyone using OpenWRT as a web server will need to take ports 80 and 443 into consideration when managing a router (IE, can't double up on the ports, as something won't work properly).
 
=====Configuring SSL with the LuCI GUI=====
Forget about it (see below).  Just restart the UHTTPD service and it will generate the proper SSL certificate, etc.
 
Here's why the GUI is a bit misleading: There are two buttons that prompt one to "Select file".  What it doesn't say is that the "Remove old certificate and key" Button will not work reliably unless the above information is configured in the /etc/config/uhttpd file.
Here's why the GUI is a bit misleading: There are two buttons that prompt one to "Select file".  What it doesn't say is that the "Remove old certificate and key" Button will not work reliably unless the above information is configured in the /etc/config/uhttpd file.


In fact after an hour of testing the LuCU HTTPD GUI was so wonky and unpredictable, it became pointless to give explicit directions.  That combined with a rather curious feature of clicking on the "Remove old certificate and key" Button redirecting to a URL that claims it "can't display this page", but is the exact same as the one can go "back" to, that works.
In fact after an hour of testing the LuCU HTTPD GUI was so wonky and unpredictable, it became pointless to give explicit directions.  That combined with a rather curious feature of clicking on the "Remove old certificate and key" Button redirecting to a URL that claims it "can't display this page", but is the exact same as the one can go "back" to, that works.


===== Items of Note =====
=====Items of Note=====
The "Redirect all HTTP to HTTPS" check box should be renamed to "Redirect all HTTP to HTTPS (if HTTPS is available)".  IE, if that check box / setting is enabled AND HTTPS is not functional, HTTP will work.  This is a good thing.  Otherwise the LuCI GUI wouldn't work.
The "Redirect all HTTP to HTTPS" check box should be renamed to "Redirect all HTTP to HTTPS (if HTTPS is available)".  IE, if that check box / setting is enabled AND HTTPS is not functional, HTTP will work.  This is a good thing.  Otherwise the LuCI GUI wouldn't work.


Line 63: Line 109:


Bottom line is that this LuCI GUI is rough and needs some tweaks.  You're better off using text files to configure UHTTPD.
Bottom line is that this LuCI GUI is rough and needs some tweaks.  You're better off using text files to configure UHTTPD.
<br />
 
===== Questions =====
Given the push for everything being secure, it's really a wonder all of this isn't part of a default package thing for the Linksys AC Series of routers given how much storage space they have.  For smaller routers with less storage space, it is certaintly understandable for conserving storage space, yet...  Hmmm...<br />

Revision as of 10:56, 18 October 2021

It is needlessly confusing, even with the OpenWRT GUI interface...

Installation

opkg update

opkg install luci-ssl-openssl luci-app-uhttpd

Configuration File(s) Location(s)

/etc/config/uhttpd

Default location for HTTPS / Certificate related files: /etc

Working Configuration File (with a catch)

The catch is that the uhttpd.crt and uhttpd.key file must exist (read on)

config uhttpd 'main'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	list listen_http '0.0.0.0:80'
	list listen_https '0.0.0.0:443'
	option redirect_https '1'

config cert 'defaults'
	option days '730'
	option key_type 'rsa'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'
Firewall

Don't forget to add settings to the Firewall. This is only needed if remote management is needed. Even though UHTTPD is really good about security, it is strongly recommended to restrict GUI access to a limited number of IP Addresses. See example below;

config rule
        option dest_port '22'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'
        list src_ip 'W.X.Y.Z/S'
        list dest_ip 'Z.Y.X.W'
        option name 'SSH_TCP_22'

config rule
        option dest_port '80'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'
        list src_ip 'W.X.Y.Z/S'
        list dest_ip 'Z.Y.X.W'
        option name 'HTTP_TCP_80'

config rule
        option dest_port '443'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'
        list src_ip 'W.X.Y.Z/S'
        list dest_ip 'Z.Y.X.W'
        option name 'HTTPS_TCP_443'


config rule
        option dest_port '4443'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'
        list src_ip 'W.X.Y.Z/S'
        list dest_ip 'Z.Y.X.W'
        option name 'HTTPS_TCP_4443'

In the above example, of course replace 'source' and 'destination' IP Addresses with proper ones. The port 8080 and 4443 items are shown as a reminder that anyone using OpenWRT as a web server will need to take ports 80 and 443 into consideration when managing a router (IE, can't double up on the ports, as something won't work properly).

Configuring SSL with the LuCI GUI

Forget about it (see below). Just restart the UHTTPD service and it will generate the proper SSL certificate, etc.

Here's why the GUI is a bit misleading: There are two buttons that prompt one to "Select file". What it doesn't say is that the "Remove old certificate and key" Button will not work reliably unless the above information is configured in the /etc/config/uhttpd file.

In fact after an hour of testing the LuCU HTTPD GUI was so wonky and unpredictable, it became pointless to give explicit directions. That combined with a rather curious feature of clicking on the "Remove old certificate and key" Button redirecting to a URL that claims it "can't display this page", but is the exact same as the one can go "back" to, that works.

Items of Note

The "Redirect all HTTP to HTTPS" check box should be renamed to "Redirect all HTTP to HTTPS (if HTTPS is available)". IE, if that check box / setting is enabled AND HTTPS is not functional, HTTP will work. This is a good thing. Otherwise the LuCI GUI wouldn't work.

The Remove configuration for certificate and key button should have it's help information re-written to this: Clicking this button will result in the deletion of HTTPS related certificate information. This includes settings and the files (/etc/uhttpd.crt and /etc/uhttpd.key by default).

Do not put in the entry: list listen_https '0.0.0.0:443'

...unless this is also set to enabled: option redirect_https '1' (if it isn't set to enabled, the above 443 entry by itself will break access to port 80)

The "Add" Button is misleading because of its placement. It has nothing to do with certificates. It generates configuration for an additional instance of the LuCI GUI. Really useful. Not.

The "Remove old certificate and key" Button is very unpredictable based on too many variables to keep track of. See above section on how to manipulate it into creating a certificate file. Wow! Here's an idea: What about a button that says "Generate New Certificate (based on the below information)"* *Note: This will delete the old certificate related information and replace it with new information. Oh, and also make it work by having some GUI validation that doesn't allow checking of the use HTTPS unless there is certificate information available. And about a dozen other things.

Bottom line is that this LuCI GUI is rough and needs some tweaks. You're better off using text files to configure UHTTPD.

Questions

Given the push for everything being secure, it's really a wonder all of this isn't part of a default package thing for the Linksys AC Series of routers given how much storage space they have. For smaller routers with less storage space, it is certaintly understandable for conserving storage space, yet... Hmmm...

Retrieved from "https://wiki.terrabase.info/index.php?title=OpenWRT_LuCI_GUI_with_UHTTPD_using_HTTPS&oldid=1503"