1,723
edits
Difference between revisions of "OpenWRT LuCI GUI with UHTTPD using HTTPS"
OpenWRT LuCI GUI with UHTTPD using HTTPS (view source)
Revision as of 10:56, 18 October 2021
, 10:56, 18 October 2021no edit summary
(Created page with "It is needlessly confusing, even with the OpenWRT GUI interface... ===== Installation ===== opkg update opkg install luci-ssl-openssl luci-app-<ins>uhttpd</ins> ===== Confi...") |
m |
||
| Line 1: | Line 1: | ||
It is needlessly confusing, even with the OpenWRT GUI interface... | It is needlessly confusing, even with the OpenWRT GUI interface... | ||
===== Installation ===== | =====Installation===== | ||
opkg update | opkg update | ||
opkg install luci-ssl-openssl luci-app-<ins>uhttpd</ins> | opkg install luci-ssl-openssl luci-app-<ins>uhttpd</ins> | ||
===== Configuration File(s) Location(s) ===== | =====Configuration File(s) Location(s)===== | ||
/etc/config/uhttpd | /etc/config/uhttpd | ||
Default location for HTTPS / Certificate related files: /etc | Default location for HTTPS / Certificate related files: /etc | ||
===== Working Configuration File (with a catch) ===== | =====Working Configuration File (with a catch)===== | ||
The catch is that the uhttpd.crt and uhttpd.key file must exist (read on)<syntaxhighlight lang="text"> | The catch is that the uhttpd.crt and uhttpd.key file must exist (read on)<syntaxhighlight lang="text"> | ||
| Line 44: | Line 44: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
===== Configuring SSL with the LuCI GUI ===== | ===== Firewall ===== | ||
Don't forget to add settings to the Firewall. This is only needed if remote management is needed. Even though UHTTPD is really good about security, it is strongly recommended to restrict GUI access to a limited number of IP Addresses. See example below;<syntaxhighlight lang="text"> | |||
config rule | |||
option dest_port '22' | |||
option src 'wan' | |||
option target 'ACCEPT' | |||
option family 'ipv4' | |||
list proto 'tcp' | |||
list src_ip 'W.X.Y.Z/S' | |||
list dest_ip 'Z.Y.X.W' | |||
option name 'SSH_TCP_22' | |||
config rule | |||
option dest_port '80' | |||
option src 'wan' | |||
option target 'ACCEPT' | |||
option family 'ipv4' | |||
list proto 'tcp' | |||
list src_ip 'W.X.Y.Z/S' | |||
list dest_ip 'Z.Y.X.W' | |||
option name 'HTTP_TCP_80' | |||
config rule | |||
option dest_port '443' | |||
option src 'wan' | |||
option target 'ACCEPT' | |||
option family 'ipv4' | |||
list proto 'tcp' | |||
list src_ip 'W.X.Y.Z/S' | |||
list dest_ip 'Z.Y.X.W' | |||
option name 'HTTPS_TCP_443' | |||
config rule | |||
option dest_port '4443' | |||
option src 'wan' | |||
option target 'ACCEPT' | |||
option family 'ipv4' | |||
list proto 'tcp' | |||
list src_ip 'W.X.Y.Z/S' | |||
list dest_ip 'Z.Y.X.W' | |||
option name 'HTTPS_TCP_4443' | |||
</syntaxhighlight>In the above example, of course replace 'source' and 'destination' IP Addresses with proper ones. The port 8080 and 4443 items are shown as a reminder that anyone using OpenWRT as a web server will need to take ports 80 and 443 into consideration when managing a router (IE, can't double up on the ports, as something won't work properly). | |||
=====Configuring SSL with the LuCI GUI===== | |||
Forget about it (see below). Just restart the UHTTPD service and it will generate the proper SSL certificate, etc. | |||
Here's why the GUI is a bit misleading: There are two buttons that prompt one to "Select file". What it doesn't say is that the "Remove old certificate and key" Button will not work reliably unless the above information is configured in the /etc/config/uhttpd file. | Here's why the GUI is a bit misleading: There are two buttons that prompt one to "Select file". What it doesn't say is that the "Remove old certificate and key" Button will not work reliably unless the above information is configured in the /etc/config/uhttpd file. | ||
In fact after an hour of testing the LuCU HTTPD GUI was so wonky and unpredictable, it became pointless to give explicit directions. That combined with a rather curious feature of clicking on the "Remove old certificate and key" Button redirecting to a URL that claims it "can't display this page", but is the exact same as the one can go "back" to, that works. | In fact after an hour of testing the LuCU HTTPD GUI was so wonky and unpredictable, it became pointless to give explicit directions. That combined with a rather curious feature of clicking on the "Remove old certificate and key" Button redirecting to a URL that claims it "can't display this page", but is the exact same as the one can go "back" to, that works. | ||
===== Items of Note ===== | =====Items of Note===== | ||
The "Redirect all HTTP to HTTPS" check box should be renamed to "Redirect all HTTP to HTTPS (if HTTPS is available)". IE, if that check box / setting is enabled AND HTTPS is not functional, HTTP will work. This is a good thing. Otherwise the LuCI GUI wouldn't work. | The "Redirect all HTTP to HTTPS" check box should be renamed to "Redirect all HTTP to HTTPS (if HTTPS is available)". IE, if that check box / setting is enabled AND HTTPS is not functional, HTTP will work. This is a good thing. Otherwise the LuCI GUI wouldn't work. | ||
| Line 63: | Line 109: | ||
Bottom line is that this LuCI GUI is rough and needs some tweaks. You're better off using text files to configure UHTTPD. | Bottom line is that this LuCI GUI is rough and needs some tweaks. You're better off using text files to configure UHTTPD. | ||
<br /> | |||
===== Questions ===== | |||
Given the push for everything being secure, it's really a wonder all of this isn't part of a default package thing for the Linksys AC Series of routers given how much storage space they have. For smaller routers with less storage space, it is certaintly understandable for conserving storage space, yet... Hmmm...<br /> | |||