Allowing Luci/TurrisOS to be published Locally only

Dear All,

I would like to prevent LuCI/reForis from being published on the internet (using lighttpd) on a freshly restored Turris Omnia router running TurrisOS 5.3.3.

Ideally, I would only like to make the web interface available from within my local network, and close it for outside access.

How can I achieve this? Thank you.

LuCI and reForis are not accessible from WAN by default.

1 Like

Thank you for your response viktor.

And I have to apologize.

I’ve just now done another factory reset of the Turris Omnia using the reForis interface - the last time I did this was already a month ago.

Right now, automatic updates are on, wifi is off, threat detection is off, and the dynamic firewall is off.

The first batch of automatic updates have just been downloaded, and the router is freshly restarted.

Indeed, I confirm that nothing is being published externally.


e. Once I activate “Advanced security & analytics - Turris Sentinel” (with the default selection: “Usage Survey”, “Dynamic Firewall”, “Firewall Logs”, “Minipots”) in “Package Management > Packages”, and accept the license, then port 80 is exposed.

e2. If you disable “Minipots”, then port 80 is no longer exposed.

e3. So, I think what you see from the outside is just a honeypot and not the real LuCI/reForis launcher page.

2 Likes

You can even make it listen on localhost (127.0.0.0:80), which means it will not be available even from the LAN.
You then access it through an SSH local forward.

Thanks iron-maiden, is it this option in /etc/lighttpd/lighttpd.conf?

```
### Options that are useful but not always necessary:
#server.chroot               = "/"
#server.port                 = 81
>>>#server.bind                 = "localhost"<<<
#server.tag                  = "lighttpd"
#server.errorlog-use-syslog  = "enable"
#server.network-backend      = "writev"
```

Hi, yes. SSH forwarding is a well-known technique. There should even be community documentation. Let me find it.

Here it is:

https://wiki.turris.cz/doc/en/public/lighttpd

After setup, you can verify that clients from the LAN can no longer access it at http://192.168.1.1

1 Like
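The check discussed in this thread, as an added example that is not part of any post: a small shell script that reads a lighttpd config, reports whether `server.bind` is actually active (a line starting with `#` has no effect) and prints the matching SSH local forward. Assumptions: the two sample configs are constructed, only the given file is inspected (include files and `$SERVER["socket"]` blocks are ignored), and the SSH user `root` and local port 8080 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): does a lighttpd config bind to loopback only?
# Only the given file is read; include files and $SERVER["socket"] blocks are ignored.

# Print the last active value of directive $1 in config file $2.
lighttpd_directive() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                 # commented-out lines have no effect
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k)
            sub(/^[ \t]*"?/, "", v); sub(/"?[ \t]*$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$2"
}

# Classify where the web UI listens, based on server.bind.
classify_bind() {
    case "$(lighttpd_directive server.bind "$1")" in
        ""|0.0.0.0|"*")               echo all-interfaces ;;   # unset: every address
        localhost|127.*|::1|"[::1]")  echo loopback-only ;;
        *)                            echo specific-address ;;
    esac
}

# Print the SSH local forward for a loopback-only UI.
# Assumptions: router at 192.168.1.1 (from the thread), user root, local port 8080.
forward_cmd() {
    port=$(lighttpd_directive server.port "$1")
    echo "ssh -L 8080:127.0.0.1:${port:-80} root@192.168.1.1"
}

# Constructed sample configs: the commented-out default and the edited version.
tmp=$(mktemp -d)
printf '%s\n' '#server.port = 81' '#server.bind = "localhost"' > "$tmp/before.conf"
printf '%s\n' 'server.port = 80' 'server.bind = "localhost"' > "$tmp/after.conf"

for f in before after; do
    echo "$f: $(classify_bind "$tmp/$f.conf")"
done
forward_cmd "$tmp/after.conf"
```

With the forward running, the interface is reached on the client at http://127.0.0.1:8080 instead of the router's LAN address.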
