Change the reForis web admin port

I’ve just bought a Turris Omnia wifi6 and have read the documents
and am configuring it. I have used Gargoyle for many years but not openwrt.
Turris OS version is 6.5.2.

I have one question:
I have changed the ssh port with no problem, but
how do I change the admin port for the reForis web interface from 80/443 to some other nn/nnn?

Incorrect answers i have found online:

  1. System > Settings / Admin Access
     - no such menu entry

  2. System > Administration > Services > Find the HTTP service and click Edit
     - no such menu entry

  3. Edit the configuration file /etc/reforis/reforis.conf, look for line port = 8080
     - no such file

There is a file:
/etc/config/reforis
but the only entry is a comment
# void for now

I assume I can put an entry in /etc/config/reforis,
but if so, what is the syntax?

What about looking at /etc/config/lighttpd?

I wonder why to do that. Seems like security by obscurity. And I believe it will get overwritten by each update.

No, it's both:

  1. statistical arbitrage:
     Increases the cost of attacking me by 65000/4 (assuming 2 open ports).
     and
  2. leveraging the actual threat landscape:
     Many attackers simply scan known ports for known vulnerabilities
     using something like Shodan as target guidance.

There is no
/etc/config/lighttpd,
there is
/etc/lighttpd/lighttpd.conf
which I checked.

I also checked:
All the relevant files in /etc/lighttpd/conf.d/
All the plausible files in /etc/config/
(including foris, foris-controller, foris-controller-subordinates, luci, network, reforis)

The only item I found was:
/etc/config/foris-ws has a line
option port 9080
but I don't know what foris-ws is and the line seems not relevant.

So I can't find where the reForis and Luci listening ports are set,
or how to change them.

It doesn’t get overwritten by Gargoyle updates, which is also based on openwrt.
Anyway, if it is, after each update, I’ll just fix it again
until it gives up overwriting it and apologises for being inconsiderate :grinning:.

Of course I can amend the firewall rules

luci / network / firewall / traffic rule

specifically

wan_https_turris_rule

to change port 443 to nnnn

but that only allows the packet in,
it doesn’t mean reForis will accept it.

For example
if I change port 22 to nnnn in the firewall, then try to ssh from the wan,
sshd will receive the packet but reject the connection attempt.

I did try to just connect to the box from the lan on a different port
(from the lan so the firewall would not reject it)
but it just resets the connection.

So, there must be some way to configure reForis
to accept connections on a different port.

Further information on what doesn’t work:

As the web server seems to be lighttpd, after reading

I tried editing
/etc/lighttpd/lighttpd.conf
to add:
server.port = "nnnn"
or
server.port = nnnn
and then restarting the service

However then I just couldn’t connect.

root@router:~# grep port /etc/lighttpd/conf.d/*
/etc/lighttpd/conf.d/30-fastcgi.conf:#            "port" => 9999,
/etc/lighttpd/conf.d/30-fastcgi.conf:#    "port" => "2000",
/etc/lighttpd/conf.d/30-proxy.conf:#        "port" => 80
/etc/lighttpd/conf.d/70-foris-ws.conf:  proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => "9080" ) ) )
/etc/lighttpd/conf.d/80-netdata.conf:  proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => "19999") ) )
/etc/lighttpd/conf.d/90-turris-root.conf:# to support Turris webapps.
root@router:~# grep 443 /etc/lighttpd/conf.d/*
/etc/lighttpd/conf.d/40-ssl-enable.conf:$SERVER["socket"] == ":443" {
/etc/lighttpd/conf.d/40-ssl-enable.conf:$SERVER["socket"] == "[::]:443" {

Maybe this will give you some hints


thanks for that, I had seen some of those but not all.

I think the first few are not relevant:
they are the loopback address (127.0.0.1) rather than an external access address.
Also, we are looking to change ports 80 and 443, not 1999 etc.

But the last 2 could be key. I detailed them below

I do worry as both of them say:
"is not meant to be edited"
and sometimes they really mean it. :wink:

Also the lighttpd documentation does say to change lighttpd.conf:

server.port = 80

and even though it doesn't work, it doesn't seem wise to ignore it.

Anyway I’ll try them both tomorrow - bedtime in NZ.

Just in case, is there any way of doing rollbacks to the snapshots
reforis/administration/snapshots
from the command line?


90-turris-root.conf

#This is part of turris-webapps package and is not meant to be edited.
#If you need different setup, uninstall this package and create your own config
#Listen on IPv4 ":80" (default) and on IPv6 "[::]:80"
$SERVER["socket"] == ":80" { }
$SERVER["socket"] == "[::]:80" { }


40-ssl-enable.conf

#This package is not meant to be edited, it is part of package lighttpd-https-cert
#If you need different https setup, uninstall this package and create your own configuration
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
}
$SERVER["socket"] == "[::]:443" {
    ssl.engine = "enable"
}


ok, thanks to Orest, I think it is solved.

Background:
OpenWrt Luci uses uhttpd as its webserver.
Gargoyle replaces Luci, also using uhttpd.
GL.iNet uses uhttpd as its webserver for Luci
and nginx as its webserver for its own web admin panel.
(so one can set the access ports separately).
reForis seems to use lighttpd as the web server,
and for both reForis and for Luci.
This is why none of the online guides are correct.

1. To change the https port from 443 → nnn
edit /etc/lighttpd/conf.d/40-ssl-enable.conf
change:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
}
$SERVER["socket"] == "[::]:443" {
    ssl.engine = "enable"
}

to

$SERVER["socket"] == ":nnn" {
    ssl.engine = "enable"
}
$SERVER["socket"] == "[::]:nnn" {
    ssl.engine = "enable"
}

Now, after restarting lighttpd, you can https to port nnn.
but as expected, not to 443.

2. To add xxx as a port for http
edit /etc/lighttpd/conf.d/90-turris-root.conf

$SERVER["socket"] == ":80" { }
$SERVER["socket"] == "[::]:80" { }

change to:

$SERVER["socket"] == ":xxx" { }
$SERVER["socket"] == "[::]:xxx" { }

Now, after restarting lighttpd, you can http to port xxx.

3. But a funny,
you can now http to both port 80 and port xxx ?!?!
So, now you have to edit /etc/lighttpd/lighttpd.conf
to add a line:

server.port = xxx

Now you can connect http on xxx but not 80.

4. But still one funny outstanding.
if you try to connect on 443 you get the correct error:

Unable to connect

but if you now try to connect on port 80 you get a page with just one lonely line,
obviously output by some confused code:

Network Error when attempting to fetch resource

UPDATE:
After a few reboots and a day of cool-down, this last error seems to have disappeared, so I think I can mark this as a solution.
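The three edits above (the two $SERVER["socket"] drop-ins plus server.port in lighttpd.conf) are easy to get half done, and a typo leaves the router with no working web UI. Here is an added example, not code from this thread or from Turris OS, that applies the same edits to copies of the files and checks the result before anything is restarted. The directory, the sample file contents and the ports 8443/8080 are constructed for the demo; on the router the real files are /etc/lighttpd/conf.d/40-ssl-enable.conf, /etc/lighttpd/conf.d/90-turris-root.conf and /etc/lighttpd/lighttpd.conf.

```shell
#!/bin/sh
# Added example (not from the thread or from Turris OS): rewrite the listen
# ports in COPIES of the two lighttpd drop-ins the thread identifies, add the
# server.port line from step 3, and verify the result before restarting.
# The directory, sample contents and ports 8443/8080 are constructed here.
set -eu

# Constructed stand-ins for 40-ssl-enable.conf and 90-turris-root.conf.
make_sample_conf() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/40-ssl-enable.conf" <<'EOF'
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
}
$SERVER["socket"] == "[::]:443" {
ssl.engine = "enable"
}
EOF
    cat > "$dir/90-turris-root.conf" <<'EOF'
$SERVER["socket"] == ":80" { }
$SERVER["socket"] == "[::]:80" { }
EOF
}

# Change ":OLD" to ":NEW" in every $SERVER["socket"] conditional of one file;
# this covers both the IPv4 ":443" and the IPv6 "[::]:443" form. A .bak copy
# is kept so the edit can be reverted if lighttpd refuses to start.
rewrite_socket_port() {
    file=$1; old=$2; new=$3
    cp "$file" "$file.bak"
    sed "s/:$old\"/:$new\"/g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Set server.port in lighttpd.conf (step 3 of the thread): replace an existing
# line or append one, so the default :80 listener is not kept alongside the
# new port.
set_server_port() {
    file=$1; port=$2
    touch "$file"
    if grep -q '^server\.port' "$file"; then
        sed "s/^server\.port.*/server.port = $port/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'server.port = %s\n' "$port" >> "$file"
    fi
}

# Number of socket conditionals in a file that bind the given port.
# After a rewrite the old port should count 0 and the new one 2 (IPv4 + IPv6).
count_socket_port() {
    file=$1; port=$2
    grep -c '^\$SERVER\["socket"\] == "[^"]*:'"$port"'"' "$file" || true
}

# On the router itself, before restarting: `lighttpd -tt -f /etc/lighttpd/lighttpd.conf`
# checks the merged configuration, `/etc/init.d/lighttpd restart` applies it, and
# `netstat -ltn` shows which ports are actually bound afterwards. The firewall
# rule wan_https_turris_rule still names port 443 and has to be changed separately
# if WAN access to the new port is wanted at all; until then the new port is
# reachable from the LAN only.
```

Run the functions against a scratch copy of /etc/lighttpd first (make_sample_conf is only there to build that copy offline); once count_socket_port reports 0 for the old port and 2 for the new one in each file, repeat the two rewrite calls on the real files, run the lighttpd syntax check, and only then restart the service.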

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.