How to block access to Foris/LuCI and allow to Nextcloud?

Hello,

I got my Turris Omnia a month ago and I am currently trying to harden my setup. I have several networks for different purposes. All except one should not have access to the Turris administration interfaces (Foris/LuCI). For most this is not a problem, as I can deny access to the router itself. The problem is my main LAN, as I also have Nextcloud installed on the router, which my family should use. So I cannot simply block access to the router.

What I want to achieve is that clients in the LAN are able to connect to Nextcloud but not to Foris or LuCI. The firewall only allows blocking on IP addresses and ports. By default, those are the same for Nextcloud and Foris/LuCI. I managed to change the Nextcloud port to a different port, but only for http. When I tried to configure https for it, it broke and lighttpd did not start anymore.

Below I copied my attempt to change the default lighttpd configuration. Obviously, it is a problem with enabling TLS, because when I do the changes in ssl-enable.conf lighttpd will not start anymore. But I am not even sure if this is the best way to address my problem. What I really want to achieve is that everyone in the network 192.168.51.0/24 can reach Nextcloud, which is running on 192.168.51.13. At the same time, they should not be able to reach anything else on the router.

Any help/suggestion is appreciated.

Georg

=================================

nextcloud.conf:

$SERVER["socket"] == "192.168.51.13:82" {

    alias.url += ( "/nextcloud" => "/srv/www/nextcloud" )

    $HTTP["url"] =~ "^/nextcloud" {
        # Add 'X-Frame-Options' header, making sure the website is not embedded in a frame or iframe.
        # This avoids clickjacking, and might be helpful for HTTPS websites.
        # As frames are not used nowadays, this should be safe to enable, at least SAMEORIGIN.
        # Other options might be DENY or ALLOW-FROM. DENY is not used as a frame is used in some old LuCI modules.
        setenv.add-response-header += ( "X-Frame-Options" => "SAMEORIGIN" )
    }

    $HTTP["url"] =~ "^/nextcloud/(build|tests|config|lib|3rdparty|templates|data)" {
        url.access-deny = ( "" )
    }

}

ssl-enable.conf:

# This setting enables https with a user-generated self-signed certificate from
# package https-cert

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd-self-signed.pem"
}

$SERVER["socket"] == "[::]:443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd-self-signed.pem"
}

$SERVER["socket"] == ":82" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd-self-signed.pem"
}

$HTTP["scheme"] == "https" {
    # Add 'HTTP Strict Transport Security' header (HSTS) to sites
    # setenv.add-response-header += ( "Strict-Transport-Security" => "max-age=31536000; includeSubDomains" )
}

I have a setup on my Apache server that serves different pages to different hosts (LAN vs WAN, basically).

It looks like lighttpd has something similar. I found on this page:
https://redmine.lighttpd.net/projects/1/wiki/docs_configuration
that you can set access restrictions:

# Allow only 200.19.1.5 and 210.45.2.7 to
# have access to www.example.org/admin/
$HTTP["host"] == "www.example.org" {
  #!~ is a perl style regular expression not match
  $HTTP["remoteip"] !~ "^(200\.19\.1\.5|210\.45\.2\.7)$" {
    $HTTP["url"] =~ "^/admin/" {
      url.access-deny = ( "" )
    }
  }
}

I’m not sure how that would be set up for the Turris, but I imagine it could be set somewhere.

Thanks, this looks like the way to go, although I did not get it working right away. Unfortunately I am right now short on time, but I will check it more.

Clumsy me. I now got it working so that Foris and LuCI are blocked. I also set the firewall to allow only https.

I did not use the example provided above but the example just next to it on the linked page, since I preferred, at least for the moment, to give access to Foris and LuCI from a whole subnet.

Thanks a lot.

Here is what I added to lighttpd.conf:

> # Allow only 192.168.2.0/24 to
> # have access to Foris UI
> $HTTP["host"] == "192.168.1.1" {
>   $HTTP["remoteip"] != "192.168.2.0/24" {
>     $HTTP["url"] =~ "^/foris/config/" {
>       url.access-deny = ( "" )
>     }
>   }
> }
> # Allow only 192.168.2.0/24 to
> # have access to LuCI UI
> $HTTP["host"] == "192.168.1.1" {
>   $HTTP["remoteip"] != "192.168.2.0/24" {
>     $HTTP["url"] =~ "^/cgi-bin/luci" {
>       url.access-deny = ( "" )
>     }
>   }
> }
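Putting the two halves of this thread together, here is an added example (not Georg's configuration and not anything shipped by the Turris project) of a single lighttpd fragment that serves Nextcloud over TLS on its own port and denies Foris and LuCI to every client outside the admin subnet. The address 192.168.51.13, port 82, the certificate path and the Nextcloud paths are taken from the posts above; the admin subnet 192.168.2.0/24 is an assumption, as is the choice to match `/foris` rather than only `/foris/config/`.

```lighttpd
# Added example, not from the original posts. Assumes lighttpd already loads
# mod_access, mod_alias and mod_setenv, and that the certificate from the
# posts exists at /etc/lighttpd-self-signed.pem.

# --- Nextcloud: dedicated TLS socket, reachable from the whole LAN ---------
# TLS is switched on inside the same socket block that defines the vhost.
# Do not also declare $SERVER["socket"] == ":82" in ssl-enable.conf:
# ":82" and "192.168.51.13:82" are two different listeners to lighttpd.
$SERVER["socket"] == "192.168.51.13:82" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd-self-signed.pem"

    alias.url += ( "/nextcloud" => "/srv/www/nextcloud" )

    # The admin UIs must not be reachable through this socket either.
    $HTTP["url"] =~ "^/(foris|cgi-bin/luci)" {
        url.access-deny = ( "" )
    }

    $HTTP["url"] =~ "^/nextcloud" {
        setenv.add-response-header += ( "X-Frame-Options" => "SAMEORIGIN" )
    }

    # Nextcloud's own recommendation: never serve these directories.
    $HTTP["url"] =~ "^/nextcloud/(build|tests|config|lib|3rdparty|templates|data)" {
        url.access-deny = ( "" )
    }
}

# --- Foris / LuCI: admin subnet only, on every socket ----------------------
# Deliberately no $HTTP["host"] condition, so the rule holds whatever Host
# header the client sends. remoteip accepts CIDR notation with == and !=.
# 192.168.2.0/24 is the assumed admin network.
$HTTP["remoteip"] != "192.168.2.0/24" {
    $HTTP["url"] =~ "^/(foris|cgi-bin/luci)" {
        url.access-deny = ( "" )
    }
}
```

Two design points differ from the quoted config. First, the quoted rules are wrapped in `$HTTP["host"] == "192.168.1.1"`, which is an exact match on the Host header: a client that reaches the router under a hostname (or a different IP, such as the Nextcloud address) is not covered by it, so the example drops the host condition and keys only on the client address and path. Second, `url.access-deny` applies to the lighttpd process only; it says nothing about other services listening on the router, so the firewall rule Georg mentions (only https from the LAN to the router) is still needed. After `/etc/init.d/lighttpd restart`, a check from a non-admin LAN client is `curl -k https://192.168.51.13:82/nextcloud/` (expected: Nextcloud) versus `curl -k https://192.168.51.13:82/cgi-bin/luci` (expected: HTTP 403).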