I am trying to tunnel LuCI and Reforis via SSH

Hi,

I am trying to tunnel LuCI and Reforis via SSH, but unfortunately without success. I followed this guide: Accessing Web Interface Securely [Turris wiki]

My steps on my Turris Omnia (v6.0.2):

# nano /etc/lighttpd/lighttpd.conf

#server.bind = "localhost" > server.bind = "localhost"
#server.port = 81 > server.port = 80

# mv /etc/lighttpd/conf.d/40-ssl-enable.conf /etc/lighttpd/conf.d/40-ssl-enable.conf.bak

reboot

My steps on my laptop:

nano ~/.ssh/config

Host turris
Hostname 192.168.1.1
User root
Port 22
LocalForward 127.0.0.1:8000 127.0.0.1:80

ssh turris

But when I now enter http://127.0.0.1:8000/ into my web browser, I get the following message: The connection to the server was reset while the page was loading.

And in the terminal appears: channel 2: open failed: connect failed: connection denied

Does anyone have an idea where I made a mistake?

1 Like

Try clearing the browser cache or starting with a new profile; generally I use different profiles for different things.
I also have the same setup and it works fine for me.

Cache was cleared, new profile created and tested with a second browser as well. Nothing helps :face_with_diagonal_mouth:

service lighttpd status

running

What happens if you do curl -v http://127.0.0.1:80/ on the router itself?

# curl -v http://127.0.0.1:80

Failed to connect to 127.0.0.1 port 80 after 0 ms: Connection refused
curl: (7) Failed to connect to 127.0.0.1 port 80 after 0 ms: Connection refused

Normally that curl command should return the homepage HTML if lighttpd is up properly, so something is wrong with your HTTP server and it is not working.

I have used SSH to tunnel connections (not only to the Omnia but also to other systems) for quite some time… It works without problems. But I use a virtual Debian (via LXC on the Omnia) which is the SSH tunnel endpoint.

You have to enable port forwarding in the SSH daemon. The actual tunnel configuration is done in the SSH client. And you have to configure a proxy in your browser.

The protocols I use are http/https, svn and rdp.

Hope this helps.

Rainer

Hi, I wish this would help me. Please consider me a complete newbie :grimacing:

In the ~/.ssh/config file I use to connect to my Omnia, I added the following line as described in the mentioned guide: LocalForward 127.0.0.1:8000 127.0.0.1:80

Is this what you mean?

I guess you have just broken the lighttpd configuration and it does not start.
What do you get when you run pidof lighttpd || echo -e 'lighttpd not running'?

root@staging-gw-prg:~# pidof lighttpd || echo -e 'lighttpd not running'
26423
root@staging-gw-prg:~# service lighttpd stop
root@staging-gw-prg:~# pidof lighttpd || echo -e 'lighttpd not running'
lighttpd not running
root@staging-gw-prg:~# 

You can even try to run lighttpd -f /etc/lighttpd/lighttpd.conf -tt to check the configuration for errors.

Anyway, I think the best approach is to add a rule to the firewall blocking the access to the webserver port(s). The loopback access won’t be affected.

2 Likes

root@turris:~# service lighttpd status
running
root@turris:~# pidof lighttpd || echo -e 'lighttpd not running'
lighttpd not running
root@turris:~# lighttpd -f /etc/lighttpd/lighttpd.conf -tt
root@turris:~#

Maybe. But I only changed the two lines as described in the guide :see_no_evil:

GNU nano 6.4              /etc/lighttpd/lighttpd.conf                         
server.document-root        = "/www"
server.upload-dirs          = ( "/tmp" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"

#server.username             = "http"
#server.groupname            = "www-data"

index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm",
                              )

static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

### Features
#https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_feature-flagsDetails
server.feature-flags       += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags       += ("server.graceful-restart-bg" => "enable")

### Options that are useful but not always necessary:
#server.chroot               = "/"
server.port                 = 80
server.bind                 = "localhost"
#server.tag                  = "lighttpd"
#server.errorlog-use-syslog  = "enable"
#server.network-backend      = "writev"

### Use IPv6 if available
#include_shell "/usr/share/lighttpd/use-ipv6.pl"

#dir-listing.encoding        = "utf-8"
#server.dir-listing          = "enable"

include "/etc/lighttpd/mime.conf"
include "/etc/lighttpd/conf.d/*.conf"

So, revert the changes and see if it helps? Your problem is not with SSH tunneling, but with broken lighttpd.

1 Like

After changing /etc/lighttpd/lighttpd.conf back, I can access LuCI and Reforis via http://192.168.1.1 and http://127.0.0.1.

root@turris:~# service lighttpd restart
root@turris:~# service lighttpd status
running
root@turris:~# pidof lighttpd || echo -e 'lighttpd not running'
10270

Good.
Next step is to verify the SSH tunnel works.
On your computer run ssh root@192.168.1.1 -L:8000:127.0.0.1:80 and try to access http://localhost:8000. If it works for you now, you can block the access to the router management panel with a firewall rule.

1 Like
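Putting hagrid's diagnosis steps and the firewall step together, as an added example that is not from anyone in the thread: a small POSIX shell script for the router. It assumes BusyBox netstat, the UCI firewall of OpenWrt/Turris OS, and that SSH on port 22 stays reachable from the LAN; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: health check for the tunnel endpoint and
# the UCI firewall rule hagrid suggests. Text-parsing functions read stdin so
# they can be exercised on constructed input; live commands run only on the
# router when the script is invoked with --live or --block.

# Is a TCP socket listening on exactly ADDR:PORT? Expects `netstat -ltn`
# output on stdin (BusyBox netstat on Turris OS uses the same column layout).
listens_on() {
    awk -v want="$1" '$1 == "tcp" && $4 == want { found = 1 } END { exit !found }'
}

# Reproduce the diagnosis from the thread: running process, clean config,
# and a listener on loopback:80 for the LocalForward to connect to.
live_check() {
    if ! pidof lighttpd >/dev/null; then
        echo "lighttpd is not running; configuration check follows (silent = OK):"
        lighttpd -f /etc/lighttpd/lighttpd.conf -tt
        return 1
    fi
    if netstat -ltn | listens_on 127.0.0.1:80; then
        echo "lighttpd listens on 127.0.0.1:80; the SSH tunnel has an endpoint"
    else
        echo "nothing listens on 127.0.0.1:80; check server.bind / server.port"
        netstat -ltn | awk '$1 == "tcp" { print "  listening:", $4 }'
        return 1
    fi
}

# Block LAN clients from reaching the web UI directly while loopback (and so
# the SSH tunnel) stays open. OpenWrt/Turris UCI syntax: a rule with src but
# no dest matches traffic addressed to the router itself. Run it only after
# the tunnel has been verified, otherwise the UI becomes unreachable.
block_lan_webui() {
    uci add firewall rule >/dev/null
    uci set firewall.@rule[-1].name='Block-LAN-to-WebUI'
    uci set firewall.@rule[-1].src='lan'
    uci set firewall.@rule[-1].proto='tcp'
    uci set firewall.@rule[-1].dest_port='80 443'
    uci set firewall.@rule[-1].target='REJECT'
    uci commit firewall
    /etc/init.d/firewall restart
}

case "${1:-}" in
    --live)  live_check ;;
    --block) block_lan_webui ;;
esac
```

Copy it to the router, run `sh check.sh --live` first, and only once the tunnel from your laptop works run `sh check.sh --block`.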

Works :partying_face:
I create the firewall rule like this, right?

Can I rename the file /etc/lighttpd/conf.d/40-ssl-enable.conf.bak back or is it still necessary? > /etc/lighttpd/conf.d/40-ssl-enable.conf

It will get renamed back to 40-ssl-enable.conf (or created) with every update so it is useless to move/delete/rename it. Do not fiddle with it, it bites back.

1 Like

All right :smiley:

Everything is working fine and I am super happy right now. Thank you so much hagrid! :bouquet:

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.