Hello,
why is HTTPS not default for LuCI and Fortis?
CU JB
It is. There is, however, a quite nasty warning about an untrusted certificate. That’s why an unencrypted connection is also allowed.
As I stated before (see linked post), any ideas how to get rid of such warning are welcome.
Hello Ondrej,
IMHO an unencrypted HTTP session should be disabled by default.
I would prefer an encrypted session with a warning.
CU JB
You are free to do it like that. But I doubt it is a sensible default for everyone. AFAIK there is no known attack vector that would make use of unencrypted HTTP in the default setup – that means access only from the LAN side and enforced Wi-Fi encryption.
Hello,
any idea how to set up SSL only for LuCI and Fortis?
Disabling non-SSL connections with
uci delete uhttpd.main.listen_http ; uci commit
does not work.
Regards Jörg
Hello,
done by myself:
delete the file /etc/lighttpd/conf.d/ssl-enable.conf
in /etc/lighttpd/lighttpd.conf:
server.port = 443
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd-self-signed.pem"
server.bind = "192.168.1.246" # optional
CU Jörg
Would be nice to have the lighttpd-mod-rewrite package so one could redirect the traffic to https.
Feel free to install the module:
root@kukuzi:~# opkg list lighttpd-mod-rewrite
lighttpd-mod-rewrite - 1.4.42-2 - URL rewriting module
opkg list lighttpd*
lighttpd - 1.4.42-2
lighttpd-mod-alias - 1.4.42-2
lighttpd-mod-cgi - 1.4.42-2
lighttpd-mod-fastcgi - 1.4.42-2
lighttpd-mod-setenv - 1.4.42-2
OK, I’ve had to run update first, now it’s available.
opkg list lighttpd-mod-rewrite
lighttpd-mod-rewrite - 1.4.42-2 - URL rewriting module
My bad. Thank you @quietsche.
Edit: The redirect to https was finally solved with lighttpd-mod-redirect and adding the following into /etc/lighttpd/conf.d/ssl-enable.conf:
$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
PS: Of course you need to restart the server after doing the changes with /etc/init.d/lighttpd restart
Does not work for me. lighttpd restarts fine, no error message, but no redirection either.
I use this, which works for me:
# cat /etc/lighttpd/conf.d/https-redirect.conf
$HTTP["scheme"] == "http" {
    # capture vhost name with regex conditional -> %0 in redirect pattern
    # must be the innermost block around the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
Works fine for me. Thanks.
Hey,
when I try to implement that I get the following error while restarting lighttpd:
2017-04-17 12:25:27: (server.c.1295) WARNING: unknown config-key: url.redirect (ignored)
And of course the redirect doesn’t work. Any ideas how to fix that? (I have Turris OS version 3.6.2).
EDIT: Sorry, the problem was the missing module… I just installed lighttpd-mod-rewrite and not lighttpd-mod-redirect. Now it works just fine.
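
Added example, not part of any post in this thread: two shell checks for the failure mode discussed above, where lighttpd restarts cleanly but ignores `url.redirect` because the module is missing, so HTTP keeps being served. The function names, the sample response headers and the address 192.168.1.1 are constructed for illustration; the log line is the one quoted in the thread.

```shell
#!/bin/sh
# Added example; sample inputs are constructed so the script runs offline.

# Print each config key lighttpd reported as ignored (reads its output on stdin).
ignored_keys() {
    sed -n 's/.*WARNING: unknown config-key: \([^ ]*\) (ignored).*/\1/p' | sort -u
}

# Succeed only if the response headers on stdin are a 30x redirect whose
# Location is exactly https://<host><path>: same host, same path, no plain HTTP.
# $1 = host that was requested, $2 = path that was requested
redirects_to_https() {
    want="https://$1$2"
    tr -d '\r' | awk -v want="$want" '
        NR == 1                    { ok_status = ($2 ~ /^30[1278]$/) }
        tolower($1) == "location:" { loc = $2 }
        END                        { exit !(ok_status && loc == want) }'
}

# Log line as quoted in the thread.
SAMPLE_LOG='2017-04-17 12:25:27: (server.c.1295) WARNING: unknown config-key: url.redirect (ignored)'

# Constructed response headers: a working redirect and a plain HTTP answer.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://192.168.1.1/cgi-bin/luci
'
SAMPLE_PLAIN='HTTP/1.1 200 OK
Content-Type: text/html
'

# On a live router the input would come from, for example:
#   curl -sI http://192.168.1.1/cgi-bin/luci | redirects_to_https 192.168.1.1 /cgi-bin/luci
printf '%s\n' "$SAMPLE_LOG" | ignored_keys
for sample in "$SAMPLE_REDIRECT" "$SAMPLE_PLAIN"; do
    if printf '%s' "$sample" | redirects_to_https 192.168.1.1 /cgi-bin/luci
    then echo "redirect to HTTPS confirmed"
    else echo "HTTP is still answered without an HTTPS redirect"
    fi
done
```

Any key printed by `ignored_keys` means a directive in the config had no effect, so the restart succeeding is not evidence that the redirect is active.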