LuCI & Foris should be HTTPS by default

Hello,

why is HTTPS not the default for LuCI and Foris?

CU JB

2 Likes

It is. There is, however, quite a nasty warning about an untrusted certificate. That’s why an unencrypted connection is also allowed.

As I stated before (see linked post), any ideas how to get rid of such warning are welcome.

Hello Ondrej,

IMHO an unencrypted HTTP session should be disabled by default.
I would prefer an encrypted session with a warning.

CU JB

You are free to do it like that. But I doubt it is a sensible default for everyone. AFAIK there is no known attack vector that would make use of unencrypted HTTP in the default setup – that means access only from the LAN side and enforced Wi-Fi encryption.

2 Likes

Hello,

any idea how to set up SSL only for LuCI and Foris?

Disabling non-SSL connections with

uci delete uhttpd.main.listen_http ; uci commit

does not work.

Regards Jörg

Hello,

done by myself:

  • delete the file /etc/lighttpd/conf.d/ssl-enable.conf

  • in /etc/lighttpd/lighttpd.conf:

server.port = 443
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd-self-signed.pem"
server.bind = "192.168.1.246" # optional

CU Jörg

Would be nice to have the lighttpd-mod-rewrite package so one could redirect the traffic to https.

Feel free to install the module ;)

root@kukuzi:~# opkg list lighttpd-mod-rewrite
lighttpd-mod-rewrite - 1.4.42-2 - URL rewriting module

1 Like

opkg list lighttpd*
lighttpd - 1.4.42-2
lighttpd-mod-alias - 1.4.42-2
lighttpd-mod-cgi - 1.4.42-2
lighttpd-mod-fastcgi - 1.4.42-2
lighttpd-mod-setenv - 1.4.42-2

OK, I’ve had to run update first, now it’s available.

opkg list lighttpd-mod-rewrite
lighttpd-mod-rewrite - 1.4.42-2 - URL rewriting module

My bad. Thank you @quietsche.

Edit: The redirect to https was finally solved with lighttpd-mod-redirect and adding the following into /etc/lighttpd/conf.d/ssl-enable.conf:

$SERVER["socket"] == ":80" {
	$HTTP["host"] =~ ".*" {
		url.redirect = (".*" => "https://%0$0")
	}
}

PS: Of course you need to restart the server after doing the changes with /etc/init.d/lighttpd restart

5 Likes

Does not work for me. lighttpd restarts fine, no error message, but no redirection either.

I use this, which works for me:

# cat /etc/lighttpd/conf.d/https-redirect.conf
$HTTP["scheme"] == "http" {
    # capture vhost name with regex conditional -> %0 in redirect pattern
    # must be the innermost block around the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

2 Likes

Works fine for me. Thanks.

Hey,

when I try to implement that I get the following error while restarting lighttpd:

2017-04-17 12:25:27: (server.c.1295) WARNING: unknown config-key: url.redirect (ignored) 

And of course the redirect doesn’t work. Any ideas how to fix that? (I have Turris OS version 3.6.2).

EDIT: Sorry, the problem was the missing module… I just installed lighttpd-mod-rewrite and not lighttpd-mod-redirect. Now it works just fine.
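
An added example, not part of any post in this thread: because lighttpd only warns about an unknown `url.redirect` key and keeps serving plain HTTP, the functions below flag ignored config keys in the restart output and confirm from response headers that port 80 really redirects to HTTPS. The function names, the `ROUTER` placeholder and the sample HTTP responses are assumptions made for illustration; the log line is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): check that the redirect is really active.

# Print each config key lighttpd reported as ignored. Reads log text on stdin,
# e.g. the output of `/etc/init.d/lighttpd restart 2>&1` or the error log.
ignored_keys() {
    sed -n 's/.*WARNING: unknown config-key: \([^ ]*\) (ignored).*/\1/p' | sort -u
}

# Map an ignored key to the opkg package that provides it.
package_hint() {
    case "$1" in
        url.redirect*) echo "lighttpd-mod-redirect" ;;
        url.rewrite*)  echo "lighttpd-mod-rewrite" ;;
        *)             echo "unknown" ;;
    esac
}

# Read HTTP response headers on stdin, e.g. `curl -sI "http://$ROUTER/"`
# (ROUTER is a placeholder). Succeeds only for a 3xx status whose Location
# header points at an https:// URL.
redirects_to_https() {
    awk '
        { sub(/\r$/, "") }
        NR == 1 && $2 ~ /^30[1278]$/ { redirect = 1 }
        tolower($1) == "location:" && $2 ~ /^https:\/\// { https = 1 }
        END { exit !(redirect && https) }
    '
}

# Log line quoted in the thread; the HTTP responses below are constructed.
SAMPLE_LOG='2017-04-17 12:25:27: (server.c.1295) WARNING: unknown config-key: url.redirect (ignored)'
for key in $(printf '%s\n' "$SAMPLE_LOG" | ignored_keys); do
    echo "ignored key: $key (install $(package_hint "$key"))"
done

printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://192.0.2.1/\r\n\r\n' |
    redirects_to_https && echo "redirect OK"
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' |
    redirects_to_https || echo "no redirect: HTTP is still served in the clear"
```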