User Tools

Site Tools

Accessing Web Interface Securely

This guide shows how to make LAN access more secure (excluding remote access) to the configuration/analysis web interfaces (Foris, reForis, LuCI, Netdata) by taking advantage of the protection of an ssh tunnel (OpenSSH) and port forwarding. (Freely inspired by the guide on for the uHTTPd web server

1. Configure lighttpd to listen on port 80 for the machine from which we initiate the connection via ssh.

  # vi /etc/lighttpd/lighttpd.conf

change the following items:

  #server.bind                 = "localhost"

will become

  server.bind                 = "localhost"

this makes communication with the device that establishes the ssh connection mandatory

  #server.port                 = 81

will become

  server.port                 = 80

this forces lighttpd to listen on port 80 only

  $SERVER["socket"] == "[::]:80" {  }

will become

  $SERVER["socket"] == "[::1]:80" {  }

always enable IPv6 only for localhost (you can also comment if you don't use IPv6)

2. Saved lighttpd.conf, you need to rename the ssl-enable.conf file in /etc/lighttpd/conf.d/ in ssl-enable.conf.bak.The file is used to enable listening on port 443 to use https, but in our case it is superfluous; in addition it also enables connection from any device on the LAN, which makes our work useless. Renaming the file will no longer load the configuration it contains.

  # mv /etc/lighttpd/conf.d/ssl-enable.conf /etc/lighttpd/conf.d/ssl-enable.conf.bak

We have finally completed the part concerning the lighttpd web server. Now let's move on to creating the configuration for ssh on PC (or iOS or Android).

3. From the command line (e.g. bash), we proceed to configure the file ~ /.ssh/config

  $ vi ~/.ssh/config

4. Let's create the following section to connect to our Turris

  Host turris
  User root
  Port 22

This will tell the user to log in as root via port 22 of the router with OpenSSH protocol and then to create local port forwarding, which will direct all traffic from port 8000 of the PC to port 80 of the router and vice versa.

We are ready to enter the router administration web interface, we just have to

5. Start the connection with ssh from PC

  $ ssh turris

6. Open the browser and connect to the following address

The game is done!

Hardening the method

To make everything even safer and save some RAM memory (very little), you can deactivate lighttpd whenever we do not need it and activate it only when it is really necessary. So we will further limit the possibilities of accessing the web interface, even if the attacker had access to our private ssh key.

1. From the router run the following command to deactivate and stop lighttpd

  # service lighttpd disable
  # service lighttpd stop

2. When we need it we will execute

  # service lighttpd start (no enable otherwise the service will be activated 
  automatically at each restart)

Turris 💕