This guide shows how to make LAN access (remote access is out of scope) to the configuration and monitoring web interfaces (Foris, reForis, LuCI, Netdata) more secure by putting them behind an SSH tunnel (OpenSSH) with port forwarding. (Freely inspired by the guide on openwrt.org for the uHTTPd web server: https://openwrt.org/docs/guide-user/luci/luci.secure)
1. Configure lighttpd to listen on port 80 on localhost only, so that it can be reached only from the machine that opens the ssh connection.
# vi /etc/lighttpd/lighttpd.conf
change the following items:
#server.bind = "localhost"
will become
server.bind = "localhost"
this restricts lighttpd to the loopback interface, so it can only be reached from the device that opens the ssh connection, through the tunnel
#server.port = 81
will become
server.port = 80
this makes lighttpd listen on port 80 (instead of 81) only
$SERVER["socket"] == "[::]:80" { }
will become
$SERVER["socket"] == "[::1]:80" { }
this keeps the IPv6 listener, but only on localhost (you can also comment the line out if you don't use IPv6)
2. Once lighttpd.conf is saved, rename the file ssl-enable.conf in /etc/lighttpd/conf.d/ to ssl-enable.conf.bak. That file enables listening on port 443 for https, which is superfluous in our case; moreover it accepts connections from any device on the LAN, which would make our work useless. Once renamed, the configuration it contains is no longer loaded.
# mv /etc/lighttpd/conf.d/ssl-enable.conf /etc/lighttpd/conf.d/ssl-enable.conf.bak
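Before moving on, a quick check that the changes took effect, added here and not part of the original guide: after restarting lighttpd so it rereads its configuration, pipe the output of `ss -ltn` (or `netstat -ltn`) on the router into the function below. It assumes the local address is the fourth column of either tool's output; the sample lines are constructed.

```shell
#!/bin/sh
# Added check, not from the original guide: confirm that the web-interface
# ports on the router are bound to loopback only. Feed it the output of
# `ss -ltn` or `netstat -ltn` (on both, the local address is the 4th column):
#   ss -ltn | find_exposed_listeners      # run on the router after restarting lighttpd

WEB_PORTS="80 443"   # ports the guide puts behind the tunnel

# Prints every listener on a web port that is NOT bound to 127.0.0.1 or ::1.
# Exit status: 0 = nothing exposed, 1 = at least one exposed listener.
find_exposed_listeners() {
    awk -v ports="$WEB_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /LISTEN/ {
            sock = $4
            port = sock; sub(/.*:/, "", port)          # text after the last colon
            addr = sock; sub(/:[^:]*$/, "", addr)      # everything before it
            gsub(/\[|\]/, "", addr)                    # strip IPv6 brackets: [::] -> ::
            if (!(port in want)) next
            if (addr == "127.0.0.1" || addr == "::1") next
            print sock
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample of what `ss -ltn` should show after steps 1 and 2:
# web ports on loopback only, ssh still reachable from the LAN.
SAMPLE_OK='LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 [::1]:80 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

if printf '%s\n' "$SAMPLE_OK" | find_exposed_listeners; then
    echo "OK: web interface reachable only through the tunnel"
else
    echo "WARNING: web interface still exposed on the LAN (see lines above)"
fi
```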
That completes the lighttpd web server part. Now let's move on to the ssh configuration on the PC (or iOS or Android).
3. From the command line (e.g. bash), edit the file ~/.ssh/config
$ vi ~/.ssh/config
4. Add the following section to connect to our Turris
Host turris
    Hostname 192.168.1.1
    User root
    Port 22
    LocalForward 127.0.0.1:8000 127.0.0.1:80
This tells ssh to log in as root on port 22 of the router and to set up a local port forward, so that traffic to port 8000 on the PC's loopback address is carried through the tunnel to port 80 on the router's loopback address, and the replies come back the same way.
We are now ready to open the router's administration web interface; we just have to
5. Start the connection with ssh from PC
$ ssh turris
6. Open the browser and connect to the following address
http://127.0.0.1:8000/
That's it!
To make everything even safer (and save a little RAM), you can disable lighttpd whenever it is not needed and start it only when it is really necessary. This further limits access to the web interface, even if an attacker had obtained our private ssh key.
1. From the router run the following command to deactivate and stop lighttpd
# service lighttpd disable
# service lighttpd stop
2. When we need it we will execute
# service lighttpd start
(no enable, otherwise the service would be activated automatically at each restart)
Turris 💕