Android app not connecting since SSL

bence · March 6, 2023, 5:17pm

I have configured Nginx on Beryl AX to forward port 80 to 443 so only HTTPS access is available to the web interface. This is probably the reason why the Android app doesn’t connect to the router anymore.
I am not familiar with how it works, but I guess it uses some API on HTTP, which could be using HTTPS by default since that is available out of the box. Not a big deal, I can live without the app, just a suggestion.

Alternatively is there maybe a detailed config for Nginx that forwards the web access, but leave the API alone on 80?

Cheers

yuxin.zou · March 7, 2023, 2:31am

What is the firmware version of your router?
Some features of version 4.1 still have problems adapting to the https api, e.g. tor. Therefore the app uses the http interface. If you upgrade the firmware to version 4.2, the app should use https.

You can modify /etc/nginx/conf.d/gl.conf to modify the port settings of nginx.

bence · March 7, 2023, 6:35am

I am using firmware 4.2 and I did modify /etc/nginx/conf.d/gl.conf, since then the app does not connect.

yuxin.zou · March 7, 2023, 9:58am

Do you want to use https on port 80? That is not supported by the app at the moment.
In a later firmware release we will provide the ability to change the access port so that the app can use https on any port.

bence · March 7, 2023, 10:59am

I don’t want to use port 80, I redirected port 80 to 443 like this:

server {
   listen 80 default_server;
   server_name _;
   return 301 https://$host$request_uri;
}

Works great on web, but the app does not connect.

razor225 · March 7, 2023, 2:01pm

The mobile app doesn’t work when I’m in the guest Wi-Fi. Is that expected? @Leo

bence · March 7, 2023, 2:14pm

That makes sense, I wouldn’t expect a “guest” device to have access to an admin app. A guest doesn’t have access to anything on the local lan.

bence · March 8, 2023, 9:54am

@yuxin.zou ,

I found that app shows me all the logs and contrary to your statement it is not even trying to communicate over https:

2023-03-08 10:46:16.582732
*** Request ***
uri: http://192.168.8.1/cgi-bin/api/router/hello
data:
null

2023-03-08 10:46:16.582946
*** Request ***
uri: http://192.168.8.1/rpc
data:
{"jsonrpc":"2.0","method":"call","params":["","ui","check_initialized",{}],"id":1}

...

2023-03-08 10:46:16.787424
*** DioError ***:
uri: http://192.168.8.1/rpc
DioError [DioErrorType.response]: Http status error [301]
uri: http://192.168.8.1/rpc
Request Data: {"jsonrpc":"2.0","method":"call","params":["","ui","check_initialized",{}],"id":1}
Response Text:
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.17.7</center>
</body>
</html>



2023-03-08 10:46:16.787624
出现异常
2023-03-08 10:46:17.025148
*** DioError ***:
uri: http://192.168.8.1/cgi-bin/api/router/hello
DioError [DioErrorType.other]: HandshakeException: Handshake error in client (OS Error: 
	CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(handshake.cc:393))

2023-03-08 10:46:17.027128
*** Request ***
uri: http://192.168.76.1/cgi-bin/api/router/hello
data:
null

yuxin.zou · March 9, 2023, 7:33am

check_initialized API used get firmware version. So it is need use http.
We will discuss it when we provide the ability to change the access port.