Basic question: Why is nginx listening at 80 and 443?

Hi mates

I have a Flint and I don’t have the DDNS HTTP (80) nor HTTPS enabled, so I wonder why nginx is listening.

What does flint use nginx for?

Thanks in advance :grinning:

For the web interface.

2 Likes

What @admon said.

The GL GUI & underlying OpenWrt OS LuCI interface (GL GUI → System → Advanced Settings) both use it.

root@flint:~# netstat -natp | grep nginx
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4527/nginx.conf -g
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4527/nginx.conf -g
tcp        0      0 :::443                  :::*                    LISTEN      4527/nginx.conf -g
tcp        0      0 :::80                   :::*                    LISTEN      4527/nginx.conf -g
root@flint:~# ps -w | grep -v grep | grep nginx
 4527 root      6876 S    nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf -g daemon off;
 4738 root     10080 S    nginx: worker process
 4739 root      9440 S    nginx: worker process
 4740 root      9592 S    nginx: worker process
 4741 root      9656 S    nginx: worker process
root@flint:~# ps -w | grep -v grep | grep gl-ngx-session
10326 root      3760 S    {gl-ngx-session} /usr/bin/lua /usr/sbin/gl-ngx-session
1 Like

Well I feel quite stupid :rofl::rofl::rofl:

Obviously the web interface :person_facepalming::person_facepalming:

Are these ports configurable? Just to learn. Should I change them?

And the opposite: could I listen only on port 80 if I don’t use HTTPS in my LAN?

Thanks in advance

Yes and no. Don’t do it if you are a newbie.
Play around with some linux VM or sth. like that.

And I can predict the answer of @bring.fringe18 which will be … yes you can change and yes you should change because of security. :face_with_hand_over_mouth:

NOOOOOO! Don’t even think about touching those nginx confs. At best you’ll lock yourself out of the UIs, at worst you’ll be kicked offline until you attempt recovery via U-boot.

1 Like

Those confs pull system critical lua scripts including interfacing w/ the RPC daemon. There’s a fine line between bravery & stupidity. I’m not that stupid.

root@flint:~# cat /etc/nginx/conf.d/gl.conf
index gl_home.html;

lua_shared_dict shmem 12k;
lua_shared_dict nonces 16k;
lua_shared_dict sessions 16k;
lua_code_cache off;

init_by_lua_file /usr/share/gl-ngx/oui-init.lua;

server {
    listen 80;
    listen [::]:80;

    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
    ssl_session_tickets off;

    ssl_certificate /etc/nginx/nginx.cer;
    ssl_certificate_key /etc/nginx/nginx.key;

    resolver 127.0.0.1 ipv6=off;

    rewrite ^/index.html / permanent;

    location = /rpc {
        content_by_lua_file /usr/share/gl-ngx/oui-rpc.lua;
    }

    location = /upload {
        content_by_lua_file /usr/share/gl-ngx/oui-upload.lua;
    }

    location = /download {
        content_by_lua_file /usr/share/gl-ngx/oui-download.lua;
    }

    location /cgi-bin/ {
        include fastcgi_params;
        fastcgi_read_timeout 300;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
    }

    location ~.*\.(html|png|jpg|svg)$ {
        add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";
    }

    include /etc/nginx/gl-conf.d/*.conf;
}
2 Likes
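
The gl.conf above listens on every interface (the netstat output earlier in the thread shows the same 0.0.0.0 and :: binds) and still enables TLSv1 and TLSv1.1. The following Python audit is an added example, not GL.iNet's code: it parses the directives from that config, flags both points, and checks a hardened counterpart that assumes 192.168.8.1 is the router's LAN address.

```python
import re

# Constructed sample: the listen/TLS directives of /etc/nginx/conf.d/gl.conf as posted above.
GL_CONF = """
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets off;
}
"""

# Hardened counterpart (assumption: 192.168.8.1 is the router's LAN address).
HARDENED_CONF = """
server {
    listen 192.168.8.1:80;
    listen 192.168.8.1:443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
}
"""

DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}

def parse_directives(text):
    """Yield (name, args) per simple directive; braces end statements, '#' comments are dropped."""
    text = re.sub(r"#.*", "", text)          # quoted ';' or '#' is not handled (none in gl.conf)
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def binds_all_interfaces(addr):
    """True for listen forms meaning 'every interface': 80, *:80, 0.0.0.0:80, [::]:80."""
    if addr.startswith("["):
        return addr.startswith("[::]")
    return ":" not in addr or addr.startswith(("*:", "0.0.0.0:"))

def audit(conf_text):
    """Return human-readable findings for wildcard binds and deprecated TLS versions."""
    findings = []
    for name, args in parse_directives(conf_text):
        if name == "listen" and args and binds_all_interfaces(args[0]):
            findings.append(f"listen {args[0]} binds every interface, WAN included unless the firewall blocks it")
        elif name == "ssl_protocols":
            for proto in sorted(DEPRECATED_TLS & set(args)):
                findings.append(f"ssl_protocols enables deprecated {proto}")
    return findings
```

Running `audit(GL_CONF)` yields six findings (four wildcard listens, TLSv1 and TLSv1.1), while `audit(HARDENED_CONF)` yields none.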

Hahaha

Thanks both of you :clap::clap::clap::clap:

I’m not exactly a newbie; I’m a Linux administrator, so I would do everything via SSH, keeping the original files to reverse everything via SSH.

In any case I don’t interfere with the Flint scripts, so I will leave everything in peace :grinning:

The goal is simple but useful for me.

In my company the proxy only allows me outgoing connections to 80 and 443, so this is the reason I would like to change it.
At the moment I sometimes use an SSH tunnel to my Raspberry in order to browse using a SOCKS5 server.

I connect to port 443 and I do a NAT to 22 in the router.
I would like to do it directly using the Flint and shut down the Raspi.

I know that it is a pedestrian trick but it works :grinning:

I hope I could explain correctly. Sorry for my English.

I didn’t tell you before because it is difficult for me to explain in English.

Again, thanks to both of you. You have made me feel very comfortable here :grinning:

Throw this in your crontab (/etc/crontabs/root). /etc/sysupgrade.conf will let you add addn’l dirs/confs to the tarball… assuming you have a drive in that USB3 port mounted, of course.

# Monthly at 03:00: keep the 52 newest tarballs, then take a fresh backup. The date part is
# ISO-8601 (date -I gives YYYY-MM-DD) so that sort -r orders names chronologically and no
# spaces reach xargs; the hostname is read from /proc because cron's shell may not set HOSTNAME.
0 3 1 * * find "/mnt/sda1/backup/tarballs" -type f -name "backup-*.tar.gz" | sort -r | awk 'NR > 52' | xargs rm -f; sysupgrade -b "/mnt/sda1/backup/tarballs/backup-$(cat /proc/sys/kernel/hostname)-$(cat /sys/class/net/eth0/address | tr '[:lower:]' '[:upper:]' | tr -d ':')-$(date -I).tar.gz"
1 Like

Are you sure that no other ports are allowed?
Often there are a few other ports because of daily business.

Possibilities:
UDP 53
TCP 21
TCP 3389
UDP 161
TCP 8080
TCP 8443

Would be interesting to check those as well. :sunglasses:

2 Likes

So you’re currently using an RPi as a jump box because of the restricted network environment. Okay, wanting to take nginx off :443 makes perfect sense then. Yeah, I’d do it in your particular case. LuCI is just a front end to uci anyways but I hate uci so I just go straight for editing the confs.

Don’t forget vim-full & vim-fuller are available in the opkg repos… so’s emacs but who in their right mind would run that?! /s

Your English is fine.

Cheers. It’s fun to ‘shoot the sh!t’ with you.

1 Like