Basic question:Why is nginx listening at 80 and 443?

Hi mates

I have a Flint and I don’t have the ddns 80 http nor https enable so I wonder why is nginx listening.

What does flint use nginx for?

Thanks in advance :grinning:

For the webinterface.


What @admon said.

The GL GUI & underlying OpenWrt OS LuCI interface (GL GUI → System → Advanced Settings) both use it.

root@flint:~# netstat -natp | grep nginx
tcp        0      0   *               LISTEN      4527/nginx.conf -g
tcp        0      0    *               LISTEN      4527/nginx.conf -g
tcp        0      0 :::443                  :::*                    LISTEN      4527/nginx.conf -g
tcp        0      0 :::80                   :::*                    LISTEN      4527/nginx.conf -g
root@flint:~# ps -w | grep -v grep | grep nginx
 4527 root      6876 S    nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf -g daemon off;
 4738 root     10080 S    nginx: worker process
 4739 root      9440 S    nginx: worker process
 4740 root      9592 S    nginx: worker process
 4741 root      9656 S    nginx: worker process
root@flint:~# ps -w | grep -v grep | grep gl-ngx-session
10326 root      3760 S    {gl-ngx-session} /usr/bin/lua /usr/sbin/gl-ngx-session
1 Like

Well I feel quite stupid :rofl::rofl::rofl:

Obviously the web interface :person_facepalming::person_facepalming:

Are this ports configurables? Just to learn. Should I change them?

And the opposite. Could I listen only in the 80 if y don’t use HTTPS in my LAN?

Thanks in advance

Yes and no. Don’t do it if you are a newbie.
Play around with some linux VM or sth. like that.

And I can predict the answer of @bring.fringe18 which will be … yes you can change and yes you should change because of security. :face_with_hand_over_mouth:

NOOOOOO! Don’t even think about touching those nginx confs. At best you’ll lock yourself out of the UIs, at worst you’ll be kicked offline until you attempt recovery via U-boot.

1 Like

Those confs pull system critical lua scripts including interfacing w/ the RPC daemon. There’s a fine line between bravery & stupidity. I’m not that stupid.

root@flint:~# cat /etc/nginx/conf.d/gl.conf
index gl_home.html;

lua_shared_dict shmem 12k;
lua_shared_dict nonces 16k;
lua_shared_dict sessions 16k;
lua_code_cache off;

init_by_lua_file /usr/share/gl-ngx/oui-init.lua;

server {
    listen 80;
    listen [::]:80;

    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;

    ssl_certificate /etc/nginx/nginx.cer;
    ssl_certificate_key /etc/nginx/nginx.key;

    resolver ipv6=off;

    rewrite ^/index.html / permanent;

    location = /rpc {
        content_by_lua_file /usr/share/gl-ngx/oui-rpc.lua;

    location = /upload {
        content_by_lua_file /usr/share/gl-ngx/oui-upload.lua;

    location = /download {
        content_by_lua_file /usr/share/gl-ngx/oui-download.lua;

    location /cgi-bin/ {
        include fastcgi_params;
        fastcgi_read_timeout 300;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;

    location ~.*\.(html|png|jpg|svg)$ {
        add_header Cache-Control "private, no-store, no-cache, must-revalidate, proxy-revalidate";

    include /etc/nginx/gl-conf.d/*.conf;


Thanks both of you :clap::clap::clap::clap:

I’m not exactly a newbie, I’m a Linux administrator so I would do everything via SSH keeping the original files to reverse everything via SSH.

Anycase I don’t interfiere with the flint scripts so I will remain everything in peace :grinning:

The goal is simple but useful for my.

In my company the proxy only allows me outgoings connection to 80 and 443 so this is the reason I would like to change.
At this moment sometimes y use a SSH túnel to my raspberry in order to navigate using a shocks5 server.

I connect to 443 port and I do s NAT to 22 in the router.
I would like to do it directly using flint and shutdown the Raspi.

I know that is a pedestrian trick but it works :grinning:

I hope I could explain correctly. Sorry for my English.

I din’t tell your before because it difficult to explain for me in English.

Again thanks to both of you. You have feel me very comfortable here :grinning:

Throw this in your crontab (/etc/crontabs/root). /etc/sysupgrade.conf will let you add addn’l dirs/confs to the tarball… assuming you have a drive in that USB3 port mounted, of course.

0 3 1 * * find "/mnt/sda1/backup/tarballs" -type f -name "backup-*.tar.gz" | sort -r | awk 'NR > 52' | xargs rm -f; sysupgrade -b "/mnt/sda1/backup/tarballs/backup-${HOSTNAME}-$(cat /sys/class/net/eth0/address | tr '[:lower:]' '[:upper:]' | tr -d ':')-$(date).tar.gz"
1 Like

Are you sure that no other ports are allowed?
Often there are a few other ports because of daily business.

UDP 53
TCP 21
TCP 3389
UDP 161
TCP 8080
TCP 8443

Would be interesting to check those as well. :sunglasses:


So you’re currently using a RPi as a jump box because of the restricted network environment. Okay, wanting to take ngnix off :443 makes perfect sense then. Yeah, I’d do it in your particular case. LuCI is just a front end to uci anyways but I hate uci so I just go straight for editing the confs.

Don’t forget vim-full & vim-fuller are available in the opkg repos… so’s emacs but who in their right mind would run that?! /s

Your English is fine.

Cheers. It’s fun to ‘shoot the sh!t’ with you.

1 Like