Enable HTTPS login for router

Hello,

First off, I really appreciate these routers. They’re small, open sourced and quite durable.

One thing that sits high on my list of things to change is to enable HTTPS for the dashboard and enforce HTTPS when downloading/updating packages and connecting to a vpn.

Could someone point me in the correct direction and/or share some info on how to enable HTTPS for the dashboard and whatnot? Also, are there any suggestions to help secure this great little tool?

Thanks for any time put forth on the topic and have a wonderful day.

2 Likes

We have a whole week's holiday and will come back to you later. Please do reply again if this is not answered.

Update?

I just got HTTPS and redirect from HTTP to work on the AR750 (v2.27):

  1. ssh into your router with root

  2. create certificate:

mkdir /etc/lighttpd/certs
cd /etc/lighttpd/certs
openssl req -new -x509 -keyout lighttpd.pem -out lighttpd.pem -days 3650 -nodes
chmod 400 lighttpd.pem

  3. configure lighttpd

/etc/init.d/uhttpd disable
opkg update
opkg install lighttpd-mod-redirect
vi /etc/lighttpd/lighttpd.conf

add to end of file

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
}

$SERVER["socket"] == ":80" {
    $HTTP["host"] =~ "^(.*)$" {
        url.redirect = ( "^/(.*)" => "https://%1/$1" )
    }
}

  4. restart webserver and check if it works

/etc/init.d/lighttpd restart

  5. reboot

reboot

2 Likes

This doesn’t seem to work on the GL-AR750S. Particularly, I noticed that the lighttpd.conf file gets overwritten with its original contents, post-reboot. Even before rebooting, but after restarting lighttpd, I couldn’t access the admin portal on https. I also tried changing the default port from 80 to 443.

Check /etc/init.d/lighttpd and remove the two lines with ‘cp’ command.

Then lighttpd.conf will not be overwritten. This is actually a bug in the script. The router wants to ensure the web server is up, but it failed to check the correct version.

This is broken for me because it can’t load the OpenSSL module.

(plugin.c.229) dlopen() failed for: /usr/lib/lighttpd/mod_openssl.so Error loading shared library /usr/lib/lighttpd/mod_openssl.so: No such file or directory

The lighttpd SSL module opkg doesn’t seem to exist so I checked if SSL is compiled in:

root@GL-AR750S:/etc/lighttpd# lighttpd -v
lighttpd/1.4.48 (ssl) - a light and fast webserver

It is compiled in, but activating SSL gives the same error. I have libopenssl installed.

I managed to fix it by downloading the lighttpd package from openwrt.org:

https://downloads.openwrt.org/releases/18.06.1/packages/mips_24kc/packages/lighttpd_1.4.48-3_mips_24kc.ipk

For GL-AR750S - Slate: It is all working like a charm
It is working almost out of the Box - https is up and running but not default
I did the following steps to make https the default:

  • ssh to the box
  • Install redirect
      • opkg update
      • opkg install lighttpd-mod-redirect
  • edit /etc/lighttpd/conf.d/30-openssl.conf

Original

#######################################################################
##  openssl Module
## ---------------

server.modules += ( "mod_openssl" )

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine                 = "enable"
        ssl.pemfile                = "/etc/lighttpd/server.pem"
}

append the following:

else $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

Result:

#######################################################################
##  openssl Module
## ---------------

server.modules += ( "mod_openssl" )

$SERVER["socket"] == "0.0.0.0:443" {
        ssl.engine                 = "enable"
        ssl.pemfile                = "/etc/lighttpd/server.pem"
} else $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

  • save 30-openssl.conf
  • restart lighttpd : /etc/init.d/lighttpd restart
  • check your Slate-Site

DONE :slight_smile:

2 Likes
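A check for the redirect rules posted above, as an added example that is not part of the original thread: it reads HTTP response headers and confirms that a plain-HTTP request is answered with a redirect to https:// on the same host rather than with the login page. The function name and the sample responses are constructed for illustration; having curl on a LAN client is an assumption.

```shell
#!/bin/sh
# Added example: decide from raw HTTP response headers whether a plain-HTTP
# request was redirected to HTTPS on the same host.
# Usage from a LAN client (assumes curl is installed there):
#   curl -sI http://192.168.8.1/ | check_https_redirect 192.168.8.1

# check_https_redirect HOST   (response headers on stdin)
# returns 0 if redirected to https://HOST/..., 1 otherwise
check_https_redirect() {
    want_host=$1
    code=
    location=
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')          # strip CR of CRLF
        case $line in
            HTTP/*)        code=$(printf '%s' "$line" | cut -d' ' -f2) ;;
            [Ll]ocation:*) location=$(printf '%s' "${line#*:}" | sed 's/^ *//') ;;
        esac
    done
    case $code in
        301|302|307|308) ;;
        *) echo "FAIL: status ${code:-none}, content served over plain HTTP"
           return 1 ;;
    esac
    case $location in
        "https://$want_host"|"https://$want_host/"*)
            echo "OK: $code -> $location"; return 0 ;;
        *)  echo "FAIL: redirect target is '$location'"; return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real router).
sample_ok='HTTP/1.1 301 Moved Permanently
Location: https://192.168.8.1/
'
sample_bad='HTTP/1.1 200 OK
Content-Type: text/html
'
printf '%s' "$sample_ok"  | check_https_redirect 192.168.8.1
printf '%s' "$sample_bad" | check_https_redirect 192.168.8.1 || true
```

A 200 on port 80 means the dashboard is still reachable without TLS, which is the case the later posts about the missing lighttpd-mod-redirect package describe.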

hi,

Sorry to drag up an old thread but I was trying to add an SSL/HTTPS access to the dashboard of one of these handy routers - mine being GL-MT300N-V2.

I followed the above steps and the files were there after reboot but I got the following error when browsing to GL-MT300N-V2 dashboard

MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

It seems as though the certificate is not accepted because it’s generated by itself? Is there a way to get a recognized third party cert installed? I recently upgraded the firmware to 3.102 and see some new plugins like ACME (for issuing certificates)

1 Like

Hello!
Can someone put a complete step by step on how to configure to access HTTPS
UI in AR750 & AR750S from scratch? I am having trouble getting it to work fine.
The “dagee71” solution doesn’t work for me.
I have 3.104 on AR-750S Firmware and 3.102 on AR750 .
Thank you!

Does the firmware update of the GL router run without HTTPS, or is it “only” the access to the admin menu that is insecure? Because the validation method of the firmware is outdated too. See 750-3.100-1217, unsecure firmware validation check

So there is no easy (for non technical people) way to enable only https for the web admin panel? I mean easier than the instructions above, like maybe a toggle button in the admin panel.

By the way, is the web admin panel (192.168.8.1) accessible via WAN also or only LAN by default? If I am connected to the internet via ISP or VPN and access web admin panel with http, can ISP or VPN see the password I input for the admin panel and for wifi?

You can enable ssh via ddns part.

By default, http only works on LAN side.

Could anyone compile lighttpd-mod-redirect for FW 3.201 for Slate? This worked for me perfectly on the prev FW, but for the new one this package is not available…

@alzhao

Just a gentle bump here :wink:

I’m using Slate, clean install on 3.105 and upgraded to 3.201, settings kept.
Able to login https just fine

I can login with https as well! I’d need lighttpd-mod-redirect, so that on attempts to login via the Web UI I’ll get redirected automatically to https, making http login impossible.

Tried to install the lighttpd-mod-redirect package from Openwrt 19.07, but that made the Web UI inaccessible, had to uninstall it via ssh - so we’d need the gl inet guys to compile it for FW 3.201 for AR750S. It IS available for Beryl…

Sorry to necro a thread, but are @dagee71's instructions still the correct way to set up http redirects for the web interface? It seems to be working, but I get the error

sed: /etc/lighttpd/conf.d/10-port.conf: No such file or directory

when I restart lighttpd. Can this message be safely ignored? I’m using a Beryl with firmware 3.211. Thanks!

You can omit that message.