OpenWrt provides the luci management interface, which allows the router to be configured graphically. When we open the luci interface over HTTP at the LAN address, the browser warns that the connection is not secure; most browsers offer an option to skip the warning and continue.
However, when we open the luci interface at the WAN address, the latest version of Chrome refuses outright to load insecure HTTP links. If the site does not support HTTPS, the page cannot be opened, so the luci interface is unreachable from the external network.
First, note that if you want to access the luci interface through the WAN, you need to configure the firewall to allow it. For specific instructions, please refer to: https://blog.niekun.net/archives/1818.html
Then we configure an SSL certificate for luci so that Chrome will allow the connection.
First, install the relevant programs:
opkg update && opkg install openssl-util luci-app-uhttpd
This installs the openssl command-line tools and luci-app-uhttpd, which adds a graphical configuration page for uhttpd.
Next, we will generate the required SSL certificate files.
First, create the certificate configuration file (myconfig.conf, the file passed to the openssl command below) in the ssl directory. openssl expects the settings grouped into the sections named by the req section, so the file looks like this:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
string_mask = utf8only

[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = OpenWrt
OU = Home Router
CN = luci.openwrt

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = luci.openwrt
IP.1 = 192.168.1.1
You can modify C (country), ST (state), L (location), O (organization), and OU (organization unit) to your desired content.
CN and DNS.1 must be the same name, since both give the domain name this certificate represents, which maps to the router's IP. If you have configured a hosts entry for the luci address, use that domain name here; afterwards you can reach the interface by visiting that name instead of the IP.
IP.1 is the luci web address; set it to the corresponding IP.
After saving the configuration file, return to the ssl directory (/etc/ssl) and execute the following command:
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout mycert.key -out mycert.crt -config myconfig.conf
It will automatically create the mycert.key and mycert.crt files in the current directory.
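The generation step above, as an added shell example that is not part of the original post: it writes the same myconfig.conf, runs the same openssl command, and then checks the result the way you would want to before uploading it to uhttpd (key and certificate belong together, the SAN carries the IP and name the browser will use, the certificate is not expired). The helper names and the output-directory argument are my own.

```shell
# Added example, not from the original post. Helper names and the output
# directory argument are my own; the config mirrors the post's myconfig.conf.

# $1 = output dir, $2 = LuCI IP (IP.1), $3 = name used for both CN and DNS.1
write_luci_conf() {
    cat > "$1/myconfig.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
string_mask = utf8only
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = OpenWrt
OU = Home Router
CN = $3
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $3
IP.1 = $2
EOF
}

# Same openssl invocation as the post (2048-bit RSA, 730 days, self-signed).
make_luci_cert() {
    write_luci_conf "$1" "$2" "$3"
    openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout "$1/mycert.key" \
        -out "$1/mycert.crt" -config "$1/myconfig.conf" 2>/dev/null
}

# Checks worth running before uploading to uhttpd: the key really belongs to
# the cert, the SAN carries the IP and name the browser will use, and the
# cert is not expired. Returns 0 only if all three hold.
check_luci_cert() {
    crt=$1/mycert.crt; key=$1/mycert.key
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || { echo "key/cert mismatch"; return 1; }
    text=$(openssl x509 -in "$crt" -noout -text)
    case $text in *"IP Address:$2"*) ;; *) echo "IP.1 missing from SAN"; return 1 ;; esac
    case $text in *"DNS:$3"*) ;; *) echo "DNS.1 missing from SAN"; return 1 ;; esac
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "expired"; return 1; }
}
```

On the router you would call `make_luci_cert /etc/ssl 192.168.1.1 luci.openwrt` followed by `check_luci_cert /etc/ssl 192.168.1.1 luci.openwrt`; a non-zero exit from the check means the files should not be uploaded yet.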
Next, open the luci web interface through the LAN. A "Services" menu has been added at the top; click "uhttpd" to enter the configuration page, and upload the crt and key files into the HTTPS Certificate and HTTPS Private Key fields respectively:
Then click on "save and apply".
Restart the uhttpd service (for example with /etc/init.d/uhttpd restart) so that the new certificate is loaded.
At this point, when we use Chrome to open the luci web interface at the WAN address, it will still warn that the certificate has issues, because the certificate is self-signed rather than issued by a CA the browser trusts, but there is now an option to proceed and the page loads normally.
Next, we add the SSL files we just generated to the backup list. By default, only files under /etc/config are backed up automatically.
Go to System → Backup/Flash Firmware, click the Configuration tab, add /etc/ssl/mycert.key to the list, and click Save.
Afterwards, the backup we generate will include these files.
Disabling Forced HTTPS Redirection
By default, uhttpd's settings will enable "Redirect all HTTP to HTTPS":
With this enabled, even HTTP requests are automatically redirected to the HTTPS page. This works fine locally, but in testing, when the luci page is reached from the external network through an frp reverse tunnel, Chrome shows a "redirected you too many times" error, indicating an infinite redirect loop.
Because my frp configuration converts HTTP to HTTPS, frp needs to reach the local HTTP service rather than HTTPS. With the redirect enabled, each request that frp forwards to the router as HTTP is answered with a redirect to HTTPS, which comes back through frp as HTTP again, and the loop never ends.
The solution is to uncheck the "Redirect all HTTP to HTTPS" option and then restart the router. This will allow normal access to the luci page through frp.
If you do not want to disable HTTPS redirection, you can also use the plugin_http2https plugin of frpc to convert local HTTPS to HTTP and then forward it to frps. For specific instructions, please refer to the tutorial: https://blog.niekun.net/archives/539.html