Feature Request: Prevent WAN access to Web GUI #295
Comments
Apologies if this is a newbish answer.. I don't understand this very well.. You can control this through the lighttpd config (found at /etc/lighttpd/lighttpd.conf). By default lighttpd listens on any IP address configured on the system and responds to a request on port 80. Check this by running

This means that lighttpd (i.e. the web server) is listening on any IP address and will respond to any HTTP request. If you don't want that, then you need to specify the listening address in the lighttpd.conf file. Sorry for the formatting etc.. I hope it is useful.. The first block (the greyed out block below this starting with $HTTP["scheme"]) is the generic redirect of all HTTP traffic to the address set in <b.b.b.b> to HTTPS (refer to the FAQ for a better explanation of how to set this up). The bolded line is the directory path to where your certificate is stored. The next line of code sets lighttpd to listen for HTTPS requests to the UI on the interface with IP address <a.a.a.a> on port ### (whatever number you choose).

```
server.modules = (
#server.document-root = "/var/www/html"
index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
compress.cache-dir = "/var/cache/lighttpd/compress/"
# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
```

A script that will configure lighttpd to listen natively on the LAN side and redirect HTTP requests to HTTPS, and then listen on HTTPS only on the WAN side will look something like this:
This works, but ideally it should be a check-box in the UI "Allow WAN access to Web UI". After all, this project is about creating an easy to use Wireless AP solution with the Pi.

IMHO it would be best to expose the "bind configuration" in the web interface. So you can configure there, at which address (and port – but this is something you can already configure) it should listen.

The web UI is protected with an encrypted password, so it's not really accessible on the WAN side as described. However, it's a potential security issue for installs with default passwords. I think @quamby's suggestion using lighttpd.conf is the best approach here, and I agree with @rugk that giving the user control of the bind address on the System > Advanced tab makes sense.
Hi there,
I've set up a clean Raspberry Pi 3B+ with a fresh Raspbian Lite.
Installed hostapd and dnsmasq according to
https://github.com/SurferTim/documentation/blob/6bc583965254fa292a470990c40b145f553f6b34/configuration/wireless/access-point.md
I did not set up a bridge device, because I prefer the Pi to function as a DHCP/NAT device. Everything seems to work properly, clients connect to the AP, receive IP addresses, and are able to browse online.
However, upon testing, I found that the RaspAP web portal is accessible from the WAN side. This seems to be a potential security issue.
I was unable to find any option in the GUI to disable this behavior. Have I perhaps misconfigured something, or are there simple config options that I have overlooked? One possible workaround I've managed to come across is to set up an iptables rule to prevent port 80 access from WAN.
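The two defensive steps discussed in this thread (checking which addresses the web server is bound to, as @quamby suggests, and the iptables workaround mentioned in the issue) as an added shell example. This is not RaspAP project code and not something any participant posted: the `ss` output embedded below is constructed for the example, and the interface name `eth0` (WAN) and the address `192.168.50.1` (LAN) are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not part of RaspAP): audit the web server's bind addresses and
# emit iptables rules that keep the web UI reachable from the LAN only.

# Constructed sample in the column layout of `ss -Hltn` (State Recv-Q Send-Q
# Local:Port Peer:Port). Port 80 is bound to every address (the default
# lighttpd behaviour described in the thread); 443 is bound to the LAN address.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 192.168.50.1:443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# wildcard_listeners: read `ss -ltn` style lines on stdin and print the port of
# every listener bound to a wildcard address (0.0.0.0, [::] or *), one per line.
wildcard_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        sub(/:[0-9]+$/, "", addr)          # strip the trailing :port
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") {
            n = split($4, parts, ":")      # port is the last colon-separated field
            print parts[n]
        }
    }'
}

# listeners_exposed LISTENER_TEXT PORT: succeed (exit 0) when PORT is listening
# on a wildcard address, i.e. the service answers on the WAN side too.
listeners_exposed() {
    printf '%s\n' "$1" | wildcard_listeners | grep -qx "$2"
}

# wan_block_rules WAN_IFACE PORT [PORT...]: print iptables commands that drop
# new TCP connections to the given ports arriving on the WAN interface. Traffic
# from the LAN interface is untouched. Assumed interface names; rules are not
# persistent across reboots unless saved with the distribution's mechanism.
wan_block_rules() {
    iface="$1"
    shift
    for p in "$@"; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j DROP\n' \
            "$iface" "$p"
    done
}

# Run the audit on the constructed sample; on a live host pipe `ss -Hltn` into
# wildcard_listeners instead.
printf '%s\n' "$SAMPLE_LISTENERS" | wildcard_listeners | while read -r p; do
    echo "listener on port $p is bound to all addresses (reachable from WAN)"
done

# Print (do not apply) the rules for the web UI ports on the assumed WAN interface.
wan_block_rules eth0 80 443
```

The audit answers the question left open in the thread ("check this by running"): a `0.0.0.0:80` or `[::]:80` entry means lighttpd is answering on the WAN interface as well. Changing `server.bind` in lighttpd.conf, as @quamby describes, removes the wildcard listener at the source; the printed iptables rules are the interface-level workaround from the issue and should only be applied after confirming which interface is actually the WAN side on the host.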