LAN HTTPS Reverse Proxy Gateway for OpenWrt
Manage nginx reverse proxy, automatic ACME certificate issuance, and local DNS resolution through a LuCI web UI, providing HTTPS access for all your LAN services with zero manual configuration.

| Feature | Description |
|---|---|
| Multi-domain | Add domains freely, each with an automatically issued TLS certificate |
| Wildcard certs | `*.example.com`: one certificate covers all subdomains |
| Reverse proxy | Proxy any HTTP service on LAN or public networks |
| WebSocket | One-click Upgrade header injection for real-time apps |
| Auto DNS | Automatically add domain → router IP resolution in dnsmasq |
| Auto renewal | Based on acme.sh, 90-day certificates auto-renew |
| LuCI native | Three-page UI: status overview, certificate management, proxy rules |
| i18n | English + Chinese Simplified, easily extensible |
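
What "covers all subdomains" means when matching a proxy domain to a certificate, as an added sketch that is not part of the project's code: a wildcard name matches exactly one extra left-most label, so `*.example.com` covers `nas.example.com` but neither the bare `example.com` nor `a.b.example.com`. The helper names `cert_covers` and `pick_cert` and the sample names are assumptions, and names are assumed to be lower-case.

```shell
#!/bin/sh
# Added example, not the project's code. Names are assumed to be lower-case.

cert_covers() {               # $1 = certificate name, $2 = requested host
    case $1 in
        \*.*)
            base=${1#\*.}
            case $2 in
                *."$base") label=${2%."$base"} ;;
                *) return 1 ;;
            esac
            case $label in
                ''|*.*) return 1 ;;   # empty or nested label: not covered
            esac
            return 0 ;;
        *)
            [ "$1" = "$2" ] ;;
    esac
}

pick_cert() {                 # $1 = host, rest = certificate names
    want=$1; shift
    for name in "$@"; do
        if cert_covers "$name" "$want"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Constructed sample: certificates configured on the gateway.
set -- '*.example.com' 'example.com' '*.lab.example.com'
for h in nas.example.com example.com git.lab.example.com a.b.c.example.com; do
    printf '%-22s -> %s\n' "$h" "$(pick_cert "$h" "$@" || echo 'no certificate')"
done
```
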

| Requirement | Details |
|---|---|
| Platform | OpenWrt 25.x (APK package manager) |
| Domain | A registered domain name |
| DNS API | Provider API credentials (Alibaba Cloud, Cloudflare, DNSPod, or GoDaddy) |
Auto-installed:

```
├── Makefile              OpenWrt SDK build definition
├── src/
│   ├── view/             LuCI JS frontend views (i18n via _())
│   ├── bin/              Main service script → /usr/sbin/https-gateway
│   ├── rpcd/             RPC backend → /usr/libexec/rpcd/https-gateway
│   ├── config/           UCI default config → /etc/config/https_gateway
│   ├── init/             procd init → /etc/init.d/https_gateway
│   ├── uci-defaults/     First-boot script → /etc/uci-defaults/
│   ├── share/            LuCI menu + ACL JSON
│   └── i18n/             Translation files (POT + PO)
│       ├── templates/    POT template (source strings)
│       └── zh_Hans/      Chinese Simplified translation
├── docs/                 Documentation
└── tests/                Unit & integration tests (149 tests)
```

Download the .ipk matching your router's architecture from the Releases page:

| Architecture | Target Devices |
|---|---|
| `x86_64` | Virtual machines, PC routers |
| `aarch64_cortex-a53` | MediaTek MT7981/7986 (Filogic) |
| `aarch64_generic` | Rockchip ARM64 boards |
| `arm_cortex-a7_neon-vfpv4` | Allwinner sunxi |

```sh
# Transfer to router
scp luci-app-https-gateway_*_x86_64.ipk root@192.168.0.1:/tmp/
# Install (OpenWrt 23.x with opkg)
ssh root@192.168.0.1 'opkg install /tmp/luci-app-https-gateway_*.ipk'
# Or OpenWrt 25.x with APK
# (--allow-untrusted skips apk's signature check for this local package file)
ssh root@192.168.0.1 'apk add --allow-untrusted /tmp/luci-app-https-gateway_*.ipk'
```

```sh
# Copy the individual files to the router instead of installing a package
ROUTER=root@192.168.0.1
scp src/bin/https-gateway ${ROUTER}:/usr/sbin/
scp src/rpcd/https-gateway ${ROUTER}:/usr/libexec/rpcd/
scp src/config/https_gateway ${ROUTER}:/etc/config/
scp src/init/https_gateway ${ROUTER}:/etc/init.d/
scp src/uci-defaults/50-luci-https-gateway ${ROUTER}:/etc/uci-defaults/
scp src/share/menu.d/luci-app-https-gateway.json ${ROUTER}:/usr/share/luci/menu.d/
scp src/share/acl.d/luci-app-https-gateway.json ${ROUTER}:/usr/share/rpcd/acl.d/
ssh ${ROUTER} 'mkdir -p /www/luci-static/resources/view/https-gateway'
scp src/view/*.js ${ROUTER}:/www/luci-static/resources/view/https-gateway/
# Make the service script, RPC backend and init script executable
ssh ${ROUTER} 'chmod +x /usr/sbin/https-gateway /usr/libexec/rpcd/https-gateway /etc/init.d/https_gateway'
# Reload rpcd so it picks up the new backend, then enable the service at boot
ssh ${ROUTER} '/etc/init.d/rpcd restart && /etc/init.d/https_gateway enable'
```

```sh
# Stage the files under files/, mirroring the router's filesystem layout
# Create the target directories first so the cp commands do not fail
mkdir -p files/usr/sbin files/usr/libexec/rpcd files/etc/config files/etc/init.d \
         files/etc/uci-defaults files/usr/share/luci/menu.d files/usr/share/rpcd/acl.d
cp src/bin/https-gateway files/usr/sbin/
cp src/rpcd/https-gateway files/usr/libexec/rpcd/
cp src/config/https_gateway files/etc/config/
cp src/init/https_gateway files/etc/init.d/
cp src/uci-defaults/50-luci-https-gateway files/etc/uci-defaults/
cp src/share/menu.d/*.json files/usr/share/luci/menu.d/
cp src/share/acl.d/*.json files/usr/share/rpcd/acl.d/
mkdir -p files/www/luci-static/resources/view/https-gateway
cp src/view/*.js files/www/luci-static/resources/view/https-gateway/
```

```sh
# opkg (OpenWrt 23.x)
opkg install luci-app-https-gateway_1.0.1-1_all.ipk
# APK (OpenWrt 25.x); --allow-untrusted skips apk's signature check
apk add --allow-untrusted luci-app-https-gateway_1.0.1-1_all.apk
```

- Navigate to LuCI → Services → HTTPS Gateway
- Enter email, select DNS provider, fill in API credentials
- Add a certificate (e.g. `*.example.com`)
- Add proxy rules (domain + path + upstream address)
- Enable gateway → Save & Apply
- Click "Issue/Renew Certificates"

Tip: Start with staging mode enabled to test your setup without hitting Let's Encrypt rate limits.

Run the full test suite (no router required):

```sh
sh tests/run_all.sh
```

| Suite | Tests | Coverage |
|---|---|---|
| `test_validation.sh` | 47 | Domain, location, upstream regex validation |
| `test_nginx_conf.sh` | 37 | nginx config generation, TLS, WebSocket |
| `test_dns_certs.sh` | 25 | Certificate paths, wildcard matching, DNS sync |
| `test_integration.sh` | 25 | JSON output, UCI validation, service states |
| `test_validate.sh` | 15 | Legacy regex smoke tests |

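
A sketch of the kind of check the validation and nginx config generation suites exercise, added here and not taken from the project's code: a proxy rule's location and upstream are allowlisted as whole strings before they are written into an nginx `location` block, so a value carrying `;`, braces or a newline cannot add directives. The function names, accepted character sets and emitted directives are assumptions; the project's own rules may differ.

```shell
#!/bin/sh
# Added example, not the project's code. Patterns and names are assumptions.
LC_ALL=C; export LC_ALL

# `case` matches the whole string, so an embedded newline cannot slip past
# the check the way it can with a line-oriented grep.
valid_location() {            # absolute path built from URL-safe characters
    case $1 in
        /*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9/._-]*) return 1 ;;
    esac
}

valid_upstream() {            # http(s)://host[:port], no path or query
    case $1 in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    hp=${1#*://}; host=${hp%%:*}; port=${hp#"$host"}
    case $host in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    case $port in
        '') ;;
        :|:*[!0-9]*) return 1 ;;
    esac
}

render_location() {           # $1=location  $2=upstream  $3=websocket (0|1)
    valid_location "$1" && valid_upstream "$2" || return 1
    printf 'location %s {\n' "$1"
    printf '    proxy_pass %s;\n' "$2"
    printf '    proxy_set_header Host $host;\n'
    if [ "$3" = 1 ]; then
        printf '    proxy_http_version 1.1;\n'
        printf '    proxy_set_header Upgrade $http_upgrade;\n'
        printf '    proxy_set_header Connection "upgrade";\n'
    fi
    printf '}\n'
}

# Constructed sample rules: the first renders, the second is refused.
render_location /ws/ http://192.168.0.10:8123 1
render_location '/x { return 200; } #' http://192.168.0.10:8123 0 ||
    echo "rejected: invalid location" >&2
```

Running `nginx -t` on the generated file before reloading catches anything that is syntactically valid for this allowlist but still unacceptable to nginx.
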
The UI uses OpenWrt's standard PO/LMO i18n system:
- Source strings in English with `_()` markers in JS views
- Translations in `src/i18n/<lang>/https-gateway.po`
- Build produces `.lmo` binary files for LuCI runtime

Available languages: English (base), 中文简体 (zh_Hans)

To add a new language, copy `src/i18n/templates/https-gateway.pot` to `src/i18n/<lang>/https-gateway.po` and translate the `msgstr` entries.

To create a new release:

```sh
# Bump version in Makefile, then:
git tag v1.1.0
git push origin v1.1.0
```

GitHub Actions will automatically:
- Download the OpenWrt SDK for each supported architecture
- Compile `.ipk` packages (x86_64, aarch64, arm)
- Create a source tarball for manual SDK builds
- Publish a GitHub Release with all assets attached

| Arch | SDK Target | Typical Devices |
|---|---|---|
| x86_64 | x86/64 | VMs, soft routers |
| aarch64_cortex-a53 | mediatek/filogic | GL.iNet MT3000, Xiaomi AX series |
| aarch64_generic | rockchip/armv8 | NanoPi R4S/R5S, FriendlyElec |
| arm_cortex-a7 | sunxi/cortexa7 | Orange Pi, Banana Pi |

- Fork the repository
- Create a feature branch (`git checkout -b feat/amazing-feature`)
- Run tests (`sh tests/run_all.sh`)
- Commit your changes (`git commit -m 'feat: add amazing feature'`)
- Push to the branch (`git push origin feat/amazing-feature`)
- Open a Pull Request

This project is licensed under the MIT License; see the LICENSE file for details.

If this project helps you, consider giving it a ⭐