Differences

docs:guide-user:services:webserver:uhttpd [2019/08/26 08:26] – tag optimization, formatting optimization vgaetera
docs:guide-user:services:webserver:uhttpd [2024/05/25 18:59] – [Securing uHTTPd] stokito
Line 23: Line 23:
 | ''listen_https'' | list of port or address:port pairs | yes, if '''listen_http''' is not given | //(none)// | Specifies the ports and addresses to listen on for encrypted HTTPS access. The format is the same as for ''listen_http''. ** Read below for extra details** | | ''listen_https'' | list of port or address:port pairs | yes, if '''listen_http''' is not given | //(none)// | Specifies the ports and addresses to listen on for encrypted HTTPS access. The format is the same as for ''listen_http''. ** Read below for extra details** |
 | ''home'' | directory path | yes | ''/www'' | Defines the server document root | | ''home'' | directory path | yes | ''/www'' | Defines the server document root |
-| ''cert'' | file path | yes if ''listen_https'' is given, else no | ''/etc/uhttpd.crt'' | ASN.1/DER certificate used to serve HTTPS connections | +| ''cert'' | file path | yes if ''listen_https'' is given, else no | ''/etc/uhttpd.crt'' | ASN.1/DER or PEM certificate used to serve HTTPS connections. If you want to you use an intermediate certificate you concatenate it to one file (PEM only!). Some PEM formats may require the luci-ssl-openssl package. 
-| ''key'' | file path | yes if ''listen_https'' is given, else no | ''/etc/uhttpd.key'' | ASN.1/DER private key used to serve HTTPS connections |+| ''key'' | file path | yes if ''listen_https'' is given, else no | ''/etc/uhttpd.key'' | ASN.1/DER or PEM private key used to serve HTTPS connections. Some PEM formats may require the luci-ssl-openssl package. |
 | ''cgi_prefix'' | string | no | ''/cgi-bin'' | Defines the prefix for CGI scripts, relative to the document root. CGI support is disabled if this option is missing | | ''cgi_prefix'' | string | no | ''/cgi-bin'' | Defines the prefix for CGI scripts, relative to the document root. CGI support is disabled if this option is missing |
 | ''lua_prefix'' | string | no | //(none)// | Defines the prefix for dispatching requests to the embedded Lua interpreter, relative to the document root. Lua support is disabled if this option is missing | | ''lua_prefix'' | string | no | //(none)// | Defines the prefix for dispatching requests to the embedded Lua interpreter, relative to the document root. Lua support is disabled if this option is missing |
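Review bot: the new ''cert'' cell on the right-hand side of the ''cert'' row is missing its closing ''|'', so the table row is unterminated; the ''key'' row directly below shows the expected form. Two smaller points in the same cell: "If you want to you use an intermediate certificate you concatenate it to one file" should read "If you use an intermediate certificate, concatenate it into the same file as the server certificate (PEM only), server certificate first", and "Some PEM formats may require the luci-ssl-openssl package" would be more useful if it named which encodings need that package, since as written a reader cannot tell whether their PEM file is affected.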
Line 37: Line 37:
 | ''no_symlinks'' | boolean | no | ''0'' | Do not follow symbolic links if enabled | | ''no_symlinks'' | boolean | no | ''0'' | Do not follow symbolic links if enabled |
 | ''no_dirlists'' | boolean | no | ''0'' | Do not generate directory listings if enabled | | ''no_dirlists'' | boolean | no | ''0'' | Do not generate directory listings if enabled |
-| ''rfc1918_filter'' | boolean | no | ''1'' | Reject requests from [[https://en.wikipedia.org/wiki/Private_network|RFC1918]] IP addresses directed to the servers public IPs i.e. allow only private IPs. This is a DNS rebinding countermeasure. |+| ''rfc1918_filter'' | boolean | no | ''1'' | Reject requests from [[https://en.wikipedia.org/wiki/Private_network|RFC1918]] IP addresses directed to the servers public IPs. This is a DNS rebinding countermeasure. |
 | ''http_keepalive'' | integer | no | ''20'' | connection reuse.  Some bugs have been seen, you //may// wish to disable this by setting to ''0'' (BB or later only) | | ''http_keepalive'' | integer | no | ''20'' | connection reuse.  Some bugs have been seen, you //may// wish to disable this by setting to ''0'' (BB or later only) |
 | ''max_requests'' | integer | no | ''3'' | Maximum number of concurrent requests. If this number is exceeded, further requests are queued until the number of running requests drops below the limit again. | | ''max_requests'' | integer | no | ''3'' | Maximum number of concurrent requests. If this number is exceeded, further requests are queued until the number of running requests drops below the limit again. |
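Review bot: dropping "i.e. allow only private IPs" is the right fix, since that gloss read as the opposite of the sentence it followed (the option rejects requests that come from RFC1918 addresses). The remaining text still has "the servers public IPs", which should be "the server's public IPs", and it would help to say what "directed to" means here, i.e. which part of the request is compared against the public address, so readers can tell exactly which requests the filter blocks.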
Line 63: Line 63:
  
 ==== HTTPS Enable and Certificate Settings and Creation ==== ==== HTTPS Enable and Certificate Settings and Creation ====
-In order to speak HTTPS/TLS, uhttpd needs one of several cryptographic libraries. Such ''libuhttpd-...'' packages can be installed via opkg, e.g. ''libuhttpd-mbedtls'', ''libuhttpd-openssl'' or ''libuhttpd-wolfssl''.+In order to speak HTTPS/TLS, uhttpd needs one of several [[:docs:guide-user:services:tls:libs|cryptographic libraries]]. Such ''libuhttpd-...'' packages can be installed via opkg, e.g. ''libuhttpd-mbedtls'', ''libuhttpd-openssl'' or ''libuhttpd-wolfssl''.
  
 In the server configuration, the ''listen_https'' option needs to be defined as explained above. In the server configuration, the ''listen_https'' option needs to be defined as explained above.
Line 69: Line 69:
 uhttpd requires an X.509 certificate and a private key. You can create and copy them manually to the place specified in the configuration. uhttpd requires an X.509 certificate and a private key. You can create and copy them manually to the place specified in the configuration.
  
-There is an alternative: In this case (as of 10.03.1) you'll need to install the ''luci-ssl'' meta-package which in turn will pull also the ''px5g'' script. With this utility the init script will generate the appropriate certificate and key files when the server is started for the first time, either by reboot or by manual restart.+There is an alternative: In this case (as of 10.03.1) you'll need to install the ''luci-ssl'' meta-package which in turn will pull also the ''px5g'' script. With this utility the init script will generate the appropriate self signed certificate and key files when the server is started for the first time, either by reboot or by manual restart.
  
 The ''/etc/config/uhttpd'' file contains in the end a section detailing the certificate and key files creation parameters: The ''/etc/config/uhttpd'' file contains in the end a section detailing the certificate and key files creation parameters:
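Review bot: "self signed" should be hyphenated as "self-signed". The sentence still opens with "There is an alternative: In this case (as of 10.03.1)", where "In this case" has no antecedent; suggest "Alternatively (as of 10.03.1), install the ''luci-ssl'' meta-package, which also pulls in the ''px5g'' script; the init script then generates a self-signed certificate and key the first time the server starts, whether by reboot or by manual restart." Since the result is self-signed, a short note that browsers will warn until the certificate is trusted would set the reader's expectations.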
Line 82: Line 82:
  
 Those will be needed only once, at the next restart. Those will be needed only once, at the next restart.
 +
 +If you are hosting the website to internet you may want to [[:docs:guide-user:services:tls:certs|obtain LetsEncrypt certificates]].
  
 ===== Basic Authentication (httpd.conf) ===== ===== Basic Authentication (httpd.conf) =====
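Review bot: "hosting the website to internet" should be "exposing the web server to the Internet", and the project name is written "Let's Encrypt". Consider also stating where the obtained certificate and key go, i.e. the ''cert'' and ''key'' paths from the options table, so the link connects back to the configuration described above.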
Line 93: Line 95:
   * ''password'' defines the secret password required to authenticate   * ''password'' defines the secret password required to authenticate
  
-The password can be either in plain text format, MD5 encoded or in the form ''$p$user'' where ''user'' refers to an account in ''/etc/shadow'' or ''/etc/passwd''.+The password can be either in plain text format, [[https://en.wikipedia.org/wiki/Crypt_(Unix)|crypt(1) MD5]] encoded or in the form ''$p$user'' where ''user'' refers to an account in ''/etc/shadow'' or ''/etc/passwd''.
  
 A plain text password can be converted to MD5 encoding by using the ''-m'' switch of the //uhttpd// executable: A plain text password can be converted to MD5 encoding by using the ''-m'' switch of the //uhttpd// executable:
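Review bot: "crypt(1)" should be "crypt(3)": crypt is the C library function (manual section 3), which is also what the linked Wikipedia article describes, while crypt(1), where it exists at all, is the historical file-encryption utility and not the password hash. Also, the following sentence still calls the result "MD5 encoding"; since this is a salted one-way hash (the ''$1$'' MD5-crypt scheme), "MD5-crypt hash" would be accurate and would avoid suggesting the password can be decoded.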
Line 103: Line 105:
  
 If the ''$p$...'' format is used, //uhttpd// will compare the client provided password against the one stored in the ''shadow'' or ''passwd'' database. If the ''$p$...'' format is used, //uhttpd// will compare the client provided password against the one stored in the ''shadow'' or ''passwd'' database.
 +
 +Example:
 +<code - /etc/httpd.conf>
 +/dashboard/:admin:$1$$ysVNzQc4CTMkp5daOdZ.3/
 +/:root:$p$root
 +/:alice:P@$$w0rd
 +</code>
 +
 +  * Here the ''/dashboard/'' path is protected but allowed for user ''admin'' with the password ''secret'' that is hashed with crypt(1) MD5.
 +  * The root path ''/'' is allowd to the user ''root'' and it's password will be taken from ''/etc/passwd''
 +  * Also the ''/'' path is allowed for the user ''alice'' and shes password is ''P@$$w0rd'' which is not hashed and stored in clear text.
  
 ===== URL decoding ===== ===== URL decoding =====
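Review bot: typos in the new bullets: "allowd" should be "allowed", "it's password" should be "its password", and "shes password" should be "her password". The third bullet should also say plainly that a cleartext entry such as alice's is the weakest of the three forms and that the ''-m'' switch described above produces the hashed form to use instead; as written, the example presents cleartext as just another option. The first bullet should say how the ''$1$$...'' value was produced (the ''-m'' switch), since the empty salt between the two consecutive ''$'' signs looks unusual next to hashes generated by other tools and a reader may otherwise think the example is malformed.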
Line 126: Line 139:
  
 ===== Securing uHTTPd ===== ===== Securing uHTTPd =====
 +See [[:docs:guide-user:luci:luci.secure]] for more details.
 +
 By default, uHTTPd is bind to ''0.0.0.0'' which also includes the WAN port of your router. To bind uHTTPd to the LAN port only you have to change the ''listen_http'' and ''listen_https'' options to your LAN IP address. By default, uHTTPd is bind to ''0.0.0.0'' which also includes the WAN port of your router. To bind uHTTPd to the LAN port only you have to change the ''listen_http'' and ''listen_https'' options to your LAN IP address.
  
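Review bot: the new pointer sentence is fine, but the paragraph it introduces still says "uHTTPd is bind to", which should be "uHTTPd is bound to". It would also be worth relating the two measures the page now contains: binding ''listen_http''/''listen_https'' to the LAN address keeps the WAN side from reaching the server at all, while ''rfc1918_filter'' in the options table above only addresses DNS rebinding, so one is not a substitute for the other.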
  • Last modified: 2024/12/16 09:26
  • by stokito