Calling /etc/init.d/uhttpd reload directly in the acme hotplug script
can inadvertently start a stopped instance.
Signed-off-by: Glen Huang <i@glenhuang.com>
Add a config option for json_script instead of unconditionally including
all json files in /etc/uhttpd in every uhttpd instance. This makes it
possible to configure a single instance with an unconditional redirect,
which currently renders all other uhttpd instances unusable.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Felix Fietkau <nbd@nbd.name>
Make the organization (O=) of the cert configurable via uci. If not
configured, use a combination of "OpenWrt" and an unique id like it was
done before.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Instead of doing uci commit and reload_config for each setting do it
only once when one of these options was changed. This should make it a
little faster when both conditions are taken.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Without this change the config is only committed, but the uhttpd daemon
is not reloaded. This reload is needed to apply the config. Without the
reload of uhttpd, the ubus server is not available over http and returns
a Error 404.
This caused problems when installing luci on the snapshots and
accessing it without reloading uhttpd.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
So we can ship px5g-wolfssl by default in the release image, but still
make the HTTPS for LuCI optional. This small change with addition of
`CONFIG_PACKAGE_px5g-wolfssl=y` into the buildbot's seed config for the
next release should provide optional HTTPS in the next release.
Disabling the current default automatic uhttpd's redirect to HTTPS
should make the HTTPS optional. That's it, user would either need to
switch to HTTPS by manually switching to https:// protocol in the URL or
by issuing the following commands to make the HTTPS automatic redirect
permanent:
$ uci set uhttpd.main.redirect_https=1
$ uci commit uhttpd
$ service uhttpd reload
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The uhttpd package takes care of creating self-signed certificates if
px5g is installed. This improves the security of router management as it
encrypts the LuCI connection.
The EC P-256 curve is faster than RSA which which improves the user
experience on embedded devices. EC P-256 is support for as old devices
as Android 4.4.
Signed-off-by: Paul Spooren <mail@aparcar.org>
With this change it is now possible to switch off single instances of
the uhttpd config. Until now it was only possible to switch all
instances of uhttpd on or off.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This adds the key_type and ec_curve options to enable the generation of
EC keys during initialization, using openssl or the new options added to
px5g.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This reverts commit c6aa9ff388.
Further testing has revealed that we will need to allow concurrent
requests after all, especially for situations where CGI processes
initiate further HTTP requests to the local host.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update to latest git HEAD in order to support configuring multiple
concurrent Lua prefixes in a single uhttpd instance:
b741dec lua: support multiple Lua prefixes
Additionally rework the init script and update the default configuration
example to treat the lua_prefix option as key=value uci list, similar to
the interpreter extension mapping. Support for the old "option lua_prefix"
plus "option lua_handler" notation is still present.
Finally drop the sed postinstall hack in uhttpd-mod-lua to avoid mangling
files belonging to other packages. Since Lua prefixes have precedence
over CGI prefixes, simply register `/cgi-bin/luci` as Lua handler which
will only become active if both luci-base and uhttpd-mod-lua is installed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
We enabled lua interpreter by default as it doesn't make any problem in the uhttpd config file and we modify the index page to use it.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
We add an 'httpauth' section type that contains the options:
prefix: What virtual or real URL is being protected
username: The username for the Basic Auth dialogue
password: Hashed (crypt()) or plaintext password for the Basic Auth dialogue
httpauth section names are given included as list
items to the instances to which they are to be applied.
Further any existing httpd.conf file (really whatever
is configured in the instance, but default of
/etc/httpd.conf) is appended to the per-instance httpd.conf
Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
Add a partially random O= item to the certificate subject in order
to make the automatically generated certificates' subjects unique.
Firefox has problems when several self-signed certificates
with CA:true attribute and identical subjects have been
seen (and stored) by the browser. Reference to upstream bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1147544https://bugzilla.mozilla.org/show_bug.cgi?id=1056341https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34
Certificates created by the OpenSSL one-liner fall into that category.
Avoid identical certificate subjects by including a new 'O=' item
with CommonName + a random part (8 chars). Example:
/CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ
That ensures that the browser properly sees the accumulating
certificates as separate items and does not spend time
trying to form a trust chain from them.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Prefer the old default 'px5g' for certificate creation
as Firefox seems to dislike OpenSSL-created certs.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Now that the uhttpd init script can generate certificates using openssl as
well, update the section name and related comment to be more generic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Support the usage of the OpenSSL command-line tool for generating
the SSL certificate for uhttpd. Traditionally 'px5g' based on
PolarSSL (or mbedTLS in LEDE), has been used for the creation.
uhttpd init script is enhanced by adding detection of an installed
openssl command-line binary (provided by 'openssl-util' package),
and if found, the tool is used for certificate generation.
Note: After this patch the script prefers to use the OpenSSL tool
if both it and px5g are installed.
This enables creating a truly OpenSSL-only version of LuCI
without dependency to PolarSSL/mbedTLS based px5g.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
RSA keys should be generated with sufficient length.
Using 1024 bits is considered unsafe.
In other packages the used key length is 2048 bits.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
SVN-Revision: 48494
The two commits
5162e3b0ee7bd1d0fd6e75e1ca7993a1834b5291
"allow request handlers to disable chunked reponses"
and
618493e378e2239f0d30902e47adfa134e649fdc
"file: disable chunked encoding for file responses"
broke the chunked transfer encoding handling for proc responses in keep-alive
connections that followed a file response with http status 204 or 304.
The effect of this bug is that cgi responses following a 204 or 304 one where
sent neither in chunked encoding nor with a content-length header, causing
browsers to stall until the keep alive timeout was reached.
Fix the logic flaw by inverting the chunk prevention flag in the client state
and by testing the chunked encoding preconditions every time instead of
once upon client (re-)initialization.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 47161
A quite frequent problem after sysupgrading from an older, SSL enabled build
is that ustream-ssl is not installed so uhttpd fails to come up again due to
https listening directives in the preserved configuration.
Skip key/cert and ssl listen options when libustream-ssl.so is not present.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 42284
