Commit Graph

23 Commits

Author SHA1 Message Date
Felix Fietkau
c835c9ebe5 uhttpd: use sha256 when generating certificates with openssl (FS#512)
Patch from attachment to FS#512

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-17 14:43:11 +01:00
Daniel Dickinson
98c86e2970 uhttpd: Add Basic Auth config
We add an 'httpauth' section type that contains the options:

prefix: What virtual or real URL is being protected
username: The username for the Basic Auth dialogue
password: Hashed (crypt()) or plaintext password for the Basic Auth dialogue

httpauth section names are given included as list
items to the instances to which they are to be applied.

Further any existing httpd.conf file (really whatever
is configured in the instance, but default of
/etc/httpd.conf) is appended to the per-instance httpd.conf

Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
2016-10-31 13:22:51 +01:00
Hannu Nyman
9097dc5ad8 uhttpd: create self-signed certificates with unique subjects
Add a partially random O= item to the certificate subject in order
to make the automatically generated certificates' subjects unique.

Firefox has problems when several self-signed certificates
with CA:true attribute and identical subjects have been
seen (and stored) by the browser. Reference to upstream bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1147544
https://bugzilla.mozilla.org/show_bug.cgi?id=1056341
https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34

Certificates created by the OpenSSL one-liner fall into that category.

Avoid identical certificate subjects by including a new 'O=' item
with CommonName + a random part (8 chars). Example:
/CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ

That ensures that the browser properly sees the accumulating
certificates as separate items and does not spend time
trying to form a trust chain from them.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-26 15:16:52 +02:00
Hannu Nyman
82132540a3 uhttpd: prefer px5g for certificate creation
Prefer the old default 'px5g' for certificate creation
as Firefox seems to dislike OpenSSL-created certs.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-26 15:16:51 +02:00
Hannu Nyman
3c4858eeb2 uhttpd: support using OpenSSL for certificate generation
Support the usage of the OpenSSL command-line tool for generating
the SSL certificate for uhttpd. Traditionally 'px5g' based on
PolarSSL (or mbedTLS in LEDE), has been used for the creation.

uhttpd init script is enhanced by adding detection of an installed
openssl command-line binary (provided by 'openssl-util' package),
and if found, the tool is used for certificate generation.

Note: After this patch the script prefers to use the OpenSSL tool
if both it and px5g are installed.

This enables creating a truly OpenSSL-only version of LuCI
without dependency to PolarSSL/mbedTLS based px5g.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-05 00:48:19 +02:00
John Crispin
fa69553900 branding: add LEDE branding
Signed-off-by: John Crispin <blogic@openwrt.org>
2016-03-24 22:40:13 +01:00
Felix Fietkau
565570cfd5 package/uhttpd: generate 2048 bit RSA key
RSA keys should be generated with sufficient length.
Using 1024 bits is considered unsafe.
In other packages the used key length is 2048 bits.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

SVN-Revision: 48494
2016-01-25 17:42:25 +00:00
Luka Perkov
b18c9d271e uhttpd: add support for configuration option ubus_cors
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 47448
2015-11-10 22:28:45 +00:00
Felix Fietkau
1d6a530fe6 uhttpd: update to the latest version, adds support for redirect helper scripts
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47419
2015-11-08 20:39:09 +00:00
John Crispin
00df239f60 uhttpd: update to latest git revision
adds URL alias support

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 47206
2015-10-19 10:08:01 +00:00
Jo-Philipp Wich
b345461070 uhttpd: fix keep-alive bug (#20607, #20661)
The two commits

  5162e3b0ee7bd1d0fd6e75e1ca7993a1834b5291
	"allow request handlers to disable chunked reponses"

and

  618493e378e2239f0d30902e47adfa134e649fdc
	"file: disable chunked encoding for file responses"

broke the chunked transfer encoding handling for proc responses in keep-alive
connections that followed a file response with http status 204 or 304.

The effect of this bug is that cgi responses following a 204 or 304 one where
sent neither in chunked encoding nor with a content-length header, causing
browsers to stall until the keep alive timeout was reached.

Fix the logic flaw by inverting the chunk prevention flag in the client state
and by testing the chunked encoding preconditions every time instead of
once upon client (re-)initialization.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 47161
2015-10-07 22:14:48 +00:00
Jo-Philipp Wich
4f58248a7d uhttpd: add support for enforcing https
Also set HTTPS environment variable for CGI programs on SSL connections.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45852
2015-05-30 20:55:14 +00:00
Felix Fietkau
83cdd1623c uhttpd: make generating SSL keys more reliable against interrupted boots
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 44772
2015-03-15 10:32:10 +00:00
Jo-Philipp Wich
b977134dc7 uhttpd: relay stderr to syslog
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44548
2015-02-26 13:44:05 +00:00
Jo-Philipp Wich
730589281e uhttpd: do not configure TLS parameters if libustream-ssl is not present
A quite frequent problem after sysupgrading from an older, SSL enabled build
is that ustream-ssl is not installed so uhttpd fails to come up again due to
https listening directives in the preserved configuration.

Skip key/cert and ssl listen options when libustream-ssl.so is not present.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 42284
2014-08-25 12:39:34 +00:00
Jo-Philipp Wich
e0a3e3d1b6 uhttpd: do not attempt to configure Lua handler if referenced file does not exist
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 40457
2014-04-11 16:13:27 +00:00
Jo-Philipp Wich
e444eb0bbd uhttpd: don't process ubus_* and lua_* options if corresponding plugin is not installed (#14618)
SVN-Revision: 39057
2013-12-15 15:32:37 +00:00
John Crispin
3cc0f479dc uhttp: make the service auto respawn if it crashes
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38724
2013-11-11 12:19:02 +00:00
Felix Fietkau
59c05778f0 uhttpd: fix appending https ports to cmdline
Otherwise it is started only on non-secure ports.

Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@neratec.com>

SVN-Revision: 38171
2013-09-25 07:44:48 +00:00
John Crispin
f874094402 procd: convert various packages to procd style init.d scripts
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38023
2013-09-17 21:45:30 +00:00
Jo-Philipp Wich
1150e299bb uhttpd: expose missing options to uci
SVN-Revision: 36932
2013-06-13 11:55:12 +00:00
Jo-Philipp Wich
160c2ef011 uhttpd: update to latest git head - introduces support for multiple index files - fixes build with only the TLS module selected
SVN-Revision: 33778
2012-10-15 18:19:57 +00:00
Felix Fietkau
405e21d167 packages: sort network related packages into package/network/
SVN-Revision: 33688
2012-10-10 12:32:29 +00:00