Hi Lonnie,

I agree totally, security first.
Redirection to http will be my choice, because the only thing where people 
sometimes get stuck is that they try to enter only the IP in the browser, 
without leading https.
That means that if I could define an https redirect, so that people are 
redirected to https when they enter only the IP in the browser, this will be 
the best solution for us.

If I understood right, to enable https redirection I only have to enable "http 
cgi", set the same path for the http server as for the https server and enable 
https cgi.
I tried it and it worked. Do you think this combination can be used without 
risking losing connection to the web interface or creating higher CPU load for 
the machine?






Best regards

Stefan Ulm
Technical Department | Research & Development
stefan....@divus.eu

      
      


DIVUS Headquarters Pillhof 51 . I-39057 Eppan (Südtirol) . Tel. +39 0471 633 
662 . Fax. +39 0471 631 829
www.divus.eu . Privacy: http://www.divus.eu/media/DivusPrivacy.pdf

-----Original Message-----
From: Lonnie Abelbeck [mailto:li...@lonnie.abelbeck.com] 
Sent: Wednesday, 28 September 2016 15:10
To: AstLinux Users Mailing List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Access webinterface over http and https


On Sep 28, 2016, at 6:48 AM, Michael Keuter <li...@mksolutions.info> wrote:

> 
>> On 28.09.2016 at 13:35, Stefan Ulm <s....@divus.biz> wrote:
>> 
>> Hi all,
>> 
>> for our customers it would be easier to access the webinterface for 
>> configuration over http.
>> In parallel, for us from remote and for CLI usage, we require access to https 
>> in parallel.
>> 
>> Is it possible to access the webinterface over http and https in parallel?
>> We use no internal LAN port, so the apu2 is a simple network device 
>> in the local network (no routing, no firewall over astlinux on apu2)
>> 
>> Best regards
>> 
>> Stefan Ulm
>> Technical Department | Research & Development stefan....@divus.eu
> 
> Hi Stefan,
> 
> for security reasons I would strongly advise not to use http for accessing 
> the webinterface.
> There might be unknown bugs in the used libraries or applications (client or 
> server side).
> You theoretically could have unknown malware in your internal network as well.
> 
> And all for a bit more comfort.
> You should educate your customer instead :-).
> 
> Michael
> http://www.mksolutions.info

I agree with Michael, without HTTPS the 'admin' credentials are not secure.

In this day and age of half-baked (or intentionally malicious) IoT devices, the 
LAN is not as safe as it once was presumed.

Out of curiosity: Is explaining to the user with a web browser how to trust the 
self-signed certificate in AstLinux the problem?


But to answer your question, you can enable HTTP support for the web interface:

Network tab ->
--
HTTP  Server Directory: /stat/var/www

HTTP  Server Options: _x_ HTTP  CGI
--
(reboot to apply)

But, if you don't fully qualify the URL, e.g. http://pbx/, it will redirect you to 
HTTPS

(redirect to HTTPS)
pbx ~ # curl -LIk http://pbx/
--
HTTP/1.1 302 Found
X-Powered-By: PHP/5.6.25
Location: https://pbx/status.php
Content-type: text/html; charset=UTF-8
Date: Wed, 28 Sep 2016 12:43:08 GMT
Server: lighttpd/1.4.41

HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.25
Content-Type: text/html; charset=utf-8
Date: Wed, 28 Sep 2016 12:43:08 GMT
Server: lighttpd/1.4.41
--

(no redirect, uses HTTP)
pbx ~ # curl -LIk http://pbx/status.php
--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.25
Content-Type: text/html; charset=utf-8
Date: Wed, 28 Sep 2016 12:43:59 GMT
Server: lighttpd/1.4.41
--

Lonnie

PS: Since you are using an APU2 with three interfaces, why not (at least as an 
option) allow your product to also act as a gateway device (firewall enabled 
and two other NIC's are internal LAN's) so it would protect itself from the 
pre-existing LAN environment as well as protect other possible DIVUS products.





------------------------------------------------------------------------------
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
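
Added example (not part of the original thread and not AstLinux code): a small checker that walks a `curl -LI` header dump and reports whether the last response was answered over plain HTTP, which is the difference between the two curl runs quoted above. The function names are hypothetical; the sample dumps are the thread's own curl output with the X-Powered-By, Date and Server lines trimmed.

```python
from urllib.parse import urljoin, urlsplit

# Header dumps taken from the two curl -LIk runs quoted above
# (X-Powered-By, Date and Server lines trimmed).
BARE_URL_DUMP = """\
HTTP/1.1 302 Found
Location: https://pbx/status.php
Content-type: text/html; charset=UTF-8

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
"""
FULL_URL_DUMP = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
"""


def final_hop(start_url, header_dump):
    """Walk the response chain of a `curl -LI` dump.

    Returns (url_that_answered_last, last_status)."""
    next_url, served_url, status = start_url, None, None
    blocks = header_dump.replace("\r\n", "\n").strip().split("\n\n")
    for block in blocks:
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("HTTP/"):
            continue  # not a response header block
        served_url = next_url
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        if 300 <= status < 400 and "location" in headers:
            # Location may be relative; resolve it against the current URL.
            next_url = urljoin(served_url, headers["location"])
    return served_url, status


def served_in_cleartext(start_url, header_dump):
    """True when the chain ends in a 2xx answered over plain HTTP."""
    url, status = final_hop(start_url, header_dump)
    return status is not None and 200 <= status < 300 and urlsplit(url).scheme == "http"


if __name__ == "__main__":
    for url, dump in (("http://pbx/", BARE_URL_DUMP), ("http://pbx/status.php", FULL_URL_DUMP)):
        print(url, "->", final_hop(url, dump), "cleartext:", served_in_cleartext(url, dump))
```

Run against every path a user might bookmark, a True result marks a page that is still delivered without TLS even though the bare URL redirects.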
