Security changes - restricting uhttpd addresses

Luiz Angelo Daros de Luca luizluca at gmail.com
Tue Oct 25 11:53:45 PDT 2022


> The default uhttpd configuration has this:
>
> # HTTP listen addresses, multiple allowed
>         list listen_http        0.0.0.0:80
>         list listen_http        [::]:80
>
> Now, I know there are lots of practical reasons for this to be the case,
> and I know also that the firewall setup in OpenWrt is robust and
> isn't going to allow WAN-side access.
>
> Nevertheless, the security people are looking at this config
> statically, and not seeing that it's bound to the LAN interface IP
> only.

It might be easy to bind to the LAN interface in a simple product but
OpenWrt might have multiple interfaces.
It is much easier to let the firewall zones deal with that.

> As an aside, they don't see the iptables tool in the system, and don't
> understand that that's been deprecated (although I since did add it
> for some unrelated legacy usage), and think there's no firewall at all.

22.03? Did you read the release notes? nftables.

> For my use, I've changed the default binding to the LAN IP, and also
> added another init.d script to check the current LAN address, and
> update the uhttpd config if need be and then restart it (and add
> a config hook to the network config). Obviously this isn't
> very satisfactory, open to better suggestions here.

It would be better to improve the uhttpd startup script, allowing it
to bind to a list of OpenWrt interfaces. It is always better to
reference an existing config than to duplicate it.
Or leave the original bind address.

> It might also be better if uhttpd could be configured to bind
> to a specific interface rather than knowing its IP upfront, but
> that might be impractical.

No, there are dozens of services that do just that.

Regards,

Luiz
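As an added illustration of the approach suggested in the reply (binding uhttpd to a list of OpenWrt logical interfaces rather than hard-coding an IP), here is a small shell script that is not part of this thread and not OpenWrt's own uhttpd init script. It resolves each named interface to its current IPv4/IPv6 address and rewrites the `listen_http` list in `/etc/config/uhttpd` with `uci`. On a real OpenWrt box it uses the existing `network_get_ipaddr` / `network_get_ipaddr6` helpers from `/lib/functions/network.sh`; off-box it falls back to a constructed lookup table (the `192.168.x.1` and `fd00::1` addresses are sample values, and the `main` section name is the default uhttpd section) so the logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project: derive uhttpd
# listen addresses from OpenWrt logical interface names so the daemon binds
# only to those interfaces' current IPs instead of 0.0.0.0:80 / [::]:80.

# Fallback resolvers with constructed sample addresses (used when the
# OpenWrt network helpers are not available, e.g. when run off-box).
# Both set the variable named in $1 to the address of interface $2.
lookup_ipv4() {
    case "$2" in
        lan)   eval "$1=192.168.1.1" ;;   # constructed sample address
        guest) eval "$1=192.168.2.1" ;;   # constructed sample address
        *)     eval "$1=" ;;              # unknown interface: no address
    esac
}
lookup_ipv6() {
    case "$2" in
        lan)   eval "$1=fd00::1" ;;       # constructed sample address
        *)     eval "$1=" ;;
    esac
}

# On OpenWrt, prefer the real helpers (network_get_ipaddr <var> <iface>).
if [ -r /lib/functions/network.sh ]; then
    . /lib/functions/network.sh
    lookup_ipv4() { network_get_ipaddr  "$1" "$2" || eval "$1="; }
    lookup_ipv6() { network_get_ipaddr6 "$1" "$2" || eval "$1="; }
fi

# build_listen_list PORT "iface1 iface2 ...": print one space-separated
# list of addr:port entries. An interface that currently has no address
# is skipped with a warning rather than replaced by a wildcard bind, so a
# missing address never silently widens the listen scope.
build_listen_list() {
    port=$1
    ifaces=$2
    out=""
    for iface in $ifaces; do
        ip4=""
        ip6=""
        lookup_ipv4 ip4 "$iface"
        lookup_ipv6 ip6 "$iface"
        if [ -n "$ip4" ]; then out="$out $ip4:$port"; fi
        if [ -n "$ip6" ]; then out="$out [$ip6]:$port"; fi
        if [ -z "$ip4$ip6" ]; then
            echo "warning: interface '$iface' has no address, skipping" >&2
        fi
    done
    echo "${out# }"
}

# apply_uhttpd_listen PORT "iface1 iface2 ...": replace the listen_http
# list in the default 'main' section of /etc/config/uhttpd and restart.
# Off-box (no uci binary) it only prints what it would set.
apply_uhttpd_listen() {
    listen=$(build_listen_list "$1" "$2")
    if [ -z "$listen" ]; then
        echo "refusing to apply an empty listen list" >&2
        return 1
    fi
    if ! command -v uci >/dev/null 2>&1; then
        echo "uci not found; would set listen_http to: $listen" >&2
        return 0
    fi
    uci -q delete uhttpd.main.listen_http
    for addr in $listen; do
        uci add_list uhttpd.main.listen_http="$addr"
    done
    uci commit uhttpd
    /etc/init.d/uhttpd restart
}

# Usage: rebind uhttpd to the lan and guest interfaces on port 80.
# Hook this from /etc/hotplug.d/iface/ so it re-runs when addresses change.
# apply_uhttpd_listen 80 "lan guest"
```

The script refuses to apply an empty list on purpose: if every named interface is down, leaving the old configuration in place is safer than committing nothing and letting uhttpd fall back to a wildcard bind. Running it from a hotplug `iface` script keeps the listen list in step with DHCP or PPPoE address changes without duplicating the network config, which is the point made in the reply above.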


