Security changes - restricting uhttpd addresses
Luiz Angelo Daros de Luca
luizluca at gmail.com
Tue Oct 25 11:53:45 PDT 2022
> The default uhttpd configuration has this:
>
> # HTTP listen addresses, multiple allowed
> list listen_http 0.0.0.0:80
> list listen_http [::]:80
>
> Now, I know there's lots of practical reasons for this to be the case,
> and I know also that the firewall setup in OpenWrt is robust and
> isn't going to allow WAN-side access.
>
> Nevertheless, the security people are looking at this config
> statically, and not seeing that it's bound to the LAN interface IP
> only.
It might be easy to bind to the LAN interface in a simple product but
OpenWrt might have multiple interfaces.
It is much easier to let the firewall zones deal with that.
> As an aside, they don't see the iptables tool in the system, and don't
> understand that that's been deprecated (although I since did add it
> for some unrelated legacy usage), and think there's no firewall at all.
22.03? Did you read the release notes? nftables.
> For my use, I've changed the default binding to the LAN IP, and also
> added another init.d script to check the current LAN address, and
> update the uhttpd config if need be and then restart it (and add
> a config hook to the network config). Obviously this isn't
> very satisfactory, open to better suggestions here.
It would be better to improve the uhttpd startup script, allowing it
to bind to a list of OpenWrt interfaces. It is always better to
reference an existing config than to duplicate it.
Or leave the original bind address.
> It might also be better if uhttpd could be configured to bind
> to a specific interface rather than knowing its IP upfront, but
> that might be impractical.
No, there are dozens of services that do just that.
Regards,
Luiz
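As an added illustration of the suggestion above (example code, not from this thread and not OpenWrt's own uhttpd init script): derive uhttpd `listen_http` entries from a list of OpenWrt logical interface names instead of hard-coding their IPs. On a real OpenWrt system the address lookup would be `network_get_ipaddr` / `network_get_ipaddr6` from `/lib/functions/network.sh`; here a constructed interface table stands in so the script runs offline, and the generator fails closed rather than falling back to `0.0.0.0`.

```shell
#!/bin/sh
# Added example: build uhttpd listen entries from OpenWrt interface names.
# Constructed interface -> address table (hypothetical values). On OpenWrt,
# replace resolve_iface with network_get_ipaddr / network_get_ipaddr6 calls.
IFACE_ADDRS="lan=192.168.1.1 lan6=fd00::1 mgmt=10.0.0.1"

# resolve_iface NAME: print the address of a logical interface, or fail.
resolve_iface() {
    local pair
    for pair in $IFACE_ADDRS; do
        case "$pair" in
            "$1="*) echo "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# listen_entries PORT IFACE...: print one "list listen_http ADDR:PORT" line
# per resolvable interface. IPv6 literals are bracketed as uhttpd expects.
# Returns non-zero if nothing could be resolved, so the caller never ends up
# with an empty listen list that uhttpd would silently widen to all addresses.
listen_entries() {
    local port="$1" name addr n=0
    shift
    for name in "$@"; do
        if ! addr=$(resolve_iface "$name"); then
            echo "listen_entries: unknown interface '$name', skipping" >&2
            continue
        fi
        case "$addr" in
            *:*) echo "list listen_http [$addr]:$port" ;;
            *)   echo "list listen_http $addr:$port" ;;
        esac
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Usage: listen_entries 80 lan lan6
```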