Hi Lonnie,

I agree totally, security first. Redirection to http will be my choice, because the only thing which sometimes people stuck, is that they try to enter only the IP in the browser, without leading https. Means, that if I could define a https redirecting, so that people are redirected to https, when they enter only the IP in the browser, this will be the best solution for us.

If I understood right to enable https redirection I have only to enable "http cgi", set same path for http server as for https server and enable https cgi. I tried it and worked. Do you think this combination can be used without risking losing connection to web-interface or creating higher CPU load for the machine?

Best regards

Stefan Ulm
Technical Department | Research & Development
[email protected]
DIVUS Headquarters
Pillhof 51 . I-39057 Eppan (Südtirol) . Tel. +39 0471 633 662 . Fax. +39 0471 631 829
www.divus.eu . Privacy: http://www.divus.eu/media/DivusPrivacy.pdf

-----Original Message-----
From: Lonnie Abelbeck [mailto:[email protected]]
Sent: Wednesday, 28 September 2016 15:10
To: AstLinux Users Mailing List <[email protected]>
Subject: Re: [Astlinux-users] Access webinterface over http and https

On Sep 28, 2016, at 6:48 AM, Michael Keuter <[email protected]> wrote:

>
>> On 28.09.2016 at 13:35, Stefan Ulm <[email protected]> wrote:
>>
>> Hi all,
>>
>> for our customers would be easier to access the webinterface for
>> configuration over http.
>> In parallel for us from remote and for CLI-usage we require access to https
>> in parallel.
>>
>> Is it possible to access over http and https in parallel to the webinterface?
>> We use no internal LAN-Port, so the apu2 is a simple network device
>> in the local network (no routing, no firewall over astlinux on apu2
>>
>> Best regards
>>
>> Stefan Ulm
>> Technical Department | Research & Development [email protected]
>
> Hi Stefan,
>
> for security reasons I would strongly advise not to use http for accessing
> the webinterface.
> There might be unknown bugs in the used libraries or applications (client or
> server side).
> You theoretically could have unknown malware in your internal network as well.
>
> And all for a bit more comfort.
> You should educate your customer instead :-).
>
> Michael
> http://www.mksolutions.info

I agree with Michael, without HTTPS the 'admin' credentials are not secure.

In this day and age of half-baked (or intentionally malicious) IoT devices, the LAN is not as safe as it once was presumed.

Out of curiosity: Is explaining to the user with a web browser how to trust the self-signed certificate in AstLinux the problem?

But to answer your question, you can enable HTTP support for the web interface:

Network tab ->
--
HTTP Server Directory: /stat/var/www
HTTP Server Options: _x_ HTTP CGI
--
(reboot to apply)

But, if you don't fully qualify the URL, ex: http://pbx/ it will redirect you to HTTPS

(redirect to HTTPS)
pbx ~ # curl -LIk http://pbx/
--
HTTP/1.1 302 Found
X-Powered-By: PHP/5.6.25
Location: https://pbx/status.php
Content-type: text/html; charset=UTF-8
Date: Wed, 28 Sep 2016 12:43:08 GMT
Server: lighttpd/1.4.41

HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.25
Content-Type: text/html; charset=utf-8
Date: Wed, 28 Sep 2016 12:43:08 GMT
Server: lighttpd/1.4.41
--

(no redirect, uses HTTP)
pbx ~ # curl -LIk http://pbx/status.php
--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.25
Content-Type: text/html; charset=utf-8
Date: Wed, 28 Sep 2016 12:43:59 GMT
Server: lighttpd/1.4.41
--

Lonnie

PS: Since you are using an APU2 with three interfaces, why not (at least as an option) allow your product to also act as a gateway device (firewall enabled and two other NIC's are internal LAN's) so it would protect itself from the pre-existing LAN environment as well as protect other possible DIVUS products.

------------------------------------------------------------------------------
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to [email protected].
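Added example, not part of the original thread or of AstLinux: a small Python check that reads the header dump printed by `curl -LIk <url>`, follows the Location headers the way curl did, and reports whether the page was finally served over plain HTTP. The function names are hypothetical, and the two sample dumps are abridged from the curl output quoted in Lonnie's message.

```python
import re
from urllib.parse import urljoin, urlsplit

# Sample input, abridged from the two curl dumps quoted in the thread.
BARE_URL_DUMP = """\
HTTP/1.1 302 Found
Location: https://pbx/status.php
Server: lighttpd/1.4.41

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: lighttpd/1.4.41
"""

FULL_PATH_DUMP = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: lighttpd/1.4.41
"""

def parse_responses(dump):
    """Split a `curl -I` dump into one (status_code, headers) pair per response."""
    responses = []
    text = dump.replace("\r\n", "\n").strip()
    for block in re.split(r"\n\s*\n", text):
        lines = block.split("\n")
        if not lines[0].startswith("HTTP/"):
            continue  # skip prompt lines or separators pasted with the dump
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        responses.append((status, headers))
    return responses

def final_url(start_url, dump):
    """Apply each 3xx Location in order; return the URL that answered last."""
    url = start_url
    for status, headers in parse_responses(dump):
        if 300 <= status < 400 and "location" in headers:
            url = urljoin(url, headers["location"])  # handles relative Locations
    return url

def served_in_clear(start_url, dump):
    """True when the last response came over plain HTTP (no HTTPS redirect)."""
    return urlsplit(final_url(start_url, dump)).scheme != "https"
```

Run against each URL a customer is likely to type or bookmark, `served_in_clear` returning True marks a path where the 'admin' login would travel unencrypted.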
