[LEDE-DEV] uhttpd/luci authentication using SSL client certificates
Arjen de Korte
arjen+lede at de-korte.org
Mon Aug 28 04:34:45 PDT 2017
Quoting Simon Wunderlich <sw at simonwunderlich.de>:
> Hi guys,
>
> we would like to use SSL client certificates to authenticate to an
> OpenWRT/LEDE router using UHTTPD/LUCI. We use a private PKI/certificate
> chain and would only like to admit users to the WebUI which present a
> valid SSL client certificate through their web browser.
>
> I've found a note in the OpenWRT wiki [1] which looks like this should be
> possible in theory. Has anyone ever done this, and/or can give me some
> pointers? Would this be possible with uhttpd, or should I switch to a
> different webserver?

I don't think uhttpd can do this on its own (being a fairly
lightweight webserver). I don't know how others do this, but I reverse
proxy connections to the router through an Apache server I have
running anyway. The router only allows connections from the proxy.
This will allow you to do whatever authentication you desire (in
Apache), possibly using an existing authentication you might use for
your webserver. In my case I don't even bother to use encryption for
the webserver-router connection, since the webserver is plugged in
directly on a port of the router in its own dedicated VLAN (if someone
is able to tap into that connection, I have bigger problems to worry
about).

> Thank you!
> Simon
>
> [1] https://wiki.openwrt.org/doc/howto/secure.access#webui, at the bottom it
> says "to do: indicate how mandatory client certificate checking could be set
> up"
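
The reverse-proxy arrangement described in the reply above, sketched as an Apache 2.4 virtual host that only admits browsers presenting a certificate from the private CA. This is an added example, not configuration from either poster; the hostname, file paths and the router address 192.168.99.1 are placeholders.

```apache
# Added example. Requires mod_ssl, mod_proxy and mod_proxy_http.
# Hostname, paths and the router address are placeholders.
<VirtualHost *:443>
    ServerName router-admin.example.org

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/proxy.crt
    SSLCertificateKeyFile /etc/apache2/ssl/proxy.key

    # Private PKI: only client certificates chaining to this CA verify.
    SSLCACertificateFile  /etc/apache2/ssl/private-ca.crt

    # "require" fails the TLS handshake when the browser presents no
    # certificate or one that does not verify. "optional" would let
    # unauthenticated requests through to the proxy rules below.
    SSLVerifyClient require

    # Depth 1: the client certificate must be signed directly by a CA in
    # the file above. Raise this if the PKI uses intermediate CAs.
    SSLVerifyDepth 1

    # Reject revoked certificates. The CRL must exist and be kept current,
    # otherwise verification fails for every client.
    SSLCARevocationFile  /etc/apache2/ssl/private-ca.crl
    SSLCARevocationCheck chain

    # Record which certificate subject made each request.
    CustomLog /var/log/apache2/router-admin.log "%h %{SSL_CLIENT_S_DN}x \"%r\" %>s"

    # Reverse proxy only, never a forward proxy.
    ProxyRequests Off

    # Plain HTTP to the router, as in the reply: this hop is unencrypted and
    # relies on the dedicated VLAN between proxy and router.
    ProxyPass        / http://192.168.99.1/
    ProxyPassReverse / http://192.168.99.1/
</VirtualHost>
```

The certificate check only protects the WebUI if the router accepts HTTP connections from the proxy's address alone, as the reply describes; LuCI's own login behind the proxy is unchanged.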