Possible to redirect HTTP/80 Webinterface to HTTPS/443?

Discussion in 'Tomato Firmware' started by philess, Feb 12, 2013.

  1. philess

    philess Networkin' Nut Member

    Hey everyone,

    just wondering if it is possible and how to redirect all access to the Tomato Webinterface on port 80 to
    443 instead? I figure webservers like Apache have such "options" but i have no clue how that would
    on Tomato tho. It would be a tiny nice to have thing for customers who are too "dumb" to
    access port 443 directly, i would like to have them use only HTTPS without having to tell them
    over the phone what URL exactly to type in the browser... in case of emergencies etc.

    Using 9013.R1.1 VicTek mod btw.

    Any clues?
  2. gfunkdave

    gfunkdave LI Guru Member

    Using "https" in the url automatically connects on 443.

    If you mean redirecting an incoming http connection to https on 443, I don't think you can do it without rebuilding the webserver.
  3. koitsu

    koitsu Network Guru Member

    Your question makes sense yet does not make sense. Please read what I've written carefully.

    The http URI scheme implies TCP port 80 unless overridden (i.e. http://blah.com:1111/ for TCP port 1111)

    The https URI scheme implies TCP port 443 unless overridden (i.e. https://blah.com:12345/ for TCP port 12345)

    You cannot on Tomato redirect the HTTP interface to HTTPS, at least not natively. The only way to do this is to do what gfunkdave said -- you would have to modify the built-in webserver code to return an HTTP Location header of https://router/ when an incoming connection was on TCP port 80.

    As I'm sure someone will try to recommend this, I'll tell you up front: you cannot redirect it with iptables rules either (i.e. redirecting TCP port 80 to TCP port 443) because the URI scheme entered by the user into their browser won't match the protocol (i.e. they enter http://router/ which has an iptables rule set up to redirect TCP port 80 --> 443; their browser spits back weird cryptic errors because the webserver is sending back encrypted (HTTPS) traffic while the browser expects non-encrypted (HTTP) traffic).

    Otherwise, if you wanted to run an HTTPS server on port 80, you would have to tell your customers to visit https://router:80/ -- ask yourself which is easier: telling them "https colon slash slash router" or "https colon slash slash router colon eight zero"? Which is less likely to cause confusion?

    My advice is to step up to the plate and teach your users. As said, this is part of providing support, whether you like it or not. It's obvious you already have Local Access set to HTTPS under Administration -> Admin Access, and now you're wanting to cater to end user mistakes. Don't cater to mistakes -- instead, teach people to do the Right Thing.
  4. philess

    philess Networkin' Nut Member

    Thanks for the great replies!

    @koitsu Of course i understand that i cannot mix ports and url schemes... I just thought it would be nice
    to just tell people to enter a hostname in the browser without having to type either, https or :443.
    Because the browser defaults to http:// and port 80 of course, and then if the webserver at :80 would
    redirect to a https at :443 that would be nice to have :) Quite idiot proof i guess.

    Sure tho, nothing really important and not worth recompiling the webserver or w/e, i just
    thought it would be quite simple with a redirect file etc.
  5. koitsu

    koitsu Network Guru Member

    You're welcome to write the code for this; it would require modifying the webserver that's built in to Busybox to behave as I described above (for visits to TCP port 80, returning an HTTP Location: header of https://whatever).

    I'm not sure where you got the idea there is a "redirect file" that will do this for you -- there is no such thing. Busybox httpd does support a configuration file (such is not used on Tomato/TomatoUSB), however the config file format does not support HTTP headers nor redirection (you're welcome to write the code!). It supports transparent proxying but that is not what you want -- you want actual redirection to ensure use of HTTPS/SSL.

    In Tomato/TomatoUSB, there is some basic .asp support, however there is no index.asp so I don't know what the "initial" document is that's fetched for the main page. If the .asp support has the ability to examine environment variables and inject HTTP headers, then yes, you could make an .asp equivalent that would check the REQUEST_URI and SERVER_PORT (whatever the .asp equivalents of those are, if they're provided by Busybox's httpd to begin with -- I don't know, I don't do .asp), then issue an HTTP Location header of https://router/

    Remember: this is an embedded firmware designed with very different goals and limits in mind; it doesn't run, say, Apache.

    The Busybox httpd source is here: http://git.busybox.net/busybox/tree/networking/httpd.c?h=1_13_stable -- but I have no idea if that's the version used in "9013.R1.1 VicTek mod".

    The send_headers() function does offer the ability to pass it the numeric 302 (or more specifically HTTP_MOVED_TEMPORARILY) and have it inject an HTTP Location: header for you. You'll need to spend some time looking at the source. Remember: it's not as simple as just throwing a redirect call in there, because you'll need to compare SERVER_PORT (speaking in CGI terms here; I'm sure there is an internal variable within httpd that tracks this) against 80.

    Good luck.
  6. jerrm

    jerrm Network Guru Member

    If Tomato used busybox httpd, it would be pretty trivial, start an instance listening on port 80 with either a cgi shell script outputting a Location header, or if busybox httpd doesn't respond to the Location header, just serve up a simple html page with a refresh meta tag.

    Tomato's httpd is a custom creation with a lot of hard coded functionality and little general purpose flexibility. I don't even think you can set an alternate root, not sure there is any way to have unauthenticated access to anything.
  7. koitsu

    koitsu Network Guru Member

    Use of <meta http-equiv="refresh"> will result in me publicly boycotting whatever firmware uses it. Surely you've had the "joy" of battling with your web browser when visiting web pages and having to click the Back button faster than the browser redirects you, just to get back to where you want -- you can thank Javascript redirections and <meta> redirections for that. Even the W3C has publicly denounced its use. Don't use <meta> to do redirections ever. Use proper HTTP status codes along with the HTTP Location: header. That's what it's for.
    I was under the impression it was Busybox httpd with some kind of offloaded .asp handler or modified to have mild asp support. Where does the source to the daemon live so I can look at it and provide an updated recommendation for philess?
  8. jerrm

    jerrm Network Guru Member

    If it were the firmware doing it, I'd agree - it's why I mentioned Location first. But for a rarely used purpose - make it easier to walk someone though it over the phone, fit it into the gui init script, and not have to use jffs/usb/entware/etc - I could live with it. If you're really against it, just serve up a link to the https site. It's all academic at this point.

    I just looked at it in from the git browser interface - http://repo.or.cz/w/tomato.git/tree...602665092bc8c97875a:/release/src/router/httpd. Looks like it started life as "micro_httpd/mini_httpd," but I'm not sure how much of the original is left. It is very Tomato specific, directly reading from nvram, etc.
  9. koitsu

    koitsu Network Guru Member

    Thanks jerrm, I'll take a look at the source code. *sigh* Too many httpd-related bits laying around in this mess of a firmware at this point, and can't clean them all up due to the inability to read out to Zarate to find out what the licensing rules are with his stuff. I'll look at the code when I have time.
  10. philess

    philess Networkin' Nut Member

    Just for future reference, i managed (ended up) doing this with installing lighttpd on port 80 and redirecting to Tomato on 443.
    This may not be very awesome, but if the router has just tiny bit of CPU/RAM/FLASH left, it can be worth it for some people.

    Very simple how-to:

    Make sure you have TomatoUSBĀ“s webinterface set to HTTPS ONLY.

    Install Optware

    Install lighttpd and mod-redirect:
    opkg install lighttpd lighttpd-mod-redirect
    Stop lighttpd:
    /opt/etc/init.d/S80lighttpd stop
    Edit the configfile at /opt/ect/lighttpd/lighttpd.conf like this:

    Below the "server_modules" paste this:
    server.modules = (
    At the very bottom, paste this:
    # redirect all HTTP access to HTTPS
    $HTTP["scheme"] == "http" {
        # capture vhost name with regex conditiona -> %0 in redirect pattern
        # must be the most inner block to the redirect rule
        $HTTP["host"] =~ ".*" {
            url.redirect = (".*" => "https://%0$0")
    Save the configfile. Check the configfile for errors:
    lighttpd -t -f /opt/lighttpd/lighttpd.conf
    It should return "Syntax OK".

    Start lighttpd and try to access your router at (or whatever the IP is obviously).
    lighttpd -f /opt/lighttpd/lighttpd.conf
    It should redirect automatically to https://

    To have lighttpd start automatically when the router (re)boots, add this to Scripts/Init:
    sleep 10
    /opt/etc/init.d/S80lighttpd restart
  11. RMerlin

    RMerlin Network Guru Member

    One method would be to create a folder in /jffs, put a single index.asp there that has a redirect meta, and manually launch an httpd instance from that folder, i.e.:

    cd /jffs/redir-www/
    httpd will serve pages from its current default directory, hence the need for cd.

    On the webui, make sure you only start it from https. That other instance you just launched through an init script will serve only that redirection page.

    That technique means you could in theory have different versions of the web interface served on different ports. No need for any Optware package. :)
    crashnburn likes this.
  12. philess

    philess Networkin' Nut Member

    Good idea RMerlin! Thanks for that hint. But now its too late, already got it running like this
    and also, i dont really want to get into ASP stuff etc :) lazy wins.
  13. RMerlin

    RMerlin Network Guru Member

    ASP in this case has nothing to do with Microsoft's scripting. It reflects the special Javascript backend used by these routers to interface the webui with the firmware. The page can contain your normal Javascript and HTML.
    crashnburn likes this.
  14. Elfew

    Elfew Network Guru Member

    so it could fix the problem with HTTPS access to the router via browser?
  15. jerrm

    jerrm Network Guru Member

    In what little testing I did, the default file had to be named "status-overview.asp," not a big deal -- but it always required a password, which would have to be re-entered once redirected to https. Not really a good solution if the purpose is to simplify access.

    Edit: This was on Shibby, not sure if other flavors are different.
    philess likes this.
  16. Elfew

    Elfew Network Guru Member

    it is fixed in victek raf last beta
    philess likes this.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice