
Can't control the address the Admin lighttpd is listening on; it's on all alias IP addresses, too

Open noseshimself opened this issue 3 years ago • 7 comments

Describe the bug There is no way to restrict the admin httpd server to only one address. All I can select is an interface and that way it is squatting on all virtual IP addresses on that interface, too.

To Reproduce See https://proxy.mh.gerstel.com/system_advanced_admin.php

You can restrict it to an INTERFACE but not an ADDRESS

Expected behavior Exactly what is to be expected. But this is not what SHOULD be possible (e.g. use alias addresses for port forwarding with NAT so a remote server can be made to look like an internal server).

Describe alternatives you considered Stopping the web administration interface completely. Stupid. Modify the service configuration by hand every time the server is rebooted. Stupid. Write a bug report. Done.

Environment It's like that on every OPNsense system in the vicinity so I guess it was there forever.

noseshimself avatar May 30 '22 15:05 noseshimself

Instead of reporting spurious bugs you could just ask how to achieve what you want. There are a number of ways to do this properly. 😉

fichtner avatar May 30 '22 15:05 fichtner

Ok, how do I configure the lighttpd server in a way to listen to only the dedicated IP address for administration?

I still consider this not easily done exactly in this place a POLA ("see Principle of Least Astonishment") violation as this is the exact place I would expect this to be found.

noseshimself avatar Jun 02 '22 12:06 noseshimself

Bind to loopback interface, use NAT to port forward. Done :)

fichtner avatar Jun 02 '22 13:06 fichtner

Bind to loopback interface, use NAT to port forward. Done :)

How many additional options for breaking things is this giving me? I already hated doing these things on Cisco routers because when the brown mass hit the rotating parts, panicking administrators have a tendency not to remember. There are good reasons for the KISS principle.

noseshimself avatar Jun 06 '22 22:06 noseshimself

I'm unsure if you are still seeking support or if this ticket can be closed?

fichtner avatar Jun 07 '22 06:06 fichtner

@noseshimself why not check the "Disable administration anti-lockout rule" (Firewall/Settings/Advanced) and then configure your own firewall rule allowing access only to the IP address you want to use? Technically your web GUI would still be bound to multiple IPs, but it would only be accessible through one of them?

g-a-c avatar Jul 14 '22 06:07 g-a-c
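Both suggestions in this thread (bind the GUI to loopback and port-forward to it, or leave it bound everywhere and restrict reachability with firewall rules once the anti-lockout rule is disabled) come down to a handful of pf rules. The fragment below is an added illustration in plain pf.conf syntax, not rules generated by OPNsense or written by anyone in this thread; the interface name em0, the addresses 192.0.2.10/.11/.12 and the network 10.0.0.0/24 are constructed placeholders.

```pf
# Constructed example, not OPNsense-generated configuration.
# Assumed names: em0 = LAN interface, 192.0.2.10 = the single address the
# admin GUI should answer on, 192.0.2.11 and .12 = alias addresses reserved
# for NAT to DMZ hosts, 10.0.0.0/24 = the administrators' network.
lan_if      = "em0"
admin_addr  = "192.0.2.10"
admin_net   = "10.0.0.0/24"
alias_addrs = "{ 192.0.2.11, 192.0.2.12 }"

# Option A: GUI listens on 127.0.0.1:443 only (Listen Interfaces = Localhost).
# Expose it on the one administrative address with a port forward; pf filters
# on the translated destination, so the pass rule names 127.0.0.1.
rdr on $lan_if proto tcp from $admin_net to $admin_addr port 443 -> 127.0.0.1 port 443
pass in quick on $lan_if proto tcp from $admin_net to 127.0.0.1 port 443

# Option B: GUI stays bound to every address on the interface, but only the
# admin network may reach it, and only on $admin_addr. The alias addresses
# still receive connections on 80/443, so drop those explicitly. Needs the
# anti-lockout rule disabled, otherwise it keeps allowing GUI access on all addresses.
block in quick on $lan_if proto tcp to $alias_addrs port { 80, 443 }
pass in quick on $lan_if proto tcp from $admin_net to $admin_addr port 443
```

With option A the service itself no longer owns the alias addresses, so a later NAT rule for 192.0.2.11 cannot collide with the GUI; with option B the collision is still there at the socket level and is only masked by the filter, so the alias rules and the block rule have to stay consistent. In either case, confirming the result with sockstat -4l (option A should show lighttpd on 127.0.0.1 only) and a connection attempt to an alias address from the admin network is the check worth doing before trusting it.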

Because I want to avoid involuntary in-the-foot-shooting when changing firewall rules on a firewall machine. And the client I implemented this specific DMZ for is using OPNsense appliances (real, hardware-based ones Deciso is earning money on) in a "one per service" setup (with an extra device just running squid, another one for OpenVPN and several as DNS servers) to have the same UI all over the place. If it was not for this reason I would have the web proxy that is causing this headache on something much cheaper with firewalld in front of it.

noseshimself avatar Jul 20 '22 13:07 noseshimself

This issue has been automatically timed out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Nov 26 '22 15:11 OPNsense-bot