
How to turn off the default home page or web service?

Open he852100 opened this issue 6 years ago • 24 comments

The SoftEther VPN Server service has been started.

Let's get started by accessing to the following URL from your PC:

https://xxx:5555/ or https://xxx/

Note: IP address may vary. Specify your server's IP address. A TLS certificate warning will appear beca

Capture+_2019-08-02-16-08-58

he852100 avatar Aug 02 '19 08:08 he852100

Bump. I also have this question. I tried setting DisableJsonRPCWebApi to true, but that only disables the API and admin subdirectories. There's a need to disable this page, else everyone knows SoftEther is running on the server and introduces security risks.

danyhm avatar Aug 10 '19 16:08 danyhm

Changing the following line to return NULL will disable the web page completely.

https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/blob/a81e4c2eb89896d3d12fd477bab90922eb79d843/src/Cedar/Protocol.c#L7305

I am going to add the switch to realize it on the public source code, but you can do it now in your computer.

dnobori avatar Aug 11 '19 04:08 dnobori

@dnobori Thank you very much. Will the next version contain the config parameters?

Edit: I checked the code and it seems that if it returns null, the HTTP response is a forbidden page. Is it possible to completely disable the HTTP response? Like there's no HTTP server running at all.

danyhm avatar Aug 11 '19 07:08 danyhm

Very interesting feature. I searched a random search and found several websites.

he852100 avatar Aug 12 '19 12:08 he852100

There is a workaround, I can't shut down the web server, but I am able to replace the default welcome page, so that your server won't be identified and blocked by your government.

  1. Open your softether install directory
  2. create hamcore/wwwroot folder
  3. put your customized index.html into that folder
  4. restart vpn service

EdiWang avatar Aug 16 '19 14:08 EdiWang

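Disabling HTTP is necessary. Won't it compete with httpd for resources? This server also broadcasts on all listening ports (443, 992, 1192, 5555). Being attacked is inevitable, and the attacks come from all over the world.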

he852100 avatar Aug 18 '19 02:08 he852100

@dnobori please add the config parameters (like there's no HTTP server running at all) in the next version. Thank you.

zhangzhezh avatar Aug 30 '19 16:08 zhangzhezh

Of course!

dnobori avatar Aug 30 '19 23:08 dnobori

There is a workaround, I can't shut down the web server, but I am able to replace the default welcome page, so that your server won't be identified and blocked by your government.

  1. Open your softether install directory
  2. create hamcore/wwwroot folder
  3. put your customized index.html into that folder
  4. restart vpn service

I tried this but it also broke the RPC interface which we use for internal automation.

unklstewy avatar Jan 08 '21 22:01 unklstewy

Of course!

@dnobori, has this been implemented yet, if so which build/version?

Best Regards, Casey A.

unklstewy avatar Jan 08 '21 22:01 unklstewy

@dnobori the code has been implemented, but even with DisableJsonRPCWebApi the internal ip address and port of the server are displayed to everyone on internet in the forbidden response

image

Is it possible not to even answer to the request with forbidden when DisableJsonRPCWebApi is set to true ?

I mean change the 6031 row to

if (server->DisableJsonRpcWebApi == false)
       HttpSendForbidden(c->FirstSock, h->Target, "");

?

fededim avatar Jun 11 '21 10:06 fededim
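
A defender-side check for the disclosure described in the comment above, added here as an example that is not part of the thread or of SoftEther's code: it parses a raw HTTP reply taken from your own listener and flags private addresses, port numbers and the product name. The sample reply, `audit_response` and its field names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample shaped like the 403 reply described in the thread; it is
# not a capture from a real server, and the address and port are placeholders.
SAMPLE_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n\r\n"
    b"<html><body><h1>Forbidden</h1>\n"
    b"<address>HTTP Server at 10.0.3.17 Port 5555</address></body></html>"
)

IPV4_RE = re.compile(rb"(?<!\d)\d{1,3}(?:\.\d{1,3}){3}(?!\d)")
PORT_RE = re.compile(rb"\bport\s+(\d{1,5})\b", re.IGNORECASE)
PRODUCT_RE = re.compile(rb"softether", re.IGNORECASE)


def audit_response(raw: bytes) -> dict:
    """Report what a raw HTTP reply from your own listener reveals."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n")[0].split()
    # A silently closed connection yields no bytes, hence no status line.
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None

    private_ips = []
    for token in IPV4_RE.findall(raw):
        try:
            addr = ipaddress.ip_address(token.decode("ascii"))
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            continue
        if addr.is_private and str(addr) not in private_ips:
            private_ips.append(str(addr))

    ports = sorted({int(p) for p in PORT_RE.findall(body) if int(p) <= 65535})
    product = bool(PRODUCT_RE.search(raw))
    return {
        "status": status,
        "private_ips": private_ips,
        "ports": ports,
        "product_marker": product,
        "leaks": bool(private_ips or ports or product),
    }


if __name__ == "__main__":
    print(audit_response(SAMPLE_403))
```
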

@fededim I think this will do the trick.

https://github.com/SoftEtherVPN/SoftEtherVPN/blob/4b05de1a9342e59c78d9d4698397990f4476413f/src/Cedar/Admin.c#L1323-L1337

diff --git a/src/Cedar/Admin.c b/src/Cedar/Admin.c
index 667e9344..b77609aa 100644
--- a/src/Cedar/Admin.c
+++ b/src/Cedar/Admin.c
@@ -1322,18 +1322,8 @@ void JsonRpcProcGet(CONNECTION *c, SOCK *s, HTTP_HEADER *h, char *url_target)

        if (reply_sent == false)
        {
-               BUF *html_buf = ReadDump("|vpnserver_api_doc.html");

-               if (html_buf != NULL)
-               {
-                       AdminWebSendBody(s, 200, "OK", html_buf->Buf, html_buf->Size, "text/html; charset=UTF-8", NULL, NULL, h);
-
-                       FreeBuf(html_buf);
-               }
-               else
-               {
-                       AdminWebSend404Error(s, h);
-               }
+               AdminWebSend404Error(s, h);
        }

        if (a->LogFileList != NULL)
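
Review bot: The `+AdminWebSend404Error(s, h);` replacement in `JsonRpcProcGet` is unconditional, so every build loses the `|vpnserver_api_doc.html` page, including deployments that leave the JSON-RPC web API enabled and rely on it. Consider keeping the `ReadDump` branch and taking the 404 path only when a server-side switch asks for it, so the default behaviour is unchanged. The hunk also leaves the blank line after the opening brace in front of the new call; dropping it would keep the block tidy.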

metalefty avatar Jun 11 '21 13:06 metalefty

@metalefty Hmm I am not an expert of Softether code but your code seems to be relative to JsonRpc which should not be my case since by setting DisableJsonRpcWebApi to true it should already be bypassed. I do not know if my change is enough, maybe I should add "else return false;" e.g.

if (server->DisableJsonRpcWebApi == false)
       HttpSendForbidden(c->FirstSock, h->Target, "");
else
       return false;

It would be useful to close directly the socket when the request is not one of the activated VPN protocols without returning any data, neither 403 nor 404, but let's wait for an answer from @dnobori.

fededim avatar Jun 11 '21 14:06 fededim

Is there any update on this? Creating /homcore/wwwroot changes the page, but after this, GUI managers no longer work and cannot connect to a server. Connecting via socks5 proxy or split tunnel failed too.

shakibamoshiri avatar Dec 24 '22 08:12 shakibamoshiri

There is a workaround, I can't shut down the web server, but I am able to replace the default welcome page, so that your server won't be identified and blocked by your government.

  1. Open your softether install directory
  2. create hamcore/wwwroot folder
  3. put your customized index.html into that folder
  4. restart vpn service

GOD PLZ, YOU R THE ONE! THANK U!

236212005 avatar Jan 06 '23 05:01 236212005

There is a workaround, I can't shut down the web server, but I am able to replace the default welcome page, so that your server won't be identified and blocked by your government.

  1. Open your softether install directory
  2. create hamcore/wwwroot folder
  3. put your customized index.html into that folder
  4. restart vpn service

BTW, DUDE DO U KNOW HOW TO DEPLOY SSL-CERTIFICATES?

236212005 avatar Jan 06 '23 05:01 236212005

Is there any update on this? Creating /homcore/wwwroot changes the page, but after this, GUI managers no longer work and cannot connect to a server. Connecting via socks5 proxy or split tunnel failed too.

Through socks5 it is possible to access, but another issue I found is that in a double VPN scenario the cascade connection on hop-1 fails :(

shakibamoshiri avatar Jan 06 '23 06:01 shakibamoshiri

There is a workaround, I can't shut down the web server, but I am able to replace the default welcome page, so that your server won't be identified and blocked by your government.

  1. Open your softether install directory
  2. create hamcore/wwwroot folder
  3. put your customized index.html into that folder
  4. restart vpn service

BTW, DUDE DO U KNOW HOW TO DEPLOY SSL-CERTIFICATES?

follow

  • ./vpncmd
  • select 1 (server management)
  • ServerCertSet
    • first prompt: provide path for your cert file
    • second prompt: provide path for your private key file
  • ^D

shakibamoshiri avatar Jan 06 '23 07:01 shakibamoshiri

1- Stop vpnserver
2- Edit vpn_config file
3- Set DisableJsonRpcWebApi to true
4- Start vpnserver

danyhm avatar Jan 06 '23 07:01 danyhm

@dnobori the code has been implemented, but even with DisableJsonRPCWebApi the internal ip address and port of the server are displayed to everyone on internet in the forbidden response

image

Is it possible not to even answer to the request with forbidden when DisableJsonRPCWebApi is set to true ?

I mean change the 6031 row to

if (server->DisableJsonRpcWebApi == false)
       HttpSendForbidden(c->FirstSock, h->Target, "");

?

This is a very dangerous issue. Can we get a config option like "server_tokens off;" for nginx?

jackytsu avatar Apr 20 '23 01:04 jackytsu

Of course!

Hello @dnobori Is it done or not yet?

itsKV avatar Jun 11 '23 06:06 itsKV