problem accesing AC87 web gui through gninx

[djrm]

Hi everyone,

I'm setting a gninx proxy at home mainly to secure devices with no https support like cams and it works ok, however, trying to add a location for the router I'm able to reach the web gui, but the login doesn't work at all, even if I try to login without user and password the gui don't say the typical message " Invalid username or password" which is showed if I try the same login without the proxy.

Is there anyone who could help me to fix this issue?

This is what I have in the site conf file for your reference:

server {
    listen 8000 ssl ;
    access_log      /var/log/nginx/example.access.log;
    error_log       /var/log/nginx/example.error.log;
    server_name     example.com;
    location  / {
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $host;
            proxy_pass http://192.168.250.1:80/;
            proxy_read_timeout      90s;

}

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # man$
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # m$
}

Thanks in advance

 

[djrm]

OK, I have tested the same in a AC88U and works, so something should be different in these 2 routers....
@RMerlin , do you know if the login GUI is different in these 2 models? may be a different config of httpd?

Thanks

 

[RMerlin]

The login code is the same for all models.

BTW, proxying will create problems. I experimented with haproxy myself these past few days. It greatly improves SSL performance of the webui, however it conflicts with Asus's authentication scheme, as all clients will appear to come from the router's own IP. This means if two clients connect at the same time, the second client will kick out the first client, rather than display an error message that someone is already logged in.

 

[djrm]

The login code is the same for all models.

BTW, proxying will create problems. I experimented with haproxy myself these past few days. It greatly improves SSL performance of the webui, however it conflicts with Asus's authentication scheme, as all clients will appear to come from the router's own IP. This means if two clients connect at the same time, the second client will kick out the first client, rather than display an error message that someone is already logged in.

Well, there is an option in nginx to get the real ip from the client, so the proxy_pass send in the header the real ip instead. I'm configuring this reverse proxy not for improve the performance, but for security purposes as router would not be directly exposed to the wan, just accessed through the proxy in the lan.
Will keep looking on this to see if found any way to sort it out.

Thanks

 

[RMerlin]

Well, there is an option in nginx to get the real ip from the client, so the proxy_pass send in the header the real ip instead.

That won't work, because Asus's httpd ignores that header. It only works if you have a "real" web server in your backend, and you can have it parse that header when generating access logs.

 

[djrm]

That won't work, because Asus's httpd ignores that header. It only works if you have a "real" web server in your backend, and you can have it parse that header when generating access logs.

Thanks for this info and yep I have tried lot of different approaches and still unable to get it working for AC87 so will leave it