redirect HTTP webui to HTTPS

[Laxarus]

Hello,
384.19
I wanted to tinker with this but couldn't manage to get it working.

For local access, if the "Authentication Method" method is only HTTPS

AiCloud is off.
HTTP Lan port: 80
HTTPS Lan port: 443

but when I enter http://192.168.1.1, it doesn't redirect me to https page instead it gives error. I have to manually enter https://192.168.1.1 to access webui.

Is there any automatic redirect feature for http requests?

 

[Agoldstein54]

i dont think so within the GUI, but i do know that there is a feature on certain browsers, or at least apps you can download that force https "everywhere". but frankly id recommend just making a bookmark for the right URL

 

[Linux_Chemist]

What's your browser? For what it's worth, Firefox (at least the latest alpha, I can't speak for other versions) has an option in settings under Privacy and Security called HTTPS-only mode. You can also set it via about:config.Set it as on for all windows and your issue disappears. (It's actually very useful now and can do away with https-everywhere and other variant addons/webextensions.)

If you load up anything on http like your http://192.168.1.1 it will redirect you automatically to https so long as you are indeed using 80 for http and 443 for https. On the otherhand, If you encounter a site that you need http for (say the https version doesn't exist like explosm.net), you get a popup like this (see attached) and can click "Continue to http site" to view it as normal

 

[Laxarus]

Hmm, thanks for the clarifications. I gather this feature is not natively supported by merlin fw. It would have been nice to have it instead of tweaking the browser. There is also "HTTPS Everywhere" addon for browsers if I want to go through that route.

 

[Linux_Chemist]

I find the whole thing incredibly fiddly tbh. I want httpd to not even bother creating an http instance, but it insists on coming back even if killed.
I would love a project switching everything over to lighttpd or rip it all out and just switch to being able to change all settings and updating the firmware exclusively over ssh.

Bottom line is, if you enter http and want https, I think that's a browser level issue... Although.......I wonder what would happen...well, I can't see all the repercussions of this , but you could do this command on your router. It assumes the interface for your local stuff is br0 (it may not be):

iptables -t nat -A PREROUTING -i br0 -d 192.168.1.1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:443

This will make any connections over tcp port 80 to the router from your LAN be redirected to your router on port 443 instead (assuming I wrote that right).
This is probably a terrible idea - browser is the way to go - because if you have something that relies on you accessing port 80 on the router, that's gonna force 443 and stop you, BUT, if you don't have anything using 80, it'll work and it's one suggestion (If it works, we'll find somewhere to put this command so it survives the router rebooting).

EDIT: It probably won't work actually, http won't magically change to https in transit, nevermind. Browser it is

 

[Agoldstein54]

Hmm, thanks for the clarifications. I gather this feature is not natively supported by merlin fw. It would have been nice to have it instead of tweaking the browser. There is also "HTTPS Everywhere" addon for browsers if I want to go through that route.

i actually used to use that extension, but i also used to use a separate ad blocker extension. however, i decided to scrap both of those and i switched to adguard, the full app which functions on the whole OS not just browser which is paid. it combines all those features and in my opinion very worth it because you can ad multiple filters from various sources, all sorts of stuff. just fyi

 

[Laxarus]

iptables -t nat -A PREROUTING -i br0 -d 192.168.1.1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:443

That is what I was thinking of doing. Making a script with an iptables command. Though like you I am also suspicious how it will change http to https.

For example, synology has an option to redirect traffic to https. I was looking for something similar.

How to use iptables in linux to forward http and https traffic to a transparent proxy

I have a Ubuntu linux system acting as a gateway system with two interfaces on it. One interface is for the local network and one interface is for the internet. I am able to route traffic through i...

stackoverflow.com

i actually used to use that extension, but i also used to use a separate ad blocker extension. however, i decided to scrap both of those and i switched to adguard, the full app which functions on the whole OS not just browser which is paid. it combines all those features and in my opinion very worth it because you can ad multiple filters from various sources, all sorts of stuff. just fyi

I also use adguard home on raspi 4 hassos and I agree with you.

 

[gattaca]

^^^^ Yeap. As an enhanced security measure (and to pass port scan audits) we disabled all traffic on port 80 and only allow 443 on a server level - that way it's not even listening. I recall doing this years ago in standard linux setups running apache... but that's long since evaporated. I sort of thought by changing the GUI setup to only use HTTPS, that might have done it but I never checked to see if it was still running on port 80. I guess you are saying it is.. even on the LAN. IDK how to do this for these router setups.