
I have an ASUS RT-AC5300 router with Merlin firmware. I installed Entware on it, then followed this article to install lighttpd: Lighttpd-web-server-with-PHP-support-through-Entware
So the web server works fine through http, but after adding a section to the lighttpd.conf file and trying to restart the web server, it doesn't start up.
This article: Enabling_https_via_SSL says that I need to add this section to the config file:

$SERVER["socket"] == ":443" {
  ssl.engine                  = "enable"
  ssl.pemfile                 = "/opt/etc/lighttpd/certs/lighttpd.pem"
}

After I added that section and restarted the web server, it doesn't respond on http either now. The browser shows an error "ERR_CONNECTION_REFUSED".
I don't understand what $SERVER means in this config file. I have a feeling that it's a variable that is not defined in my case.
The certificate file .pem I created on my Mac, and placed into that directory.
I saw that in the case of Entware, the location of the original config file was at this location: "/opt/etc/lighttpd/lighttpd.conf" (there is an "/opt" in front compared to the lighttpd Wiki page, and /opt is the root folder of the USB stick plugged into the router).
My lighttpd version is 1.4.59:

admin@ASUS_Router:/tmp/home/root# lighttpd -v
lighttpd/1.4.59 (ssl) - a light and fast webserver

I would appreciate if anyone can help me with this.
Thanks.

Steven

1 Answer


With recent versions of lighttpd, OpenWRT and derivatives have lighttpd-mod-openssl as a package separate from lighttpd. You probably need to opkg install lighttpd-mod-openssl.

From a command line prompt, run lighttpd -tt -f /etc/lighttpd/lighttpd.conf or lighttpd -tt -f /opt/etc/lighttpd/lighttpd.conf in your case. This will pre-flight the lighttpd config and will likely give you details on your issue.

gstrauss
  • I installed "lighttpd-mod-openssl", and added back the section `$SERVER["socket"] == ":443"` to my config file, and now the lighttpd server starts and the site is up via http. I checked with https, but it shows that the certificate is invalid. I tried recreating the .pem file from the router this time (`openssl req -x509 ...`), but it shows an error: "Error Loading extension section v3_ca". I need a section [ v3_ca ] in the /etc/ssl/openssl.cnf on the router, but that's read-only, that's why I created it on my Mac and copied it to the router, but I'm not sure why it is invalid. – Steven Oct 06 '21 at 14:40
  • This is a problem with *your* modifications, and not with lighttpd. You should first get things working with a basic certificate. Examples can be found in links from https://wiki.lighttpd.net/Docs_SSL – gstrauss Oct 07 '21 at 16:03
  • "but not sure why is invalid." You haven't checked that your openssl versions match between your machines, or that your changes to openssl.cnf are compatible. "Error Loading extension section v3_ca" is an error from openssl reading the openssl configuration file. – gstrauss Oct 07 '21 at 16:06
  • Try with a basic certificate: I found app.zerossl.com, and created one. I downloaded the 2 files (.key and .crt) and followed the wiki, adding 2 lines instead of 1 for .pem (ssl.pemfile = ...crt and ssl.privkey = ...key). I also have the ISP modem/router; I did a port forwarding of 443 to my ASUS, but it cannot reach the site (ERR_CONNECTION_TIMED_OUT). It still works fine on http. I thought it might be something wrong on Godaddy or my ISP router forwarding, but I tried locally on :443 and I got an error ERR_EMPTY_RESPONSE - should that be working that way too, or does it need a hostname? – Steven Oct 08 '21 at 19:20
  • Also in the ASUS router's Administration menu > System tab, at the bottom I used to have an SSL certificate from Let's encrypt with domain asuscomm.com. I clicked manage and imported my files from zerossl.com, but it didn't help. The website should still show up as :443 right? It shows error ERR_EMPTY_RESPONSE – Steven Oct 08 '21 at 19:25
  • Your ISP might not allow connections from the public internet to port 443 on your router. Separately, your router might be configured by default not to allow connections from the internet unless you configure the router firewall to allow it. You should probably try to get https working to the router from your internal network -- so that you know that piece is working -- before trying to connect from the external, public internet. – gstrauss Oct 12 '21 at 16:24
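The answer's advice is to pre-flight the config with lighttpd -tt before touching firewalls or port forwarding, and the comments turn up the two things that usually break the https block: the TLS module not being loaded, and a .pem that does not contain what lighttpd expects (a certificate plus a private key in ssl.pemfile, unless ssl.privkey points at the key separately). The following checker is an added example written for this page, not code from the thread or from the lighttpd project. It parses a config in the shape shown in the question (the `$VAR["field"] op "value" { ... }` conditional syntax is lighttpd's own, with `$SERVER["socket"]` being a built-in condition variable, not something you define), and then reports the offline-checkable problems. The sample config, the in-memory "files" and the assumption that recent lighttpd releases want "mod_openssl" listed in server.modules (confirm against the Docs_SSL wiki for your version) are all constructed here; the real parser in lighttpd is far more complete, so treat this as a pre-flight for the pre-flight.

```python
import re
from pathlib import Path

# Constructed sample in the shape of the asker's config: a plain http server
# plus the https block from the Enabling_https_via_SSL wiki article.
SAMPLE_CONF = '''\
server.modules = (
    "mod_access",
    "mod_accesslog"
)
server.document-root = "/opt/share/www"
server.port          = 80

$SERVER["socket"] == ":443" {
  ssl.engine  = "enable"
  ssl.pemfile = "/opt/etc/lighttpd/certs/lighttpd.pem"
}
'''

# $VAR["field"] <op> "value" {   -- lighttpd's conditional block syntax
COND_RE = re.compile(r'^\$(\w+)\["([^"]+)"\]\s*(==|!=|=~|!~)\s*"([^"]*)"\s*\{$')
ASSIGN_RE = re.compile(r'^([\w.\-]+)\s*\+?=\s*(.*)$')
KNOWN_COND_VARS = {"SERVER", "HTTP", "PHYSICAL"}   # commonly used condition variables


def parse(text):
    """Flatten a lighttpd.conf into (scope, key, raw_value) triples plus a list of
    syntax errors. scope is "" at top level or the enclosing conditional(s).
    Comments are stripped naively (a '#' inside a quoted value is not handled)."""
    triples, scopes, errors, pending = [], [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if pending:                                  # continuation of a ( ... ) list
            pending = (pending[0], pending[1] + " " + line)
            if line.endswith(")"):
                triples.append((" > ".join(scopes),) + pending)
                pending = None
            continue
        m = COND_RE.match(line)
        if m:
            var, field = m.group(1), m.group(2)
            if var not in KNOWN_COND_VARS:
                errors.append(f'line {lineno}: unknown condition variable ${var}["{field}"]')
            scopes.append(line[:-1].strip())         # keep the condition text as the scope name
            continue
        if line == "}":
            if scopes:
                scopes.pop()
            else:
                errors.append(f"line {lineno}: stray closing brace")
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: cannot parse {line!r}")
            continue
        key, value = m.group(1), m.group(2)
        if value.startswith("(") and not value.endswith(")"):
            pending = (key, value)                   # multi-line list, e.g. server.modules
        else:
            triples.append((" > ".join(scopes), key, value))
    if scopes:
        errors.append(f"unclosed block: {scopes[-1]}")
    if pending:
        errors.append(f"unterminated list for {pending[0]}")
    return triples, errors


def check_tls(text, read_file=lambda p: Path(p).read_text() if Path(p).exists() else None):
    """Return a list of findings; an empty list means the TLS parts look sane.
    read_file(path) must return the file's text or None if it is unreadable."""
    triples, findings = parse(text)
    unquote = lambda v: v.strip().strip('"')
    modules = " ".join(v for s, k, v in triples if s == "" and k == "server.modules")
    if "mod_openssl" not in modules:                  # assumption: explicit listing required
        findings.append('server.modules does not list "mod_openssl"; on Entware install '
                        'lighttpd-mod-openssl and add the module (see Docs_SSL for your version)')
    by_scope = {}
    for scope, key, value in triples:
        by_scope.setdefault(scope, {})[key] = unquote(value)
    for scope, kv in by_scope.items():
        if kv.get("ssl.engine") != "enable":
            continue
        name = scope or "global"
        pem, key_file = kv.get("ssl.pemfile"), kv.get("ssl.privkey")
        if not pem:
            findings.append(f"{name}: ssl.engine enabled without ssl.pemfile")
            continue
        pem_data = read_file(pem)
        if pem_data is None:
            findings.append(f"{name}: cannot read ssl.pemfile {pem}")
            continue
        if "-----BEGIN CERTIFICATE-----" not in pem_data:
            findings.append(f"{name}: {pem} holds no PEM certificate")
        # Without ssl.privkey the key must be in the same .pem as the certificate.
        key_data = read_file(key_file) if key_file else pem_data
        if key_data is None or "PRIVATE KEY-----" not in key_data:
            findings.append(f"{name}: no PEM private key in {key_file or pem} "
                            "(ssl.pemfile must hold cert and key unless ssl.privkey is set)")
    return findings


if __name__ == "__main__":
    # Dry run with a constructed in-memory "filesystem": the .pem has a cert but no key.
    fake_fs = {"/opt/etc/lighttpd/certs/lighttpd.pem":
               "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"}
    for finding in check_tls(SAMPLE_CONF, fake_fs.get):
        print("finding:", finding)
```

Run against the question's config with the default reader (`check_tls(Path("/opt/etc/lighttpd/lighttpd.conf").read_text())`) on the router and the two findings it reports are exactly the two the thread ended up fixing. Once it comes back empty, lighttpd -tt -f /opt/etc/lighttpd/lighttpd.conf is still the authoritative check, because it loads the module and the certificate for real; only after that passes does it make sense to test https from the LAN, and then from the outside.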