7 replies to this topic

[satopenpli]

I've got multiple network sites at different physical locations, each using separate /44 public IPv6, announced over BGP. Each site is P2P connected over Wireguard tunnels and dynamically routed using Bird.
As it stands, OpenWebif of OpenPLI boxes running at these sites is only accessible from the same network, trying to access it from another site gives "403.6 IP address rejected" error, even though actual connection is allowed in site firewall, trusted and VPN encrypted.

 

Anyway, I see OpenWebif is trying to play poor men's firewall role, limiting connections from same subnet, or using some silly algorithm when "Enable access from VPNs" is checked.

But it's not something end user device should do, OpenWebif has no idea of underlying network topology to police incoming connections. Any attempt to run such heuristics on end user box is a feels-good bandaid, it can't work reliably and only gives a false sense of security.

 

Any way to disable this check?

[neo]

You'll need to discuss that with the people who make OpenWebif: https://github.com/E...lugin-OpenWebif. But I doubt they are going to change anything, it has been discussed in the past.

 

It is related to the fact a box indeed isn't a security device, yet hords of people open up the webif to the internet so that they have access to streams.

 

We block ssh access for the same reason, until the user sets a unique root password.

Edited by neo, 22 June 2023 - 13:01.

[WanWizard]

And it is the other way around: "Enable access from VPNs" disables the local subnet check. I have to set that on every box as I have all of them on a seperate subnet.

[satopenpli]

And it is the other way around: "Enable access from VPNs" disables the local subnet check. I have to set that on every box as I have all of them on a seperate subnet.

I browsed OpenWebif source, access heuristics are even worse than I thought.
But at least particular source code comment ("...access is from private address space (Usually VPN)..") is honest, although assumption is inaccurate.

User visible option itself is completely misleading ("Enable access from VPNs").

 

https://github.com/E...pserver.py#L353

 

In IPv6 use of private address space and NAT is actually discouraged, so such check is mostly useless anyway.

 

OpenPLi wiki is also incorrect in this regard, quoting ... "VPN access (= any subnet from private address space)", when in fact VPN and private addressing are completely orthogonal and nonrelated things.

https://wiki.openpli.org/Webif

[satopenpli]

Anyway, my workaround for now:

1. config.OpenWebif.auth=true in enigma settings
2. reverse proxy access to OpenWebif using nginx, while embedding credentials:
   proxy_set_header Authorization "Basic STR" where STR is base64 encoded root:box_password string

This way I can control access in a proper way, using either firewall rules or fully fledged HTTP auth solution, instead of half-baked and incorrect hack forced by OpenWebif.

[WanWizard]

It would be handy to have an option to disable it completely, not only for private addresses. So you don't need those hacks.

 

There will always be people ignorant enough to add a port forward on their router to the box, without thinking about the consequences. No feature will prevent that.

[adriankoooo]

So I had problem with this function, because my VPN address is not in the classic is_private range (I am using tailscale with ip range 100.xxx.xxx...). Instead of accepting this I searched a solution.

 

First, I checked my Openwebif plugin version. It was 1.5.2. Downloaded the source from here.

 

The file we want to modify is /plugin/httpserver.py. In that file I removed is_private (search for it in the file, there will be 2 result) check function:

  # #2: Auth is disabled and access is from private address space (Usually VPN) and access for VPNs has been granted
  if (not request.isSecure() and config.OpenWebif.auth.value is False) or (request.isSecure() and config.OpenWebif.https_auth.value is False):
      if config.OpenWebif.vpn_access.value is True:  # Removed the is_private check
          return self.resource.getChildWithDefault(path, request)

and second:

def login(self, user, passwd, peer):
  if user == "root" and config.OpenWebif.no_root_access.value:
   # Override "no root" for logins from local/private networks
   samenet = False
   networks = getAllNetworks()
   if networks:
    for network in networks:
     if ipaddress.ip_address(six.text_type(peer)) in ipaddress.ip_network(six.text_type(network), strict=False):
      samenet = True
   if not samenet: #I modified this line
    return False

Save the file and upload to your STB in directory:

 

 /usr/lib/enigma2/python/Plugins/Extensions/OpenWebif/

 

 

You have a file here named httpserver.pyo, rename it to httpserver.pyo_original. After you restart your enigma2 your newly uploaded httpserver.py will be compiled to httpserver.pyo.

 

[WanWizard]

If you have pyo files, then you're using an old Python2 image, and you have to be careful which version of the webif you take, as not all changes will be pyhton3, and not necessarily backwards compatible.