EDIT: The solution to this need, helpfully pointed out by @AdSchellevis below, is to just add a new interface & bind it to localhost, then select only that interface for web-gui listening. No need to custom-edit any scripts under the hood, and preserves normal functionality of the web-gui remote access settings.
I'm sure this has been discussed at least a couple times in the forum but I can't find anything via search function --
I have a remotely-administered network environment where I don't trust any network interface, but I require remote web-gui administrative access. Rather than configuring a separate admin-only network interface or firewall rules to control web-gui access, instead I've restricted the web gui (e.g. lighttpd) to listen only on localhost:80.
I then use an SSH tunnel to connect to the Opnsense instance, and from there I can use (for example) http://localhost:9090 to access the Opnsense web-gui. Seems to work just fine, and it completely satisfies my security and convenience requirements. I don't have to worry about misconfigured firewall rules, interfaces going up or down (or being replaced), or https certificates.
I accomplished this by just commenting out this line in the PHP script which gathers up the available interfaces while producing a lighttpd.conf file:
/usr/local/etc/inc/plugins.inc.d/webgui.inc
function webgui_configure_do($verbose = false, $interface = '')
{
    global $config;
    $interfaces = [];
    if (!empty($config['system']['webgui']['interfaces'])) {
        /* -----> LOCAL CUSTOMIZATION WILL NOT PERSIST THROUGH FIRMWARE UPGRADES. */
        /* -----> Web GUI will listen ONLY on Localhost. This effectively allows WebGUI */
        /* -----> access through an SSH tunnel ONLY. */
        /* $interfaces = explode(',', $config['system']['webgui']['interfaces']); */
This works fine and persists across reboots. I'm aware that I'll need to manually re-do this work-around after major firmware updates. It's also a bit kludgey in that it breaks the web-gui functionality at System --> Settings --> Administration --> Web GUI --> Listen Interfaces. (It no longer matters what interfaces are or aren't selected there, the PHP configuration script will only put localhost:80 into the actual lighttpd.conf file, which is what I want.)
I bring all of this up to suggest that there are cases where intermediate-to-advanced network admins might want to configure a localhost-only listener for the web-GUI in a convenient and fully persistent manner through the web-GUI. (Where said config would be included in backups of /conf/config.xml, etc.)
I'd like to encourage the dev team to consider adding "localhost only for web-GUI listener" as an advanced feature, of course with appropriate strong warnings, and with the ability to revert to default "listen on all interfaces" behavior via the usual command-line reset method.
I can also see why devs might say, "yeah, no thanks, it's an edge case & adding it to the main GUI is going to cause more problems with many users than it solves for the few who want it." In that case, is such a feature something I could fairly easily implement if I wrote it up as an optional Opnsense plugin?
(I've never written a plugin but this might be a good & fairly simple use case to learn to write one.)
Already exists? Just add a loopback (Interfaces: Other Types: Loopback) with an (any) address and bind to that in the gui. As long as the configuration is guaranteed to be static (127.0.0.2), it should operate reliably.
Best regards,
Ad
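As an added example (not code from the thread or from OPNsense itself): a small check a practitioner would run on the firewall after binding the GUI to the loopback interface, to confirm lighttpd has no listener outside 127.x.x.x / ::1. It parses sockstat(1) output as found on FreeBSD/OPNsense; the sockstat lines below are constructed, and the 127.0.0.2 address is the one from Ad's post.

```shell
#!/bin/sh
# Added check (not from the thread): confirm the OPNsense web GUI (lighttpd)
# only listens on loopback addresses after binding it to the loopback
# interface from Ad's post. On a real box: sockstat -46l | check_webgui_listeners
# The sockstat output below is constructed for offline use.

# Constructed `sockstat -46l` sample: GUI correctly bound to 127.0.0.2 only.
CLEAN_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     lighttpd   1234  4  tcp4   127.0.0.2:443    *:*
root     sshd       900   3  tcp4   *:22             *:*'

# Constructed sample of a misconfiguration: a second lighttpd socket on all
# IPv4 addresses (*:443), i.e. the GUI is still reachable from the network.
BAD_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     lighttpd   1234  4  tcp4   127.0.0.2:443    *:*
root     lighttpd   1234  5  tcp4   *:443            *:*
root     sshd       900   3  tcp4   *:22             *:*'

# check_webgui_listeners: read sockstat output on stdin, print every lighttpd
# local address that is not 127.x.x.x or ::1, and return 1 if any was found.
check_webgui_listeners() {
    awk '$2 == "lighttpd" {
            addr = $6
            sub(/:[0-9]+$/, "", addr)            # drop the :port suffix
            if (addr !~ /^127\./ && addr != "::1") { print addr; bad = 1 }
         }
         END { exit (bad ? 1 : 0) }'
}

# Run the check over the misconfigured sample (exit status 1, prints "*").
if printf '%s\n' "$BAD_SOCKSTAT" | check_webgui_listeners; then
    echo "OK: lighttpd listens only on loopback"
else
    echo "WARNING: lighttpd has listeners reachable from the network (listed above)"
fi
```

Run it against live output with `sockstat -46l | check_webgui_listeners` from a root shell on the firewall; a non-zero exit means the Listen Interfaces setting still exposes the GUI somewhere other than the loopback.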
Quote from: AdSchellevis on February 17, 2024, 05:11:11 PM
Already exists? Just add a loopback (Interfaces: Other Types: Loopback) with an (any) address and bind to that in the gui.
Right! Why didn't I think of that?!
A much simpler & cleaner method of going about it. Worst case, there's still direct CLI access via SSH or even the RS232 console.
Appreciate your reply.