Hi,
we're using a dedicated management VLAN and want to restrict access to the Web UI to this VLAN.
After changing the "Listen Interfaces" in System->Administration for the Web UI to anything other than "All", the webgui does not survive a reboot. The lighttpd process does not start:
$ ps auxw | grep lighttpd
root 37063 0.0 0.0 432 260 0 R+ 15:45 0:00.00 grep lighttpd
$
$ grep -3 webgui /conf/config.xml
<nextgid>2000</nextgid>
<timezone>Europe/Vienna</timezone>
<timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
<ssl-certref>6797c09c58f44</ssl-certref>
<port/>
<ssl-ciphers/>
<interfaces>lan,wan,management</interfaces>
<compression/>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<usevirtualterminal>1</usevirtualterminal>
<disableconsolemenu>1</disableconsolemenu>
All three interfaces (LAN, WAN, management) obviously exist in the system.
I can manually start the web ui via configctl:
$ configctl webgui restart
OK
$ ps auxw | grep lighttpd
root 87536 0.0 0.9 20188 8796 - S 15:50 0:00.00 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
root 98794 0.0 0.0 432 268 0 R+ 15:51 0:00.00 grep lighttpd
The only way I can make the web ui start up after a reboot is by resetting the "Listen Interfaces" back to "All":
$ grep -3 webgui /conf/config.xml
[...]
<webgui>
<protocol>https</protocol>
<ssl-certref>6797c09c58f44</ssl-certref>
<port/>
<ssl-ciphers/>
<interfaces/>
<compression/>
</webgui>
[...]
For what it's worth, all the interfaces (LAN, WAN, management) are tagged for a dedicated VLAN, so maybe that's the problem.
This happens with version 24.7, haven't tried with 25.x yet.
Use firewall rules instead to restrict the access to the WebGUI.
Yes, thanks, but this would only be some kind of a workaround.
It would, for example, occupy a prominent port on the WAN interface (443), which is unfortunately not possible. And I also don't want to use a port other than 443 for the web UI, because that would make integration into the rest of our infrastructure more difficult.
Just bind the webgui to a loopback interface and create a NAT rule that forwards it only from the Management VLAN.
https://docs.opnsense.org/manual/settingsmenu.html
It's also recommended here for your situation.
thanks again. The manual page you mention says this about the "Listen Interfaces" for the Web GUI:
"Can be used to limit interfaces on which the Web GUI can be accessed. This allows freeing the interface for other services, such as HAProxy."
And this is actually quite exactly what I need.
But I really like the workaround with loopback. While this adds some complexity, this is a very good and simple enough workaround, and I'll just do that. Thanks for bringing it up!
Well, unfortunately it turns out that you cannot change the web UI's listen interface to loopback, at least not in the settings page:
[attached screenshot: hmm.png]
I think you misunderstood. You do not use the default loopback (lo0) for that.
You create an additional one, e.g. lo1, and bind to that. You can create one in Interfaces: Devices: Loopback.
Then assign it and give it some IP, e.g. 192.168.200.1/32
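Before rebooting with a restricted "Listen Interfaces" setting (either the original lan,wan,management value or a dedicated lo1 as suggested above), it is worth checking offline that every interface named there is actually assigned, enabled and carries a static IPv4 address in config.xml. The script below is an added example, not from this thread or from OPNsense itself; the <webgui> block mirrors the first grep above, while the <interfaces> section and its VLAN device names are constructed sample data in the usual config.xml layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample in OPNsense config.xml layout. The <webgui> block matches the
# thread's first grep; the <interfaces> section is constructed (assumed layout).
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <lan><if>vlan0.10</if><enable>1</enable><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <wan><if>vlan0.20</if><enable>1</enable><ipaddr>dhcp</ipaddr></wan>
    <management><if>vlan0.30</if><enable>1</enable><ipaddr>10.10.30.1</ipaddr><subnet>24</subnet></management>
    <lo1><if>lo1</if><enable>1</enable><ipaddr>192.168.200.1</ipaddr><subnet>32</subnet></lo1>
  </interfaces>
  <system>
    <webgui>
      <protocol>https</protocol>
      <port/>
      <interfaces>lan,wan,management</interfaces>
    </webgui>
  </system>
</opnsense>
"""


def webgui_listen_interfaces(xml_text):
    """Return the interface names in system/webgui/interfaces; [] means 'All'."""
    root = ET.fromstring(xml_text)
    node = root.find("./system/webgui/interfaces")
    if node is None or not (node.text or "").strip():
        return []
    return [name.strip() for name in node.text.split(",") if name.strip()]


def check_listen_interfaces(xml_text):
    """Map each listen interface to 'ok' or the reason it may not be bindable at boot."""
    root = ET.fromstring(xml_text)
    assigned = root.find("./interfaces")
    result = {}
    for name in webgui_listen_interfaces(xml_text):
        iface = assigned.find(name) if assigned is not None else None
        if iface is None:
            result[name] = "not assigned"
        elif iface.findtext("enable") != "1":
            result[name] = "disabled"
        else:
            ip = (iface.findtext("ipaddr") or "").strip()
            if not ip or ip in ("dhcp", "pppoe", "pptp", "l2tp"):
                result[name] = "no static IPv4 address (%s)" % (ip or "none")
            else:
                result[name] = "ok"
    return result


if __name__ == "__main__":
    for name, status in check_listen_interfaces(SAMPLE_CONFIG).items():
        print(name, status)
```

On a live box, feed it the contents of /conf/config.xml instead of SAMPLE_CONFIG; any entry that is not "ok" is a candidate to fix before rebooting.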
Now I get you, thanks!