
[OT] Filtering url coming from wireguard interface on a router based on OpenWrt 15.05

Added by jwh 21 days ago

Hello, I am using lighttpd-1.4.48 installed on an OpenWrt Gl.Inet Velica.

This router is configured as a Wireguard server.

My need would be to limit navigation on the wireguard wg0 interface (10.0.0.0/24) to only a couple of domains (and subdomains).

I am using the attached file... but the relevant configuration should be the following

$HTTP["remoteip"] =~ "^10\.0\.0\." {
    # Allow access to example1 and example2 URLs
    $HTTP["host"] =~ "(www\.example1\.com|www\.example2\.com)" {
        url.access-deny = ("")
    }
    else {
        # Deny access to all other URLs
        url.access-deny = ( "" )
    }
}

The problem is that it seems like the filter is NOT working. Does anyone have any suggestion or can propose some changes or different approach?

Thanks in advance


Replies (16)

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by jwh 21 days ago

Honestly I also thought of something much simpler:

$HTTP["remoteip"] =~ "^10\.0\.0\." { # Allow access to example1 and example2 URLs only
  $HTTP["host"] !~ "(www\.example1\.com|www\.example2\.com)" {
    url.access-deny = ( "" )
  }
}

But again no success.
I do not know lighttpd much, can it be somehow used to achieve my goal?

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by gstrauss 21 days ago

It is easy to do. Please read the doc for mod_access and make some suggestions on improvements where you are confused.

Yes, it is a best security practice to explicitly allow the hosts you want, and then to default deny everything else. A common gotcha is that clients can connect using HTTP/1.0 and not provide a Host. Another common gotcha is that an IP address can be provided for Host or provided in the TLS SNI.

Note: when using lighttpd conditions, the configuration applies only when the condition matches.

Configuration: File Syntax notes that you can use CIDR syntax $HTTP["remoteip"] == "10.0.0.0/24"

In addition to the configuration you have suggested, for layered security, I would suggest that you configure lighttpd to listen only on the 10.0.0.x interface (and also possibly 127.0.0.1, if needed)
FAQ: How-do-I-bind-to-more-than-one-address

Also for security, I highly recommend that you look into upgrading the OS on your device. OpenWRT 15.05 is old and no longer receiving security patches. Does GL.Inet provide updated images? In addition to security, upgrading will get you better wireguard support with a newer Linux kernel.

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by jwh 20 days ago

Hey, I really appreciate your support and suggestions, but I want to better explain my basic needs, hoping you can suggest whether the solution is still doable using rules in lighttpd.conf.

First I answer some of your questions: unfortunately the latest version of the official firmware is Version: 3.216, which is based on openwrt 19.07.8 for some other routers, but on openwrt 15.05 Chaos Calmer for my model (i.e. Velica GL-B2200).

After this I explain my setup.
I have the Velica installed in cascade to a main router "just" to act as a VPN wireguard server where 4 wireguard clients can connect.

NEED: All the clients connecting to VELICA using wifi shall be able to navigate on all the sites, the ones connected using wireguard shall be restricted to only example1 and example2.

Wireguard clients are configured with PBR (policy based routing) to only forward the requests for the sites example1 and example2 over the tunnel, but to be able to navigate on all the other domains using their own ISP (i.e. example1 and example2 using the wireguard tunnel, all the rest using their ISP). And this is a first filter on the client's side.

Now my need was to implement a second filter (this time on server side).

I wanted to use Firewall, iptables, but it is NOT url based so I thought about proxying somehow.

And this is how I came to know about lighttpd (already installed on my router).

FIRST QUESTION: Can it be used to "implement" some kind of url based firewall?
SECOND QUESTION: If the answer to the first question is yes, I think that the configuration in lighttpd.conf is simply the following, but unfortunately I am afraid it is not working for the intended scope:

$HTTP["remoteip"] == "10.0.0.0/24" { # For remote IPs using wireguard interface this rule shall allow access to example1 and example2 URLs only
  $HTTP["host"] !~ "(www\.example1\.com|www\.example2\.com)" {
    url.access-deny = ( "" )
  }
}

(p.s. I also attach updated configuration file)

Are my needs achievable using lighttpd? Or? Any other suggested solution where I can dig in?

Thanks again

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by gstrauss 20 days ago

As you posted, this should work. Have you verified that the client connection is being logged in the lighttpd access log with remote IP 10.0.0.0/24? (if you have access logging configured)

I see that you have debugging enabled in the lighttpd.conf. Have you looked in the lighttpd error log to see that lighttpd is evaluating the condition $HTTP["host"] !~ "(www\.example1\.com|www\.example2\.com)" and what the result is?

You have not shared your entire lighttpd config, so I can't see what else might affect the requests. How to get support contains commands to run.
The last matching condition in the config which sets url.access-deny is what is used to process the request. This behavior is described in Configuration: File Syntax: Conditional Configuration Merging

Another way to write your condition is as I described in a previous post: when remote IP is from 10.0.0.0/24, deny all access except explicitly allow access to www.example1.com and www.example2.com

$HTTP["remoteip"] == "10.0.0.0/24" { # For remote IPs using wireguard interface this rule shall allow access to example1 and example2 URLs only
  url.access-deny = ( "" )
  $HTTP["host"] ==  "www.example1.com" { url.access-allow = ("") }
  $HTTP["host"] ==  "www.example2.com" { url.access-allow = ("") }
}

Explicit allow will allow the request, even if there would be a match to your catch-all for url.access-deny. While you could use url.access-deny = () to set an empty list in the explicitly allowed conditions, url.access-allow = ("") is a bit more descriptive, IMHO.

If you have other rules in your config which manipulate url.access-deny, then you might try moving this section to the end of your config, so that this is evaluated last.


Aside: even if GL.inet does not provide an updated firmware image, you might look into following OpenWRT instructions for how to upgrade.
https://openwrt.org/docs/guide-user/installation/generic.sysupgrade
Of course, please make a full backup of your system before experimenting.

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by gstrauss 20 days ago

First I answer some of your questions: unfortunately the latest version of the official firmware is Version: 3.216, which is based on openwrt 19.07.8 for some other routers, but on openwrt 15.05 Chaos Calmer for my model (i.e. Velica GL-B2200).

https://dl.gl-inet.com/?model=b2200
lists firmware for your model with version: 3.216 and release notes (if you expand the dropdown) say:

System:

1. Based on openwrt 19.07.8 (AR150,MIFI,AR300M,USB150,N300,AR750,AR750S,X750,E750,XE300,MT1300,MT300N-V2,MV1000)
2. Based on QSDK11 (B1300,S1300,AP1300,B2200,AX1800)
3. Based on Siflower SDK (SF1200,SFT1200)

OpenWRT 19.07 should have lighttpd 1.4.55, which is better than lighttpd 1.4.48.

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by jwh 20 days ago

Again thanks for your answer which I really appreciate.

Let's go step by step:

Good, you told me this shall work, so I understand I am NOT completely on the wrong track.
Unfortunately the B2200 is NOT based on openwrt 19.07.8 (only these models are: AR150,MIFI,AR300M,USB150,N300,AR750,AR750S,X750,E750,XE300,MT1300,MT300N-V2,MV1000) and the B2200 is NOT there :-(

Answering your other questions, I attach the complete configuration file and the error.txt.

Looking at the error.txt I see that logging is only active when I try accessing the router itself at IP 10.0.0.1... nothing flows when I use other urls, like "www.google.it".

In this case I (as wireguard client) can navigate without any restrictions at all.

I hope attached files could help to better understand what is going on

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by gstrauss 20 days ago

Your lighttpdConf contains
WRONG: $HTTP["remoteip"] =~ "10.0.0.0/24" {
When you use a regex, the regex you specify is what you get.

When you use an exact match, you can use CIDR notation.
RIGHT: $HTTP["remoteip"] == "10.0.0.0/24" {

Your lighttpdConf contains duplicated "mod_access".
If you ran the commands in How to get support you should have gotten a warning (before lighttpd 1.4.56).

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by gstrauss 19 days ago

OpenWRT upstream supports GL.inet Velica GL-B2200: https://openwrt.org/toh/gl.inet/gl-b2200 with OpenWRT 22.03.05, though Bluetooth LE and Zigbee features are not supported in the image.
I think I saw that OpenWRT support for the GL-B2200 started with 22.03.

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by jwh 19 days ago

So, first of all thanks a lot for your great support.

I could also think about installing OpenWRT 22.03.05 on my Velica (even if not officially released by Gl.Inet, not a problem for me), but probably my need CANNOT be achieved by using lighttpd?
What I mean is this: ok, I adjusted the configuration according to your suggestions as there could be some syntax error, but again, keeping the error.txt in tail, I see that lighttpd only works when I connect to the server itself, e.g. when trying to access 1.0.0.1 it is blocked (being different from www.netflix.com or www.disney.com as I inserted in the configuration file), BUT if I navigate to www.google.com or www.ebay.it, just to give an example, they are not filtered and I do not see any log on the screen, as if lighttpd completely ignores them.

Anyway Thanks thanks

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by gstrauss 19 days ago

but probably my need CANNOT be achieved by using lighttpd?

Incorrect. You've run into numerous problems: You've been sloppy reading documentation, which is why I have repeated certain links. You were not precise between =~ and == with the CIDR match (ok, that happens). I hope you're not giving up yet and blaming lighttpd.

In your latest error.txt, I see that
2023-11-17 10:14:45: (configfile-glue.c.468) HTTP["host"] ( 10.0.0.1 ) compare to www.netflix.com

The "host" is being logged as "10.0.0.1".

Try setting debug.log-request-headers = "enable" and then check the error log to see what is being received by lighttpd. Is there a proxy prior to lighttpd which is sending an HTTP/1.0 request without a Host header?

BUT if I navigate to www.google.com or www.ebay.it, just to give an example, they are not filtered and I do not see any log on the screen, as if lighttpd completely ignores them.

Listen carefully. You've enabled extensive debug logging (condition matching) in lighttpd. If something does not show up in the logs for condition matching, then lighttpd did not receive that request. Check your routing.
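Putting gstrauss's points from this thread together (exact-match `==` for the CIDR, mod_access loaded once, default deny with explicit allows, condition debugging, and listening only on the tunnel address), here is an added example lighttpd.conf fragment; it is not a file from the thread, and the bind address, document root and log paths are assumptions. The request-header logging gstrauss suggests can be switched on next to the condition debugging when the Host value needs checking.

```conf
# Added example: lighttpd.conf fragment for clients arriving over wg0 (10.0.0.0/24).
# Assumed values: bind address 10.0.0.1, document root and log paths.
server.modules = (
    "mod_access",      # load once only; loading it twice produced the warning seen in the thread
    "mod_accesslog"    # so that each tunnel request can be checked in the access log
)
server.bind          = "10.0.0.1"                       # assumption: the wg0 address; do not expose other interfaces
server.port          = 80
server.document-root = "/www"                            # assumption
server.errorlog      = "/var/log/lighttpd/error.log"     # assumption
accesslog.filename   = "/var/log/lighttpd/access.log"    # assumption

# While troubleshooting: logs every condition evaluation (the "compare to" lines in error.txt).
# If a request never shows up here, lighttpd never received it; look at routing, not at this file.
debug.log-condition-handling = "enable"

# WRONG (regex): the string "10.0.0.0/24" is matched literally as text and never matches a client IP.
# $HTTP["remoteip"] =~ "10.0.0.0/24" { ... }

# RIGHT: the exact-match operator (==) understands CIDR notation.
$HTTP["remoteip"] == "10.0.0.0/24" {
    # Default deny for every URL coming from the tunnel...
    url.access-deny = ( "" )
    # ...then explicit allows, which win over the catch-all deny above.
    # An HTTP/1.0 request with no Host header, or a Host carrying an IP literal
    # such as 10.0.0.1, matches neither line and therefore stays denied.
    $HTTP["host"] == "www.example1.com" { url.access-allow = ( "" ) }
    $HTTP["host"] == "www.example2.com" { url.access-allow = ( "" ) }
}
```

Check the file with `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` before reloading, and keep this block last in the config if other sections also set url.access-deny.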

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by jwh 19 days ago

Ok mate, there has been a big misunderstanding here. No need to blame lighttpd at all :-D
I am only wondering if it could be used for my scope. If I try opening a bottle with a shuttle and I do not manage, of course I do not blame the shuttle, but I could blame myself who tried doing some stupid stuff with a tool that is NOT intended for such a scope. Clear now?
So if you tell me lighttpd on a router can be used as a kind of url based firewall I just trust you and I can go further.

But please do not focus on little stuff. Ok for the error in =~ and ==, my bad. But I ignored it completely, also because for debugging purposes I had also tried completely removing such a condition on 10.0.0.0/24. I.e. I tried filtering everything coming from every IP, but I was still able to navigate on all the sites BUT 10.0.0.1, which is the web interface to configure the router itself.

Anyway, when I manually test the lighttpd config: lighttpd -tt -f /etc/lighttpd/lighttpd.conf I do not have any warning about =~ instead of ... I just have a warning on multiple loads of mod_access.

"BUT if I navigate to www.google.com or www.ebay.it, just to give an example, they are not filtered and I do not see any log on the screen, as if lighttpd completely ignores them."

Exactly, we finally arrived at the point. I listened to you carefully and this is exactly the issue to fix (and the issue is NOT in lighttpd). As nothing shows up in the logs for condition matching (except the connection to the configuration page 1.0.0.1: 2023-11-17 10:14:45: (configfile-glue.c.468) HTTP["host"] ( 10.0.0.1 ) compare to www.netflix.com), lighttpd did not receive that request. And I need to understand the routing. I tried doing a port forwarding and redirecting all the traffic from wireguard to the server at port 80.

This is the rule

But not working anyway.

Now I get that I am not using the latest lighttpd (and I could try installing a newer version on OpenWrt). I just need to understand if my basic need is something that lighttpd can help me achieve, nothing more than this. And sorry if you felt I blamed it. Not my intention, of course.

RE: Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by gstrauss 19 days ago

If I try opening a bottle with a shuttle and I do not manage, of course I do not blame the shuttle, but I could blame myself who tried doing some stupid stuff with a tool that is NOT intended for such a scope. Clear now?

Yes: your knowledge of wireguard, routing, and proxies seems to be about as good as vinegar in your wine bottles.
You posting text as pictures is also very telling, and so this will be my last post in this conversation.

lighttpd is a server that can serve local web sites, and you can protect those websites using lighttpd configuration.
Among other things, lighttpd can also act as a reverse proxy to specific backend servers.

lighttpd is not wireguard.
lighttpd is not a layer 2 or layer 3 firewall.
lighttpd operates at layer 7.
lighttpd is not a generic proxy for web access to the internet.

If you found a website that showed you how to set up that wireguard rule you shared, please provide a link.

RE: [OT] Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by jwh 19 days ago

I do not really understand your being so angry.

What I told was a high level need for which I was not sure lighttpd could be used... artificial ignorance drove me here :-D

Then thank you for telling me what lighttpd is or is not, appreciated, and I admit I was aware only of the sentence about wireguard.

You posting text as pictures is also very telling, and so this will be my last post in this conversation.

But anyway I do not see need to offend. I do not feel cool for this but I can quote with no problems if you like

RE: [OT] Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by gstrauss 19 days ago

Then thank you for telling me what lighttpd is or is not, appreciated, and I admit I was aware only of the sentence about wireguard.

That is because, by your own admission, you made no or very little effort to find out about lighttpd basics for yourself -- by reading basic documentation -- before posting.

RE: [OT] Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by jwh 19 days ago

Unfortunately, with my poor knowledge of networking I would have had big difficulty understanding whether it suits my need or not by only reading documentation, so my idea (probably wrong) was: I first try to understand if I can use it, and then I try to understand how, by looking at the relevant documents.

I apologize if I made you waste your time... But at least, were my needs clear from the beginning or was I also unclear in explaining? I just ask in order to improve.

Apologize for any misunderstanding. I stop here

RE: [OT] Filtering url coming from wireguard interface on a router based on OpenWrt 15.05 - Added by gstrauss 19 days ago

Unfortunately, with my poor knowledge of networking I would have had big difficulty understanding whether it suits my need or not by only reading documentation

That is where you fail because you did not try.

But at least were my needs clear from the beginning

No, because I can't read your mind and I understood www.example1.com and www.example2.com to be local virtual hosts, since that is how someone who spent a few minutes reading Configuration: Quick Start on the front page of WikiStart would use lighttpd. The example there is "www.example.org" and "www2.example.org". Again, you fail badly because you failed to try.
