diff --git a/packages/ns-don/files/20-don.nft b/packages/ns-don/files/20-don.nft
index 3d39b8a7d..51f2d87c7 100644
--- a/packages/ns-don/files/20-don.nft
+++ b/packages/ns-don/files/20-don.nft
@@ -1 +1 @@
-iifname "tunDON" tcp dport {981,9090,443,19999} counter accept comment ns-allow-don
+iifname "tunDON" tcp dport {981,9090,443,8443,19999} counter accept comment ns-allow-don
diff --git a/packages/ns-don/files/don b/packages/ns-don/files/don
index 000a7c085..324184e65 100755
--- a/packages/ns-don/files/don
+++ b/packages/ns-don/files/don
@@ -37,6 +37,18 @@ function cleanup
 uci -q delete rpcd.ns_don
 # commit rpcd changes
 uci commit rpcd
+ # disable nethsupport UI on port 8443
+ uci set ns-ui.config.nsui_nethsupport_enable='0'
+ uci commit ns-ui
+ /usr/sbin/ns-ui
+ # Remove network and firewall configuration
+ uci -q delete network.don
+ uci commit network
+ uci -q delete firewall.ns_don_zone
+ uci -q delete firewall.ns_don_8443
+ uci -q delete firewall.block_8443_lan
+ uci commit firewall
+ /etc/init.d/firewall reload &> /dev/null
 # destroy ubus sessions
 session=$(ubus call session list | jq -r '.ubus_rpc_session as $parent | .data.username | select(. == "nethsupport") | $parent')
 if [ "$session" != "" ]; then
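Review bot: The new nft rule accepts tcp/8443 from any source address arriving on tunDON, while the UCI rule the same commit adds in `don` restricts 8443 to `172.29.0.0/16`; if this include is evaluated before the zone rules (the path alone does not show where fw4 loads it), the `src_ip` restriction never applies and the two rules disagree about who may reach the support UI. Either keep 8443 out of this set and rely on the UCI rule, or give it its own line carrying the same source restriction: `iifname "tunDON" ip saddr 172.29.0.0/16 tcp dport 8443 counter accept comment ns-allow-don-8443`. Whichever is chosen, document in a comment which of the two rule sets is the one that actually gates 8443.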
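Review bot: The added `/etc/init.d/firewall reload &> /dev/null` discards both the output and the exit status, so if the reload fails the `don` zone and the 8443 accept rule stay in the running ruleset even though they were deleted from UCI, and nothing records it. Keep the output quiet but surface the failure, e.g. `/etc/init.d/firewall reload >/dev/null 2>&1 || logger -t ns-don "firewall reload failed during cleanup"` (assuming busybox `logger` is available, as is usual on this platform). The same hunk deletes `network.don` and commits without reloading network, so the interface entry may linger in netifd until the next reload; a comment stating that this is intentional, or a matching reload, would make that explicit. The `cleanup` function continues past the end of this hunk.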
@@ -175,6 +187,48 @@ EOF
 # commit rpcd changes
 uci commit rpcd
+ # Enable nethsupport UI on port 8443
+ uci set ns-ui.config.nsui_nethsupport_enable='1'
+ uci commit ns-ui
+ /usr/sbin/ns-ui
+
+ # Configure network and firewall for remote access
+ # Declare tunDON as a network interface
+ uci set network.don=interface
+ uci set network.don.proto='none'
+ uci set network.don.ifname='tunDON'
+ uci commit network
+
+ # Create zone for don network interface
+ uci set firewall.ns_don_zone=zone
+ uci set firewall.ns_don_zone.name='don'
+ uci set firewall.ns_don_zone.input='REJECT'
+ uci set firewall.ns_don_zone.output='ACCEPT'
+ uci set firewall.ns_don_zone.forward='ACCEPT'
+ uci del_list firewall.ns_don_zone.network 2>/dev/null || true
+ uci add_list firewall.ns_don_zone.network='don'
+
+ # Create input rule to allow port 8443 from VPN network 172.29.0.0/16
+ uci set firewall.ns_don_8443=rule
+ uci set firewall.ns_don_8443.name='Allow-Nethsupport-Port-8443'
+ uci set firewall.ns_don_8443.src='don'
+ uci set firewall.ns_don_8443.proto='tcp'
+ uci set firewall.ns_don_8443.src_ip='172.29.0.0/16'
+ uci set firewall.ns_don_8443.dest_port='8443'
+ uci set firewall.ns_don_8443.target='ACCEPT'
+
+ # Block port 8443 from LAN (only accessible from VPN)
+ # Note: WAN already rejects all input by default, so no need to block 8443 there
+ uci set firewall.block_8443_lan=rule
+ uci set firewall.block_8443_lan.name='Block-Port-8443-from-LAN'
+ uci set firewall.block_8443_lan.src='lan'
+ uci set firewall.block_8443_lan.proto='tcp'
+ uci set firewall.block_8443_lan.dest_port='8443'
+ uci set firewall.block_8443_lan.target='REJECT'
+
+ uci commit firewall
+ /etc/init.d/firewall reload &> /dev/null
+
 show_credentials
 ;;
 stop)
diff --git a/packages/ns-ui/files/config b/packages/ns-ui/files/config
index e1604c8a7..948d4832d 100644
--- a/packages/ns-ui/files/config
+++ b/packages/ns-ui/files/config
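Review bot: The `block_8443_lan` rule only matches the zone literally named `lan`, so any other zone whose input policy is ACCEPT (a guest zone, a second LAN zone, anything a site has added) still reaches the support listener, and the "WAN already rejects all input" comment describes an assumption about the deployed configuration rather than something this script checks or enforces. Since the ns-ui change in the same commit binds the 8443 instance on every address, the firewall is the only thing isolating it, so the block should be a catch-all: `uci set firewall.block_8443_lan.src='*'` with a matching name such as `Block-Port-8443-except-VPN`; the `ns_don_8443` accept is defined first and, as far as I can tell, fw4 emits rules in config order, so the tunnel accept still wins — worth confirming on a device. The `172.29.0.0/16` prefix is hard-coded twice (the comment and the `src_ip`); a one-line comment stating where that range comes from would help the next maintainer. The `start` arm this hunk belongs to begins outside the hunk.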
@@ -4,4 +4,6 @@ config main 'config'
 option nsui_enable '1'
 option nsui_extra_port '9090'
 option nsui_extra_enable '1'
+ option nsui_nethsupport_port '8443'
+ option nsui_nethsupport_enable '0'
 option server_tokens 'on'
diff --git a/packages/ns-ui/files/ns-ui b/packages/ns-ui/files/ns-ui
index e5838e8aa..b3b6f457b 100755
--- a/packages/ns-ui/files/ns-ui
+++ b/packages/ns-ui/files/ns-ui
@@ -27,17 +27,21 @@ else
 [ -f "$LUCI_FILE" ] && mv -f "$LUCI_FILE" "$LUCI_FILE.disabled"
 fi
 
-# Manage extra ns-ui instance on custom port
-nsui_extra_enable=$(uci -q get ns-ui.config.nsui_extra_enable)
-nsui_extra_port=$(uci -q get ns-ui.config.nsui_extra_port)
 crt=$(uci -q get nginx._lan.ssl_certificate)
 key=$(uci -q get nginx._lan.ssl_certificate_key)
 server_tokens=$(uci -q get ns-ui.config.server_tokens)
-if [[ "$nsui_extra_enable" == "1" && "$nsui_extra_port" != "" ]]; then
- cat < "$NSUI_EXTRA_FILE"
+
+# Function to generate extra ns-ui instances on custom ports
+generate_extra_instance() {
+ local enable=$1
+ local port=$2
+ local config_file=$3
+
+ if [[ "$enable" == "1" && "$port" != "" ]]; then
+ cat < "$config_file"
 server {
- listen $nsui_extra_port ssl default_server;
- listen [::]:$nsui_extra_port ssl default_server;
+ listen $port ssl default_server;
+ listen [::]:$port ssl default_server;
 server_name _lan;
 ssl_certificate $crt;
 ssl_certificate_key $key;
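Review bot: `generate_extra_instance` expands `$port` straight into the nginx `listen` directives after checking only that it is non-empty, so a non-numeric or garbage value from UCI produces a broken config that the `nginx -T` test further down rejects without any message, leaving the operator with a silently unchanged nginx. Tighten the guard to `if [[ "$enable" == "1" && "$port" =~ ^[0-9]+$ ]]; then` so a bad port disables the instance (and removes its file via the `else` branch) instead of poisoning the whole config test. Both instances are also emitted with `default_server` on all addresses, which is the existing behaviour for 9090 but is now what the new 8443 support listener relies on the firewall to isolate; a comment above the function saying that isolation of these listeners is delegated to the firewall would make that dependency visible. The function body continues into the next hunk.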
@@ -62,9 +66,22 @@ server {
 }
 }
 EOF
-else
-rm -f "$NSUI_EXTRA_FILE" || :
-fi
+ else
+ rm -f "$config_file" || :
+ fi
+}
+
+# Manage extra ns-ui instance on custom port (default 9090)
+nsui_extra_enable=$(uci -q get ns-ui.config.nsui_extra_enable)
+nsui_extra_port=$(uci -q get ns-ui.config.nsui_extra_port)
+NSUI_EXTRA_FILE=/etc/nginx/conf.d/ns-ui.conf
+generate_extra_instance "$nsui_extra_enable" "$nsui_extra_port" "$NSUI_EXTRA_FILE"
+
+# Manage nethsupport instance on port 8443
+nsui_nethsupport_enable=$(uci -q get ns-ui.config.nsui_nethsupport_enable)
+nsui_nethsupport_port=$(uci -q get ns-ui.config.nsui_nethsupport_port)
+NSUI_NETHSUPPORT_FILE=/etc/nginx/conf.d/ns-ui-nethsupport.conf
+generate_extra_instance "$nsui_nethsupport_enable" "$nsui_nethsupport_port" "$NSUI_NETHSUPPORT_FILE"
 
 if /usr/sbin/nginx -c /etc/nginx/uci.conf -T &> /dev/null ; then
 /etc/init.d/nginx restart
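Review bot: Nothing prevents the two calls from generating server blocks for the same port: if an operator sets `nsui_extra_port` to 8443 (or `nsui_nethsupport_port` to 9090), both files declare `default_server` on one port, `nginx -T` fails, the output goes to `/dev/null`, and nginx is never restarted — so a previously generated support listener may keep running after it was meant to be disabled. Guard the second instance before generating it: `if [[ "$nsui_nethsupport_enable" == "1" && "$nsui_nethsupport_port" == "$nsui_extra_port" ]]; then nsui_nethsupport_enable=0; fi`, ideally with a logged warning, and consider letting the `-T` failure path print nginx's error rather than discarding it. The uses of `$NSUI_EXTRA_FILE` in the removed code suggest the variable was already defined earlier in the file; if that definition still exists, the new assignment here duplicates it and the earlier one should be dropped to keep a single source of truth. The `if /usr/sbin/nginx … -T` block that follows continues past the end of this hunk.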