Using OLS 1.6.16, cannot log into non-HTTP WebAdmin

#1
Aloha smart people,

I have configured a listener for WebAdmin, set Secure to Yes, listening on port 7080, and listening only to localhost IP [::1]. I could add an additional listener for 127.0.0.1, but it doesn't affect this bug report. WebAdmin is therefore impossible to access directly from the Internet, which is the whole point. To access WebAdmin, I ssh to the server from my workstation in this way:

ssh -L 7080:localhost:7080 nonrootuser@example.com

WebAdmin is then accessible from my workstation by browsing to https://localhost:7080 through the magic of ssh tunneling. BTW, I highly recommend this access control. Hint: PHPAdmin can be secured in a similar way.

Problem/Bug: Because the only network traffic uses localhost on the server and on the workstation, and through the secure ssh tunnel, using HTTPS is superfluous. Therefore I experimented with using HTTP instead by setting Secure to No. Just because I want to learn all about OLS. Unfortunately, attempts to log in to WebAdmin then fail and simply respond with the login page again. I'm then locked out until I use shell access to edit /usr/local/lsws/admin/conf/admin_config/conf.

Caveat: I _know_ that this is a very edgy edge case, but I didn't see it here in the forums nor on GitHub Issues, so thought it should be reported anyhow.

PS - I don't know if that last step is truly sufficient. I haven't looked into what admin_config.conf0 and admin_config.conf0,v.

Mahalo,
Steve
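The loopback-only listener is the control that makes the whole setup above safe, so it is worth verifying on the server rather than trusting the WebAdmin settings page. The following is an added example, not code from the original post or from LiteSpeed: it parses `ss -ltn` style output (a constructed sample is embedded; `ss` itself is not invoked) and flags any listener on the WebAdmin port that is bound to a wildcard or non-loopback address such as `0.0.0.0`, `[::]` or `*`. The port number 7080 and the `check_listeners`/`exposed_listeners` function names are this example's own choices.

```python
import ipaddress

# Constructed sample in the style of `ss -ltn` output on a server.
# It is NOT output from the original poster's server; the last line is
# included deliberately to show what a misconfigured wildcard bind looks like.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     [::1]:7080           [::]:*
LISTEN  0       128     127.0.0.1:7080       0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     [::]:443             [::]:*
LISTEN  0       128     *:7080               *:*
"""

WEBADMIN_PORT = 7080  # the port used in the post; assumption for this example


def parse_local_addr(field):
    """Split an ss 'Local Address:Port' field into (host, port).

    Handles bracketed IPv6 ('[::1]:7080'), plain IPv4 ('127.0.0.1:7080')
    and wildcard binds ('*:7080').
    """
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback_only(host):
    """True only when the bind address is a loopback address (127.0.0.0/8 or ::1)."""
    if host in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: treat as not proven safe


def check_listeners(ss_output, port):
    """Return [(host, verdict), ...] for every LISTEN socket on `port`."""
    results = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, p = parse_local_addr(cols[3])
        if p != port:
            continue
        verdict = "loopback-only" if is_loopback_only(host) else "EXPOSED"
        results.append((host, verdict))
    return results


def exposed_listeners(ss_output, port):
    """Just the bind addresses on `port` that are reachable beyond localhost."""
    return [host for host, verdict in check_listeners(ss_output, port)
            if verdict == "EXPOSED"]


if __name__ == "__main__":
    # In practice feed this the real output: `ss -ltn` run on the server.
    for host, verdict in check_listeners(SAMPLE_SS_OUTPUT, WEBADMIN_PORT):
        print(f"{host:>12}:{WEBADMIN_PORT}  {verdict}")
    bad = exposed_listeners(SAMPLE_SS_OUTPUT, WEBADMIN_PORT)
    print("OK: WebAdmin is loopback-only" if not bad else f"WARNING: exposed on {bad}")
```

Run it against real `ss -ltn` output after changing the listener settings; an empty result from `exposed_listeners` is the condition under which the ssh `-L` tunnel is the only way in, regardless of whether the listener is set to Secure Yes or No.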
 
#3
Hi,

1. If you set the web admin listener to listen on the localhost interface only, then you are of course not able to access it via the public network.
2. Feel free to check the solutions here to secure phpMyAdmin: https://docs.litespeedtech.com/cloud/images/wordpress/#how-do-i-secure-phpmyadmin.
3. I tested HTTP only for web admin without a secure ssh tunnel and it works.

Mahalo for your timely response.

Your #1 is actually the point, because I don't want the admin site to be exposed to the internet. At all. Rather, I only want it exposed to localhost, for security. This part works great using HTTPS.

Your #2 is appreciated, and I hope it helps others who read this later on! I still prefer how I protect it by limiting it to local host, though. I was a security architect in a previous life, and I've seen things...

Your #3 I never tested that way, because I didn't want to expose the WebAdmin to the internet, even with HTTPS, let alone HTTP. I'm surprised by your results. I'll stand up a throw-away OLS instance in a throw-away VM or VPS and try it myself to confirm. If I can replicate your result of logging in using non-secure HTTP that way, then try to do so via an ssh tunnel. Perhaps my last attempt was contaminated by some other config. I'll try to pin it down and get back on that in a few days I hope.