uhttpd作为一个简单的web服务器,其代码量并不多,而且组织结构比较清楚。和其它网络服务器差不多,其main函数进行一些初始化(首先parse config-file,然后parse argv),然后进入一个循环,不断地监听,每当有一个客户请求到达时,则对它进行处理。
1、uhttpd uci配置参数说明
/etc/init.d/uhttpd脚本会使用procd的方式启动uhttpd进程,该工具后面可以带很多参数,如下:
root@zihome:~# uhttpd -h
uhttpd: option requires an argument -- h
Usage: uhttpd -p [addr:]port -h docroot
-f Do not fork to background
-c file Configuration file, default is '/etc/httpd.conf'
-p [addr:]port Bind to specified address and port, multiple allowed
-s [addr:]port Like -p but provide HTTPS on this port
-C file ASN.1 server certificate file
-K file ASN.1 server private key file
-h directory Specify the document root, default is '.'
-E string Use given virtual URL as 404 error handler
-I string Use given filename as index for directories, multiple allowed
-S Do not follow symbolic links outside of the docroot
-D Do not allow directory listings, send 403 instead
-R Enable RFC1918 filter
-n count Maximum allowed number of concurrent script requests
-N count Maximum allowed number of concurrent connections
-l string URL prefix for Lua handler, default is '/lua'
-L file Lua handler script, omit to disable Lua
-u string URL prefix for UBUS via JSON-RPC handler
-U file Override ubus socket path
-a Do not authenticate JSON-RPC requests against UBUS session api
-X Enable CORS HTTP headers on JSON-RPC api
-x string URL prefix for CGI handler, default is '/cgi-bin'
-i .ext=path Use interpreter at path for files with the given extension
-t seconds CGI, Lua and UBUS script timeout in seconds, default is 60
-T seconds Network timeout in seconds, default is 30
-k seconds HTTP keepalive timeout
-d string URL decode given string
-r string Specify basic auth realm
-m string MD5 crypt given string
openwrt上面还是通过uci来配置uhttpd,配置文件如下:
config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '10'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
option script_timeout '120'
option network_timeout '60'
option http_keepalive '60'
option tcp_keepalive '5'
option no_ubusauth '0'
option ubus_prefix '/ubus'
uHTTPd 配置项含义:
| 名 称 | 类 型 | 含 义 |
|---|---|---|
| listen_http | 字符串 | 定义服务器的 IP 和端口。指所监听的非加密的地址和端口。如果仅给出端口号,将同时服务于IPv4和IPv6请求。使用0.0.0.0:80仅绑定在 IPv4 接口,使用[::]:80 仅绑定 IPv6 |
| home | 目录路径 | 定义服务器的文档根目录 |
| max_requests | 整型数字 | 最大的并行请求数,如果大于这个值,后续的请求将进入排队队列中 |
| cert | 文件路径 | 用于 HTTPS 连接的 ASN.1/DER 证书。在提供 HTTS 连接时必须提供 |
| key | 文件路径 | 用于 HTTPS 连接的 ASN.1/DER 私钥。在提供 HTTPS 连接时必须提供 |
| cgi_prefix | 字符串 | 定义 CGI 脚本的相对于根目录的前缀。如果没有该选项,CGI功能将不支持 |
| script_timeout | 整型数字 | Lua 或CGI请求的最大等待时间秒值。如果没有输出产生,则超时后执行就结束了 |
| network_timeout | 整型数字 | 网络活动的最大等待时间,如果指定的秒数内没有网络活动发生,则程序终止,连接关闭 |
| tcp_keepalive | 整型数字 | tcp 心跳检测时间间隔,发现对端已不存在时则关闭连接。设置为 0 则关闭 tcp 心跳检测 |
| realm | 字符串 | 基本认证的域值,默认为主机名,是当客户端进行基本认证的提示内容 |
| config | 文件路径 | 用于基本认证的配置文件 |
| no_dirlists | 是否显示文件列表 | 正常情况可以直接通过浏览器查看文件,不安全可以使用该字段屏蔽浏览器查看 |
| max_requests | 最大请求数 | 同时处理的请求的最大数量。当这个数量被超过时,额外的请求将被放入队列中等待 |
| max_connections | 最大连接数 | 同时处理的最大TCP连接数量。当这个数量被超过时,额外的TCP连接尝试将被放入队列中等待 |
| ubus_prefix | ubus前缀 | 使用JSON-RPC访问,如http://192.168.18.1/ubus. |
| ubus_noauth | session认证 | 关闭后可以不用认证,直接访问http接口 |
/etc/init.d/uhttpd脚本在启动的时候会去获取/etc/config/uhttpd配置里面的信息然后进行启动,我们现在用到的参数如下:
root@zihome:/# ps | grep uhttp
1395 root 1556 S /usr/sbin/uhttpd -f -h /www -r openwrt -x /cgi-bin -t 120 -T 60 -k 60 -A 5 -n 3 -N 10 -R -p 0.0.0.0:80 -p [::]:80
31572 root 1520 S grep uhttp
https://openwrt.org/docs/guide-user/services/webserver/uhttpd
2、uhttpd的登录认证超时机制
登录做为web登录最基础的功能,其背后是由rpcd提供的session模式实现的。
session模式实现了创建、更新、退出、添加acl权限等功能。
具体使用可以查看rpcd的介绍:
'session' @3602a25d
"create":{"timeout":"Integer"}
"list":{"ubus_rpc_session":"String"}
"grant":{"ubus_rpc_session":"String","scope":"String","objects":"Array"}
"revoke":{"ubus_rpc_session":"String","scope":"String","objects":"Array"}
"access":{"ubus_rpc_session":"String","scope":"String","object":"String","function":"String"}
"set":{"ubus_rpc_session":"String","values":"Table"}
"get":{"ubus_rpc_session":"String","keys":"Array"}
"unset":{"ubus_rpc_session":"String","keys":"Array"}
"destroy":{"ubus_rpc_session":"String"}
"login":{"username":"String","password":"String","timeout":"Integer"
3、ubus over http功能
在openwrt默认的web应用中,很主要的一共功能点,就是展示和设置信息。因为ubus -v list里面覆盖了大部分我们需要的信息,所以如果可以通过一种简单的rpc方案,通过http直接访问ubus的内容那就方便了。
这就是ubus over http功能,web发送一个http请求,这个请求的结构根据ubus命令封装之后,直接从ubus接口里面获取内容返回给web页面。
因为ubus接口里面包含了太多的信息,我们不想把所有信息都暴露给web,所以有了rpcd里面的acls权限管理。权限管理里面说明了只能执行那些命令。
使用该功能需要在uci里面把配置打开
option ubus_prefix /ubus
之后可以用postman发送post请求
登录:
{
"jsonrpc":"2.0",
"id":1,
"method":"call",
"params":[
"00000000000000000000000000000000",
"session",
"login",
{
"username":"root",
"password":"admin"
}
]
}
此时会返回该账号的session,还有权限之类的
{
"jsonrpc": "2.0",
"id": 1,
"result": [
0,
{
"ubus_rpc_session": "e5333f3fe2ed4601be3b0a8da0a6998e",
"timeout": 300,
"expires": 300,
"acls": {
"access-group": {
"luci-access": [
"read",
"write"
],
"luci-app-firewall": [
"read",
"write"
],
...
"uci-access": [
"read",
"write"
],
"unauthenticated": [
"read"
]
},
"cgi-io": {
"backup": [
"read"
],
"download": [
"read"
],
"exec": [
"read"
],
"upload": [
"write"
]
},
"file": {
"/": [
"list"
],
"/*": [
"list"
],
"/bin/dmesg -r": [
"exec"
],
...
"/usr/sbin/logread -e ^": [
"exec"
]
},
"ubus": {
"file": [
"list",
"read",
"stat",
"write",
"remove",
"exec"
],
"hostapd.*": [
"del_client"
],
"iwinfo": [
"assoclist",
"freqlist",
"txpowerlist",
"countrylist",
"scan"
],
"luci": [
"getFeatures",
"getConntrackList",
"getInitList",
"getLocaltime",
"getProcessList",
"getRealtimeStats",
"getTimezones",
"getLEDs",
"getUSBDevices",
"getSwconfigFeatures",
"getSwconfigPortState",
"getBlockDevices",
"getMountPoints",
"setInitAction",
"setLocaltime",
"setPassword",
"setBlockDetect",
"getConntrackHelpers"
],
"luci-rpc": [
"getBoardJSON",
"getDHCPLeases",
"getDSLStatus",
"getDUIDHints",
"getHostHints",
"getNetworkDevices",
"getWirelessDevices"
],
"network": [
"get_proto_handlers"
],
"network.interface": [
"dump"
],
"network.rrdns": [
"lookup"
],
"session": [
"access",
"login"
],
"system": [
"board",
"info",
"validate_firmware_image"
],
"uci": [
"changes",
"get",
"add",
"apply",
"confirm",
"delete",
"order",
"set",
"rename"
]
},
"uci": {
"*": [
"read",
"write"
],
...
"uhttpd": [
"read",
"write"
]
}
},
"data": {
"username": "root"
}
}
]
}
之后我们就可以使用这个session进行发送ubus请求,比如系统信息
{
"jsonrpc":"2.0",
"id":1,
"method":"call",
"params":[
"2cd182b0120310db8869b43d4340a307",
"system",
"board",
{
}
]
}
返回内容:
{
"jsonrpc": "2.0",
"id": 1,
"result": [
0,
{
"kernel": "4.14.275",
"hostname": "OpenWrt",
"system": "Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz",
"model": "VMware, Inc. VMware Virtual Platform",
"board_name": "vmware-inc-vmware-virtual-platform",
"release": {
"distribution": "OpenWrt",
"version": "19.07-SNAPSHOT",
"revision": "r11430-ecbbb37",
"target": "x86/64",
"description": "OpenWrt 19.07-SNAPSHOT r11430-ecbbb37"
}
}
]
}
可以看到返回的内容跟直接输入ubus call一致
root@OpenWrt:~# ubus call system board
{
"kernel": "4.14.275",
"hostname": "OpenWrt",
"system": "Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz",
"model": "VMware, Inc. VMware Virtual Platform",
"board_name": "vmware-inc-vmware-virtual-platform",
"release": {
"distribution": "OpenWrt",
"version": "19.07-SNAPSHOT",
"revision": "r11430-ecbbb37",
"target": "x86/64",
"description": "OpenWrt 19.07-SNAPSHOT r11430-ecbbb37"
}
}
当然如果不属于上面权限的ubus消息是无法发送的,比如
{
"jsonrpc":"2.0",
"id":1,
"method":"call",
"params":[
"2cd182b0120310db8869b43d4340a307",
"network.interface.lan",
"status",
{
}
]
}
返回没有权限
{
"jsonrpc": "2.0",
"id": 1,
"error": {
"code": -32002,
"message": "Access denied"
}
}
这些权限的配置都位于/usr/share/rpcd/acl.d/目录下面配置,我们可以自己按照规则增删。
上面json请求的结构体描述如下:
{ "jsonrpc": "2.0",
"id": <unique-id-to-identify-request>,
"method": "call",
"params": [
<ubus_rpc_session>, <ubus_object>, <ubus_method>,
{ <ubus_arguments> }
]
}
{ "jsonrpc": "2.0", "id": 1, "method": "call", "params": [ "c1ed6c7b025d0caca723a816fa61b668", "file", "read", { "path": "/etc/board.json" } ] }
how to use ubus over http in openwrt 12.09
:https://www.cnblogs.com/nicephil/p/6768381.html#e4bdbfe794a8e696b9e6b395_2
openwrt-rpcd服务ACL配置错误风险分析:https://www.cnblogs.com/hac425/p/9416854.html
https://openwrt.org/docs/techref/ubus#access_to_ubus_over_http
4、cgi框架
要运行cgi程序,首先意味着需fork出一个子进程,并通过execl函数替换进程空间为cgi程序;其次,数据传递,子进程替换了进程空间后,怎么获得原信息,有怎么把回馈数据传输给父进程(即uhttpd),父进程又怎么接收这些数据。
https://www.cnblogs.com/zmkeil/archive/2013/05/14/3078766.html
