Some useful tidbits to use when using the OpenWRT embedded web server (uHTTPD).

Embedded Lua

uHTTPd supports running Lua in-process, which can speed up Lua CGI scripts. It is unclear whether LuCI supports running in this embedded interpreter. LuCI seems to work fine (if not better) with the embedded Lua interpreter.

[email protected]:~# opkg install uhttpd-mod-lua
Installing uhttpd-mod-lua (18) to root...
Downloading http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages/uhttpd-mod-lua_18_ar71xx.ipk.
Configuring uhttpd-mod-lua.
[email protected]:~# uci set uhttpd.main.lua_prefix=/lua
[email protected]:~# uci set uhttpd.main.lua_handler=/root/test.lua
[email protected]:~# cat /root/test.lua
function handle_request(env)
        uhttpd.send("HTTP/1.0 200 OKrn")
        uhttpd.send("Content-Type: text/plainrnrn")
        uhttpd.send("Hello world.n")
end
[email protected]:~# /etc/init.d/uhttpd restart
[email protected]:~# wget -qO- http://127.0.0.1/lua/
Hello world.
[email protected]:~#

Tested on Backfire 10.03.1 with uHTTPd 28.

HTTPS Enable and Certificate Settings and Creation

First of all, you need to install the uhttpd-mod-tls package in order to pull into the system the ‘TLS plugin which adds HTTPS support to uHTTPd’. Then if listen_https is defined in the server configuration, the certificate and private key is missing. In this case (as of 10.03.1) you’ll need to install the luci-ssl meta-package which in turn will pull also the px5g script. With this utility the init script will generate the appropriate certifcate and key files when the server is started for the first time, either by reboot or by manual restart. The /etc/config/uhttpd file contains in the end a section detailing the certificate and key files creation parameters:

Name Type Required Default Description
days integer no 730 Validity time of the generated certificates in days
bits integer no 1024 Size of the generated RSA key in bits
country string no DE ISO country code of the certificate issuer
state string no Berlin State of the certificate issuer
location string no Berlin Location/city of the certificate issuer
commonname string no OpenWrt Common name covered by the certificate

Those will be needed only once, at the next restart.

Basic Authentication (httpd.conf)

For backward compatibility reasons, uhttpd uses the old Busybox httpd config file /etc/httpd.conf to define authentication areas and the associated usernames and passwords. This configuration file is not in UCI format and usually shipped or generated by external packages like webif (X-Wrt). Authentication realms are defined in the format prefix:username:password with one entry per line followed by a newline.

  • prefix is the URL part covered by the realm, e.g. /cgi-bin to request basic auth for any CGI program
  • username specifies the username a client has to login with
  • password defines the secret password required to authenticate

The password can be either in plain text format, MD5 encoded or in the form $p$user where user refers to an account in /etc/shadow or /etc/passwd. A plain text password can be converted to MD5 encoding by using the -m switch of the uhttpd executable:

[email protected]:~# uhttpd -m secret
$1$$ysVNzQc4CTMkp5daOdZ.3/

If the $p$- format is used, uhttpd will compare the client provided password against the one stored in the shadow or passwd database.
URL decoding

Note that this creates a empty salt!

URL decoding

Like Busybox HTTPd, the URL decoding of strings on the command line is supported through the -d switch:

[email protected]:/# uhttpd -d "An%20URL%20encoded%20String%21%0a"
An URL encoded String!