Hosting a website on a home router

I have long wanted to get hands-on experience with Internet services by setting up a web server from scratch and exposing it to the Internet. In this article I want to share my experience of turning a home router from a highly functional device into an almost full-fledged server.

It all started when the TP-Link TL-WR1043ND router, which had served faithfully, stopped meeting the needs of the home network: I wanted a 5 GHz band and quick access to files on a drive connected to the router. After reviewing specialized forums (w4bsitXNUMX-dns.com, ixbt), review sites and the range in local stores, I decided to purchase a Keenetic Ultra.

Good reviews from owners spoke in favor of this particular device:

  • no problems with overheating (this ruled out Asus products);
  • reliability in operation (this ruled out TP-Link);
  • ease of setup (I was afraid I would not cope, which ruled out MikroTik).

I had to come to terms with the cons:

  • no WiFi 6, although I wanted equipment with some margin for the future;
  • 4 LAN ports; I wanted more, but that is no longer the home category.

As a result, we got such a “server”:

  • on the left is the optical terminal of Rostelecom;
  • on the right is our experimental router;
  • a spare 128 GB M.2 SSD, placed in a USB3 enclosure from AliExpress, is connected to the router by cable; it is now neatly fixed to the wall;
  • in the foreground is an extension cord with independently switched sockets; its cable goes to an inexpensive UPS;
  • in the background is a bundle of twisted-pair cables: at the apartment renovation stage I planned RJ45 sockets in the places where equipment was supposed to be located, so as not to depend on WiFi congestion.

So, we have the equipment, we need to configure it:

  • the initial configuration of the router takes about 2 minutes: we specify the parameters for connecting to the provider (my optical terminal is switched to bridge mode, and the router brings up the PPPoE connection), the name of the WiFi network and the password. That is basically everything; the router starts up and works.

We set up forwarding of external ports to ports on the router itself in the "Network Rules - Forwarding" section.

Now you can move on to the "advanced" part, which is what I wanted from the router:

  1. functionality of a small NAS for a home network;
  2. performing the functions of a web server for several private pages;
  3. personal cloud functionality for accessing personal data from anywhere in the world.

The first is implemented by built-in tools, without requiring much effort:

  • we take the drive intended for this role (a flash drive, a memory card in a card reader, or a hard drive or SSD in an external enclosure) and format it as Ext4 using MiniTool Partition Wizard Free Edition (I do not have a Linux computer at hand; there you can use the built-in tools). As I understand it, during operation the system writes only logs to the flash drive, so if logging is limited once the system is set up, memory cards can be used as well; if you plan to write to the drive often and in large volumes, an SSD or HDD is better.

After that, we connect the drive to the router and see it on the system monitor screen.

By clicking "USB drives and printers" in the "Applications" section, we open the drive settings and configure the share in the "Windows Network" section.

Now we have a network resource that can be used from computers running Windows, mapping it as a drive if necessary: net use y: \\192.168.1.1\SSD /persistent:yes

The speed of such an impromptu NAS is quite sufficient for home use: over the wire it uses the entire gigabit, and over WiFi the speed is about 400-500 megabits.

Setting up the storage is one of the necessary steps in setting up the server. Next we need to:

  • buy a domain and a static IP address (you can do without the latter by using Dynamic DNS, but I already had a static IP, so it turned out to be easier to use the free Yandex services: by delegating the domain there, we get DNS hosting and mail on our domain);

  • set up DNS servers and add A-records pointing to your IP.

It takes several hours for the domain and DNS delegation settings to take effect, so in the meantime we configure the router.

First you need to install the Entware repository, from which we can install the necessary packages on the router. I followed this instruction, but instead of uploading the installation package via FTP, I created a folder directly on the previously connected network drive and copied the file there in the usual way.

Having gained access via SSH, change the password with the passwd command and install all the necessary packages with the opkg install [package names] command.

During the configuration, the following packages were installed on the router (output of the opkg list-installed command):

Package List
bash - 5.0-3
busybox - 1.31.1-1
ca-bundle - 20190110-2
ca-certificates - 20190110-2
coreutils - 8.31-1
coreutils-mktemp - 8.31-1
cron - 4.1-3
curl - 7.69.0-1
diffutils - 3.7-2
dropbear - 2019.78-3
entware-release - 1.0-2
findutils - 4.7.0-1
glib2 - 2.58.3-5
grep - 3.4-1
ldconfig - 2.27-9
libattr - 2.4.48-2
libblkid - 2.35.1-1
libc - 2.27-9
libcurl - 7.69.0-1
libffi - 3.2.1-4
libgcc - 8.3.0-9
libiconv-full - 1.11.1-4
libintl-full - 0.19.8.1-2
liblua - 5.1.5-7
libmbedtls - 2.16.5-1
libmount - 2.35.1-1
libncurses - 6.2-1
libncursesw - 6.2-1
libndm - 1.1.10-1a
libopenssl - 1.1.1d-2
libopenssl-conf - 1.1.1d-2
libpcap - 1.9.1-2
libpcre - 8.43-2
libpcre2 - 10.34-1
libpthread - 2.27-9
libreadline - 8.0-1a
librt - 2.27-9
libslang2 - 2.3.2-4
libssh2 - 1.9.0-2
libssp - 8.3.0-9
libstdcpp - 8.3.0-9
libuuid - 2.35.1-1
libxml2 - 2.9.10-1
locales - 2.27-9
mc - 4.8.23-2
ndmq - 1.0.2-5a
nginx - 1.17.8-1
openssl-util - 1.1.1d-2
opkg - 2019-06-14-dcbc142e-2
opt-ndmsv2 - 1.0-12
php7 - 7.4.3-1
php7-mod-openssl - 7.4.3-1
poorbox - 1.31.1-2
terminfo - 6.2-1
zlib - 1.2.11-3
zoneinfo-asia - 2019c-1
zoneinfo-europe - 2019c-1
zoneinfo-europe-2019c-1

Perhaps something superfluous ended up here, but there is a lot of space on the drive, so I did not bother sorting it out.

After installing the packages, we set up nginx. I tried it with two domains: the second one is configured with https and for now serves only a stub page. Internal ports 81 and 433 are used instead of 80 and 443, because the router's admin panel occupies the standard ports.

etc/nginx/nginx.conf

user  nobody;
worker_processes  1;
#error_log  /opt/var/log/nginx/error.log;
#error_log  /opt/var/log/nginx/error.log  notice;
#error_log  /opt/var/log/nginx/error.log  info;
#pid        /opt/var/run/nginx.pid;

events {
    worker_connections  64;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  /opt/var/log/nginx/access.log main;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    #gzip  on;

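    # Plain HTTP (internal port 81 instead of 80): redirect everything to HTTPS
    server {
        listen 81;
        server_name milkov.su www.milkov.su;
        return 301 https://milkov.su$request_uri;
    }

    # HTTPS (internal port 433 instead of 443)
    server {
        listen 433 ssl;
        server_name milkov.su;
        # SSL support
        include ssl.conf;

        location / {
            root   /opt/share/nginx/html;
            index  index.html index.htm;
        }

        # Error page for 5xx responses
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}   # end of the http block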

etc/nginx/ssl.conf

ssl_certificate /opt/etc/nginx/certs/milkov.su/fullchain.pem;
ssl_certificate_key /opt/etc/nginx/certs/milkov.su/privkey.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /opt/etc/nginx/dhparams.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_stapling on;

For the site to work over https, I used the well-known dehydrated script, installing it according to this instruction. The process caused no difficulties; the only snag was that, for the script to work on my router, I had to comment out a line in the file /opt/etc/ssl/openssl.cnf:

[openssl_conf]
#engines=engines

Note also that generating dhparams.pem with the command “openssl dhparam -out dhparams.pem 2048” takes more than 2 hours on my router; if it were not for the progress indicator, I would have lost patience and rebooted.
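
A tighter ssl.conf for the same server block, given here as an added example rather than the author's configuration: the nginx 1.17.8 and OpenSSL 1.1.1d builds in the package list can negotiate TLS 1.3, and limiting TLS 1.2 to ECDHE suites makes dhparams.pem, with its two-hour generation, unnecessary. The chain.pem path and the resolver address are assumptions.

```nginx
# Added example, not the author's file: drop-in replacement for /opt/etc/nginx/ssl.conf
ssl_certificate     /opt/etc/nginx/certs/milkov.su/fullchain.pem;
ssl_certificate_key /opt/etc/nginx/certs/milkov.su/privkey.pem;

# Without this directive the protocol set is whatever the nginx build defaults to.
# Allow only TLS 1.2 and 1.3.
ssl_protocols TLSv1.2 TLSv1.3;

# TLS 1.2 suites: forward-secret AEAD only. This drops the 3DES, CBC, DSS,
# CAMELLIA and static-RSA entries of the long list above. TLS 1.3 suites are
# not governed by this directive.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;

# No DHE suites remain, so ssl_dhparam (and dhparams.pem) is not needed.

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 5m;
ssl_session_tickets off;

# OCSP stapling only has an effect if the certificate carries an OCSP URL,
# and nginx needs a resolver to look up the responder's host name.
ssl_stapling        on;
ssl_stapling_verify on;
# Assumption: the ACME client wrote chain.pem next to fullchain.pem.
ssl_trusted_certificate /opt/etc/nginx/certs/milkov.su/chain.pem;
# Assumption: the router's own DNS proxy answers on its LAN address.
resolver 192.168.1.1 valid=300s;
resolver_timeout 5s;

# Tell browsers to use HTTPS for this host from now on.
add_header Strict-Transport-Security "max-age=31536000" always;
```

Check the file with nginx -t before restarting nginx.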

After receiving the certificates, restart nginx with the "/opt/etc/init.d/S80nginx restart" command. In principle, this completes the setup, but there is no site yet: if we put the index.html file in the /share/nginx/html directory, we will see a stub page.

index.html

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Тестовая страничка!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Тестовая страничка!</h1>
<p>Это простая статическая тестовая страничка, абсолютно ничего интересного.</p>
</body>
</html>

To present information nicely, it is easier for a non-professional like me to use ready-made templates. After a long search through various directories I found templatemo.com: it has a good selection of free templates that do not require mandatory attribution (which is rare on the Internet; most template licenses require you to keep a link to the resource they were obtained from).

We choose a suitable template (there is one for a variety of cases), download the archive and unpack it into the /share/nginx/html directory; this can be done from your computer. Then we edit the template (minimal knowledge of HTML is required here so as not to break the structure) and replace the graphics.

Summary: the router is quite suitable for hosting a light site. In principle, if a heavy load is not expected, you can also install PHP and experiment with more complex projects (I am looking at nextcloud / owncloud; there seem to be successful installations on such hardware). The ability to install packages increases its usefulness: for example, when I needed to protect the RDP port of a PC on the local network, I put knockd on the router, and port forwarding to the PC was opened only after port knocking.

Why a router and not a regular PC? A router is one of the few pieces of computer hardware that runs around the clock in many apartments; a home router is usually completely silent, and a light site with fewer than a hundred visits per day will not bother it at all.

Source: habr.com
