To enable OpenWrt to automatically restore a previous backup during the first reboot after flashing

To enable OpenWrt to automatically restore a previous backup during the first reboot after flashing, you can integrate the backup file and the restore script into the firmware during the build process. Here’s how to do it:

1. Create the files Directory

In the root directory of your OpenWrt source tree, create a directory named files. Any files placed in this directory will be directly copied into the final firmware with the same directory structure.

mkdir -p ~/openwrt/files

2. Add the Backup File and Script

2.1 Place the Backup File

Copy the backup file you’ve prepared (e.g., backup.tar.gz) into the files/etc/backup/ directory:

mkdir -p ~/openwrt/files/etc/backup
cp /path/to/your/backup.tar.gz ~/openwrt/files/etc/backup/

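Replace /path/to/your/backup.tar.gz with the actual path to your backup file. An OpenWrt backup typically includes password hashes and Wi-Fi keys, so anyone who obtains the resulting firmware image also obtains those secrets.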

2.2 Add the Auto-Restore Script

Create an auto-restore script and place it in the files/etc/init.d/ directory, for example, named restore_backup:

mkdir -p ~/openwrt/files/etc/init.d
nano ~/openwrt/files/etc/init.d/restore_backup

In the editor, add the following script content:

#!/bin/sh

# Define the backup file path
BACKUP_FILE="/etc/backup/backup.tar.gz"

# Check if the backup file exists
if [ -f "$BACKUP_FILE" ]; then
    # Restore the backup; keep the files if the restore fails
    if sysupgrade -r "$BACKUP_FILE"; then
        echo "Backup successfully restored"

        # Delete the backup file and the script itself
        rm -f "$BACKUP_FILE"
        rm -f /etc/init.d/restore_backup
        echo "Backup file and restore script deleted"
    else
        echo "Backup restore failed, files left in place"
    fi
else
    echo "Backup file not found"
fi

Save and exit the editor.

3. Set Script Permissions and Startup

To ensure the restore script runs on system startup, create a 99_restore_backup script in the files/etc/uci-defaults/ directory:

mkdir -p ~/openwrt/files/etc/uci-defaults
nano ~/openwrt/files/etc/uci-defaults/99_restore_backup

In this file, add the following:

#!/bin/sh

# Ensure the restore script is executable
chmod +x /etc/init.d/restore_backup

# Enable the restore script to run on startup
/etc/init.d/restore_backup enable

# Delete this initialization script
rm -f /etc/uci-defaults/99_restore_backup

Save and exit the editor.

4. Compile the OpenWrt Firmware

After completing the above steps, compile the OpenWrt firmware. This will generate a firmware image that includes your backup file and the auto-restore script.

5. Flash and Test the Firmware

Flash the generated firmware to your device and verify that the device automatically restores the backup upon the first boot and deletes the script and backup file afterward.

These steps will help you integrate an automatic backup restore feature into your OpenWrt firmware.
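
Because sysupgrade -r unpacks the archive onto the root filesystem of every device flashed with this image, it is worth checking the archive on the build host before copying it into files/. The following is an added example, not part of the original procedure or of OpenWrt; the function names and the list of secret-bearing paths are assumptions.

```shell
#!/bin/sh
# Added example: pre-build check for a backup archive that will be baked into
# the firmware image. Function names are hypothetical, not OpenWrt tools.

# Read member names on stdin; print those that are absolute paths or contain a
# ".." component, since they could be written outside the intended tree.
unsafe_members() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# Read member names on stdin; print those that usually hold secrets
# (assumed list: password hashes, SSH keys, Wi-Fi and tunnel credentials).
secret_members() {
    grep -E '^(\./)?etc/(shadow$|dropbear/|config/(wireless|network)$)' || true
}

# check_backup FILE
# Returns 0 if the archive can be embedded, 1 if it is not a readable tar.gz,
# 2 if it contains unsafe member paths. Findings are reported on stderr.
check_backup() {
    members=$(tar -tzf "$1" 2>/dev/null) || {
        echo "not a readable tar.gz: $1" >&2
        return 1
    }
    bad=$(printf '%s\n' "$members" | unsafe_members)
    if [ -n "$bad" ]; then
        printf 'unsafe member paths:\n%s\n' "$bad" >&2
        return 2
    fi
    secrets=$(printf '%s\n' "$members" | secret_members)
    [ -n "$secrets" ] &&
        printf 'archive holds secrets, keep the image private:\n%s\n' "$secrets" >&2
    return 0
}
```

Run check_backup on the archive before the cp command in step 2.1 and copy it only when the function returns 0.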

Only to one directory on an internal server

Below are the Nginx configuration and explanation for allowing external access only to the /report directory on an internal server, while blocking access to other directories:

Configuration Example

server {
    listen 80;
    server_name your-domain.com;

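    # Redirect the bare path so that it is handled by the /report/ block below
    location = /report {
        return 301 /report/;
    }

    # Allow access only to the /report directory
    # (the trailing slash keeps paths such as /reports from matching)
    location /report/ {
        proxy_pass http://192.168.1.1;  # Replace with the actual internal server address
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Optional: Handle path rewriting if needed
        # (strips the /report prefix; the result always starts with "/")
        rewrite ^/report/(.*)$ /$1 break;
    }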

    # Deny access to other paths
    location / {
        deny all;
    }

    # Handle other path requests if necessary
    # You can add additional location blocks for specific path requests
}

Explanation

  1. Allowing Access to /report:
  • The /report location block forwards requests to the internal server http://192.168.1.1.
  • The rewrite directive (optional) strips the /report prefix so that it is not added to the internal server’s request path. With the rewrite in place, a request for /report/x reaches the internal server as /x, so everything the internal server serves becomes reachable under /report/; remove the directive if the internal server itself keeps the content under /report.
  2. Denying Access to Other Paths:
  • The location / block with the deny all; directive blocks access to all other paths. This means that external users will receive a 403 Forbidden error when trying to access other paths.

Considerations

  • Access Control:
    If your Nginx server is exposed to the public internet and needs to control access to multiple directories or services, make sure to implement appropriate security measures, such as IP whitelisting and authentication mechanisms.
  • Logging:
    You can configure Nginx’s access and error logs to monitor and troubleshoot access issues. Log configuration is typically done within the server block.
  • SSL/TLS:
    If your site is exposed on the public internet, it’s recommended to use SSL/TLS to encrypt traffic and protect data transmission.
  • Nginx Configuration Testing:
    Before applying any changes, run nginx -t to test the syntax of the configuration file. Make sure there are no errors before reloading the Nginx configuration.

With this configuration, external users will only be able to access the /report directory, while access to other paths will be blocked.
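
One way to use the access log mentioned under Logging: the added script below (not from the original page) checks a log in Nginx's default combined format against this policy and prints any request outside /report that was not answered with 403. The function names and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: audit an nginx access log ("combined" format) against the
# policy "only /report is reachable". Names and sample data are constructed.

# policy_violations LOGFILE
# Print "client status path" for each request outside /report that was not
# answered with 403, i.e. a path the deny-all block did not cover.
policy_violations() {
    awk '{
        # combined format: $1 client, $7 request target, $8 protocol, $9 status
        if ($8 !~ /^HTTP\//) next        # malformed request line, skip
        path = $7
        sub(/\?.*$/, "", path)           # drop the query string
        inside = (path == "/report" || index(path, "/report/") == 1)
        # The log holds the raw request, but nginx matches locations on the
        # decoded, normalized URI, so "/report/../x" is not inside /report.
        if (path ~ /\/\.\.(\/|$)/ || tolower(path) ~ /%2e|%2f/) inside = 0
        if (!inside && $9 != "403") print $1, $9, path
    }' "$1"
}

# denied_by_client LOGFILE
# Count 403 responses per client address, busiest first.
denied_by_client() {
    awk '$9 == "403" { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" |
        sort -rn
}

# Constructed sample log (documentation address ranges).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /report/summary.html HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /admin HTTP/1.1" 403 153 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /reports/old HTTP/1.1" 200 99 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "GET /.env HTTP/1.1" 403 153 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2024:13:56:03 +0000] "GET /report/../admin?x=1 HTTP/1.1" 403 153 "-" "curl/8.0"
EOF
}
```

In the sample, the /reports/old request answered with 200 is the kind of entry a prefix match on /report without a trailing slash lets through.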