Web Interface

Introduction

The switch provides a Web interface for management and status overview. Both HTTP and HTTPS access are supported and can be configured individually. Only a single Web session is possible at a time.

Configuration of Web services is done in the Web configuration context.

example:/#> configure
example:/config/#> management
example:/config/management/#> web
example:/config/management/web/#>

HTTP and HTTPS are managed in individual sub-contexts. The example below disables HTTP access and changes the HTTPS port from its default to 43434.

example:/config/management/web/#> http
example:/config/management/web/http/#> no enable
example:/config/management/web/http/#> end
example:/config/management/web/#> https
example:/config/management/web/https/#> port 43434
example:/config/management/web/https/#>

Session timeout

If enabled, this setting defines the Web session timeout, which also applies as the upload timeout for file uploads. The value is in minutes. If not enabled, the value 0 is stored as the Web session timeout, and file uploads then use a default timeout of 7200 seconds (120 minutes).

The example below shows how to set the Web session inactivity timeout to 5 minutes (default 10 minutes).

example:/#> configure
example:/config/#> management
example:/config/management/#> web
example:/config/management/web/#> session-timeout 5

Syntax

[no] session-timeout <1..1440>
Set auto logout delay in minutes, default 10 min.

Pre-Login Banner

If configured, a pre-login banner is displayed on the login page of the Web interface. The message can be written and formatted free-form at the discretion of the administrator. Generally, these types of messages are composed to inform any potential unauthorized users that they are attempting to access a restricted area.

Using a banner could help dissuade potential intruders by providing a direct warning that accessing the device may be an illegal or prohibited activity. If a login banner was present during a possible breach, the potential perpetrator will find it harder to claim ignorance, since the individual was clearly warned that access was prohibited.

When configured, the login page will also display an acknowledgement checkbox that must be checked before the user is allowed to attempt a login. This ensures that the user cannot accidentally overlook the message displayed in the banner.

Warning

Any pre-login banner message that is intended to be used for any potential legal matters should possibly be approved for use by the organization's legal team.

Westermo only provides the possibility to compose such a message, and is never involved in or responsible for its contents or any actions that may be pursued as a result.

The following is an example of how this can be configured using the CLI. When configuring via the CLI, escape characters can be used, for instance to create line breaks. Remember to enclose the message in quotes, like this: "MESSAGE" or 'MESSAGE'.

example:/#> configure
example:/config/#> management
example:/config/management/#> web
example:/config/management/web/#> login-banner "This is an example message.\n\nThis is on a new line.\n\nRemember, this is just an example text, not to actually be used in a production environment."
example:/config/management/web/#>

If the overview show command is used, the banner is displayed, as far as possible, formatted as it would appear on the Web login page:

example:/config/management/web/#> show
[...]
Login Banner
▏This is an example message. ▕
▏ ▕
▏This is on a new line. ▕
▏ ▕
▏Remember, this is just an example text, not to actually be used in a ▕
▏production environment. ▕
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
[...]

In order to see how the message was composed, including the escape characters, use the specific show login-banner command:

example:/config/management/web/#> show login-banner
"This is an example message.\n\nThis is on a new line.\n\nRemember, this is just an example text, not to actually be used in a production environment."

Syntax

[no] login-banner [MESSAGE]

Configure a banner to be displayed on the login page of the Web interface.

This is a banner that will be displayed on the login page, before the user has logged in to the device. When this is configured the user will be forced to acknowledge the message before being allowed to log in.

Default: no login-banner (Disabled)

no
Remove any configured login-banner and disable it.
MESSAGE

Free-form message. Remember to enclose the message in quotes, like this: "MESSAGE" or 'MESSAGE'.

When writing the message certain escape characters can also be included:

  • \b => Backspace
  • \t => Horizontal TAB
  • \n => New line
  • \r => Carriage Return

HTTP Settings

example:/#> configure
example:/config/#> management
example:/config/management/#> web
example:/config/management/web/#> http
example:/config/management/web/http/#>

Syntax of HTTP settings

[no] enable
Activate or deactivate Web access via HTTP
[no] port PORT
Port to run HTTP daemon (default 80)

HTTPS Settings

example:/#> configure
example:/config/#> management
example:/config/management/#> web
example:/config/management/web/#> https
example:/config/management/web/https/#>

For HTTPS, the switch auto-generates an individual Web server certificate upon first boot, after a factory reset, or if the Web server certificate has been deleted. In addition, it is possible to upload a custom certificate and specify the Web server to use it instead.

Syntax of HTTPS settings

[no] enable
Activate or deactivate Web access via HTTPS
[no] port PORT
Port to run HTTPS daemon (default 443)
[no] certificate LABEL
Set the custom certificate to use. If not specified, the default certificate provided by the firmware will be used.

The example below shows how to specify a custom Web certificate, assuming the certificate has already been uploaded to the certificate repository (see label ‘server1’ below).

example:/config/management/web/https/#> do show cert full
TYPE     HASH     EXPIRES     NAME                 LABEL
CA-local e0145f8c Sep  4 2032 ACME CA              server1
Pub      eed11dc2 Dec 10 2024 server1              server1
Pub      4a23103e Jan 19 2038 zero-12-34-50.local  web-default
Key      N/A      N/A         server1              server1
Key      N/A      N/A         web-default          web-default
example:/config/management/web/https/#> certificate server1
example:/config/management/web/https/#>
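
Checking the repository listing before pointing HTTPS at a label, as an added example (not Westermo code): the Python script below parses the show cert full table from the example above and reports a label whose certificate is expired, close to expiry, or lacks a Pub or Key entry. The column layout is taken from the sample output; the function names, the 30-day warning window, and the rule that a usable label needs both a Pub and a Key entry are assumptions.

```python
import re
from datetime import date

# Constructed sample: the `show cert full` output from the example above.
SAMPLE = """\
TYPE     HASH     EXPIRES     NAME                 LABEL
CA-local e0145f8c Sep  4 2032 ACME CA              server1
Pub      eed11dc2 Dec 10 2024 server1              server1
Pub      4a23103e Jan 19 2038 zero-12-34-50.local  web-default
Key      N/A      N/A         server1              server1
Key      N/A      N/A         web-default          web-default
"""

# Assumed layout: TYPE HASH EXPIRES NAME LABEL; NAME may contain spaces.
ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(N/A|[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+(.+?)\s+(\S+)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

def parse_cert_table(text):
    """Return one dict per entry; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        kind, digest, expires, name, label = m.groups()
        when = None  # Key rows show N/A instead of a date
        if expires != "N/A":
            mon, day, year = expires.split()
            when = date(int(year), MONTHS[mon], int(day))
        rows.append({"type": kind, "hash": digest, "expires": when,
                     "name": name, "label": label})
    return rows

def audit_label(rows, label, today, warn_days=30):
    """Findings for using `label` as the HTTPS certificate (empty list = OK)."""
    mine = [r for r in rows if r["label"] == label]
    findings = [f"{label}: no {t} entry" for t in ("Pub", "Key")  # assumed rule
                if not any(r["type"] == t for r in mine)]
    for r in mine:
        if r["expires"] is None:
            continue
        left = (r["expires"] - today).days
        if left < 0:
            findings.append(f"{label}: {r['type']} {r['name']} expired {-left} days ago")
        elif left <= warn_days:
            findings.append(f"{label}: {r['type']} {r['name']} expires in {left} days")
    return findings

if __name__ == "__main__":
    print(audit_label(parse_cert_table(SAMPLE), "server1", date.today()))
```

Run against the sample, the audit flags the server1 Pub certificate once the evaluation date passes Dec 10 2024, which is the case to catch before issuing certificate server1.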