Issue with authentication for REST API using KeenDNS name

[em286]

Hi!
I'm trying to run some commands (specifically setting a policy for a network client) using Keenetic's REST API, which is working fine as long as I send requests to my internal IP address 192.168.1.1. But for my final goal I need to be able to run those commans from a cloud, which is why I need to be able to send https requests to my domain name registered on KeenDNS. 

The problem is that when I send auth requests to https://xxx.yyy.keenetic.name/auth the service wouldn't send back headers like X-NDM-Challenge and X-NDM-Realm in the response and I can't build an authorization header to proceed.

Are there any configurations or workarounds that would let me send REST API requests to my domain name instead of IP?
Thanks.

Edited Sunday at 05:40 PM by em286

[eralde]

14 hours ago, em286 said:

Hi!
I'm trying to run some commands (specifically setting a policy for a network client) using Keenetic's REST API, which is working fine as long as I send requests to my internal IP address 192.168.1.1. But for my final goal I need to be able to run those commans from a cloud, which is why I need to be able to send https requests to my domain name registered on KeenDNS. 

The problem is that when I send auth requests to https://xxx.yyy.keenetic.name/auth the service wouldn't send back headers like X-NDM-Challenge and X-NDM-Realm in the response and I can't build an authorization header to proceed.

Are there any configurations or workarounds that would let me send REST API requests to my domain name instead of IP?
Thanks.

Hi @em286
There is a way to do that using Entware nginx-ssl package. While it is not a very straightforward one, it should work.

1. Install Entware
2. Run opkg update && opkg upgrade && opkg-install nginx-ssl in the Entware shell
3. Adjust /opt/etc/nginx/nginx.conf to proxy /auth and /rci/ requests to the firmware web server (see configuration below; replace "Home" segment address in it with 192.168.1.1)
4. Configure xxx.yyy.keenetic.name to proxy requests to "This Keenetic Device" + nginx-ssl port

This way X-NDM-Challenge and X-NDM-Realm headers will be preserved:

$ curl -i https://rci.dev-3811.keenetic.link/auth
HTTP/2 401
server: Web server
date: Mon, 29 Dec 2025 07:51:34 GMT
set-cookie: ... Path=/; SameSite=Strict; Max-Age=300
www-authenticate: x-ndw2-interactive ...
x-ndm-realm: Keenetic Hopper
x-ndm-challenge: BJ****
x-ndm-product: Hopper

 

Spoiler

user nobody;
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 8080;
        server_name localhost;

        root /opt/share/nginx/html;
        index index.html;

        # Serve static files
        location / {
            try_files $uri $uri/ /index.html;
        }

        # Proxy RCI API requests to the Keenetic web server
        location /rci/ {
            proxy_pass http://192.168.38.11/rci/;
            proxy_set_header Origin "http://$host";
            proxy_set_header Referer "http://$host";
            proxy_set_header Host $host;
        }

        # Proxy authentication requests
        location /auth {
            proxy_pass http://192.168.38.11/auth;
            proxy_set_header Origin "http://$host";
            proxy_set_header Referer "http://$host";
            proxy_set_header Host $host;
        }
    }
}