Merge pull request #381 from nodogsplash/fas_key

Add fasremotefqdn, faskey, bump to v4.0.0
This commit is contained in:
Rob White
2019-07-12 16:49:07 +01:00
committed by GitHub
31 changed files with 1410 additions and 919 deletions


@@ -1,11 +1,24 @@
nodogsplash (4.0.0)
* Introduce aes encryption of the query string passed to remote FAS, allowing authdir and client token to be transferred securely. Uses php-cli and php-openssl. These are required if encryption is enabled but are not dependencies [bluewavenet]
* Introduce fasremotefqdn, specifying the FQDN of the remote FAS. This facilitates simplified support for FAS operation on shared hosting systems [bluewavenet]
* Add a FAS php script supporting aes encrypted query string sent from NDS [bluewavenet]
* Numerous Documentation updates [bluewavenet]
* Remove unused pagesdir and imagesdir [mwarning]
* Add Preauth script that displays images from remote servers [bluewavenet]
* Use elegant check for valid ip addresses [mwarning]
* openwrt initscript - add missing macmechanism in the config file [lynxis]
-- Rob White <dot@blue-wave.net> Sun, 7 Jul 2019 08:29:00 +0000
nodogsplash (3.3.2)
* Fix Issue introduced in v3.3.0 with the addition of Improvements towards usable IPv6 support, that caused CPD on client devices to fail with "Too Many Redirects" error. NDS now terminates gracefully with a console error if fasremoteip is set AND fasport=80 [bluewavenet]
* Fix Issue introduced in v3.3.0 with the addition of Improvements towards usable IPv6 support, that caused CPD on client devices to fail with "Too Many Redirects" error. NDS now terminates gracefully with a console error if fasremoteip is not set AND fasport=80 [bluewavenet]
* Validate fasremoteip to ensure that if it is set, then it is a valid dotted format IPv4 address [bluewavenet]
* Numerous Documentation updates [bluewavenet]
* Numerous Documentation updates [bluewavenet]
* Fix to Known Issue on OpenWrt >18.x.x with v3.3.1. This was caused by misconfigured Makefile for libmicrohttpd; this has been fixed there [bluewavenet]
--Rob White <dot@blue-wave.net> Tue, 23 Apr 2019 11:49:00 +0000
-- Rob White <dot@blue-wave.net> Tue, 23 Apr 2019 11:49:00 +0000
nodogsplash (3.3.1)
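Review bot: the 3.3.2 entry appears twice with wordings that differ only in one word, "if fasremoteip is set AND fasport=80" versus "if fasremoteip is not set AND fasport=80", so this hunk inverts the documented condition; please confirm the retained wording matches the actual startup guard in the code, since the man page text elsewhere in this PR says port 80 "is reserved for Captive Portal Detection so cannot be used for FAS", which is the local-FAS case (fasremoteip unset). The other pairs in the hunk ("--Rob White" / "-- Rob White", the repeated "Numerous Documentation updates") look like whitespace-only changes and are fine.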
@@ -33,7 +46,7 @@ nodogsplash (3.3.0)
nodogsplash (3.2.1)
* reset upload/download counter when a client has been authenticated a second time [mwarning]
* print sesssion duration as 0 in "ndsctl json" and "ndsctl clients" output when a session has not been started [mwarning]
* print session duration as 0 in "ndsctl json" and "ndsctl clients" output when a session has not been started [mwarning]
* rework html templater to speed up splash page generation [mwarning]
* FAS documentation updates [bluewavenet]
* Add CSS file and update splash and status html [bluewavenet]


@@ -44,6 +44,7 @@ install:
cp resources/status.html $(DESTDIR)/etc/nodogsplash/htdocs/
cp resources/splash.jpg $(DESTDIR)/etc/nodogsplash/htdocs/images/
cp forward_authentication_service/PreAuth/demo-preauth.sh $(DESTDIR)/etc/nodogsplash/login.sh
cp forward_authentication_service/fas-aes/fas-aes.php $(DESTDIR)/etc/nodogsplash/
checkastyle:
@command -v astyle >/dev/null 2>&1 || \
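Review bot: the new install line "cp forward_authentication_service/fas-aes/fas-aes.php $(DESTDIR)/etc/nodogsplash/" copies the example level-2 FAS script unconditionally and with whatever mode the source file carries; because that script has to hold the pre-shared faskey to decrypt the query string ("Option faskey must be pre-shared with FAS" in the man page hunk), prefer "install -m 0640" or a documented chmod step so the key is not world-readable once an operator fills it in, and note next to the rule that the script is only useful when fas_secure_enable is 2 and php-cli/php-openssl are present.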

debian/changelog vendored

@@ -1,3 +1,17 @@
nodogsplash (4.0.0-1) stable; urgency=medium
* Introduce aes encryption of the query string passed to remote FAS, allowing authdir and client token to be transferred securely. Uses php-cli and php-openssl. These are required if encryption is enabled but are not dependencies [bluewavenet]
* Introduce fasremotefqdn, specifying the FQDN of the remote FAS. This facilitates simplified support for FAS operation on shared hosting systems [bluewavenet]
* Add a FAS php script supporting aes encrypted query string sent from NDS [bluewavenet]
* Numerous Documentation updates [bluewavenet]
* Remove unused pagesdir and imagesdir [mwarning]
* Add Preauth script that displays images from remote servers [bluewavenet]
* Use elegant check for valid ip addresses [mwarning]
* openwrt initscript - add missing macmechanism in the config file [lynxis]
-- Rob White <dot@blue-wave.net> Sun, 7 Jul 2019 08:29:00 +0000
nodogsplash (3.3.2-1) stable; urgency=medium
* Fix Issue introduced in v3.3.0 with the addition of Improvements towards usable IPv6 support, that caused CPD on client devices to fail with "Too Many Redirects" error. NDS now terminates gracefully with a console error if fasremoteip is set AND fasport=80 [bluewavenet]
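Review bot: the sentence "Uses php-cli and php-openssl. These are required if encryption is enabled but are not dependencies" is packaging-relevant for this file: please add the corresponding Debian package names as Suggests or Recommends in debian/control so that users who turn on fas_secure_enable level 2 are pointed at what they need, and keep the "is set" / "is not set" wording of the 3.3.2 fasremoteip/fasport=80 entry identical to the top-level Changelog.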


@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "NODOGSPLASH" "1" "April 23, 2019" "3.3.2" "nodogsplash"
.TH "NODOGSPLASH" "1" "July 07, 2019" "4.0.0" "nodogsplash"
.SH NAME
nodogsplash \- nodogsplash Documentation
.
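Review bot: the .TH line bumps date and version ("July 07, 2019" "4.0.0"), but the file header says "Man page generated from reStructuredText", so this file should be regenerated from the .rst sources rather than edited in place; please make sure the .rst documents in this PR carry the same text, otherwise the next regeneration will revert these changes.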
@@ -210,134 +210,84 @@ dpkg\-buildpackage \-b \-rfakeroot \-us \-uc
.UNINDENT
.sp
You will find the .deb packages in parent directory.
.SH HOW TO COMPILE NODOGSPLASH
.SS Linux/Unix
.SH HOW NODOGSPLASH (NDS) WORKS
.sp
Install libmicrohttpd including the header files (often call \-dev package).
A wireless router, typically running OpenWrt or some other Linux distribution, has two or more interfaces; NDS manages one of them. This will typically be br\-lan, the bridge to both the wireless and wired LAN; or could be for example wlan0 if you wanted NDS to work just on the wireless interface.
.SS Summary of Operation
.INDENT 0.0
.INDENT 3.5
By default, NDS blocks everything, but intercepts port 80 requests.
.sp
.nf
.ft C
git clone https://github.com/nodogsplash/nodogsplash.git
cd nodogsplash
make
.ft P
.fi
An initial port 80 request will be generated on a client device, either by the user manually browsing to an http web page, or automatically by the client device\(aqs built in Captive Portal Detection (CPD).
.sp
As soon as this initial port 80 request is received, NDS will redirect the client to either its own splash page, or a splash page on a configured Forwarding Authentication Service (FAS).
.sp
The user of the client device will then be expected to complete some actions on the splash page, such as accepting terms of service, entering a username and password etc. (this will of course be on either the basic NDS splash.html or the page presented by the FAS, depending on the NDS configuration).
.sp
Once the user on the client device has successfully completed the splash page actions, the page then links directly, with a query string, to an NDS virtual http directory provided by NDS\(aqs built in web server.
.sp
For security, NDS expects to receive the same valid token it allocated when the client issued its initial port 80 request. If the token received is valid, NDS then "authenticates" the client device, allowing access to the Internet.
.sp
However if Binauth is enabled, NDS first calls the Binauth script, passing if required a username and password to that script.
.sp
If the binauth script returns positively (ie return code 0), NDS then "authenticates" the client device, allowing access to the Internet.
.sp
In FAS secure modes (levels 1 and 2), the client token and other required information is kept securely hidden from the Client, ensuring verification cannot be bypassed.
.sp
When FAS is disabled, the token is supplied to the basic splash.html page served by NDS and passed back in clear text in the query string along with any username and password required for Binauth.
.UNINDENT
.UNINDENT
.sp
If you installed the libmicrohttpd to another location (e.g. /tmp/libmicrohttpd_install/)
replace path in the make call with
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
make CFLAGS="\-I/tmp/libmicrohttpd_install/include" LDFLAGS="\-L/tmp/libmicrohttpd_install/lib"
.ft P
.fi
FAS and Binauth can be enabled together.
This can give great flexibility with FAS providing authentication and Binauth providing post authentication processing closely linked to NDS.
.UNINDENT
.UNINDENT
.SS Rules for Customised Splash Pages
.sp
After compiling you can call \fBmake install\fP to install nodogsplash to /usr/
.SS OpenWrt
.sp
To compile nodogsplash please use the package definition from the feeds package.
It should be noted when designing a custom splash page that for security reasons many client device CPD implementations:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git clone git://git.openwrt.org/trunk/openwrt.git
cd openwrt
\&./scripts/feeds update
\&./scripts/feeds install
\&./scripts/feeds install nodogsplash
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Select the appropriate "Target System" and "Target Profile" in the menuconfig menu and build the image.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
make defconfig
make menuconfig
make
.ft P
.fi
.IP \(bu 2
Immediately close the browser when the client has authenticated.
.IP \(bu 2
Prohibit the use of href links.
.IP \(bu 2
Prohibit downloading of external files (including .css and .js, even if they are allowed in NDS firewall settings).
.IP \(bu 2
Prohibit the execution of javascript.
.UNINDENT
.UNINDENT
.SH FREQUENTLY ASKED QUESTIONS
.SS What\(aqs the difference between v0.9, v1, v2 and v3?
.UNINDENT
.SS Packet filtering
.sp
v0.9 and v1 are the same codebase with the same feature set.
If the documentation says something about v1, this is usually also valid
for v0.9.
.sp
v2 was developed before version v1 was released. In v2 the http code was replaced by libmicrohttpd and the template engine was rewritten. Many features became defunct because of this procedure.
.sp
v3 cleans up the source code and adds three major new features,
Nodogsplash considers four kinds of packets coming into the router over the managed interface. Each packet is one of these kinds:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP 1. 3
\fBFAS\fP, a forwarding authentication service. FAS supports development of "Credential Verification" running on any dynamic web serving platform, on the same device as Nodogsplash, on another device on the local network, or on an Internet hosted web server.
\fBBlocked\fP, if the MAC mechanism is block, and the source MAC address of the packet matches one listed in the BlockedMACList; or if the MAC mechanism is allow, and source MAC address of the packet does not match one listed in the AllowedMACList or the TrustedMACList. These packets are dropped.
.IP 2. 3
\fBPreAuth\fP, an implementation of FAS running on the same device as Nodogsplash and using Nogogsplash\(aqs own web server to generate dynamic web pages. Any scripting language or even a compiled application program can be used. This has the advantage of not requiring the resources of a separate web server.
\fBTrusted\fP, if the source MAC address of the packet matches one listed in the TrustedMACList. By default, these packets are accepted and routed to all destination addresses and ports. If desired, this behavior can be customized by FirewallRuleSet trusted\-users and FirewallRuleSet trusted\-users\-to\-router lists in the nodogsplash.conf configuration file, or by the EmptyRuleSetPolicy trusted\-users EmptyRuleSetPolicy trusted\-users\-to\-router directives.
.IP 3. 3
\fBBinAuth\fP, enabling an external script to be called for simple username/password authentication as well as doing post authentication processing such as setting session durations. This is similar to the old binvoucher feature, but more flexible.
.UNINDENT
.UNINDENT
\fBAuthenticated\fP, if the packet\(aqs IP and MAC source addresses have gone through the nodogsplash authentication process and has not yet expired. These packets are accepted and routed to a limited set of addresses and ports (see FirewallRuleSet authenticated\-users and FirewallRuleSet users\-to\-router in the nodogsplash.conf configuration file).
.IP 4. 3
\fBPreauthenticated\fP\&. Any other packet. These packets are accepted and routed to a limited set of addresses and ports (see FirewallRuleSet preauthenticated\-users and FirewallRuleSet users\-to\-router in the nodogsplash.conf configuration file). Any other packet is dropped, except that a packet for destination port 80 at any address is redirected to port 2050 on the router, where nodogsplash\(aqs built in libhttpd\-based web server is listening. This begins the \(aqauthentication\(aq process. The server will serve a splash page back to the source IP address of the packet. The user clicking the appropriate link on the splash page will complete the process, causing future packets from this IP/MAC address to be marked as Authenticated until the inactive or forced timeout is reached, and its packets revert to being Preauthenticated.
.UNINDENT
.sp
In addition, in v3, the ClientTimeout setting was split into PreauthIdleTimeout and AuthIdleTimeout and for the ClientForceTimeout setting, SessionTimeout is now used instead.
.SS Can I update from v0.9 to v1
Nodogsplash implements these actions by inserting rules in the router\(aqs iptables mangle PREROUTING chain to mark packets, and by inserting rules in the nat PREROUTING, filter INPUT and filter FORWARD chains which match on those marks.
.sp
Updating to v1.0.0 and v1.0.1, this is a very smooth update with full compatibility.
.sp
Updating to 1.0.2 requires iptables v1.4.21 or above.
.SS Can I update from v0.9/v1 to v2.0.0
.sp
You can, if:
.INDENT 0.0
.IP \(bu 2
You don\(aqt use BinVoucher
.IP \(bu 2
You have iptables v1.4.21 or above
.UNINDENT
.SS Can I update from v0.9/v1/v2 to v3.0.0
.sp
You can, if:
.INDENT 0.0
.IP \(bu 2
You don\(aqt use BinVoucher
.IP \(bu 2
You have iptables v1.4.21 or above
.IP \(bu 2
You use the new options contained in the version 3 configuration file
.UNINDENT
.SS I would like to use QoS or TrafficControl on OpenWrt
.sp
The original pre version 1 feature has been broken since OpenWrt 12.09 (Attitude Adjustment), because the IMQ (Intermediate queueing device) is no longer supported.
.INDENT 0.0
.INDENT 3.5
\fBPull Requests are welcome!\fP
Because it inserts its rules at the beginning of existing chains, nodogsplash should be insensitive to most typical existing firewall configurations.
.UNINDENT
.UNINDENT
.SS Traffic control
.sp
However the OpenWrt package, SQM Scripts (Smart Queue Management), is fully compatible with Nodogsplash and if configured to operate on the Nodogsplash interface (br\-lan by default) will provide efficient IP connection based traffic control to ensure fair usage of available bandwidth.
.SS Is https capture supported?
Data rate control on an IP connection basis can be achieved using Smart Queue Management (SQM) configured separately, with NDS being fully compatible.
.sp
\fBNo\fP\&. Because all connections would have a critical certificate failure.
.sp
HTTPS web sites are now more or less a standard and to maintain security and user confidence it is essential that captive portals \fBDO NOT\fP attempt to capture port 443.
.sp
\fBCaptive Portal Detection\fP (CPD) has evolved as an enhancement to the network manager component included with major Operating Systems (Linux, Android, iOS/macOS, Windows). Using a pre\-defined port 80 web page (depending on the vendor) the network manager will detect the presence of a captive portal hotspot and notify the user. In addition, most major browsers now support CPD.
It should be noted that while setup options and binauth do accept traffic/quota settings, these values currently have no effect and are reserved for future development.
.SH THE SPLASH PAGE
.sp
As you will see mentioned in the "How Nodogsplash (NDS) Works" section, an initial port 80 request is generated on a client device, either by the user manually browsing to an http web page, or, more usually, automatically by the client device\(aqs built in Captive Portal Detection (CPD).
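Review bot: the sentence "In FAS secure modes (levels 1 and 2), the client token and other required information is kept securely hidden from the Client, ensuring verification cannot be bypassed" overstates what the mechanism provides: per the Security section in this same PR, level 2 encrypts the query string with AES-256-CBC and a random IV and no integrity check is described, and at level 1 nothing in the redirect is protected at all, the token is simply not disclosed. Suggest "so that a client cannot learn its own token from the redirect" in place of "ensuring verification cannot be bypassed". This hunk also removes the "HOW TO COMPILE NODOGSPLASH" material (the git clone/make block, the CFLAGS/LDFLAGS note for a non-standard libmicrohttpd location, and the OpenWrt feeds steps) while adding "HOW NODOGSPLASH (NDS) WORKS"; confirm the compile instructions still exist elsewhere in the regenerated page rather than being dropped.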
@@ -382,72 +332,10 @@ A script or executable file is called by NDS immediately (without serving splash
This not only enables a dialogue with the client user, for dissemination of information, user response and authentication but also full flexibility in design and implementation of the captive portal functionality from a self contained system through to, for example, a fully integrated multi site system with a common database.
.UNINDENT
.UNINDENT
.SH HOW NODOGSPLASH (NDS) WORKS
.sp
A wireless router, typically running OpenWrt or some other Linux distribution, has two or more interfaces; NDS manages one of them. This will typically be br\-lan, the bridge to both the wireless and wired LAN; or could be for example wlan0 if you wanted NDS to work just on the wireless interface.
.sp
\fBA simplified summary of operation is as follows\fP:
.INDENT 0.0
.INDENT 3.5
By default, NDS blocks everything, but intercepts port 80 requests.
.sp
An initial port 80 request will be generated on a client device, either by the user manually browsing to an http web page, or automatically by the client device\(aqs built in Captive Portal Detection (CPD).
.sp
As soon as this initial port 80 request is received, NDS will redirect the client to either its own splash page, or a splash page on a configured Forwarding Authentication Service (FAS).
.sp
The user of the client device will then be expected to complete some actions on the splash page, such as accepting terms of service, entering a username and password etc. (this will of course be on either the basic NDS splash.html or the page presented by the FAS, depending on the NDS configuration).
.sp
Once the user on the client device has successfully completed the splash page actions, the page then links directly, with a query string, to an NDS virtual http directory provided by NDS\(aqs built in web server.
.sp
For security, NDS expects to receive the same valid token it allocated when the client issued its initial port 80 request. If the token received is valid, NDS then "authenticates" the client device, allowing access to the Internet.
.sp
However if Binauth is enabled, NDS first calls the Binauth script, passing if required a username and password to that script.
.sp
If the binauth script returns positively (ie return code 0), NDS then "authenticates" the client device, allowing access to the Internet.
.sp
In FAS secure mode, it is the responsibility of the FAS to obtain the client token in a secure manner from NDS.
.sp
When FAS is disabled, the token is supplied to the basic splash.html page served by NDS and passed back in clear text in the query string along with any username and password required for Binauth.
.UNINDENT
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
FAS and Binauth can be enabled together.
This can give great flexibility with FAS providing authentication and Binauth providing post authentication processing closely linked to NDS.
.UNINDENT
.UNINDENT
.SS Packet filtering
.sp
Nodogsplash considers four kinds of packets coming into the router over the managed interface. Each packet is one of these kinds:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP 1. 3
\fBBlocked\fP, if the MAC mechanism is block, and the source MAC address of the packet matches one listed in the BlockedMACList; or if the MAC mechanism is allow, and source MAC address of the packet does not match one listed in the AllowedMACList or the TrustedMACList. These packets are dropped.
.IP 2. 3
\fBTrusted\fP, if the source MAC address of the packet matches one listed in the TrustedMACList. By default, these packets are accepted and routed to all destination addresses and ports. If desired, this behavior can be customized by FirewallRuleSet trusted\-users and FirewallRuleSet trusted\-users\-to\-router lists in the nodogsplash.conf configuration file, or by the EmptyRuleSetPolicy trusted\-users EmptyRuleSetPolicy trusted\-users\-to\-router directives.
.IP 3. 3
\fBAuthenticated\fP, if the packet\(aqs IP and MAC source addresses have gone through the nodogsplash authentication process and has not yet expired. These packets are accepted and routed to a limited set of addresses and ports (see FirewallRuleSet authenticated\-users and FirewallRuleSet users\-to\-router in the nodogsplash.conf configuration file).
.IP 4. 3
\fBPreauthenticated\fP\&. Any other packet. These packets are accepted and routed to a limited set of addresses and ports (see FirewallRuleSet preauthenticated\-users and FirewallRuleSet users\-to\-router in the nodogsplash.conf configuration file). Any other packet is dropped, except that a packet for destination port 80 at any address is redirected to port 2050 on the router, where nodogsplash\(aqs built in libhttpd\-based web server is listening. This begins the \(aqauthentication\(aq process. The server will serve a splash page back to the source IP address of the packet. The user clicking the appropriate link on the splash page will complete the process, causing future packets from this IP/MAC address to be marked as Authenticated until the inactive or forced timeout is reached, and its packets revert to being Preauthenticated.
.UNINDENT
.sp
Nodogsplash implements these actions by inserting rules in the router\(aqs iptables mangle PREROUTING chain to mark packets, and by inserting rules in the nat PREROUTING, filter INPUT and filter FORWARD chains which match on those marks.
.sp
Because it inserts its rules at the beginning of existing chains, nodogsplash should be insensitive to most typical existing firewall configurations.
.UNINDENT
.UNINDENT
.SS Traffic control
.sp
Data rate control on an IP connection basis can be achieved using Smart Queue Management (SQM) configured separately, with NDS being fully compatible.
.sp
It should be noted that while setup options and binauth do accept traffic/quota settings, these values currently have no effect and are reserved for future development.
.SH FORWARDING AUTHENTICATION SERVICE (FAS)
.SS Overview
.sp
Nodogsplash (NDS) supports external (to NDS) authentication service via simple configuration options.
Nodogsplash (NDS) has the ability to forward requests to a third party authentication service (FAS). This is enabled via simple configuration options.
.INDENT 0.0
.TP
.B These options are:
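Review bot: the Overview line changes from "supports external (to NDS) authentication service" to "has the ability to forward requests to a third party authentication service (FAS)", but the section heading and the rest of the page expand FAS as Forwarding Authentication Service; keep a single expansion, e.g. "to a Forwarding Authentication Service (FAS), which may be run by a third party". The remainder of the hunk removes the duplicated "HOW NODOGSPLASH (NDS) WORKS", "Packet filtering" and "Traffic control" text that now lives earlier in the page, which looks correct.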
@@ -457,9 +345,13 @@ Nodogsplash (NDS) supports external (to NDS) authentication service via simple c
.IP 2. 3
\fBfasremoteip\fP\&. If set, this is the remote ip address of the FAS, if not set it will take the value of the NDS gateway address.
.IP 3. 3
\fBfaspath\fP\&. This is the path to the login page on the FAS.
\fBfasremotefqdn\fP If set, this is the remote fully qualified domain name (FQDN) of the FAS
.IP 4. 3
\fBfas_secure_enable\fP\&. If set to "1", authaction and the client token are not revealed and it is the responsibility of the FAS to request the token from NDSCTL. If set to "0", the client token is sent to the FAS in clear text in the query string of the redirect along with authaction and redir.
\fBfaspath\fP\&. This is the path from the FAS Web Root (not the file system root) to the FAS login page.
.IP 5. 3
\fBfas_secure_enable\fP\&. This can have three values, "0", "1", or "2" providing different levels of security.
.IP 6. 3
\fBfaskey\fP Used in combination with fas_secure_enable level 2, this is a key phrase for NDS to encrypt the query string sent to FAS.
.UNINDENT
.UNINDENT
.sp
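Review bot: the two new items "fasremotefqdn If set, this is the remote fully qualified domain name (FQDN) of the FAS" and "faskey Used in combination with fas_secure_enable level 2, ..." lack the "\&." after the option name that the neighbouring items use, and the fasremotefqdn item has no terminating period. More importantly, the list should say how fasremotefqdn relates to fasremoteip: the shared-hosting section later requires both, and NDS configures firewall access to the FAS from its address, so document that the FQDN must resolve (from the client's point of view) to fasremoteip and what happens if fasremotefqdn is set without fasremoteip. The reworded "fas_secure_enable ... three values, \"0\", \"1\", or \"2\"" drops the one-line description of each level that the old item carried; a pointer to the Security section would restore that.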
@@ -469,14 +361,32 @@ Nodogsplash (NDS) supports external (to NDS) authentication service via simple c
FAS (and Preauth/FAS) enables pre authentication processing. NDS authentication is the process that NDS uses to allow a client device to access the Internet through the Firewall. In contrast, Forward Authentication is a process of "Credential Verification", after which FAS, if the verification process is successful, passes the client token to NDS for access to the Internet to be granted.
.UNINDENT
.UNINDENT
.SS Using a Shared Hosting Server for a Remote FAS
.INDENT 0.0
.INDENT 3.5
A typical Internet hosted \fBshared\fP server will be set up to serve multiple domain names.
.sp
To access yours, it is important to configure the two options:
.INDENT 0.0
.INDENT 3.5
fasremoteip = the \fBip address\fP of the remote server
.sp
\fBAND\fP
.sp
fasremotefqdn = the \fBFully Qualified Domain name\fP of the remote server
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.SS Using FAS
.sp
\fBNote\fP:
All addresses (with the exception of fasremoteip) are relative to the \fIclient\fP device, even if the FAS is located remotely.
.sp
When FAS is enabled, NDS automatically configures access to the FAS service.
When FAS is enabled, NDS automatically configures firewall access to the FAS service.
.sp
The FAS service must serve an http splash of its own to replace the NDS splash.html.
.sp
Typically, the FAS service will be written in PHP or any other language that can provide dynamic web content.
.sp
FAS can then provide an action form for the client, typically requesting login, or self account creation for login.
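Review bot: the new "Using a Shared Hosting Server for a Remote FAS" block writes the settings as "fasremoteip = the ip address of the remote server" and "fasremotefqdn = the Fully Qualified Domain name of the remote server", which matches neither nodogsplash.conf syntax nor the OpenWrt UCI form ("option enabled 1" is the style used later on this page); give the real option lines for both formats. The block also loses the faspath guidance that the removed Note 1 carried ("faspath = /domainname/pathto/myfas/fas.php" or "/accountname/pathto/myfas/fas.php"), which is the detail shared-hosting users actually get wrong, so carry it across. Finally, the note "All addresses (with the exception of fasremoteip) are relative to the client device" should say explicitly that fasremotefqdn is client-relative, since it is the name the client is redirected to.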
@@ -484,12 +394,60 @@ FAS can then provide an action form for the client, typically requesting login,
The FAS can be on the same device as NDS, on the same local area network as NDS, or on an Internet hosted web server.
.SS Security
.sp
\fBIf FAS Secure is enabled\fP (fas_secure_enabled = 1, the default), NDS will supply only the gateway name, the client IP address and the originally requested URL in the query string in the redirect to FAS.
\fBIf FAS Secure is enabled\fP (Levels 1 (default), and 2), the client authentication token is kept secret until FAS verification is complete.
.INDENT 0.0
.INDENT 3.5
\fBIf set to "0"\fP the client token is sent to the FAS in clear text in the query string of the
redirect along with authaction and redir.
.sp
For example:
\fBIf set to "1"\fP
authaction and the client token are not revealed and it is the responsibility of the FAS to request the token from NDSCTL.
.sp
\fIhttp://fasremoteip:fasport/faspath?gatewayname=[gatewayname]&clientip=[clientip]&redir=[requested\-url]\fP
\fBIf set to "2"\fP
clientip, clientmac, gatewayname, client token, gatewayaddress, authdir and originurl are encrypted using faskey and passed to FAS in the query string.
.sp
The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption.
.sp
The cipher used is "AES\-256\-CBC".
.sp
The "php\-cli" package and the "php\-openssl" module must both be installed for fas_secure level 2.
.sp
Nodogsplash does not depend on this package and module, but will exit gracefully if this package and module are not installed when this level is set.
.sp
The FAS must use the query string passed initialisation vector and the pre shared fas_key to decrypt the query string. An example FAS level 2 php script is preinstalled in the /etc/nodogsplash directory and also supplied in the source code.
.UNINDENT
.UNINDENT
.sp
\fBOption faskey must be set\fP if fas secure is set to level 2.
.INDENT 0.0
.INDENT 3.5
Option faskey is used to encrypt the data sent by NDS to FAS.
It can be any combination of A\-Z, a\-z and 0\-9, up to 16 characters with no white space.
.sp
This is used to create a sha256 digest that is in turn used to encrypt the data using the aes\-256\-cbc cypher.
.sp
A random initialisation vector is generated for every encryption and sent to FAS with the encrypted data.
.sp
Option faskey must be pre\-shared with FAS.
.UNINDENT
.UNINDENT
.SS Example FAS Query strings
.INDENT 0.0
.INDENT 3.5
\fBLevel 0\fP (fas_secure_enabled = 0), NDS sends the token and other information to FAS as clear text.
.sp
\fIhttp://fasremoteip:fasport/faspath?authaction=http://gatewayaddress:gatewayport/nodogsplash_auth/?clientip=[clientip]&gatewayname=[gatewayname]&tok=[token]&redir=[requested_url]\fP
.INDENT 0.0
.INDENT 3.5
Although the simplest to set up, a knowledgeable user could bypass FAS, so running fas_secure_enabled at level 1 or 2 is recommended.
.UNINDENT
.UNINDENT
.sp
\fBLevel 1\fP (fas_secure_enabled = 1), NDS sends only information required to identify, the instance of NDS, the client and the client\(aqs originally requested URL.
.sp
\fIhttp://fasremotefwdn:fasport/faspath?gatewayname=[gatewayname]&clientip=[clientip]&redir=[requested\-url]\fP
.INDENT 0.0
.INDENT 3.5
It is the responsibility of FAS to obtain the unique client token allocated by NDS as well as constructing the return URL to NDS.
.sp
The return url will be constructed by FAS from predetermined knowledge of the configuration of NDS using gatewayname as an identifier.
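Review bot: the level-2 description ("encrypted using faskey", "AES-256-CBC", "randomly generated initialization vector") covers confidentiality only; nothing in the text gives the FAS a way to verify that the ciphertext was produced by NDS or that it is fresh, so either add an HMAC over the ciphertext (or switch to an AEAD mode such as aes-256-gcm, which PHP's openssl extension supports from 7.1) plus a timestamp or nonce inside the plaintext, or state plainly that level 2 hides the token from the client but does not authenticate the query string. The key rule "any combination of A-Z, a-z and 0-9, up to 16 characters" caps the secret far below what the 256-bit cipher key suggests (16 alphanumerics is about 95 bits at best, and real passphrases will be weaker); allow longer passphrases or recommend generating the key randomly. Typo: "fasremotefwdn" in the level-1 example URL should be "fasremotefqdn". The new text also uses "fas_secure_enabled = 0/1/2" while the options list calls the option "fas_secure_enable"; pick one spelling throughout.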
@@ -499,31 +457,36 @@ The client\(aqs unique access token will be obtained from NDS by the FAS making
For example, the following command returns just the token:
.sp
\fIndsctl json $clientip | grep token | cut \-c 10\- | cut \-c \-8\fP
.UNINDENT
.UNINDENT
.sp
If the client successfully authenticates in the FAS, FAS will return the unique token to NDS to finally allow the client access to the Internet.
\fBLevel 2\fP (fas_secure_enabled = 2), NDS sends enrypted information to FAS.
.sp
A Secure Internet based FAS is best implemented as a two stage process, first using a local FAS, that in turn accesses an https remote FAS using tools such as curl or wget.
\fIhttp://fasremotefwdn:fasport/faspath?fas=[aes\-256\-cbc data]&iv=[random initialisation vector]\fP
.INDENT 0.0
.INDENT 3.5
It is the responsibility of FAS to decrypt the aes\-256\-cbc data it receives, using the pre shared faskey and the random initialisation vector.
.UNINDENT
.UNINDENT
.sp
\fBIf FAS Secure is disabled\fP (fas_secure_enabled = 0), NDS sends the token and other information to FAS as clear text.
.sp
For example:
.sp
\fIhttp://fasremoteip:fasport/faspath?authaction=http://gatewayaddress:gatewayport/nodogsplash_auth/?clientip=[clientip]&gatewayname=[gatewayname]&tok=[token]&redir=[requested_url]\fP
.sp
Clearly in this case, a knowledgeable user could bypass FAS, so running fas_secure_enabled = 1, the default, is recommended.
.sp
\fBPost FAS processing\fP\&.
If the client is successfully verified by the FAS, FAS will return the unique token to NDS to finally allow the client access to the Internet.
.UNINDENT
.UNINDENT
.SS Post FAS processing
.sp
Once the client has been authenticated by the FAS, NDS must then be informed to allow the client to have access to the Internet.
.sp
.INDENT 0.0
.INDENT 3.5
This is done by accessing NDS at a special virtual URL.
This is of the form:
\fIhttp://gatewayaddress:gatewayport/nodogsplash_auth/?tok=[token]&redir=[landing_page_url]\fP
.sp
This is most commonly done using an html form of method GET.
This is most commonly achieved using an html form of method GET.
The parameter redir can be the client\(aqs originally requested URL sent by NDS, or more usefully, the URL of a suitable landing page.
.UNINDENT
.UNINDENT
.sp
However, be aware that many client CPD processes will \fBautomatically close\fP the landing page as soon as Internet access is detected.
Be aware that many client CPD processes will \fBautomatically close\fP the landing page as soon as Internet access is detected.
.sp
\fBManual Access of NDS Virtual URL\fP
.sp
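Review bot: the token lookup "ndsctl json $clientip | grep token | cut -c 10- | cut -c -8" depends on the exact column layout and key order of the JSON output, will silently return the wrong characters if the format or token length ever changes, and only works for a FAS that has shell access to the router, which a level-1 FAS on an Internet host does not; prefer a real JSON parse (json_decode in PHP) and say how a remote level-1 FAS is expected to reach ndsctl. This hunk also deletes "A Secure Internet based FAS is best implemented as a two stage process, first using a local FAS, that in turn accesses an https remote FAS using tools such as curl or wget", leaving no transport-security guidance for a remote FAS while every example URL in the section is plain http://; keep that advice (or its replacement) for level 1 as well as level 2. Typos: "enrypted", and a second "fasremotefwdn" in the level-2 URL.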
@@ -536,16 +499,20 @@ This will be of the form:
FAS should then serve a suitable error page informing the client user that they are already logged in.
.SS Running FAS on your Nodogsplash router
.sp
A FAS service will run quite well on uhttpd (the web server that serves Luci) on an OpenWrt supported device with 8MB flash and 32MB ram but shortage of ram may well be an issue if more than two or three clients log in at the same time.
FAS has been tested using uhttpd, lighttpd, ngnix, apache and libmicrohttpd.
.sp
\fBRunning on OpenWrt with uhttpd/PHP\fP:
.sp
A FAS service may run quite well on uhttpd (the web server that serves Luci) on an OpenWrt supported device with 8MB flash and 32MB ram but shortage of ram will be an issue if more than two or three clients log in at the same time.
.sp
For this reason a device with a minimum of 8MB flash and 64MB ram is recommended.
.sp
\fBRunning on uhttpd with PHP\fP:
\fIAlthough port 80 is the default for uhttpd, it is reserved for Captive Portal Detection so cannot be used for FAS. uhttpd can however be configured to operate on more than one port.\fP
.sp
Although port 80 is the default for uhttpd, it is reserved for Captive Portal Detection so cannot be used for FAS. uhttpd can however be configured to operate on more than one port. We will use port 2080 in this example.
We will use port 2080 in this example.
.INDENT 0.0
.INDENT 3.5
Install the modules php7 and php7\-cgi on OpenWrt for a simple example. Further modules may be required depending on your requirements.
Install the module php7\-cgi. Further modules may be required depending on your requirements.
.UNINDENT
.UNINDENT
.sp
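Review bot: "ngnix" in the added line "FAS has been tested using uhttpd, lighttpd, ngnix, apache and libmicrohttpd." should read "nginx". While here, the new hardware guidance is stated twice in slightly different words ("may run quite well ... 32MB ram" followed by "a minimum of 8MB flash and 64MB ram is recommended"); consider merging the two sentences so the recommendation reads as one statement.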
@@ -572,70 +539,23 @@ your FAS files being placed in /www/myfas/
.UNINDENT
.UNINDENT
.UNINDENT
.SS Using the FAS Example Script
.sp
\fBNote 1\fP:
.INDENT 0.0
.INDENT 3.5
A typical Internet hosted Apache/PHP \fBshared\fP server will be set up to serve multiple domain names.
You can run the FAS example script locally on the same OpenWrt device that is running NDS (A minimum of 64MB of ram may be enough, but 128MB is recommended).
.sp
To access yours, use:
.INDENT 0.0
.INDENT 3.5
fasremoteip = the \fBip address\fP of the remote server
.sp
and, for example,
.sp
faspath = /domainname/pathto/myfas/fas.php
.sp
or
.sp
faspath = /accountname/pathto/myfas/fas.php
.UNINDENT
.UNINDENT
.sp
If necessary, contact your hosting service provider.
.UNINDENT
.UNINDENT
.sp
\fBNote 2:\fP
.INDENT 0.0
.INDENT 3.5
The configuration file /etc/config/nodogsplash contains the line "option enabled 1".
.sp
If you have done something wrong and locked yourself out, you can still SSH to your router and stop NoDogSplash (ndsctl stop) to fix the problem.
.UNINDENT
.UNINDENT
.SS Using the simple example files
.sp
Assuming you want to run the FAS example demo locally under uhttpd on the same OpenWrt device that is running NDS, configured as above, do the following.
Assuming you have installed your web server of choice, configured it for port 2080 and added PHP support using the package php7\-cgi, you can do the following.
.INDENT 0.0
.INDENT 3.5
(Under other operating systems you may need to edit the nodogsplash.conf file in /etc/nodogsplash instead, but the process is very similar.)
.UNINDENT
.UNINDENT
.sp
First you should obtain the demo files by downloading the Nodogsplash zip file from
.INDENT 0.0
.INDENT 3.5
\fI\%https://github.com/nodogsplash/nodogsplash/\fP
.UNINDENT
.UNINDENT
.sp
Then extract the php files from the folder
.INDENT 0.0
.INDENT 3.5
"forward_authentication_service/nodog/"
.UNINDENT
.UNINDENT
.sp
\fBOpenWrt and uhttpd:\fP
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Create a folder /www/nodog/
Install the packages php7\-cli and php7\-mod\-openssl
.IP \(bu 2
Place the files fas.php, landing.php, css.php, querycheck.php, tos.php, users.dat in /www/nodog/
Create a folder /[server\-web\-root]/nds/
.IP \(bu 2
Place the file fas\-aes.php in /[server\-web\-root]/nds/
.sp
(You can find it in the /etc/nodogsplash directory.)
.IP \(bu 2
Edit the file /etc/config/nodogsplash
.UNINDENT
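Review bot: the removed "Note 2" was the only place the docs told a user how to recover from a misconfiguration that locks them out ("you can still SSH to your router and stop NoDogSplash (ndsctl stop) to fix the problem"); with fas_secure_enabled 2 and a pre-shared faskey there are more ways to get this wrong, so that recovery hint should be kept rather than dropped. Also the introductory sentence "added PHP support using the package php7-cgi" does not match the list item "Install the packages php7-cli and php7-mod-openssl"; state in one place which packages are required for the encrypted example.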
@@ -646,27 +566,29 @@ adding the lines:
.INDENT 3.5
\fBoption fasport \(aq2080\(aq\fP
.sp
\fBoption faspath \(aq/nodog/fas.php\(aq\fP
\fBoption faspath \(aq/nds/fas\-aes.php\(aq\fP
.sp
\fBoption fas_secure_enabled \(aq0\(aq\fP
\fBoption fas_secure_enabled \(aq2\(aq\fP
.sp
\fBoption faskey \(aq1234567890\(aq\fP
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.INDENT 0.0
.IP \(bu 2
Restart uhttpd using the command "service uhttpd restart".
.IP \(bu 2
Restart NDS using the command "service nodogsplash restart".
.UNINDENT
.UNINDENT
.UNINDENT
.sp
The value of option faskey can be changed, but must also be pre\-shared with FAS by editing the example script to match the new value.
.SH PREAUTH OPTION
.SS Overview
.sp
\fBPreAuth\fP is a pre\-authentication process that enables NDS to directly serve dynamic web content generated by a script or executable program.
\fBPreAuth\fP is an implementation of FAS \fIwithout the resource utilisation of a separate web server\fP, particularly useful for legacy devices with limited flash and RAM capacity.
.sp
This is implemented using \fBFAS\fP, but \fIwithout the resource utilisation of a separate web server\fP, particularly useful for legacy devices with limited flash and RAM capacity.
\fBPreAuth\fP is a pre\-authentication process that enables NDS to directly serve dynamic web content generated by a script or executable program.
.sp
\fBNOTE:\fP
.INDENT 0.0
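Review bot: the sample "option faskey '1234567890'" is a published, easily guessed value, yet the closing sentence only says it "can be changed"; since faskey is the pre-shared secret that protects the client token, the docs should say it must be changed to a unique value before use (and that the same value must be entered in the FAS script). Note also that this example disagrees with the preceding hunk, which has the reader install php7-cgi while encryption needs php7-cli and php7-mod-openssl.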
@@ -762,6 +684,25 @@ The script then generates html code to send to NDS to serve a second "Thankyou"
On tapping "Continue" for the second time, the client user is given access to the Internet.
.sp
This is a simple example of a script to demonstrate how to use PreAuth as a built in FAS. The script could of course ask for any response from the client and conduct its own authentication procedures \- entirely at the discretion of the person setting up their own captive portal functionality.
.SS PreAuth with Remote Images
.sp
An additional example PreAuth script, demo\-preauth\-remote\-image.sh, is available in the source code:
.INDENT 0.0
.INDENT 3.5
\fIhttps://github.com/nodogsplash/nodogsplash/archive/master.zip\fP
.UNINDENT
.UNINDENT
.sp
and extracting from the folder:
.INDENT 0.0
.INDENT 3.5
"forward_authentication_service/PreAuth/"
.UNINDENT
.UNINDENT
.sp
This is an enhancement of the preinstalled login.sh, giving an example of how to display images pulled in from remote web servers, both http and https.
.sp
The example displays the NodogSplash avatar image dynamically retreived from Github.
.SS Writing A Preauth Script
.sp
A Preauth script can be written as a shell script or any other language that the system has an interpreter for. It could also be a complied program.
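Review bot: "retreived" in the added line "The example displays the NodogSplash avatar image dynamically retreived from Github." should be "retrieved". The unchanged context line just below also carries a typo, "complied program" for "compiled program", which could be fixed in the same commit.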
@@ -1347,9 +1288,9 @@ uci commit nodogsplash
.fi
.UNINDENT
.UNINDENT
.SS The Splash Page
.SS The Default Click and Go Splash Page
.sp
The default simple splash page can be found at:
The default default splash page can be found at:
.INDENT 0.0
.INDENT 3.5
\fB/etc/nodogsplash/htdocs/splash.html\fP
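Review bot: the replacement line reads "The default default splash page can be found at:" with the word duplicated; it should be "The default splash page can be found at:" to match the new heading "The Default Click and Go Splash Page".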
@@ -1380,8 +1321,6 @@ An href link example that my prove to be problematical:
.UNINDENT
.INDENT 0.0
.IP \(bu 2
\fI$imagesdir\fP The directory in nodogsplash\(aqs web hierarchy where images to be displayed in the splash page must be located.
.IP \(bu 2
\fI$tok\fP, \fI$redir\fP, \fI$authaction\fP, and \fI$denyaction\fP are available and should be used to write the splash page to use a GET\-method HTML form instead of using $authtarget as the value of an href attribute to communicate with the nodogsplash server.
.UNINDENT
.INDENT 0.0
@@ -1450,7 +1389,215 @@ Prohibit the execution of javascript.
.UNINDENT
.UNINDENT
.sp
Also, note that any images you reference should reside in the subdirectory that is defined by \fI$imagesdir\fP (default: "images").
Also, note that any images you reference should reside in the subdirectory /etc/nodogsplash/htdocs/images/.
.SH FREQUENTLY ASKED QUESTIONS
.SS What\(aqs the difference between v0.9, v1, v2, v3 and v4?
.sp
\fBv0.9 and v1\fP are the same codebase with the same feature set.
If the documentation says something about v1, this is usually also valid
for v0.9.
.sp
\fBv2\fP was developed before version v1 was released. In v2 the http code was replaced by libmicrohttpd and the template engine was rewritten. Many features became defunct because of this procedure.
.sp
\fBv3\fP cleans up the source code and adds three major new features,
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
\fBFAS\fP
.UNINDENT
.INDENT 0.0
.INDENT 3.5
A forwarding authentication service. FAS supports development of "Credential Verification" running on any dynamic web serving platform, on the same device as Nodogsplash, on another device on the local network, or on an Internet hosted web server.
.UNINDENT
.UNINDENT
.INDENT 0.0
.IP \(bu 2
\fBPreAuth\fP
.UNINDENT
.INDENT 0.0
.INDENT 3.5
An implementation of FAS running on the same device as Nodogsplash and using Nogogsplash\(aqs own web server to generate dynamic web pages. Any scripting language or even a compiled application program can be used. This has the advantage of not requiring the resources of a separate web server.
.UNINDENT
.UNINDENT
.INDENT 0.0
.IP \(bu 2
\fBBinAuth\fP
.UNINDENT
.INDENT 0.0
.INDENT 3.5
Enabling an external script to be called for simple username/password authentication as well as doing post authentication processing such as setting session durations. This is similar to the old binvoucher feature, but more flexible.
.UNINDENT
.UNINDENT
.sp
In addition, in v3, the ClientTimeout setting was split into PreauthIdleTimeout and AuthIdleTimeout and for the ClientForceTimeout setting, SessionTimeout is now used instead.
.UNINDENT
.UNINDENT
.sp
\fBv4\fP continues to add enhancements towards improving NDS as a Captive Portal Engine that can be used in the development of custom solutions.
.INDENT 0.0
.INDENT 3.5
Two major new features are introduced.
.INDENT 0.0
.IP \(bu 2
\fBFAS FQDN\fP
.UNINDENT
.INDENT 0.0
.INDENT 3.5
Enabling simple configuration for a FAS running on a remote shared web hosting server.
.UNINDENT
.UNINDENT
.INDENT 0.0
.IP \(bu 2
\fBFAS secure level 2\fP
.UNINDENT
.INDENT 0.0
.INDENT 3.5
Enabling aes256cbc encryption on NDS data transferred to remote FAS, thus preventing knowledgable client users from bypassing verification.
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.SS Can I update from v0.9 to v1?
.sp
Updating to v1.0.0 and v1.0.1, this is a very smooth update with full compatibility.
.sp
Updating to 1.0.2 requires iptables v1.4.21 or above.
.SS Can I update from v0.9/v1 to v2.0.0?
.sp
You can, if:
.INDENT 0.0
.IP \(bu 2
You don\(aqt use BinVoucher
.IP \(bu 2
You have iptables v1.4.21 or above
.UNINDENT
.SS Can I update from v0.9/v1/v2 to v3.0.0?
.sp
You can, if:
.INDENT 0.0
.IP \(bu 2
You don\(aqt use BinVoucher
.IP \(bu 2
You have iptables v1.4.21 or above
.IP \(bu 2
You use the new options contained in the version 3 configuration file
.UNINDENT
.SS Can I update from v0.9/v1/v2/v3 to v4.0.0?
.sp
You can, if:
.INDENT 0.0
.IP \(bu 2
You don\(aqt use BinVoucher
.IP \(bu 2
You have iptables v1.4.21 or above
.IP \(bu 2
You use the new options contained in the version 4 configuration file
.UNINDENT
.SS How do I use QoS or TrafficControl on OpenWrt?
.sp
The original pre version 1 feature has been broken since OpenWrt 12.09 (Attitude Adjustment), because the IMQ (Intermediate queueing device) is no longer supported.
.INDENT 0.0
.INDENT 3.5
\fBPull Requests are welcome!\fP
.sp
However the OpenWrt package, SQM Scripts (Smart Queue Management), is fully compatible with Nodogsplash and if configured to operate on the Nodogsplash interface (br\-lan by default) will provide efficient IP connection based traffic control to ensure fair usage of available bandwidth.
.UNINDENT
.UNINDENT
.SS Is https capture supported?
.sp
\fBNo\fP\&. Because all connections would have a critical certificate failure.
.INDENT 0.0
.INDENT 3.5
HTTPS web sites are now more or less a standard and to maintain security and user confidence it is essential that captive portals \fBDO NOT\fP attempt to capture port 443.
.UNINDENT
.UNINDENT
.SS What is CPD / Captive Portal Detection?
.sp
CPD (Captive Portal Detection) has evolved as an enhancement to the network manager component included with major Operating Systems (Linux, Android, iOS/macOS, Windows).
.INDENT 0.0
.INDENT 3.5
Using a pre\-defined port 80 web page (which one gets used depends on the vendor) the network manager will detect the presence of a captive portal hotspot and notify the user. In addition, most major browsers now support CPD.
.UNINDENT
.UNINDENT
.sp
\fBIt should be noted\fP when designing a custom splash page that for security reasons many client device CPD implementations:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
Immediately close the browser when the client has authenticated.
.IP \(bu 2
Prohibit the use of href links.
.IP \(bu 2
Prohibit downloading of external files (including .css and .js, even if they are allowed in NDS firewall settings).
.IP \(bu 2
Prohibit the execution of javascript.
.UNINDENT
.UNINDENT
.UNINDENT
.SH HOW TO COMPILE NODOGSPLASH
.SS Linux/Unix
.sp
Install libmicrohttpd including the header files (often call \-dev package).
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git clone https://github.com/nodogsplash/nodogsplash.git
cd nodogsplash
make
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
If you installed the libmicrohttpd to another location (e.g. /tmp/libmicrohttpd_install/)
replace path in the make call with
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
make CFLAGS="\-I/tmp/libmicrohttpd_install/include" LDFLAGS="\-L/tmp/libmicrohttpd_install/lib"
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
After compiling you can call \fBmake install\fP to install nodogsplash to /usr/
.SS OpenWrt
.sp
To compile nodogsplash please use the package definition from the feeds package.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
git clone git://git.openwrt.org/trunk/openwrt.git
cd openwrt
\&./scripts/feeds update
\&./scripts/feeds install
\&./scripts/feeds install nodogsplash
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Select the appropriate "Target System" and "Target Profile" in the menuconfig menu and build the image.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
make defconfig
make menuconfig
make
.ft P
.fi
.UNINDENT
.UNINDENT
.SH DEBUGGING NODOGSPLASH
.INDENT 0.0
.INDENT 3.5
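Review bot: several typos in the newly added FAQ and compile sections: "Nogogsplash's own web server" should be "Nodogsplash's", "knowledgable client users" should be "knowledgeable", and "often call -dev package" should be "often called the -dev package". The OpenWrt clone URL "git://git.openwrt.org/trunk/openwrt.git" is also worth checking before release, as the project repository has moved since that path was current.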
@@ -1498,11 +1645,15 @@ For extensive suggestions on debugging iptables, see for example, Oskar Andreass
.UNINDENT
.SH TODO LIST
.sp
Not all features are finished or working as properly or as efficiently as they should.
Not all features are finished or working as properly or as efficiently as they should. Other features have not been thought of yet!
.sp
Features should be aimed at providing tools to allow NDS to be used as flexible Captive Portal engine, rather than building in specific solutions.
.sp
Here is a list of things that need to be improved:
.INDENT 0.0
.IP \(bu 2
While (un\-) block/trust/allow via the ndsctl tool take effect, the state object of the client in NDS is not affected.
.sp
Both systems still need to be connected (in src/auth.c).
.IP \(bu 2
Include blocked and trusted clients in the client list \- so that they can be managed.
@@ -1514,6 +1665,8 @@ Implement Traffic control on a user by user basis. This functionality was origin
The code in src/http_microhttpd.c has evolved from previous versions and possibly has some missed edge cases. It would benefit from a rewrite to improve maintainability as well as performance.
.IP \(bu 2
ip version 6 is not currently supported by NDS. It is not essential or advantageous to have in the short term but should be added at some time in the future.
.IP \(bu 2
Automatic Offline mode. Either for forced offline use, or automatic detection of a failed Internet feed could be implemented. Some thought and discussion has been put into this and it is quite possible to achieve.
.UNINDENT
.INDENT 0.0
.IP \(bu 2

View File

@@ -60,9 +60,9 @@ author = 'The Nodogsplash Contributors'
# built documents.
#
# The short X.Y version.
version = '3.3.3-beta'
version = '4.0.0'
# The full version, including alpha/beta/rc tags.
release = '3.3.3-beta'
release = '4.0.0'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.

View File

@@ -58,10 +58,10 @@ Finally you must tell UCI to commit your changes to the configuration file:
uci commit nodogsplash
The Splash Page
***************
The Default Click and Go Splash Page
************************************
The default simple splash page can be found at:
The default default splash page can be found at:
``/etc/nodogsplash/htdocs/splash.html``
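Review bot: same duplicated word as in the man page: "The default default splash page can be found at:" should read "The default splash page can be found at:".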
@@ -79,7 +79,6 @@ replaced by their values:
(You should instead use a GET-method HTML form to send this information to the nodogsplash server; see below.)
* *$imagesdir* The directory in nodogsplash's web hierarchy where images to be displayed in the splash page must be located.
* *$tok*, *$redir*, *$authaction*, and *$denyaction* are available and should be used to write the splash page to use a GET-method HTML form instead of using $authtarget as the value of an href attribute to communicate with the nodogsplash server.
*$authaction* and *$denyaction* are virtual urls used to inform NDS that a client should be authenticated or deauthenticated and are of the form:
@@ -128,4 +127,4 @@ It should be noted when designing a custom splash page that for security reasons
* Prohibit the execution of javascript.
Also, note that any images you reference should reside in the subdirectory that is defined by *$imagesdir* (default: "images").
Also, note that any images you reference should reside in the subdirectory /etc/nodogsplash/htdocs/images/.

View File

@@ -1,34 +1,52 @@
Frequently Asked Questions
###########################
What's the difference between v0.9, v1, v2 and v3?
**************************************************
What's the difference between v0.9, v1, v2, v3 and v4?
******************************************************
v0.9 and v1 are the same codebase with the same feature set.
**v0.9 and v1** are the same codebase with the same feature set.
If the documentation says something about v1, this is usually also valid
for v0.9.
v2 was developed before version v1 was released. In v2 the http code was replaced by libmicrohttpd and the template engine was rewritten. Many features became defunct because of this procedure.
**v2** was developed before version v1 was released. In v2 the http code was replaced by libmicrohttpd and the template engine was rewritten. Many features became defunct because of this procedure.
v3 cleans up the source code and adds three major new features,
**v3** cleans up the source code and adds three major new features,
1. **FAS**, a forwarding authentication service. FAS supports development of "Credential Verification" running on any dynamic web serving platform, on the same device as Nodogsplash, on another device on the local network, or on an Internet hosted web server.
* **FAS**
2. **PreAuth**, an implementation of FAS running on the same device as Nodogsplash and using Nogogsplash's own web server to generate dynamic web pages. Any scripting language or even a compiled application program can be used. This has the advantage of not requiring the resources of a separate web server.
A forwarding authentication service. FAS supports development of "Credential Verification" running on any dynamic web serving platform, on the same device as Nodogsplash, on another device on the local network, or on an Internet hosted web server.
3. **BinAuth**, enabling an external script to be called for simple username/password authentication as well as doing post authentication processing such as setting session durations. This is similar to the old binvoucher feature, but more flexible.
* **PreAuth**
In addition, in v3, the ClientTimeout setting was split into PreauthIdleTimeout and AuthIdleTimeout and for the ClientForceTimeout setting, SessionTimeout is now used instead.
An implementation of FAS running on the same device as Nodogsplash and using Nogogsplash's own web server to generate dynamic web pages. Any scripting language or even a compiled application program can be used. This has the advantage of not requiring the resources of a separate web server.
Can I update from v0.9 to v1
****************************
* **BinAuth**
Enabling an external script to be called for simple username/password authentication as well as doing post authentication processing such as setting session durations. This is similar to the old binvoucher feature, but more flexible.
In addition, in v3, the ClientTimeout setting was split into PreauthIdleTimeout and AuthIdleTimeout and for the ClientForceTimeout setting, SessionTimeout is now used instead.
**v4** continues to add enhancements towards improving NDS as a Captive Portal Engine that can be used in the development of custom solutions.
Two major new features are introduced.
* **FAS FQDN**
Enabling simple configuration for a FAS running on a remote shared web hosting server.
* **FAS secure level 2**
Enabling aes256cbc encryption on NDS data transferred to remote FAS, thus preventing knowledgable client users from bypassing verification.
Can I update from v0.9 to v1?
*****************************
Updating to v1.0.0 and v1.0.1, this is a very smooth update with full compatibility.
Updating to 1.0.2 requires iptables v1.4.21 or above.
Can I update from v0.9/v1 to v2.0.0
***********************************
Can I update from v0.9/v1 to v2.0.0?
************************************
You can, if:
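Review bot: the added rst text repeats the man-page typos: "Nogogsplash's own web server" should be "Nodogsplash's" and "knowledgable client users" should be "knowledgeable". Since the FAQ is generated from this source, fixing it here and regenerating the man page would keep both in sync.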
@@ -36,8 +54,8 @@ You can, if:
* You have iptables v1.4.21 or above
Can I update from v0.9/v1/v2 to v3.0.0
**************************************
Can I update from v0.9/v1/v2 to v3.0.0?
***************************************
You can, if:
@@ -45,20 +63,43 @@ You can, if:
* You have iptables v1.4.21 or above
* You use the new options contained in the version 3 configuration file
I would like to use QoS or TrafficControl on OpenWrt
****************************************************
Can I update from v0.9/v1/v2/v3 to v4.0.0?
******************************************
You can, if:
* You don't use BinVoucher
* You have iptables v1.4.21 or above
* You use the new options contained in the version 4 configuration file
How do I use QoS or TrafficControl on OpenWrt?
**********************************************
The original pre version 1 feature has been broken since OpenWrt 12.09 (Attitude Adjustment), because the IMQ (Intermediate queueing device) is no longer supported.
**Pull Requests are welcome!**
However the OpenWrt package, SQM Scripts (Smart Queue Management), is fully compatible with Nodogsplash and if configured to operate on the Nodogsplash interface (br-lan by default) will provide efficient IP connection based traffic control to ensure fair usage of available bandwidth.
However the OpenWrt package, SQM Scripts (Smart Queue Management), is fully compatible with Nodogsplash and if configured to operate on the Nodogsplash interface (br-lan by default) will provide efficient IP connection based traffic control to ensure fair usage of available bandwidth.
Is https capture supported?
******************************
***************************
**No**. Because all connections would have a critical certificate failure.
HTTPS web sites are now more or less a standard and to maintain security and user confidence it is essential that captive portals **DO NOT** attempt to capture port 443.
HTTPS web sites are now more or less a standard and to maintain security and user confidence it is essential that captive portals **DO NOT** attempt to capture port 443.
**Captive Portal Detection** (CPD) has evolved as an enhancement to the network manager component included with major Operating Systems (Linux, Android, iOS/macOS, Windows). Using a pre-defined port 80 web page (depending on the vendor) the network manager will detect the presence of a captive portal hotspot and notify the user. In addition, most major browsers now support CPD.
What is CPD / Captive Portal Detection?
***************************************
CPD (Captive Portal Detection) has evolved as an enhancement to the network manager component included with major Operating Systems (Linux, Android, iOS/macOS, Windows).
Using a pre-defined port 80 web page (which one gets used depends on the vendor) the network manager will detect the presence of a captive portal hotspot and notify the user. In addition, most major browsers now support CPD.
**It should be noted** when designing a custom splash page that for security reasons many client device CPD implementations:
* Immediately close the browser when the client has authenticated.
* Prohibit the use of href links.
* Prohibit downloading of external files (including .css and .js, even if they are allowed in NDS firewall settings).
* Prohibit the execution of javascript.

View File

@@ -3,18 +3,33 @@ Forwarding Authentication Service (FAS)
Overview
********
Nodogsplash (NDS) supports external (to NDS) authentication service via simple configuration options.
Nodogsplash (NDS) has the ability to forward requests to a third party authentication service (FAS). This is enabled via simple configuration options.
These options are:
1. **fasport**. This enables Forwarding Authentication Service (FAS). Redirection is changed from splash.html to a FAS. The value is the IP port number of the FAS.
2. **fasremoteip**. If set, this is the remote ip address of the FAS, if not set it will take the value of the NDS gateway address.
3. **faspath**. This is the path to the login page on the FAS.
4. **fas_secure_enable**. If set to "1", authaction and the client token are not revealed and it is the responsibility of the FAS to request the token from NDSCTL. If set to "0", the client token is sent to the FAS in clear text in the query string of the redirect along with authaction and redir.
3. **fasremotefqdn** If set, this is the remote fully qualified domain name (FQDN) of the FAS
4. **faspath**. This is the path from the FAS Web Root (not the file system root) to the FAS login page.
5. **fas_secure_enable**. This can have three values, "0", "1", or "2" providing different levels of security.
6. **faskey** Used in combination with fas_secure_enable level 2, this is a key phrase for NDS to encrypt the query string sent to FAS.
.. note::
FAS (and Preauth/FAS) enables pre authentication processing. NDS authentication is the process that NDS uses to allow a client device to access the Internet through the Firewall. In contrast, Forward Authentication is a process of "Credential Verification", after which FAS, if the verification process is successful, passes the client token to NDS for access to the Internet to be granted.
Using a Shared Hosting Server for a Remote FAS
**********************************************
A typical Internet hosted **shared** server will be set up to serve multiple domain names.
To access yours, it is important to configure the two options:
fasremoteip = the **ip address** of the remote server
**AND**
fasremotefqdn = the **Fully Qualified Domain name** of the remote server
Using FAS
*********
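Review bot: the option list names the setting "fas_secure_enable" ("5. **fas_secure_enable**. This can have three values ..."), while the configuration examples and the Security section below use "fas_secure_enabled"; a user copying the list name into /etc/config/nodogsplash would get an ignored option, so use the real option name consistently. Items 3 and 6 ("**fasremotefqdn** If set ..." and "**faskey** Used in combination ...") are also missing the period after the bold option name that the other items have.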
@@ -22,9 +37,10 @@ Using FAS
**Note**:
All addresses (with the exception of fasremoteip) are relative to the *client* device, even if the FAS is located remotely.
When FAS is enabled, NDS automatically configures access to the FAS service.
When FAS is enabled, NDS automatically configures firewall access to the FAS service.
The FAS service must serve an http splash of its own to replace the NDS splash.html.
Typically, the FAS service will be written in PHP or any other language that can provide dynamic web content.
FAS can then provide an action form for the client, typically requesting login, or self account creation for login.
@@ -34,46 +50,86 @@ The FAS can be on the same device as NDS, on the same local area network as NDS,
Security
********
**If FAS Secure is enabled** (fas_secure_enabled = 1, the default), NDS will supply only the gateway name, the client IP address and the originally requested URL in the query string in the redirect to FAS.
**If FAS Secure is enabled** (Levels 1 (default), and 2), the client authentication token is kept secret until FAS verification is complete.
For example:
**If set to "0"** the client token is sent to the FAS in clear text in the query string of the
redirect along with authaction and redir.
`http://fasremoteip:fasport/faspath?gatewayname=[gatewayname]&clientip=[clientip]&redir=[requested-url]`
**If set to "1"**
authaction and the client token are not revealed and it is the responsibility of the FAS to request the token from NDSCTL.
It is the responsibility of FAS to obtain the unique client token allocated by NDS as well as constructing the return URL to NDS.
**If set to "2"**
clientip, clientmac, gatewayname, client token, gatewayaddress, authdir and originurl are encrypted using faskey and passed to FAS in the query string.
The return url will be constructed by FAS from predetermined knowledge of the configuration of NDS using gatewayname as an identifier.
The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption.
The client's unique access token will be obtained from NDS by the FAS making a call to the ndsctl tool.
The cipher used is "AES-256-CBC".
For example, the following command returns just the token:
The "php-cli" package and the "php-openssl" module must both be installed for fas_secure level 2.
`ndsctl json $clientip | grep token | cut -c 10- | cut -c -8`
Nodogsplash does not depend on this package and module, but will exit gracefully if this package and module are not installed when this level is set.
If the client successfully authenticates in the FAS, FAS will return the unique token to NDS to finally allow the client access to the Internet.
The FAS must use the query string passed initialisation vector and the pre shared fas_key to decrypt the query string. An example FAS level 2 php script is preinstalled in the /etc/nodogsplash directory and also supplied in the source code.
A Secure Internet based FAS is best implemented as a two stage process, first using a local FAS, that in turn accesses an https remote FAS using tools such as curl or wget.
**Option faskey must be set** if fas secure is set to level 2.
**If FAS Secure is disabled** (fas_secure_enabled = 0), NDS sends the token and other information to FAS as clear text.
Option faskey is used to encrypt the data sent by NDS to FAS.
It can be any combination of A-Z, a-z and 0-9, up to 16 characters with no white space.
For example:
This is used to create a sha256 digest that is in turn used to encrypt the data using the aes-256-cbc cypher.
`http://fasremoteip:fasport/faspath?authaction=http://gatewayaddress:gatewayport/nodogsplash_auth/?clientip=[clientip]&gatewayname=[gatewayname]&tok=[token]&redir=[requested_url]`
A random initialisation vector is generated for every encryption and sent to FAS with the encrypted data.
Clearly in this case, a knowledgeable user could bypass FAS, so running fas_secure_enabled = 1, the default, is recommended.
Option faskey must be pre-shared with FAS.
**Post FAS processing**.
Example FAS Query strings
*************************
**Level 0** (fas_secure_enabled = 0), NDS sends the token and other information to FAS as clear text.
`http://fasremoteip:fasport/faspath?authaction=http://gatewayaddress:gatewayport/nodogsplash_auth/?clientip=[clientip]&gatewayname=[gatewayname]&tok=[token]&redir=[requested_url]`
Although the simplest to set up, a knowledgeable user could bypass FAS, so running fas_secure_enabled at level 1 or 2 is recommended.
**Level 1** (fas_secure_enabled = 1), NDS sends only information required to identify, the instance of NDS, the client and the client's originally requested URL.
`http://fasremotefwdn:fasport/faspath?gatewayname=[gatewayname]&clientip=[clientip]&redir=[requested-url]`
It is the responsibility of FAS to obtain the unique client token allocated by NDS as well as constructing the return URL to NDS.
The return url will be constructed by FAS from predetermined knowledge of the configuration of NDS using gatewayname as an identifier.
The client's unique access token will be obtained from NDS by the FAS making a call to the ndsctl tool.
For example, the following command returns just the token:
`ndsctl json $clientip | grep token | cut -c 10- | cut -c -8`
**Level 2** (fas_secure_enabled = 2), NDS sends enrypted information to FAS.
`http://fasremotefwdn:fasport/faspath?fas=[aes-256-cbc data]&iv=[random initialisation vector]`
It is the responsibility of FAS to decrypt the aes-256-cbc data it receives, using the pre shared faskey and the random initialisation vector.
If the client is successfully verified by the FAS, FAS will return the unique token to NDS to finally allow the client access to the Internet.
Post FAS processing
*******************
Once the client has been authenticated by the FAS, NDS must then be informed to allow the client to have access to the Internet.
This is done by accessing NDS at a special virtual URL.
This is of the form:
`http://gatewayaddress:gatewayport/nodogsplash_auth/?tok=[token]&redir=[landing_page_url]`
This is done by accessing NDS at a special virtual URL.
This is of the form:
`http://gatewayaddress:gatewayport/nodogsplash_auth/?tok=[token]&redir=[landing_page_url]`
This is most commonly done using an html form of method GET.
The parameter redir can be the client's originally requested URL sent by NDS, or more usefully, the URL of a suitable landing page.
This is most commonly achieved using an html form of method GET.
The parameter redir can be the client's originally requested URL sent by NDS, or more usefully, the URL of a suitable landing page.
However, be aware that many client CPD processes will **automatically close** the landing page as soon as Internet access is detected.
Be aware that many client CPD processes will **automatically close** the landing page as soon as Internet access is detected.
**Manual Access of NDS Virtual URL**
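Review bot: the Level 1 and Level 2 example URLs use the host name `fasremotefwdn`, but the option this PR introduces is `fasremotefqdn`; please correct both, and fix "enrypted" to "encrypted" in the Level 2 heading. The Level 2 text should also say what the encryption does and does not provide: AES-256-CBC with a pre-shared faskey and a random IV hides the token and authdir from the client, but CBC on its own gives no integrity check, so FAS should treat a blob that does not decrypt into the expected `name=value` list as invalid instead of continuing with partial data. For Level 1, the one-liner `ndsctl json $clientip | grep token | cut -c 10- | cut -c -8` depends on the exact JSON layout and on character offsets; suggest noting that FAS should parse the JSON output for the `token` field rather than rely on column positions.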
@@ -89,15 +145,19 @@ FAS should then serve a suitable error page informing the client user that they
Running FAS on your Nodogsplash router
**************************************
A FAS service will run quite well on uhttpd (the web server that serves Luci) on an OpenWrt supported device with 8MB flash and 32MB ram but shortage of ram may well be an issue if more than two or three clients log in at the same time.
FAS has been tested using uhttpd, lighttpd, ngnix, apache and libmicrohttpd.
**Running on OpenWrt with uhttpd/PHP**:
A FAS service may run quite well on uhttpd (the web server that serves Luci) on an OpenWrt supported device with 8MB flash and 32MB ram but shortage of ram will be an issue if more than two or three clients log in at the same time.
For this reason a device with a minimum of 8MB flash and 64MB ram is recommended.
**Running on uhttpd with PHP**:
*Although port 80 is the default for uhttpd, it is reserved for Captive Portal Detection so cannot be used for FAS. uhttpd can however be configured to operate on more than one port.*
Although port 80 is the default for uhttpd, it is reserved for Captive Portal Detection so cannot be used for FAS. uhttpd can however be configured to operate on more than one port. We will use port 2080 in this example.
We will use port 2080 in this example.
Install the modules php7 and php7-cgi on OpenWrt for a simple example. Further modules may be required depending on your requirements.
Install the module php7-cgi. Further modules may be required depending on your requirements.
To enable FAS with php in uhttpd you must add the lines:
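Review bot: "ngnix" in the list of tested web servers should read "nginx". In the rewritten memory paragraph, "shortage of ram will be an issue" is followed by the 64MB recommendation; stating the recommended 64MB figure first and then presenting 8MB flash / 32MB ram as the minimum that has been seen to work would read more clearly.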
@@ -114,51 +174,23 @@ The two important NDS options to set will be:
2. faspath. Set to, for example, /myfas/fas.php,
your FAS files being placed in /www/myfas/
**Note 1**:
A typical Internet hosted Apache/PHP **shared** server will be set up to serve multiple domain names.
Using the FAS Example Script
****************************
To access yours, use:
You can run the FAS example script locally on the same OpenWrt device that is running NDS (A minimum of 64MB of ram may be enough, but 128MB is recommended).
fasremoteip = the **ip address** of the remote server
and, for example,
faspath = /domainname/pathto/myfas/fas.php
or
faspath = /accountname/pathto/myfas/fas.php
If necessary, contact your hosting service provider.
**Note 2:**
The configuration file /etc/config/nodogsplash contains the line "option enabled 1".
If you have done something wrong and locked yourself out, you can still SSH to your router and stop NoDogSplash (ndsctl stop) to fix the problem.
Using the simple example files
******************************
Assuming you want to run the FAS example demo locally under uhttpd on the same OpenWrt device that is running NDS, configured as above, do the following.
Assuming you have installed your web server of choice, configured it for port 2080 and added PHP support using the package php7-cgi, you can do the following.
(Under other operating systems you may need to edit the nodogsplash.conf file in /etc/nodogsplash instead, but the process is very similar.)
First you should obtain the demo files by downloading the Nodogsplash zip file from
* Install the packages php7-cli and php7-mod-openssl
https://github.com/nodogsplash/nodogsplash/
* Create a folder /[server-web-root]/nds/
Then extract the php files from the folder
* Place the file fas-aes.php in /[server-web-root]/nds/
"forward_authentication_service/nodog/"
**OpenWrt and uhttpd:**
* Create a folder /www/nodog/
* Place the files fas.php, landing.php, css.php, querycheck.php, tos.php, users.dat in /www/nodog/
(You can find it in the /etc/nodogsplash directory.)
* Edit the file /etc/config/nodogsplash
@@ -166,10 +198,14 @@ Then extract the php files from the folder
``option fasport '2080'``
``option faspath '/nodog/fas.php'``
``option faspath '/nds/fas-aes.php'``
``option fas_secure_enabled '0'``
``option fas_secure_enabled '2'``
* Restart uhttpd using the command "service uhttpd restart".
``option faskey '1234567890'``
* Restart NDS using the command "service nodogsplash restart".
The value of option faskey can be changed, but must also be pre-shared with FAS by editing the example script to match the new value.
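Review bot: the example config ships `option faskey '1234567890'` and the closing sentence says the value "can be changed"; since at level 2 this key is the only thing protecting the authdir and client token in transit, the docs should say it must be changed to a site-specific value and kept identical to `$key` in fas-aes.php, and should repeat the format constraint given in the script header (A-Z, a-z, 0-9, at most 16 characters, no white space) here, where the operator actually sets it. The bullet "Install the packages php7-cli and php7-mod-openssl" is an NDS-side requirement (NDS uses them to encrypt the query string and exits if they are missing), while the remaining bullets configure the web server; a sentence separating the two sides would help readers who later move FAS to a remote host.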

View File

@@ -3,7 +3,8 @@ How Nodogsplash (NDS) works
A wireless router, typically running OpenWrt or some other Linux distribution, has two or more interfaces; NDS manages one of them. This will typically be br-lan, the bridge to both the wireless and wired LAN; or could be for example wlan0 if you wanted NDS to work just on the wireless interface.
**A simplified summary of operation is as follows**:
Summary of Operation
********************
By default, NDS blocks everything, but intercepts port 80 requests.
@@ -21,7 +22,7 @@ A wireless router, typically running OpenWrt or some other Linux distribution, h
If the binauth script returns positively (ie return code 0), NDS then "authenticates" the client device, allowing access to the Internet.
In FAS secure mode, it is the responsibility of the FAS to obtain the client token in a secure manner from NDS.
In FAS secure modes (levels 1 and 2), the client token and other required information is kept securely hidden from the Client, ensuring verification cannot be bypassed.
When FAS is disabled, the token is supplied to the basic splash.html page served by NDS and passed back in clear text in the query string along with any username and password required for Binauth.
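Review bot: subject-verb agreement in the new sentence: "the client token and other required information is kept" should be "are kept". The phrase "ensuring verification cannot be bypassed" also overstates what the mechanism gives: withholding the token until FAS has verified the client stops the clear-text bypass described in the next sentence, but the returned token still travels through the client's browser to the auth URL, so wording such as "so the client cannot obtain the token before FAS has verified it" is more accurate.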
@@ -30,6 +31,19 @@ A wireless router, typically running OpenWrt or some other Linux distribution, h
FAS and Binauth can be enabled together.
This can give great flexibility with FAS providing authentication and Binauth providing post authentication processing closely linked to NDS.
Rules for Customised Splash Pages
*********************************
It should be noted when designing a custom splash page that for security reasons many client device CPD implementations:
* Immediately close the browser when the client has authenticated.
* Prohibit the use of href links.
* Prohibit downloading of external files (including .css and .js, even if they are allowed in NDS firewall settings).
* Prohibit the execution of javascript.
Packet filtering
****************

View File

@@ -28,16 +28,16 @@ Contents:
overview
install
compile
faq
splash
howitworks
splash
fas
preauth
binauth
traffic
ndsctl
customize
faq
compile
debug
todo

View File

@@ -4,9 +4,9 @@ PreAuth Option
Overview
********
**PreAuth** is a pre-authentication process that enables NDS to directly serve dynamic web content generated by a script or executable program.
**PreAuth** is an implementation of FAS *without the resource utilisation of a separate web server*, particularly useful for legacy devices with limited flash and RAM capacity.
This is implemented using **FAS**, but *without the resource utilisation of a separate web server*, particularly useful for legacy devices with limited flash and RAM capacity.
**PreAuth** is a pre-authentication process that enables NDS to directly serve dynamic web content generated by a script or executable program.
.. note::
From version 3.3.1 onwards, a PreAuth login script is preinstalled. This generates a page asking for username and email address. Logins are recorded in a log file. It is enabled by uncommenting just 3 lines in the config file.
@@ -81,6 +81,22 @@ On tapping "Continue" for the second time, the client user is given access to th
This is a simple example of a script to demonstrate how to use PreAuth as a built in FAS. The script could of course ask for any response from the client and conduct its own authentication procedures - entirely at the discretion of the person setting up their own captive portal functionality.
PreAuth with Remote Images
**************************
An additional example PreAuth script, demo-preauth-remote-image.sh, is available in the source code:
`https://github.com/nodogsplash/nodogsplash/archive/master.zip`
and extracting from the folder:
"forward_authentication_service/PreAuth/"
This is an enhancement of the preinstalled login.sh, giving an example of how to display images pulled in from remote web servers, both http and https.
The example displays the NodogSplash avatar image dynamically retreived from Github.
Writing A Preauth Script
************************
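Review bot: the sentence "is available in the source code: `https://github.com/nodogsplash/nodogsplash/archive/master.zip` and extracting from the folder" has no verb for the download; suggest "is available in the source code by downloading `https://github.com/nodogsplash/nodogsplash/archive/master.zip` and extracting it from the folder "forward_authentication_service/PreAuth/"". Also "retreived" should be "retrieved". Since the script supports image sources over plain http as well as https, a short note that an http image can be read and altered by anyone on the path, so https sources are preferable on a page shown to unauthenticated clients, would be useful here.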

View File

@@ -1,10 +1,14 @@
TODO List
#########
Not all features are finished or working as properly or as efficiently as they should.
Not all features are finished or working as properly or as efficiently as they should. Other features have not been thought of yet!
Features should be aimed at providing tools to allow NDS to be used as flexible Captive Portal engine, rather than building in specific solutions.
Here is a list of things that need to be improved:
* While (un-) block/trust/allow via the ndsctl tool take effect, the state object of the client in NDS is not affected.
Both systems still need to be connected (in src/auth.c).
* Include blocked and trusted clients in the client list - so that they can be managed.
@@ -16,3 +20,5 @@ Here is a list of things that need to be improved:
* The code in src/http_microhttpd.c has evolved from previous versions and possibly has some missed edge cases. It would benefit from a rewrite to improve maintainability as well as performance.
* ip version 6 is not currently supported by NDS. It is not essential or advantageous to have in the short term but should be added at some time in the future.
* Automatic Offline mode. Either for forced offline use, or automatic detection of a failed Internet feed could be implemented. Some thought and discussion has been put into this and it is quite possible to achieve.

View File

@@ -0,0 +1,419 @@
<?php
/* (c) Blue Wave Projects and Services 2015-2019. This software is released under the GNU GPL license.
This is a FAS script providing an example of remote Forward Authentication for Nodogsplash (NDS) on an http web server supporting PHP.
The following NDS configurations must be set:
1. fasport: Set to the port number the remote webserver is using (typically port 80)
2. faspath: This is the path from the FAS Web Root to the location of this FAS script (not from the file system root).
eg. /nds/fas-aes.php
3. fasremoteip: The remote IPv4 address of the remote server eg. 46.32.240.41
4. fasremotefqdn: The fully qualified domain name of the remote web server.
This is required in the case of a shared web server (ie. a server that hosts multiple domains on a single IP),
but is optional for a dedicated web server (ie. a server that hosts only a single domain on a single IP).
eg. onboard-wifi.net
5. faskey: Matching $key as set in this script (see below this introduction).
This is a key phrase for NDS to encrypt the query string sent to FAS.
It can be any combination of A-Z, a-z and 0-9, up to 16 characters with no white space.
eg 1234567890
6. fas_secure_enabled: set to level 2
The NDS parameters: clientip, clientmac, gatewayname, client token, gatewayaddress, authdir and originurl
are encrypted using fas_key and passed to FAS in the query string.
The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption.
The "php-cli" package and the "php-openssl" module must both be installed for fas_secure level 2.
Nodogsplash does not have "php-cli" and "php-openssl" as dependencies, but will exit gracefully at runtime if this package and module
are not installed when fas_secure_enabled is set to level 2.
The FAS must use the initialisation vector passed with the query string and the pre shared faskey to decrypt the required information.
The remote web server (that runs this script) must have the "php-openssl" module installed (standard for most hosting services).
This script requires the client user to enter their Fullname and email address. This information is stored in a log file kept
in the same folder as this script.
This script requests the client CPD to display the NDS splash.jpg image directly from the
/etc/nodogsplash/htdocs/images folder of the NDS device.
This script displays an example Terms of Service. You should modify this for your local legal juristiction.
The script is provided as a fully functional alternative to the basic NDS splash page.
In its present trivial form it does not do any verification, but serves as an example for customisation projects.
*/
$key="1234567890";
date_default_timezone_set("UTC");
if (isset($_SERVER['HTTPS'])) {
$protocol="https://";
} else {
$protocol="http://";
}
$fullname=$email=$invalid="";
$cipher="AES-256-CBC";
$docroot=$_SERVER['DOCUMENT_ROOT'];
$me=$_SERVER['SCRIPT_NAME'];
$home=str_replace(basename($_SERVER['SCRIPT_NAME']),"",$_SERVER['SCRIPT_NAME']);
$header="NDS Captive Portal";
if (isset($_GET['fas']) and isset($_GET['iv'])) {
$string=$_GET['fas'];
$iv=$_GET['iv'];
$decrypted=openssl_decrypt( base64_decode( $string ), $cipher, $key, 0, $iv );
$dec_r=explode(", ",$decrypted);
foreach ($dec_r as $dec) {
list($name,$value)=explode("=",$dec);
if ($name == "clientip") {$clientip=$value;}
if ($name == "clientmac") {$clientmac=$value;}
if ($name == "gatewayname") {$gatewayname=$value;}
if ($name == "tok") {$tok=$value;}
if ($name == "gatewayaddress") {$gatewayaddress=$value;}
if ($name == "authdir") {$authdir=$value;}
if ($name == "originurl") {$originurl=$value;}
}
} else if (isset($_GET["status"])) {
$gatewayname=$_GET["gatewayname"];
$originurl="";
$loggedin=true;
} else {
$invalid=true;
}
if (!isset($gatewayname)) {
$gatewayname="NoDogSplash";
}
$landing=false;
$terms=false;
if (isset($_GET["originurl"])) {
$originurl=$_GET["originurl"];
$landing=true;
} else if (isset($_GET["terms"])) {
$gatewayname=$_GET["gatewayname"];
$terms=true;
} else {
$redir=$_SERVER["SCRIPT_URI"]."/?originurl=".urlencode($originurl);
}
// Add headers to stop browsers from cacheing
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-cache");
header("Pragma: no-cache");
if (isset($gatewayaddress)) {
$imagepath="http://".$gatewayaddress."/images/splash.jpg";
} else {
$imagepath="";
}
//Output our responsive page
echo"<!DOCTYPE html>\n<html>\n<head>\n".
"<meta charset=\"utf-8\" />\n".
"<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n";
if (isset($gatewayaddress)) {
echo "<link rel=\"shortcut icon\" href=".$imagepath." type=\"image/x-icon\">";
}
echo "<title>".$header."</title>\n"."<style>\n";
insert_css();
echo"\n</style>\n</head>\n<body>\n";
//page header
echo "<div class=\"offset\">\n";
echo "<hr><b style=\"color:blue;\">".$gatewayname.
" </b><br><b>".$header."</b><br><hr>\n";
echo"<div class=\"insert\">\n";
if (isset($gatewayaddress)) {
echo "<img style=\"float:left; width:4em; height:4em;\" src=\"".$imagepath."\">";
}
if ($terms == true) {
display_terms();
footer();
exit(0);
}
if ($landing == true) {
echo "<p><big-red>You are now logged in and have access to the Internet.</big-red></p>";
echo "<hr>";
echo "<p><italic-black>You can use your Browser, Email and other network Apps as you normally would.</italic-black></p>";
echo "\n<form>\n<input type=\"button\" VALUE=\"Continue\" onClick=\"location.href='".$originurl."'\" >\n</form>\n";
footer();
exit(0);
}
if (isset($_GET["status"])) {
if ($_GET["status"] == "authenticated") {
echo "<p><big-red>You are already logged in and have access to the Internet.</big-red></p>";
echo "<hr>";
echo "<p><italic-black>You can use your Browser, Email and other network Apps as you normally would.</italic-black></p>";
footer();
exit(0);
}
}
if (isset($_GET["fullname"])) {
$fullname=ucwords($_GET["fullname"]);
}
if (isset($_GET["email"])) {
$email=$_GET["email"];
}
//Initial Form
if ($fullname == "" or $email == "") {
echo "<b>Enter Full Name and Email Address</b>\n";
$me=$_SERVER['SCRIPT_NAME'];
if ($invalid == true) {
echo "<br><b style=\"color:red;\">ERROR! Incomplete data passed from NDS</b>\n";
} else {
read_terms($me, $gatewayname);
echo "<form action=\"".$me."\" method=\"get\" >\n";
echo "<input type=\"hidden\" name=\"fas\" value=\"".$string."\">\n";
echo "<input type=\"hidden\" name=\"iv\" value=\"".$iv."\">\n";
echo "<hr>Full Name:<br>\n";
echo "<input type=\"text\" name=\"fullname\" value=\"".$fullname."\">\n<br>\n";
echo "Email Address:<br>\n";
echo "<input type=\"email\" name=\"email\" value=\"".$email."\">\n<br><br>\n";
echo "<input type=\"submit\" value=\"Accept Terms of Service\">\n</form>\n";
}
} else {
# Output the "Thankyou page" with a continue button
# You could include information or advertising on this page
# Be aware that many devices will close the login browser as soon as
# the client taps continue, so now is the time to deliver your message.
$authaction="http://".$gatewayaddress."/".$authdir."/";
echo "<big-red>Thankyou!</big-red>\n".
"<br><b>Welcome $fullname</b>\n".
"<br><italic-black> Your News or Advertising could be here, contact the owners of this Hotspot to find out how!</italic-black>\n".
"<form action=\"".$authaction."\" method=\"get\">\n".
"<input type=\"hidden\" name=\"tok\" value=\"".$tok."\">\n".
"<input type=\"hidden\" name=\"redir\" value=\"".$redir."\"><br>\n".
"<input type=\"submit\" value=\"Continue\" >\n".
"</form><hr>\n";
read_terms($me,$gatewayname);
# In this example we have decided to log all clients who are granted access
$log=date('d/m/Y H:i:s', $_SERVER['REQUEST_TIME'])." Username=".$fullname." emailaddress=".$email." macaddress=".$clientmac."\n";
$gwname=str_replace(" ", "_", trim($gatewayname));
if (!file_exists($gwname."_log.php")) {
file_put_contents($gwname."_log.php", "<?php exit(0); ?>\n");
}
file_put_contents($gwname."_log.php", $log, FILE_APPEND );
}
footer();
// Functions:
function footer() {
echo "<hr>\n</div>\n";
echo "<div style=\"font-size:0.7em;\">\n";
echo "&copy; The Nodogsplash Contributors 2004-".date("Y")."<br>";
echo "&copy; Blue Wave Projects and Services 2015-".date("Y")."<br>".
"This software is released under the GNU GPL license.\n";
echo "</div>\n";
echo "</div>\n";
echo "</body>\n</html>\n";
}
function read_terms($me, $gatewayname) {
//terms of service button
echo "<form action=\"".$me."\" method=\"get\" >\n".
"<input type=\"hidden\" name=\"terms\" value=\"terms\">\n".
"<input type=\"hidden\" name=\"gatewayname\" value=\"".$gatewayname."\">\n".
"<input type=\"submit\" value=\"Read Terms of Service\" >\n".
"</form>\n";
}
function display_terms () {
echo "<b style=\"color:red;\">Privacy.</b><br>\n".
"<b>By logging in to the system, you grant your permission for this system to store the data you provide ".
"along with the networking parameters of your device that the system requires to function.<br>".
"All information collected by this system is stored in a secure manner.<br>".
"All we ask for is your name and an email address in return for unrestricted FREE Internet access.</b><hr>";
echo "<b style=\"color:red;\">Terms of Service for this Hotspot.</b> <br>\n".
"<b>Access is granted on a basis of trust that you will NOT misuse or abuse that access in any way.</b><hr><b>\n";
echo "<b>Please scroll down to read the Terms of Service in full or click the Continue button to return to the Acceptance Page</b>\n";
echo "<form>\n".
"<input type=\"button\" VALUE=\"Continue\" onClick=\"history.go(-1);return true;\">\n".
"</form>\n";
echo "<hr><b>Proper Use</b>\n";
echo "<p>This Hotspot provides a wireless network that allows you to connect to the Internet. <br>\n".
"<b>Use of this Internet connection is provided in return for your FULL acceptance of these Terms Of Service.</b></p>\n";
echo "<p><b>You agree</b> that you are responsible for providing security measures that are suited for your intended use of the Service. \n".
"For example, you shall take full responsibility for taking adequate measures to safeguard your data from loss.</p>\n";
echo "<p>While the Hotspot uses commercially reasonable efforts to provide a secure service, \n".
"the effectiveness of those efforts cannot be guaranteed.</p>\n";
echo "<p> <b>You may</b> use the technology provided to you by this Hotspot for the sole purpose \n".
"of using the Service as described here. \n".
"You must immediately notify the Owner of any unauthorized use of the Service or any other security breach.<br><br>\n".
"We will give you an IP address each time you access the Hotspot, and it may change.\n".
"<br><b>You shall not</b> program any other IP or MAC address into your device that accesses the Hotspot. \n".
"You may not use the Service for any other reason, including reselling any aspect of the Service. \n".
"Other examples of improper activities include, without limitation:</p>\n";
echo "<ol>\n".
"<li>downloading or uploading such large volumes of data that the performance of the Service becomes \n".
"noticeably degraded for other users for a significant period;</li>\n".
"<li>attempting to break security, access, tamper with or use any unauthorized areas of the Service;</li>\n".
"<li>removing any copyright, trademark or other proprietary rights notices contained in or on the Service;</li>\n".
"<li>attempting to collect or maintain any information about other users of the Service \n".
"(including usernames and/or email addresses) or other third parties for unauthorized purposes; </li>\n".
"<li>logging onto the Service under false or fraudulent pretenses;</li>\n".
"<li>creating or transmitting unwanted electronic communications such as SPAM or chain letters to other users \n".
"or otherwise interfering with other user's enjoyment of the service;</li>\n".
"<li>transmitting any viruses, worms, defects, Trojan Horses or other items of a destructive nature; or </li>\n".
"<li>using the Service for any unlawful, harassing, abusive, criminal or fraudulent purpose. </li>\n".
"</ol>\n";
echo "<hr><b>Content Disclaimer</b>\n";
echo "<p>The Hotspot Owners do not control and are not responsible for data, content, services, or products \n".
"that are accessed or downloaded through the Service. \n".
"The Owners may, but are not obliged to, block data transmissions to protect the Owner and the Public. </p>\n".
"The Owners, their suppliers and their licensors expressly disclaim to the fullest extent permitted by law, \n".
"all express, implied, and statutary warranties, including, without limitation, the warranties of merchantability \n".
"or fitness for a particular purpose.\n".
"<br><br>The Owners, their suppliers and their licensors expressly disclaim to the fullest extent permitted by law \n".
"any liability for infringement of proprietory rights and/or infringement of Copyright by any user of the system. \n".
"Login details and device identities may be stored and be used as evidence in a Court of Law against such users.<br>\n";
echo "<hr><b>Limitation of Liability</b>\n".
"<p>Under no circumstances shall the Owners, their suppliers or their licensors be liable to any user or \n".
"any third party on account of that party's use or misuse of or reliance on the Service.</p>\n";
echo "<hr><b>Changes to Terms of Service and Termination</b>\n".
"<p>We may modify or terminate the Service and these Terms of Service and any accompanying policies, \n".
"for any reason, and without notice, including the right to terminate with or without notice, \n".
"without liability to you, any user or any third party. Please review these Terms of Service \n".
"from time to time so that you will be apprised of any changes.</p>\n";
echo "<p>We reserve the right to terminate your use of the Service, for any reason, and without notice. \n".
"Upon any such termination, any and all rights granted to you by this Hotspot Owner shall terminate.</p>\n";
echo"<hr><b>Indemnity</b>\n".
"<p><b>You agree</b> to hold harmless and indemnify the Owners of this Hotspot, \n".
"their suppliers and licensors from and against any third party claim arising from \n".
"or in any way related to your use of the Service, including any liability or expense arising from all claims, \n".
"losses, damages (actual and consequential), suits, judgments, litigation costs and legal fees, of every kind and nature.</p>\n";
echo "<hr>\n";
echo "<form>\n".
"<input type=\"button\" VALUE=\"Continue\" onClick=\"history.go(-1);return true;\">\n".
"</form>\n";
}
function insert_css() {
echo "
body {
background-color: lightgrey;
color: black;
margin-left: 5%;
margin-right: 5%;
text-align: left;
}
hr {
display:block;
margin-top:0.5em;
margin-bottom:0.5em;
margin-left:auto;
margin-right:auto;
border-style:inset;
border-width:5px;
}
.offset {
background: rgba(300, 300, 300, 0.6);
margin-left:auto;
margin-right:auto;
max-width:600px;
min-width:200px;
padding: 5px;
}
.insert {
background: rgba(350, 350, 350, 0.7);
border: 2px solid #aaa;
border-radius: 4px;
min-width:200px;
max-width:100%;
padding: 5px;
}
img {
width: 40%;
max-width: 180px;
margin-left: 0%;
margin-right: 5%;
}
input[type=text], input[type=email] {
color: black;
background: lightgrey;
}
input[type=submit], input[type=button] {
color: black;
background: lightblue;
}
med-blue {
font-size: 1.2em;
color: blue;
font-weight: bold;
font-style: normal;
}
big-red {
font-size: 1.5em;
color: red;
font-weight: bold;
}
italic-black {
font-size: 1.0em;
color: black;
font-weight: bold;
font-style: italic;
}
copy-right {
font-size: 0.7em;
color: darkgrey;
font-weight: bold;
font-style:italic;
}
";
}
?>
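Review bot: the `$invalid` flag set when `fas`/`iv` are absent only affects the initial form; a request carrying `fullname` and `email` without a valid `fas` blob (or with `status` set to anything other than `authenticated`) still reaches the `else` branch under `# Output the "Thankyou page"`, builds `$authaction` from undefined `$gatewayaddress`/`$authdir` and appends to the log. Gate that branch on a successful decrypt, for example `if ($invalid) { echo "...ERROR..."; footer(); exit(0); }` before the `fullname`/`email` handling, and check `openssl_decrypt()` for `false` instead of exploding its result. Related: `$key` is a 10-character default that `openssl_decrypt()` zero-pads to the 32 bytes AES-256 requires, and CBC provides no integrity, so a decrypted string that lacks any of the expected fields (`clientip`, `tok`, `gatewayaddress`, `authdir`) should be rejected rather than used. Output encoding: `$gatewayname`, `$string`, `$iv`, `$originurl`, `$fullname` and `$email` are echoed into HTML attributes and into the `onClick` handler straight from `$_GET`; wrap them in `htmlspecialchars()` before output (and `rawurlencode()` for `$originurl` inside the JavaScript). The log file name `$gwname."_log.php"` is derived from `$gatewayname`, which in the `status` branch comes from the request; restrict it to `[A-Za-z0-9_-]` or use a fixed name, and prefer a directory outside the web root over a `.php` file guarded only by a leading `exit(0)`. Finally, `$_SERVER["SCRIPT_URI"]` is set by Apache mod_rewrite and is not available on uhttpd, which the docs name as the target server; build `$redir` from `$protocol`, `$_SERVER['HTTP_HOST']` and `$_SERVER['SCRIPT_NAME']`, which the script already computes, and drop the unused `$home`.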

View File

@@ -1,101 +0,0 @@
body {
background-color:lightgrey;
color:black;
font-family: Arial, 'Arial Black', sans-serif;
}
input[type=text], input[type=email], input[type=password] {
margin-left: 0%; margin-right: 0%;
text-align:left;
display: left;
font-size: 1em;
line-height: 1em;
color: #333;
font-weight: bold;
height: 1.5em;
width: auto;
max-width: 100%;
border: 1px solid #bbb;
}
input[type=submit], input[type=button], input[type=file], button[type=link], select[type=list] {
-webkit-appearance: none;
-moz-appearance: none;
margin-left: 0%;
margin-right: 5%;
text-align:left;
display: left;
font-size: 1em;
line-height: 1em;
color: #333;
font-weight: bold;
height: 1.5em;
width: auto;
max-width: 95%;
background: #fdfdfd;
background: -moz-linear-gradient(top, #fdfdfd 0%, #bebebe 100%);
background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#fdfdfd), color-stop(100%,#bebebe));
background: -webkit-linear-gradient(top, #fdfdfd 0%,#bebebe 100%);
background: -o-linear-gradient(top, #fdfdfd 0%,#bebebe 100%);
background: -ms-linear-gradient(top, #fdfdfd 0%,#bebebe 100%);
background: linear-gradient(to bottom, #fdfdfd 0%,#bebebe 100%);
border: 1px solid #bbb;
border-radius: 10px;
-webkit-border-radius: 10px;
-moz-border-radius: 10px;
}
.box
{
border: 2px solid #aaa;
border-radius: 4px;
padding: 5px;
min-width:200px;
max-width:100%;
}
@media screen and (min-width: 500px) {
.box {max-width:50%;}
}
textarea
{
width: 97%;
margin-left:0%;
margin-right:0%;
}
img
{
width: 100%;
margin-left:0%;
margin-right:0%;
}
mark {
background-color:red;
color:white;
}
hr {
display:block;
margin-top:0.5em;
margin-bottom:0.5em;
margin-left:auto;
margin-right:auto;
border-style:inset;
border-width:5px;
}
.offset {
max-width:400px;
min-width:200px;
margin: auto;
}
@media screen and (min-width: 2500px) {
body {font-size: 2em;}
}

View File

@@ -1,171 +0,0 @@
<?php
// (c) Blue Wave Projects and Services 2015-2017." This software is released under the GNU GPL license.
date_default_timezone_set("UTC");
$users="users.dat";
$gatewayname=$tok=$tokchk=$redir=$orgurl=$authaction=$clientip=$clientmac=$username=$password="";
if (isset($_SERVER['HTTPS'])) {
$protocol="https://";
} else {
$protocol="http://";
}
$host=$_SERVER['HTTP_HOST'];
$home=str_replace("fas.php","",$_SERVER['SCRIPT_NAME']);
$redirscript=str_replace("fas.php","landing.php",$_SERVER['SCRIPT_NAME']);
$landing=$protocol.$host.$redirscript;
$validated="not tested";
$header="Forwarding Authentication Service for NoDogSplash - Simple Example";
if (isset($_GET['gatewayname'])) {
$gatewayname=$_GET['gatewayname'];
} else {
$gatewayname="NoDogSplash";
}
if (isset($_GET['tok'])) {$tok=$_GET['tok'];}
if (isset($_GET['tokchk'])) {$tokchk=$_GET['tokchk'];}
if (isset($_GET['redir'])) {$redir=$_GET['redir'];}
if (isset($_GET['orgurl'])) {$orgurl=$_GET['orgurl'];}
if (isset($_GET['authaction'])) {$authaction=$_GET['authaction'];}
if (isset($_GET['clientip'])) {$clientip=$_GET['clientip'];}
if (isset($_GET['clientmac'])) {$clientmac=$_GET['clientmac'];}
if (isset($_POST['username'])) {
$username=$_POST['username'];
$password=$_POST['password'];
$gatewayname=$_POST['gatewayname'];
$tok=$_POST['tok'];
$tokchk=$_POST['tokchk'];
$redir=$_POST['redir'];
$orgurl=$_POST['orgurl'];
$authaction=$_POST['authaction'];
$clientip=$_POST['clientip'];
$clientmac=$_POST['clientmac'];
}
// Add headers to stop browsers from cacheing
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-cache");
header("Pragma: no-cache");
//Output our responsive page
echo"<!DOCTYPE html>\n<html>\n<head>\n";
echo"<meta charset=\"utf-8\" />\n";
echo"<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n";
echo"<title>".$header.".</title>\n";
echo"<style>\n";
include("css.php");
echo"\n</style>\n</head>\n<body>\n";
//page header
echo "<div class=\"offset\">\n";
echo "<hr><b style=\"color:blue;\">".$gatewayname." </b><br><b>".$header."</b><br><hr>\n";
echo"<div class=\"box\" style=\"max-width:100%;\">\n";
//end of page header
#check for binauth nak
$split=explode("&orgurl=",$redir);
if (isset($split[1])) {
$split=explode("&clientip=",$split[1]);
$userurl=$split[0];
include "querycheck.php";
}
# check for invalid token return #
if (isset($_GET['tokchk'])) {
$userurl=$_GET['orgurl'];
include "querycheck.php";
}
if (isset($_POST['username'])) {
//Validate user supplied username and password
if ($username!="") {
//username is set to something
if (file_exists($users)) {
$handle=fopen($users,'r');
while(! feof($handle)) {
$line=fgets($handle);
if (feof($handle)) {break;}
list($user,$pass)=explode(", ",$line);
if ($username==trim($user) and $password==trim($pass)) {
$validated="yes";
break;
}
}
if($validated!="yes"){$validated="no";}
fclose($handle);
} else {
echo"<br><b>Missing User Database</b><br>";
}
} else {
$validated="no";
}
} else {
//Initial Form
echo"<b>Enter Username and Password</b>";
login($gatewayname, $tok, $tokchk, $redir, $orgurl,
$authaction, $clientip, $clientmac, $username, $password);
}
if ($validated=="yes") {
echo"<b style=\"color:red;\">Successful Login</b><hr>";
acceptance($landing, $gatewayname, $tok, $tokchk, $redir, $orgurl,
$authaction, $clientip, $clientmac, $username, $password);
}
if ($validated=="no") {
echo"<b style=\"color:red;\">Invalid login attempt</b>";
login($gatewayname, $tok, $tokchk, $redir, $orgurl,
$authaction, $clientip, $clientmac, $username, "");
}
echo"</div>\n";
echo "<div style=\"font-size:0.7em;\">\n";
echo "&copy; Blue Wave Projects and Services 2015-".date("Y")." This software is released under the GNU GPL license.\n";
echo"</div>\n";
echo"</div>\n";
echo"</body>\n</html>\n";
//Functions
function read_terms() {
//terms of service button
echo"\n<form>\n<input type=\"button\" VALUE=\"Read Terms of Service\" onClick=\"location.href='tos.php'\" >\n</form>\n";
}
function acceptance($landing, $gatewayname, $tok, $tokchk, $redir, $orgurl,
$authaction, $clientip, $clientmac, $username, $password) {
read_terms();
echo"\n<br>\n<form method='GET' action='" . $authaction . "'>\n";
echo"<input type='hidden' name='tok' value='" . $tok . "'>\n";
echo"<input type='hidden' name='redir' value='".$landing."?userurl=".$redir.
"&amp;tok=".$tok."&amp;orgurl=".$redir."&amp;clientip=".$clientip.
"&amp;clientmac=".$clientmac."&amp;username=".$username."&amp;gatewayname=".
$gatewayname."&amp;tokchk=true'>\n";
echo"<input type='submit' value='Accept Terms of Service'>\n</form>\n";
}
function login($gatewayname, $tok, $tokchk, $redir, $orgurl,
$authaction, $clientip, $clientmac, $username, $password) {
$me=$_SERVER['SCRIPT_NAME'];
if ($authaction=="" or $authaction=="\$authaction") {
echo"<br><b style=\"color:red;\">ERROR! Incomplete data passed from NDS</b>";
} else {
echo"<form action=\"".$me."\" method=\"post\" >\n";
echo"<input type=\"hidden\" name=\"gatewayname\" value=\"" . $gatewayname . "\">\n";
echo"<input type=\"hidden\" name=\"tok\" value=\"" . $tok . "\">\n";
echo"<input type=\"hidden\" name=\"tokchk\" value=\"" . $tokchk . "\">\n";
echo"<input type=\"hidden\" name=\"redir\" value=\"" . $redir . "\">\n";
echo"<input type=\"hidden\" name=\"orgurl\" value=\"" . $orgurl . "\">\n";
echo"<input type=\"hidden\" name=\"authaction\" value=\"" . $authaction . "\">\n";
echo"<input type=\"hidden\" name=\"clientip\" value=\"" . $clientip . "\">\n";
echo"<input type=\"hidden\" name=\"clientmac\" value=\"" . $clientmac . "\">\n";
echo"<hr>Username:<br>";
echo"<input type=\"text\" name=\"username\" value=\"" . htmlentities($username) . "\">\n<br>\n";
echo"Password:<br>";
echo"<input type=\"password\" name=\"password\" value=\"" . htmlentities($password) . "\">\n<br><br>\n";
echo"<input type=\"submit\" value=\"Log In\">\n</form>\n<hr>\n";
}
}
?>
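Review bot: dropping this script is fine, but the replacement should not inherit the two weak spots visible in this tail. login() and acceptance() write $gatewayname, $tok, $redir, $orgurl, $authaction, $clientip and $clientmac straight into value="..." attributes and into the redir URL with no escaping (only the username and password fields go through htmlentities()), so anything that reaches the query string is reflected into the page unescaped. The credential check also reads a plaintext users file and compares with `==`. The new fas-aes.php should escape every value it echoes and, if it keeps a user list at all, store password hashes rather than passwords.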

View File

@@ -1,59 +0,0 @@
<?php
// (c) Blue Wave Projects and Services 2015-2017." This software is released under the GNU GPL license.
date_default_timezone_set("UTC");
$gatewayname=$tok=$tokchk=$orgurl=$clientip=$clientmac=$username=$password="";
$header="Forwarding Authentication Landing Page";
if (isset($_GET['gatewayname'])) {
$gatewayname=$_GET['gatewayname'];
} else {
$gatewayname="NoDogSplash";
}
if (isset($_GET['tok'])) {$tok=$_GET['tok'];}
if (isset($_GET['tokchk'])) {$tokchk=$_GET['tokchk'];}
if (isset($_GET['orgurl'])) {$orgurl=$_GET['orgurl'];}
if (isset($_GET['clientip'])) {$clientip=$_GET['clientip'];}
if (isset($_GET['clientmac'])) {$clientmac=$_GET['clientmac'];}
if (isset($_GET['username'])) {$username=$_GET['username'];}
// Add headers to stop browsers from cacheing
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-cache");
header("Pragma: no-cache");
//Output our responsive page
echo"<!DOCTYPE html>\n<html>\n<head>\n";
echo"<meta charset=\"utf-8\" />\n";
echo"<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n";
echo"<title>".$header.".</title>\n";
echo"<style>\n";
include("css.php");
echo"\n</style>\n</head>\n<body>\n";
echo"<div class=\"offset\">\n";
echo"<hr><b style=\"color:blue;\">".$gatewayname." </b><br><b>".$header."</b><br><hr>\n";
echo"<div class=\"box\" style=\"max-width:100%;\">\n";
echo"<hr><b style=\"font-size:1.25em;color:red;\">Welcome \"".$username."\".<br> You are logged in.</b><br><hr>";
echo"<b style=\"font-size:1em;color:black;\">Thank you for accepting the Terms of Service.<br><br>".
"You can now use your browser and device APPs as you normally would.</b><hr>";
read_terms();
echo"<br><b>Click Continue to see the page you originally requested.</b>";
echo"<form><br>";
echo"<INPUT TYPE=\"button\" VALUE=\"Continue\" onClick=\"window.location.href='".$orgurl."'\">";
echo"</form>";
echo"<hr></div>\n";
echo"<div style=\"font-size:0.7em;\">\n";
echo"&copy; Blue Wave Projects and Services 2015-".date("Y")." This software is released under the GNU GPL license.";
echo"</div>\n";
echo"</body></html>";
function read_terms() {
echo("\n<form>\n<input type=\"button\" VALUE=\"Read Terms of Service\" onClick=\"location.href='tos.php'\" >\n</form>\n");
}
?>
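Review bot: the same reflection issue is in this deleted landing page and is worth checking for in the new script: $username is echoed into the heading and $orgurl into `onClick="window.location.href='...'"` without escaping, so a crafted orgurl parameter lands inside inline JavaScript. The page also announces "You are logged in" based only on the presence of tokchk in the query string, with no confirmation from NDS.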

View File

@@ -1,14 +0,0 @@
<?php
echo"<b style=\"color:red;\">Sorry! Something seems to have gone wrong!</b>";
echo"<br><b>Most likely BinAuth post authentication failed or your session has expired.<br>Please click the button to try again.</b>";
echo"<form>";
echo"<INPUT TYPE=\"button\" VALUE=\"Continue\" onClick=\"window.location.href='".$userurl."'\">";
echo"</form>";
echo"<div style=\"font-size:0.7em;\">\n";
echo"<hr>&copy; Blue Wave Projects and Services 2015-".date("Y").".</div>\n";
echo"</div>\n";
exit();
?>
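Review bot: $userurl, which the callers take straight from $_GET['orgurl'], is written unescaped into the Continue button's onClick handler here. If an equivalent error page survives in the new FAS script, run the URL through htmlspecialchars() and validate that it is an http(s) URL before embedding it in script context.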

View File

@@ -1,89 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Terms of Service</title>
<style>
<?php
include("css.php");
?>
p {text-align: left; margin-left: 0%; margin-right: 0%}
</style>
</head>
<body>
<?php
echo"<div class=\"offset\">";
echo"<hr><b>Terms of Service for use of this Hotspot.</b> <hr><b>Access is granted on a basis of trust that you will NOT misuse or abuse that access in any way.</b><hr><b>";
echo"<b>Please scroll down to read the Terms of Service in full or click the Continue button to return to the Acceptance Page</b>";
#echo"<hr>";
echo"<form>";
echo"<input type=\"button\" VALUE=\"Continue\" onClick=\"history.go(-1);return true;\">";
echo"</form>";
echo"<hr><b>Proper Use</b>";
echo"<p>This Hotspot provides a wireless network that allows you to connect to the Internet. <br>
<b>Use of this Internet connection is provided in return for your FULL acceptance of these Terms Of Service.</b></p>";
echo"<p><b>You agree</b> that you are responsible for providing security measures that are suited for your intended use of the Service. For example, you shall take full responsibility for taking adequate measures to safeguard your data from loss.</p>";
echo"<p>While the Hotspot uses commercially reasonable efforts to provide a secure service, the effectiveness of those efforts cannot be guaranteed.
</p>";
echo"<p> <b>You may</b> use the technology provided to you by this Hotspot for the sole purpose of using the Service as described here. You must immediately notify the Owner of any unauthorized use of the Service or any other security breach.<br><br>We will give you an IP address each time you access the Hotspot, and it may change.
<br><b>You shall not</b> program any other IP or MAC address into your device that accesses the Hotspot. You may not use the Service for any other reason, including reselling any aspect of the Service. Other examples of improper activities include, without limitation:</p>";
?>
<ol>
<li>downloading or uploading such large volumes of data that the performance of the Service becomes noticeably degraded for other users for a significant period;</li>
<li>attempting to break security, access, tamper with or use any unauthorized areas of the Service;</li>
<li>removing any copyright, trademark or other proprietary rights notices contained in or on the Service;</li>
<li>attempting to collect or maintain any information about other users of the Service (including usernames and/or email addresses) or other third parties for unauthorized purposes; </li>
<li>logging onto the Service under false or fraudulent pretenses;</li>
<li>creating or transmitting unwanted electronic communications such as SPAM or chain letters to other users or otherwise interfering with other user's enjoyment of the service;</li>
<li>transmitting any viruses, worms, defects, Trojan Horses or other items of a destructive nature; or </li>
<li>using the Service for any unlawful, harassing, abusive, criminal or fraudulent purpose. </li>
</ol>
<hr><b>Content Disclaimer</b>
<?php
echo"<p>The Hotspot Owners do not control and are not responsible for data, content, services, or products that are accessed or downloaded through the Service. The Owners may, but are not obliged to, block data transmissions to protect the Owner and the Public. </p>
The Owners, their suppliers and their licensors expressly disclaim to the fullest extent permitted by law, all express, implied, and statutary warranties, including, without limitation, the warranties of merchantability or fitness for a particular purpose.
<br><br>The Owners, their suppliers and their licensors expressly disclaim to the fullest extent permitted by law any liability for infringement of proprietory rights and/or infringement of Copyright by any user of the system. Login details and device identities may be stored and be used as evidence in a Court of Law against such users.<br>";
echo"<hr><b>Limitation of Liability</b>
<p>Under no circumstances shall the Owners, their suppliers or their licensors be liable to any user or any third party on account of that party's use or misuse of or reliance on the Service.
</p>";
echo"<hr><b>Changes to Terms of Service and Termination</b>\n<p>We may modify or terminate the Service and these Terms of Service and any accompanying policies, for any reason, and without notice, including the right to terminate with or without notice, without liability to you, any user or any third party. Please review these Terms of Service from time to time so that you will be apprised of any changes.</p>\n";
echo"<p>We reserve the right to terminate your use of the Service, for any reason, and without notice. Upon any such termination, any and all rights granted to you by this Hotspot Owner shall terminate.</p>\n";
echo"<hr><b>Indemnity</b>";
$indemnitystr="<p><b>You agree</b> to hold harmless and indemnify the Owners of this Hotspot, their suppliers and licensors from and against any third party claim arising from or in any way related to your use of the Service, including any liability or expense arising from all claims, losses, damages (actual and consequential), suits, judgments, litigation costs and legal fees, of every kind and nature.</p>\n";
echo $indemnitystr;
echo"<hr>";
echo"<form>";
echo"<INPUT TYPE=\"button\" VALUE=\"Continue\" onClick=\"history.go(-1);return true;\">";
echo"</form>\n<hr>\n";
echo"</div>\n";
echo"</body>\n</html>\n";
?>

View File

@@ -1,6 +0,0 @@
tom, letmein
dick, 123456
harry, abcdefg
gemima, puddleduck23
jennie, StarShipFreedom
judith, heyjude1968
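Review bot: good to see the plaintext demo credential file go. If the new FAS script ships any default account, make sure it is not a fixed username/password pair like these: an example copied verbatim onto a public host becomes a shared login for every hotspot that uses it.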

View File

@@ -11,7 +11,9 @@ When ready to do a release, do the following:
9. Push to origin
10. Github - Create Pull Request and Merge to master
11. Github proceed to "Draft New Release"
12. Github tag release as eg. v3.3.0 (remembering the leading "v"") (or use git tag -a v3.3.0 -m "nodogsplash release 3.3.0 " and git push --tags.)
12. Github tag release as eg. v3.3.0 (remembering the leading "v"")
(or use git tag -a v3.3.0 -m "nodogsplash release 3.3.0 " and git push --tags.)
13. In your local repository, make a new branch called "stable"
14. Push branch "stable" to origin, overwriting the existing "stable". Branch stable is the source for the readthedocs stable documentation at https://nodogsplashdocs.readthedocs.io/en/stable/
14. Push branch "stable" to origin, overwriting the existing "stable".
Note:Branch stable is the source for the readthedocs stable documentation at https://nodogsplashdocs.readthedocs.io/en/stable/
15. In Master, set version to -beta eg 3.1.1-beta in conf.h, conf.py, openwrt/Makefile
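Review bot: the stray double quote in `(remembering the leading "v"")` is carried over into the reworded step 12; it should read `(remembering the leading "v")`. Since step 15 already lists conf.h, conf.py and openwrt/Makefile as the places the version lives, it would be worth adding a pre-tag check in step 12 that all three agree, which is exactly the mismatch this PR corrects (3.3.3-beta in conf.h and the Makefile versus the 4.0.0 release).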

View File

@@ -7,8 +7,8 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=nodogsplash
PKG_FIXUP:=autoreconf
PKG_VERSION:=3.3.3
PKG_RELEASE:=1-beta
PKG_VERSION:=4.0.0
PKG_RELEASE:=1
PKG_SOURCE_URL:=https://codeload.github.com/nodogsplash/nodogsplash/tar.gz/v$(PKG_VERSION)?
PKG_SOURCE:=nodogsplash-$(PKG_VERSION).tar.gz
@@ -60,6 +60,7 @@ define Package/nodogsplash/install
$(CP) $(PKG_BUILD_DIR)/openwrt/nodogsplash/files/etc/uci-defaults/40_nodogsplash $(1)/etc/uci-defaults/
$(CP) $(PKG_BUILD_DIR)/openwrt/nodogsplash/files/usr/lib/nodogsplash/restart.sh $(1)/usr/lib/nodogsplash/
$(CP) $(PKG_BUILD_DIR)/forward_authentication_service/PreAuth/demo-preauth.sh $(1)/usr/lib/nodogsplash/login.sh
$(CP) $(PKG_BUILD_DIR)/forward_authentication_service/fas-aes/fas-aes.php $(1)/etc/nodogsplash/
endef
define Package/nodogsplash/postrm
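Review bot: fas-aes.php is installed into /etc/nodogsplash/ next to the config, and a FAS script for fas_secure_enabled 2 has to hold the pre-shared faskey to decrypt the query string. Please check that the file is either listed under Package/nodogsplash/conffiles, so an opkg upgrade does not overwrite a copy the operator has put a key into, or installed as a read-only example elsewhere, and that it is not world-readable once a key is in it. The changelog says php-cli and php-openssl are deliberately not dependencies; a line in the package description pointing to that would save bug reports from people who set level 2 without them.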

View File

@@ -82,6 +82,15 @@ config nodogsplash
# Typical Locally Hosted example (ie fasremoteip not set):
#option fasport '2080'
# Option: fasremotefqdn
# Default: Not set
# If set, this is the remote fully qualified domain name (FQDN) of the FAS.
# The protocol must NOT be prepended to the FQDN (ie http:// or https://)
# To prevent CPD or browser security errors NDS prepends http:// before redirection.
# If set, DNS MUST resolve fasremotefqdn to be the same ip address as fasremoteip.
# Typical Remote Shared Hosting Example:
#option fasremotefqdn 'onboard-wifi.net'
# Option: fasremoteip
# Default: GatewayAddress (the IP of NDS)
# If set, this is the remote ip address of the FAS.
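Review bot: the comment says DNS MUST resolve fasremotefqdn to the same address as fasremoteip, but nothing in this PR checks it (the fasremoteip validation in config_read is removed further down rather than extended), so a mismatch is only discovered when a client is redirected to a host the pre-authentication firewall rules never allowed. Either resolve the name at start-up and compare it with fasremoteip, or say here that NDS trusts the operator. Two more points for this comment block: a shared-hosting FQDN behind round-robin DNS or a CDN cannot meet the single-address requirement at all, and because NDS always prepends http:// the query string, including the token and authaction at levels 0 and 1, travels to the remote host in clear text.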
@@ -94,30 +103,60 @@ config nodogsplash
# This is the path from the FAS Web Root to the FAS login page
# (not the file system root).
#
# Typical Remote Shared Hosting Example:
# Typical Remote Shared Hosting Example (if fasremotefqdn is not specified):
#option faspath '/onboard-wifi.net/nodog/fas.php'
#
# Typical Locally Hosted example (ie fasremoteip not set):
# Typical Remote Shared Hosting Example (ie BOTH fasremoteip AND fasremotefqdn set):
#option faspath '/nodog/fas.php'
#
# Typical Locally Hosted Example (ie fasremoteip not set):
#option faspath '/nodog/fas.php'
# Option: faskey
# Default: not set
# A key phrase for NDS to encrypt the query string sent to FAS
# Can be any combination of A-Z, a-z and 0-9, up to 16 characters with no white space
#option faskey '1234567890'
# Option: fas_secure_enabled
# Default: 1
# If set to "1", authaction and the client token are not revealed and it is the responsibility
# of the FAS to request the token from NDSCTL.
# If set to "0", the client token is sent to the FAS in clear text in the query string of the
#
# ****If set to "0"****
# the client token is sent to the FAS in clear text in the query string of the
# redirect along with authaction and redir.
#
# ****If set to "1"****
# authaction and the client token are not revealed and it is the responsibility
# of the FAS to request the token from NDSCTL.
#
# *****If set to 2****
# clientip, clientmac, gatewayname, client token, gatewayaddress, authdir and originurl
# are encrypted using faskey and passed to FAS in the query string.
#
# The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption.
#
# The "php-cli" package and the "php-openssl" module must both be installed for fas_secure level 2.
#
# Nodogsplash does not depend on this package and module, but will exit gracefully
# if this package and module are not installed when this level is set.
#
# The FAS must use the query string passed initialisation vector and the pre shared fas_key to decrypt the query string.
# An example FAS php script is supplied in the source code.
#
#option fas_secure_enabled '0'
# Enable PreAuth Support.
# PreAuth support allows FAS to call a local program or script with html served by NDS
#
# A simple login script is provided in the package.
# A functional preauth script is installed by default providing
# username/emailaddress login as an alternative to the basic splash page.
# This generates a login page asking for usename and email address.
# User logins are recorded in the log file /tmp/ndslog.log
# Details of how the script works are contained in comments in the script itself.
#
# PreAuth support allows FAS to call a local program or script with html served by NDS
# If set, a program/script is called by the NDS FAS handler when:
# 1. fasremopteip is not set,
# If set, a program/script is called by the NDS FAS handler
# when all three of the following conditions are met:
# 1. fasremoteip is NOT set,
# 2. fasport is set to the gateway port
# 3. faspath is set to /nodogsplash_preauth/
#
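Review bot: faskey is documented as "up to 16 characters" from A-Z, a-z and 0-9, which caps it at roughly 95 bits, and the sample value '1234567890' is exactly the kind of key that gets copied verbatim; say that it must be randomly generated and that the identical value has to be configured in the FAS script. The level 2 description also leaves out what a reader needs to judge it: which AES mode and key derivation are used, and whether the ciphertext is authenticated. Without an authentication tag the FAS cannot detect a modified query string, so if the scheme is confidentiality only the comment should say so. Smaller points: "fas_secure level 2" and "pre shared fas_key" do not match the option names (fas_secure_enabled, faskey), the default is stated as 1 while the example line is `#option fas_secure_enabled '0'`, and "usename" is a typo.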
@@ -134,7 +173,6 @@ config nodogsplash
# It must also obtain the client token using ndsctl (or the original query string if fas_secure_enabled=0)
# for NDS authentication when calling /nodogsplash_auth/
#
# Enable username/emailaddress login.
# Note: fasport must be set to the same value as gatewayport (default = 2050)
# Enable by uncommenting the following three lines
@@ -157,12 +195,22 @@ config nodogsplash
# Or for happy customers allow all
list authenticated_users 'allow all'
# For preauthenticated users to resolve IP addresses in their
# initial request not using the router itself as a DNS server,
# Leave commented to help prevent DNS tunnelling
# For preauthenticated users:
#
# *****IMPORTANT*****
# To help prevent DNS tunnelling and DNS Hijacking DO NOT uncomment the following two lines:
#list preauthenticated_users 'allow tcp port 53'
#list preauthenticated_users 'allow udp port 53'
# Allow preauthenticated users to access an external IP address
# This is commonly referred to as a Walled Garden.
# Only IPv4 addresses can be used (not domain names)
#list preauthenticated_users 'allow tcp port 80 to 112.122.123.124'
#list preauthenticated_users 'allow udp port 8020 to 112.122.123.124'
#
# Alternatively, a preconfigured ipset can be used:
#list preauthenticated_users 'allow tcp port [port number] ipset [ipset rule name]'
# Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS
list users_to_router 'allow tcp port 22'
list users_to_router 'allow tcp port 23'
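Review bot: the DNS warning is right, but the walled-garden examples use 112.122.123.124, which is a real routable address; use an RFC 5737 documentation address such as 192.0.2.10 so a config copied from the example cannot accidentally open a path to an unrelated host. It would also help to state here whether pre-authenticated clients can reach a remote FAS (fasremoteip / fasremotefqdn) automatically or whether the operator has to add it to this list; neither this block nor the fasremotefqdn comment says.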
@@ -170,6 +218,7 @@ config nodogsplash
list users_to_router 'allow udp port 53'
list users_to_router 'allow udp port 67'
list users_to_router 'allow tcp port 80'
list users_to_router 'allow tcp port 443'
# MAC addresses that are / are not allowed to access the splash page
# Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
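Review bot: adding 443 makes the header comment (SSH/Telnet/DNS/DHCP/HTTP/HTTPS) accurate, but the unchanged lines above it still open SSH and Telnet on the router to every client behind the gateway interface, before authentication. A default captive-portal config would be safer with ports 22 and 23 commented out and a note that they are there for administration from the LAN.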

View File

@@ -139,7 +139,7 @@ generate_uci_config() {
addline "GatewayInterface $ifname"
for option in preauth binauth fasport fasremoteip faspath fas_secure_enabled \
for option in preauth binauth fasport faskey fasremotefqdn fasremoteip faspath fas_secure_enabled \
daemon debuglevel maxclients gatewayname gatewayinterface gatewayiprange \
gatewayaddress gatewayport webroot splashpage statuspage \
redirecturl sessiontimeout preauthidletimeout authidletimeout checkinterval \
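Review bot: faskey is now copied by generate_uci_config() into the generated nodogsplash config with the other options, so that file carries the shared secret in clear; please check the mode of the generated file (it should not be world-readable) and that the value is passed through unsplit, since the doc forbids whitespace in the key but nothing here enforces it.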

View File

@@ -2,7 +2,7 @@
# Nodogsplash Configuration File
#
# Parameter: GatewayInterface
# Option: GatewayInterface
# Default: NONE
#
# GatewayInterface is not autodetected, has no default, and must be set here.
@@ -12,7 +12,7 @@
#
GatewayInterface br-lan
# Parameter: WebRoot
# Option: WebRoot
# Default: /etc/nodogsplash/htdocs
#
# The local path where the splash page content resides.
@@ -159,7 +159,7 @@ FirewallRuleSet users-to-router {
# EmptyRuleSetPolicy trusted-users-to-router allow
# Parameter: GatewayName
# Option: GatewayName
# Default: NoDogSplash
#
# Set GatewayName to the name of your gateway. This value
@@ -169,7 +169,7 @@ FirewallRuleSet users-to-router {
#
# GatewayName NoDogSplash
# Parameter: GatewayAddress
# Option: GatewayAddress
# Default: Discovered from GatewayInterface
#
# This should be autodetected on an OpenWRT system, but if not:
@@ -179,21 +179,21 @@ FirewallRuleSet users-to-router {
#
# GatewayAddress 192.168.1.1
# Parameter: StatusPage
# Option: StatusPage
# Default: status.html
#
# The page the client is show if the client is already authenticated but navigates to the captive portal.
#
# StatusPage status.html
# Parameter: SplashPage
# Option: SplashPage
# Default: splash.html
#
# The page the client is redirected to if not authenticated or whitelisted.
#
# SplashPage splash.html
# Parameter: RedirectURL
# Option: RedirectURL
# Default: none
#
# After authentication, normally a user is redirected
@@ -202,7 +202,7 @@ FirewallRuleSet users-to-router {
#
# RedirectURL http://www.ilesansfil.org/
# Parameter: GatewayPort
# Option: GatewayPort
# Default: 2050
#
# Nodogsplash's own http server uses GatewayAddress as its IP address.
@@ -210,7 +210,7 @@ FirewallRuleSet users-to-router {
#
# GatewayPort 2050
# Parameter: MaxClients
# Option: MaxClients
# Default: 20
#
# Set MaxClients to the maximum number of users allowed to
@@ -219,21 +219,21 @@ FirewallRuleSet users-to-router {
#
MaxClients 250
# Parameter: SessionTimeout
# Option: SessionTimeout
# Default: 0
#
# Set the default session length in minutes. A value of 0 is for
# sessions without an end.
#
# Parameter: PreAuthIdleTimeout
# Option: PreAuthIdleTimeout
# Default: 10
#
# Set PreAuthIdleTimeout to the desired number of minutes before
# an pre-authenticated user is automatically removed from the client list.
#
# Parameter: AuthIdleTimeout
# Option: AuthIdleTimeout
# Default: 120
#
# Set AuthIdleTimeout to the desired number of minutes before
@@ -241,13 +241,13 @@ FirewallRuleSet users-to-router {
# and removed from the client list.
#
# Parameter: CheckInterval
# Option: CheckInterval
# Default: 30
#
# Interval in seconds (!) the timeouts of all clients are checked.
#
# Parameter: MACMechanism
# Option: MACMechanism
# Default: block
#
# Either block or allow.
@@ -258,7 +258,7 @@ FirewallRuleSet users-to-router {
#
# MACMechanism block
# Parameter: BlockedMACList
# Option: BlockedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will be completely blocked
@@ -267,7 +267,7 @@ FirewallRuleSet users-to-router {
#
# BlockedMACList 00:00:DE:AD:BE:EF,00:00:C0:1D:F0:0D
# Parameter: AllowedMACList
# Option: AllowedMACList
# Default: none
#
# Comma-separated list of MAC addresses who will not be completely
@@ -276,7 +276,7 @@ FirewallRuleSet users-to-router {
#
# AllowedMACList 00:00:12:34:56:78
# Parameter: TrustedMACList
# Option: TrustedMACList
# Default: none
#
# Comma-separated list of MAC addresses who are not subject to
@@ -285,14 +285,14 @@ FirewallRuleSet users-to-router {
#
# TrustedMACList 00:00:CA:FE:BA:BE, 00:00:C0:01:D0:0D
# Parameter: TrafficControl
# Option: TrafficControl
# Default: no
#
# Set to yes (or true or 1), to enable traffic control in Nodogsplash.
#
# TrafficControl no
# Parameter: DownloadLimit
# Option: DownloadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum download
@@ -304,7 +304,7 @@ FirewallRuleSet users-to-router {
#
# DownloadLimit 384
# Parameter: UploadLimit
# Option: UploadLimit
# Default: 0
#
# If TrafficControl is enabled, this sets the maximum upload
@@ -316,7 +316,7 @@ FirewallRuleSet users-to-router {
#
# UploadLimit 64
# Parameter: GatewayIPRange
# Option: GatewayIPRange
# Default: 0.0.0.0/0
#
# By setting this parameter, you can specify a range of IP addresses
@@ -327,14 +327,14 @@ FirewallRuleSet users-to-router {
#
# GatewayIPRange 0.0.0.0/0
# Parameter: DebugLevel
# Option: DebugLevel
# Default: 5
#
# Set the debug level. Use 9 for maximum verbosity.
#
# DebugLevel 5
# Parameter: fasport
# Option: fasport
# Default: None
#
# Enable Forwarding Authentication Service (FAS)
@@ -348,8 +348,16 @@ FirewallRuleSet users-to-router {
# Typical Locally Hosted Example:
# fasport 2080
# Option: fasremotefqdn
# Default: Not set
# If set, this is the remote fully qualified domain name (FQDN) of the FAS.
# The protocol must NOT be prepended to the FQDN (ie http:// or https://)
# To prevent CPD or browser security errors NDS prepends http:// before redirection.
# If set, DNS MUST resolve fasremotefqdn to be the same ip address as fasremoteip.
# Typical Remote Shared Hosting Example:
# fasremotefqdn onboard-wifi.net
# Parameter: fasremoteip
# Option: fasremoteip
# Default: GatewayAddress (the IP of NDS)
#
# If set, this is the remote ip address of the FAS.
@@ -357,7 +365,7 @@ FirewallRuleSet users-to-router {
# Typical Locally Hosted example (ie fasremoteip not set):
# fasremoteip 46.32.240.41
# Parameter: faspath
# Option: faspath
# Default: /
#
# This is the path from the FAS Web Root to the FAS login page
@@ -369,32 +377,61 @@ FirewallRuleSet users-to-router {
# Typical Locally Hosted example (ie fasremoteip not set):
# faspath /nodog/fas.php
# Parameter: fas_secure_enabled
# Option: faskey
# Default: not set
# A key phrase for NDS to encrypt the query string sent to FAS
# Can be any combination of A-Z, a-z and 0-9, up to 16 characters with no white space
#option faskey 1234567890
# Option: fas_secure_enabled
# Default: 1
#
# If set to "1", authaction and the client token are not revealed and it is the responsibility
# of the FAS to request the token from NDSCTL.
# If set to "0", the client token is sent to the FAS in clear text in the query string of the
# ****If set to "0"****
# the client token is sent to the FAS in clear text in the query string of the
# redirect along with authaction and redir.
#
# fas_secure_enabled 0
# ****If set to "1"****
# authaction and the client token are not revealed and it is the responsibility
# of the FAS to request the token from NDSCTL.
#
# *****If set to 2****
# clientip, clientmac, gatewayname, client token, gatewayaddress, authdir and originurl
# are encrypted using faskey and passed to FAS in the query string.
#
# The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption.
#
# The "php-cli" package and the "php-openssl" module must both be installed for fas_secure level 2.
#
# Nodogsplash does not depend on this package and module, but will exit gracefully
# if this package and module are not installed when this level is set.
#
# The FAS must use the query string passed initialisation vector and the pre shared fas_key to decrypt the query string.
# An example FAS php script is supplied in the source code.
#
#fas_secure_enabled 0
# Option: PreAuth
#
# Enable PreAuth Support.
# A simple login script is provided in the package.
# PreAuth support allows FAS to call a local program or script with html served by NDS
#
# A functional preauth script is installed by default providing
# username/emailaddress login as an alternative to the basic splash page.
# This generates a login page asking for usename and email address.
# User logins are recorded in the log file /tmp/ndslog.log
# Details of how the script works are contained in comments in the script itself.
#
# PreAuth support allows FAS to call a local program or script with html served by NDS
# If set, a program/script is called by the NDS FAS handler when:
# 1. fasremopteip is not set,
# If set, a program/script is called by the NDS FAS handler
# when all three of the following conditions are met:
# 1. fasremoteip is NOT set,
# 2. fasport is set to the gateway port
# 3. faspath is set to /nodogsplash_preauth/
#
# Initially FAS appends its query string to faspath.
#
# The Preauth program will output html code that will be served to the client by NDS
# Using html GET the Preauth program may call:
# Using html GET, the Preauth program may call:
# /nodogsplash_preauth/ to ask the client for more information
# or
# /nodogsplash_auth/ to authenticate the client
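Review bot: `#option faskey 1234567890` is UCI syntax; in nodogsplash.conf the example should read `# faskey 1234567890` to match the other examples in this file (`# fasport 2050`, `# fasremotefqdn onboard-wifi.net`). The remarks on the UCI file apply here as well: the default is stated as 1 but the example is `#fas_secure_enabled 0`, "fas_secure level 2" and "fas_key" do not match the option names, the AES mode and whether the ciphertext is authenticated are not stated, and "usename" is a typo.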
@@ -404,21 +441,19 @@ FirewallRuleSet users-to-router {
# It must also obtain the client token using ndsctl (or the original query string if fas_secure_enabled=0)
# for NDS authentication when calling /nodogsplash_auth/
#
# Enable username/emailaddress login.
#
# Note: fasport must be set to the same value as GateWayport (default = 2050)
# Note: fasport must be set to the same value as gatewayport (default = 2050)
# Enable by uncommenting the following two lines
# fasport '2050'
# faspath '/nodogsplash_preauth/'
# fasport 2050
# faspath /nodogsplash_preauth/
#
# and this one for OpenWrt
# preauth '/usr/lib/nodogsplash/login.sh'
# PLUS this line for OpenWrt:
# preauth /usr/lib/nodogsplash/login.sh
#
# or this one for Debian and other Linux distributions
# preauth '/etc/nodogsplash/login.sh'
# OR this line for Debian and other Linux distributions:
# preauth /etc/nodogsplash/login.sh
# Parameter: BinAuth
# Option: BinAuth
#
# Enable BinAuth Support.
# If set, a program is called with several parameters on authentication (request) and deauthentication.
@@ -453,12 +488,12 @@ FirewallRuleSet users-to-router {
# This mask can conflict with the requirements of other packages such as mwan3, sqm etc
# Any values set here are interpreted as in hex format.
#
# Parameter: fw_mark_authenticated
# Option: fw_mark_authenticated
# Default: 30000 (0011|0000|0000|0000|0000 binary)
#
# Parameter: fw_mark_trusted
# Option: fw_mark_trusted
# Default: 20000 (0010|0000|0000|0000|0000 binary)
#
# Parameter: fw_mark_blocked
# Option: fw_mark_blocked
# Default: 10000 (0001|0000|0000|0000|0000 binary)
#

View File

@@ -30,7 +30,7 @@
#define MAX_BUF 4096
/* Max length of a query string in bytes */
#define QUERYMAXLEN 2048
#define QUERYMAXLEN 4096
/* Separator for Preauth query string */
#define QUERYSEPARATOR ", "
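Review bot: QUERYMAXLEN is now equal to MAX_BUF (4096). Anywhere a query string of up to QUERYMAXLEN bytes is formatted into a MAX_BUF-sized buffer together with a scheme, host, port and path can no longer be guaranteed to fit, so please grep for MAX_BUF buffers that receive a query string and confirm the snprintf results are length-checked. The two QUERYMAXLEN arrays in encode_and_redirect_to_splashpage() also put 8 KiB on the stack per request, which matters on the small routers this runs on.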

View File

@@ -76,8 +76,12 @@ typedef enum {
oGatewayAddress,
oGatewayPort,
oFasPort,
oFasKey,
oFasPath,
oFasRemoteIP,
oFasRemoteFQDN,
oFasURL,
oFasSSL,
oFasSecureEnabled,
oHTTPDMaxConn,
oWebRoot,
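Review bot: oFasURL and oFasSSL are added to the enum and, in the next hunk, "fasurl" and "fasssl" to the keyword table, but neither appears in nodogsplash.conf, the UCI config, the init script option list or the changelog. If fas_url is meant to be computed from fasremotefqdn/fasremoteip/fasport/faspath rather than set by the operator, it should not be a parseable option, because an operator-supplied fasurl would bypass whatever validation those components get. If fasssl is a real option, document it; if it is a placeholder, leave it out of a release.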
@@ -128,7 +132,11 @@ static const struct {
{ "gatewayaddress", oGatewayAddress },
{ "gatewayport", oGatewayPort },
{ "fasport", oFasPort },
{ "faskey", oFasKey },
{ "fasremoteip", oFasRemoteIP },
{ "fasremotefqdn", oFasRemoteFQDN },
{ "fasurl", oFasURL },
{ "fasssl", oFasSSL },
{ "fas_secure_enabled", oFasSecureEnabled },
{ "faspath", oFasPath },
{ "webroot", oWebRoot },
@@ -201,8 +209,12 @@ config_init(void)
config.gw_ip = NULL;
config.gw_port = DEFAULT_GATEWAYPORT;
config.fas_port = DEFAULT_FASPORT;
config.fas_key = NULL;
config.fas_secure_enabled = DEFAULT_FAS_SECURE_ENABLED;
config.fas_remoteip = NULL;
config.fas_remotefqdn = NULL;
config.fas_url = NULL;
config.fas_ssl = NULL;
config.fas_path = DEFAULT_FASPATH;
config.webroot = safe_strdup(DEFAULT_WEBROOT);
config.splashpage = safe_strdup(DEFAULT_SPLASHPAGE);
@@ -775,9 +787,15 @@ config_read(const char *filename)
case oFasPath:
config.fas_path = safe_strdup(p1);
break;
case oFasKey:
config.fas_key = safe_strdup(p1);
break;
case oFasRemoteIP:
config.fas_remoteip = safe_strdup(p1);
break;
case oFasRemoteFQDN:
config.fas_remotefqdn = safe_strdup(p1);
break;
case oBinAuth:
config.binauth = safe_strdup(p1);
if (!((stat(p1, &sb) == 0) && S_ISREG(sb.st_mode) && (sb.st_mode & S_IXUSR))) {
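Review bot: oFasKey and oFasRemoteFQDN are stored with safe_strdup(p1) and nothing checks them, although the config comments promise a key of at most 16 characters from [A-Za-z0-9] with no whitespace. Validate the length and character set here, reject an empty key when fas_secure_enabled is 2, and validate fasremotefqdn as a hostname, since it ends up in the URL every client is redirected to.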
@@ -952,22 +970,6 @@ config_read(const char *filename)
fclose(fd);
if (config.fas_remoteip) {
if (is_addr(config.fas_remoteip) == 1) {
debug(LOG_INFO, "fasremoteip - %s - is a valid IPv4 address...", config.fas_remoteip);
} else {
debug(LOG_ERR, "fasremoteip - %s - is NOT a valid IPv4 address format...", config.fas_remoteip);
debug(LOG_ERR, "Exiting...");
exit(1);
}
} else {
if (config.fas_port == 80) {
debug(LOG_ERR, "Invalid fasport - port 80 is reserved and cannot be used for local FAS...");
debug(LOG_ERR, "Exiting...");
exit(1);
}
}
debug(LOG_INFO, "Done reading configuration file '%s'", filename);
}
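Review bot: this hunk removes the two start-up checks added in 3.3.2: that fasremoteip, when set, is a valid IPv4 address, and that fasport 80 is rejected when fasremoteip is unset, which was the fix for the "Too Many Redirects" loop. If they moved into the code that now builds config->fas_url, the PR description should point to it; if not, both regressions return in 4.0.0, and fasremotefqdn would need the equivalent check as well.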

View File

@@ -29,7 +29,7 @@
#ifndef _CONF_H_
#define _CONF_H_
#define VERSION "3.3.3-beta"
#define VERSION "4.0.0"
/*@{*/
/** Defines */
@@ -155,7 +155,11 @@ typedef struct {
unsigned int fas_port; /**< @brief Port the fas server will run on */
int fas_secure_enabled; /**< @brief Enable Secure FAS */
char *fas_path; /**< @brief Path to forward authentication page of FAS */
char *fas_key; /**< @brief AES key for FAS */
char *fas_remoteip; /**< @brief IP addess of a remote FAS */
char *fas_remotefqdn; /**< @brief FQDN of a remote FAS */
char *fas_url; /**< @brief URL of a remote FAS */
char *fas_ssl; /**< @brief SSL provider for FAS */
char *webroot; /**< @brief Directory containing splash pages, etc. */
char *splashpage; /**< @brief Name of main splash page */
char *statuspage; /**< @brief Name of info status page */

View File

@@ -499,7 +499,7 @@ static int authenticated(struct MHD_Connection *connection,
MHD_get_connection_values(connection, MHD_HEADER_KIND, get_host_value_callback, &host);
/* check if this is an late request meaning the user tries to get the internet, but ended up here,
/* check if this is a late request, meaning the user tries to get the internet, but ended up here,
* because the iptables rule came too late */
if (is_foreign_hosts(connection, host)) {
/* might happen if the firewall rule isn't yet installed */
@@ -514,14 +514,16 @@ static int authenticated(struct MHD_Connection *connection,
if (check_authdir_match(url, config->authdir)) {
if (config->fas_port && !config->preauth) {
safe_asprintf(&fasurl, "http://%s:%u%s?clientip=%s&gatewayname=%s&status=authenticated",
config->fas_remoteip, config->fas_port, config->fas_path, client->ip, config->gw_name);
safe_asprintf(&fasurl, "%s?clientip=%s&gatewayname=%s&status=authenticated",
config->fas_url, client->ip, config->gw_name);
debug(LOG_DEBUG, "fasurl %s", fasurl);
ret = send_redirect_temp(connection, fasurl);
free(fasurl);
return ret;
} else if (config->fas_port && config->preauth) {
safe_asprintf(&fasurl, "?clientip=%s%sgatewayname=%s%sstatus=authenticated",
client->ip, QUERYSEPARATOR, config->gw_name, QUERYSEPARATOR);
debug(LOG_DEBUG, "fasurl %s", fasurl);
ret = show_preauthpage(connection, fasurl);
free(fasurl);
return ret;
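Review bot: client->ip and config->gw_name are interpolated into fasurl without URL encoding; gw_name is operator-supplied free text and a space or '&' in it splits the query string on the FAS side. Run it through uh_urlencode() (already used in this file) when building fasurl. The switch to config->fas_url relies on main_loop() having populated it whenever fas_port is set; that holds in this patch, but an explicit NULL check on fas_url here would make the dependency visible.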
@@ -534,6 +536,7 @@ static int authenticated(struct MHD_Connection *connection,
if (config->fas_port) {
safe_asprintf(&fasurl, "?clientip=%s&gatewayname=%s&status=authenticated",
client->ip, config->gw_name);
debug(LOG_DEBUG, "fasurl %s", fasurl);
ret = show_preauthpage(connection, fasurl);
free(fasurl);
return ret;
@@ -693,35 +696,60 @@ static int preauthenticated(struct MHD_Connection *connection,
*/
static int encode_and_redirect_to_splashpage(struct MHD_Connection *connection, const char *originurl, const char *querystr)
{
char msg[QUERYMAXLEN] = {0};
char *splashpageurl = NULL;
char encoded[QUERYMAXLEN] = {0};
char *phpcmd = NULL;
s_config *config;
int ret;
config = config_get_config();
if (originurl) {
if (uh_urlencode(encoded, sizeof(encoded), originurl, strlen(originurl)) == -1) {
debug(LOG_WARNING, "could not encode url");
} else {
debug(LOG_DEBUG, "originurl: %s", originurl);
}
}
if (config->fas_port) {
// Generate secure query string or authaction url
// Note: config->fas_path contains a leading / as it is the path from the FAS web root.
if (config->fas_secure_enabled) {
safe_asprintf(&splashpageurl, "http://%s:%u%s%s&redir=%s",
config->fas_remoteip, config->fas_port, config->fas_path, querystr, encoded);
} else {
if (config->fas_secure_enabled == 0) {
safe_asprintf(&splashpageurl, "http://%s:%u%s?authaction=http://%s/%s/%s&redir=%s",
config->fas_remoteip, config->fas_port, config->fas_path,
config->gw_address, config->authdir, querystr, encoded);
config->gw_address, config->authdir, querystr, originurl);
} else if (config->fas_secure_enabled == 1) {
safe_asprintf(&splashpageurl, "%s%s&redir=%s",
config->fas_url, querystr, originurl);
} else if (config->fas_secure_enabled == 2) {
safe_asprintf(&phpcmd,
"echo '<?php \n"
"$key=\"%s\";\n"
"$string=\"%s\";\n"
"$cipher=\"aes-256-cbc\";\n"
"if (in_array($cipher, openssl_get_cipher_methods())) {\n"
"$secret_iv = base64_encode(openssl_random_pseudo_bytes(\"8\"));\n"
"$iv = substr(openssl_digest($secret_iv, \"sha256\"), 0, 16 );\n"
"$string = base64_encode( openssl_encrypt( $string, $cipher, $key, 0, $iv ) );\n"
"echo \"?fas=\".$string.\"&iv=\".$iv;\n"
"}\n"
" ?>' "
" | %s\n",
config->fas_key, querystr, config->fas_ssl);
debug(LOG_DEBUG, "phpcmd: %s", phpcmd);
if (execute_ret_url_encoded(msg, sizeof(msg) - 1, phpcmd) == 0) {
safe_asprintf(&splashpageurl, "%s%s",
config->fas_url, msg);
debug(LOG_DEBUG, "Encrypted query string=%s\n", msg);
} else {
safe_asprintf(&splashpageurl, "%s?redir=%s",
config->fas_url, originurl);
debug(LOG_ERR, "Error encrypting query string. %s", msg);
}
free(phpcmd);
} else {
safe_asprintf(&splashpageurl, "%s%s&redir=%s",
config->fas_url, querystr, originurl);
}
} else {
safe_asprintf(&splashpageurl, "http://%s/%s?redir=%s",
config->gw_address, config->splashpage, encoded);
config->gw_address, config->splashpage, originurl);
}
debug(LOG_DEBUG, "splashpageurl: %s", splashpageurl);
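Review bot: two issues in the fas_secure_enabled == 2 branch. First, config->fas_key is embedded in the shell command line (and the LOG_DEBUG "phpcmd" line prints the whole command again), so the AES key is visible on the command line of the shell that runs it and lands in the debug log; hand the key to the PHP process through the environment or stdin and drop it from the log message. Second, aes-256-cbc provides confidentiality only: nothing authenticates the fas= value, so the FAS cannot distinguish a modified query string from a genuine one; append an HMAC over iv and ciphertext, or use an AEAD mode such as aes-256-gcm. Smaller points: the IV is 16 hex characters derived from only 8 random bytes (openssl_random_pseudo_bytes("8") should also take an int, not a string); on encryption failure the client is still redirected to the FAS with only redir=, which the FAS cannot authenticate, so failing closed is preferable; and the `encoded` buffer filled at the top of the function is no longer referenced by any branch now that callers pass an already encoded originurl, so that block and the buffer can go.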
@@ -741,7 +769,8 @@ static int encode_and_redirect_to_splashpage(struct MHD_Connection *connection,
*/
static int redirect_to_splashpage(struct MHD_Connection *connection, t_client *client, const char *host, const char *url)
{
char *originurl = NULL;
char *originurl_raw = NULL;
char originurl[QUERYMAXLEN] = {0};
char query_str[QUERYMAXLEN] = {0};
char *query = query_str;
int ret = 0;
@@ -757,16 +786,35 @@ static int redirect_to_splashpage(struct MHD_Connection *connection, t_client *c
}
debug(LOG_DEBUG, "Query string is [ %s ]", query);
safe_asprintf(&originurl_raw, "http://%s%s%s", host, url, query);
if (config->fas_secure_enabled != 1) {
if (uh_urlencode(originurl, sizeof(originurl), originurl_raw, strlen(originurl_raw)) == -1) {
debug(LOG_WARNING, "could not encode url");
} else {
debug(LOG_DEBUG, "originurl: %s", originurl);
}
if (config->fas_secure_enabled == 0) {
safe_asprintf(&querystr, "?clientip=%s&gatewayname=%s&tok=%s", client->ip, config->gw_name, client->token);
} else if (config->fas_secure_enabled == 1) {
safe_asprintf(&querystr, "?clientip=%s&gatewayname=%s", client->ip, config->gw_name);
} else if (config->fas_secure_enabled == 2) {
safe_asprintf(&querystr,
"clientip=%s%sclientmac=%s%sgatewayname=%s%stok=%s%sgatewayaddress=%s%sauthdir=%s%soriginurl=%s",
client->ip, QUERYSEPARATOR,
client->mac, QUERYSEPARATOR,
config->gw_name, QUERYSEPARATOR,
client->token, QUERYSEPARATOR,
config->gw_address, QUERYSEPARATOR,
config->authdir, QUERYSEPARATOR,
originurl);
} else {
safe_asprintf(&querystr, "?clientip=%s&gatewayname=%s", client->ip, config->gw_name);
}
safe_asprintf(&originurl, "http://%s%s%s", host, url, query);
ret = encode_and_redirect_to_splashpage(connection, originurl, querystr);
free(originurl);
free(originurl_raw);
free(querystr);
return ret;
}
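Review bot: the guard `if (config->fas_secure_enabled != 1)` leaves originurl as the zeroed buffer at level 1, yet encode_and_redirect_to_splashpage() still appends "&redir=%s" with originurl in its level 1 branch, so the FAS receives an empty redir parameter where the previous code passed the encoded original URL. If dropping redir at level 1 is intended, remove it from that format string; otherwise encode unconditionally. Separately, the uh_urlencode() failure branch only logs a warning and carries on with a possibly partial originurl; since originurl is built from the client's Host header and request path, aborting the redirect on encode failure is the safer choice.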


@@ -221,6 +221,11 @@ main_loop(void)
int result = 0;
pthread_t tid;
s_config *config;
char msg[255] = {0};
int rc;
char *fasurl = NULL;
char *fasssl = NULL;
char *phpcmd = NULL;
config = config_get_config();
@@ -274,17 +279,82 @@ main_loop(void)
httpdAddC404Content(webserver, http_nodogsplash_callback_404);
*/
if (config->fas_remoteip) {
if (is_addr(config->fas_remoteip) == 1) {
debug(LOG_INFO, "fasremoteip - %s - is a valid IPv4 address...", config->fas_remoteip);
} else {
debug(LOG_ERR, "fasremoteip - %s - is NOT a valid IPv4 address format...", config->fas_remoteip);
debug(LOG_ERR, "Exiting...");
exit(1);
}
} else {
if (config->fas_port == 80) {
debug(LOG_ERR, "Invalid fasport - port 80 is reserved and cannot be used for local FAS...");
debug(LOG_ERR, "Exiting...");
exit(1);
}
}
if (config->fas_key) {
/* PHP cli command can be php or php-cli depending on Linux version. */
if (execute_ret(msg, sizeof(msg) - 1, "php -v") == 0) {
safe_asprintf(&fasssl, "php");
debug(LOG_NOTICE, "SSL Provider is active");
debug(LOG_DEBUG, "SSL Provider: %s FAS key is: %s\n", &msg, config->fas_key);
} else if (execute_ret(msg, sizeof(msg) - 1, "php-cli -v") == 0) {
safe_asprintf(&fasssl, "php-cli");
debug(LOG_NOTICE, "SSL Provider is active");
debug(LOG_DEBUG, "SSL Provider: %s FAS key is: %s\n", &msg, config->fas_key);
} else {
debug(LOG_ERR, "PHP packages PHP CLI and PHP OpenSSL are required");
debug(LOG_ERR, "Exiting...");
exit(1);
}
config->fas_ssl = safe_strdup(fasssl);
free(fasssl);
safe_asprintf(&phpcmd,
"echo '<?php "
"if (!extension_loaded (openssl)) {exit(1);"
"} ?>' | %s", config->fas_ssl);
if (execute_ret(msg, sizeof(msg) - 1, phpcmd) == 0) {
debug(LOG_NOTICE, "OpenSSL module is loaded\n");
} else {
debug(LOG_ERR, "OpenSSL PHP module is not loaded");
debug(LOG_ERR, "Exiting...");
exit(1);
}
free(phpcmd);
}
/* Make sure fas_remoteip is set. Note: This does not enable FAS. */
if (!config->fas_remoteip) {
config->fas_remoteip = safe_strdup(config->gw_ip);
}
if (config->fas_port) {
debug(LOG_NOTICE, "Forwarding Authentication is Enabled.\n");
debug(LOG_NOTICE, "FAS URL is http://%s:%u%s\n", config->fas_remoteip, config->fas_port, config->fas_path);
if (config->fas_remotefqdn) {
debug(LOG_NOTICE, "FAS FQDN is: %s\n", config->fas_remotefqdn);
}
if (config->fas_secure_enabled != 1 && config->fas_port) {
if (config->fas_port) {
debug(LOG_NOTICE, "Forwarding Authentication is Enabled.\n");
if (config->fas_remotefqdn) {
safe_asprintf(&fasurl, "http://%s:%u%s",
config->fas_remotefqdn, config->fas_port, config->fas_path);
config->fas_url = safe_strdup(fasurl);
} else {
safe_asprintf(&fasurl, "http://%s:%u%s",
config->fas_remoteip, config->fas_port, config->fas_path);
config->fas_url = safe_strdup(fasurl);
}
debug(LOG_NOTICE, "FAS URL is %s\n", config->fas_url);
free(fasurl);
}
if (config->fas_secure_enabled == 0 && config->fas_port) {
debug(LOG_NOTICE, "Warning - Forwarding Authentication - Security is DISABLED.\n");
}
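Review bot: both `debug(LOG_DEBUG, "SSL Provider: %s FAS key is: %s\n", &msg, config->fas_key)` lines write the shared AES key to the log and pass `&msg` (type char (*)[255]) where %s expects a char *; remove the key from the message and pass `msg`. The OpenSSL probe `extension_loaded (openssl)` uses an unquoted bareword: PHP 7 treats the undefined constant as the string "openssl" with a notice, but PHP 8 raises an Error, so on PHP 8 the probe exits non-zero and NDS terminates even when the extension is present. Quote the name (`extension_loaded(\"openssl\")` in the C string). Also, the "Forwarding Authentication is Enabled." notice is now emitted twice when fas_port is set; one of the two blocks should lose it.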


@@ -147,7 +147,7 @@ int execute(const char fmt[], ...)
int execute_ret(char* msg, int msg_len, const char fmt[], ...)
{
char cmd[512];
char cmd[QUERYMAXLEN];
va_list vlist;
int rc;
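Review bot: growing cmd to QUERYMAXLEN keeps it in step with the query buffers, but the vsnprintf() that fills cmd (outside this hunk) should still compare its return value against sizeof(cmd) and refuse to run a truncated command; a command cut mid-string is worse than a formatting error.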
@@ -163,6 +163,15 @@ int execute_ret(char* msg, int msg_len, const char fmt[], ...)
return _execute_ret(msg, msg_len, cmd);
}
// Warning: Any client originated portion of the cmd string must be url encoded before calling this function.
// It may not be desired to url encode the entire cmd string,
// so it is our responsibility to encode the relevant parts (eg the clients original request url) before calling.
int execute_ret_url_encoded(char* msg, int msg_len, const char *cmd)
{
return _execute_ret(msg, msg_len, cmd);
}
char *
get_iface_ip(const char ifname[], int ip6)
{
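Review bot: execute_ret_url_encoded() passes cmd to the shell unchanged and relies entirely on the caller to have encoded every client-originated part, as the comment above it states twice. Since its one caller in this patch, the level 2 branch of encode_and_redirect_to_splashpage(), builds the command from config->fas_key and querystr, consider removing the shell from the path altogether: fork/exec the PHP binary with the script on stdin and the key in the environment, which eliminates the quoting dependency instead of documenting it. At minimum collapse the comment into one sentence and name which fields the caller must encode.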
@@ -418,10 +427,9 @@ ndsctl_status(FILE *fp)
}
if (config->fas_port) {
fprintf(fp, "FAS: Secure=%u URL: http://%s:%u%s\n",
fprintf(fp, "FAS: Secure Level %u, URL: %s\n",
config->fas_secure_enabled,
config->fas_remoteip,
config->fas_port, config->fas_path);
config->fas_url);
} else {
fprintf(fp, "FAS: Disabled\n");
}


@@ -32,7 +32,7 @@
/* @brief Execute a shell command */
int execute(const char fmt[], ...);
int execute_ret(char* msg, int msg_len, const char fmt[], ...);
int execute_ret_url_encoded(char* msg, int msg_len, const char *cmd);
/* @brief Get IP address of an interface */
char *get_iface_ip(const char ifname[], int ip6);