See issue #515
MHD_get_version is used to determine the installed (runtime) version of
libmicrohttpd (MHD).
If the version is earlier than 0.9.69, then by default, NDS will terminate.
However, if option use_outdated_mhd is set to 1, NDS starts normally
but logs an error.
Signed-off-by: Rob White <rob@blue-wave.net>
See issue #503
If ndsctl is called within a Binauth script it deadlocks as NDS is in
the middle of its client authentication logic when BinAuth is called.
It should not be necessary to run ndsctl from Binauth anyway as it does not
provide any useful post-authentication functionality.
This commit prevents ndsctl from being run using a modified version of
the existing ndsctl.lock logic.
Signed-off-by: Rob White <rob@blue-wave.net>
Disabled is 0 (default)
Enabled is 1
This allows custom unescape in MHD.
MHD needs to unescape characters sent in query strings by browsers.
When this option is disabled, MHD uses its builtin unescape.
When enabled, MHD uses /usr/lib/nodogsplash/unescape.sh
The unescape.sh library is safe as all incoming queries are escaped
by the client browser and the argument containing string to be unescaped
is quoted by NDS.
Signed-off-by: Rob White <rob@blue-wave.net>
Note on characters in gatewayname:
# ' and " are invalid in both uci config and nodogsplash.conf so cannot be used.
Signed-off-by: Rob White <rob@blue-wave.net>
This caused a subtle memory corruption resulting in MHD failing to start,
starting NDS from the command line to fail unless argument -d2 was used
and probably other strange anomalies. But only on some targets, e.g. RPi/Raspbian,
and probably not seen on OpenWrt.
Fix was found by @skra72, many thanks.
Signed-off-by: Rob White <rob@blue-wave.net>
This is a fix to allow "+" and "&" characters in user data passed to MHD in get requests.
Reported in issue #476, this affected PreAuth and Binauth.
"+" and "&" characters can now be used in form data, e.g. passwords etc.
Signed-off-by: Rob White <rob@blue-wave.net>
When option fas_secure_enabled '2' is set, get the client interface connections.
The client interface connections string is of the form:
[localif] [remotemeshnodemac] [localmeshif]
This is added to the query string as "clientif".
[remotemeshnodemac] and [localmeshif] will be null if the client is connected
to a local interface or 802.11s mesh networking is not active.
This can be used to change the response of the FAS captive portal login page,
depending on the interface the client is connected to.
Connections to local wireless interfaces and
remote 802.11s mesh node connections are detected.
Signed-off-by: Rob White <rob@blue-wave.net>
* Symptom was spontaneous restart of NDS often with no errors.
* Caused by coding error introduced by previous changes.
* Added improved checking and debuglevel logging when calling MHD.
* Added debuglevel logging for case of firewall restart.
* Return error 403(forbidden) rather than 503(internal server error) when client attempts to use a forbidden http method.
* Return error 403(forbidden) rather than 503(internal server error) when client attempts to use an invalid ip or mac address.
* Revert QUERYMAXLEN to 4096 bytes to prevent query string truncation when a client session deauthenticates whilst client is using some types of vpn software.
Signed-off-by: Rob White <rob@blue-wave.net>
iptables uses a lock file (xtables.lock). iptables holds this lock as long as the
executable is running, which means as long as we haven't read all the input.
When iterating over the input lines nodogsplash might run into a deadlock if
another thread of nodogsplash executes iptables.
This release fixes a Debian package build error.
This did not affect the OpenWrt package.
There are no other changes from v4.3.1
Signed-off-by: Rob White <rob@blue-wave.net>
This version provides the fix to an issue in Makefile, introduced in the previous version, that prevents the Debian package from being created.
This does not affect the OpenWrt package.
There are no other changes from v4.3.0
Signed-off-by: Rob White <rob@blue-wave.net>
Allows simple switch between templated splash page and preauth login script.
Disabled:
option login_option_enabled '0'
use config options for FAS if set, or Templated Splash
Enabled:
option login_option_enabled '1'
use preauth login script providing username/email login with access log
Signed-off-by: Rob White <rob@blue-wave.net>
Save a little memory, useful for legacy devices with low ram.
Default the example script log file to /tmp if on NDS router,
or script file location if elsewhere.
Signed-off-by: Rob White <rob@blue-wave.net>
Enhances security and mitigates issues accessing ndsctl remotely to obtain the client token.
In addition, no additional packages are required allowing legacy low flash/ram devices to be used.
For option fas_secure_enabled '1', NDS adds the hash of the client token (hid) to the query string.
FAS concatenates hid and the fas key and hashes the result.
This new hash is added to the query string returned to NDS instead of the client token.
NDS then compares this hash with one it calculates itself from the client token and the pre-shared key.
For option fas_secure_enabled '2', the FAS can return either the client token in clear text
or can return the concatenated hash as for fas_secure_enabled '1', NDS will detect which is used.
Signed-off-by: Rob White <rob@blue-wave.net>
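The hashed-token exchange described in the commit message above, written out as an added example (this is not nodogsplash's own code). It assumes SHA-256 as the hash function and a constant-time comparison on the NDS side; both are choices made here, not stated by the commit. The example covers both levels: for fas_secure_enabled '1' NDS only accepts the concatenated hash, for '2' it accepts either the clear-text token or that hash, as the message says.

```python
import hashlib
import hmac


def hash_hex(data: str) -> str:
    # Hash function assumed for this example (SHA-256, hex encoded).
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def nds_query_hid(token: str) -> str:
    # NDS side: the query string sent to FAS carries hid = hash(token),
    # so the client token itself never leaves NDS.
    return hash_hex(token)


def fas_response(hid: str, faskey: str) -> str:
    # FAS side: concatenate hid and the pre-shared fas key, hash the result,
    # and return that hash to NDS in place of the client token.
    return hash_hex(hid + faskey)


def nds_verify(returned: str, token: str, faskey: str, fas_secure_enabled: int) -> bool:
    # NDS side: recompute the expected hash from its own copy of the token
    # and the pre-shared key, then compare in constant time.
    expected = hash_hex(hash_hex(token) + faskey)
    if fas_secure_enabled == 1:
        return hmac.compare_digest(returned, expected)
    if fas_secure_enabled == 2:
        # Level 2: FAS may send the token in clear text or the hash;
        # NDS detects which by checking both.
        return hmac.compare_digest(returned, expected) or hmac.compare_digest(returned, token)
    raise ValueError("example only handles fas_secure_enabled 1 and 2")


def demo() -> dict:
    # Constructed sample values, not real tokens or keys.
    token = "constructed-client-token"
    faskey = "constructed-fas-key"
    hid = nds_query_hid(token)
    good = fas_response(hid, faskey)
    bad = fas_response(hid, "wrong-key")
    return {
        "level1_hash_ok": nds_verify(good, token, faskey, 1),
        "level1_wrong_key": nds_verify(bad, token, faskey, 1),
        "level1_clear_token": nds_verify(token, token, faskey, 1),
        "level2_hash_ok": nds_verify(good, token, faskey, 2),
        "level2_clear_token": nds_verify(token, token, faskey, 2),
        "level2_wrong_key": nds_verify(bad, token, faskey, 2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A FAS that uses the wrong pre-shared key, or that returns the clear-text token when level '1' is configured, fails verification; a reachable ndsctl is no longer needed on the FAS host because the token itself is never transmitted at level '1'.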
NDS uptime may be from seconds to years (!!) too large if NTP client is
enabled when the system starts and there is no hardware RTC.
NDS started_time is deliberately left untouched, uptime discrepancy is
logged when debuglevel is >1 but uptime is correctly calculated.
Signed-off-by: Rob White <rob@blue-wave.net>
This enhancement allows custom variables generated by FAS
to be sent to Binauth.
FAS can embed custom variables into redir, allowing
local post authentication processing to take place.
Two example scripts are provided.
The first provides sitewide username/password login for two user groups,
Staff and Guest in the example.
Staff has unlimited access, Guest is limited to 10 minutes per session.
The second provides local logging of NDS logins, even with a remote FAS.
The documentation is fully updated.
Signed-off-by: Rob White <rob@blue-wave.net>
redirectURL is now redundant as most CPD implementations immediately close the "splash" page
as soon as NDS authenticates, thus redirectURL will not be shown.
This functionality, i.e. displaying a particular web page as a final "Landing Page",
can be achieved reliably using FAS, with NDS calling the previous "redirectURL" as the FAS page.
Signed-off-by: Rob White <rob@blue-wave.net>