This enhancement allows custom parameters to be defined in the config file.
This enhancement is added primarily to support remote configuration operations
using tools such as opensync, but can also be of general use.
Custom Parameters are options defined in the configuration file
and have fixed values once set.
Note: Custom Variables are very different and are defined in the FAS,
with values determined by the FAS/Client dialogue script.
Signed-off-by: Rob White <rob@blue-wave.net>
Use login.sh with config select of "continue" or username/email login.
Allow re-enabling with allow_legacy_splash config option.
Signed-off-by: Rob White <rob@blue-wave.net>
As (most) client CPD processes close immediately on authentication,
RedirectURL no longer works.
Similar but reliable functionality can be achieved by using FAS,
displaying the required URL BEFORE authenticating.
Signed-off-by: Rob White <rob@blue-wave.net>
Changelog updates for 6.0.0
Set MHD version check to >= 0.9.71
Clean up Preauth "Already authenticated" page
Update config files for v6.0.0
Add description for binauth output and input arguments
Tidy function do_binauth
Add preauth multifield login script with css update
Clarify custom string options
Hidden or client entered custom string
Signed-off-by: Rob White <rob@blue-wave.net>
Previously a remote FAS could not use https protocol without generating
browser security errors or warnings so NDS enforced use of http.
A new FAS level, fas_secure_enabled = 3 is introduced here.
Level 3 is the same as level 2 except the use of https protocol is
enforced for FAS. In addition, the "authmon" daemon is loaded.
This daemon allows the external FAS, after client verification is complete,
to effectively traverse inbound firewalls and address translation to
achieve NDS authentication without generating browser security warnings
or errors.
A fully functional https fas script is provided (fas-aes-https.php).
Signed-off-by: Rob White <rob@blue-wave.net>
See issue #516
"#" is used as a comment indicator in nodogsplash.conf
This fix allows the character to be present as part of an option value.
If the character occurs at the beginning of the line,
the line will be considered as a comment.
"'" (single quote/asterisk) is used as a uci delimiter.
If this character is required in gatewayname then use the
htmlentity ' instead.
The default config files have been updated to reflect this.
The demo preauth scripts have been modified to ensure
gatewayname is properly escaped.
Signed-off-by: Rob White <rob@blue-wave.net>
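The comment rule described in the commit above (a "#" only marks a comment when it is the first non-blank character; anywhere else it is part of the option value) is easy to get wrong, so here is an added example of a line classifier that applies it. This is illustrative code written for this page, not nodogsplash's own config parser; the "Option value" line layout, the enum and the function names are assumptions, and the sample lines are constructed.

```c
/* Added example, not nodogsplash's own parser. Classifies one line of a
 * nodogsplash.conf-style file: '#' is a comment marker only when it is the
 * first non-blank character; a '#' inside an option value is kept. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum line_kind { LINE_BLANK, LINE_COMMENT, LINE_OPTION };

/* Parse one config line. On LINE_OPTION the option name and its
 * whitespace-trimmed value are copied into the caller's buffers
 * (assumed "Option value" layout). */
enum line_kind parse_config_line(const char *line, char *key, size_t keylen,
                                 char *value, size_t vallen)
{
    const char *p = line;
    size_t n = 0, end;

    while (*p && isspace((unsigned char)*p))
        p++;
    if (*p == '\0')
        return LINE_BLANK;
    if (*p == '#')              /* '#' at the start of the line: comment */
        return LINE_COMMENT;

    /* the option name runs up to the first whitespace */
    while (*p && !isspace((unsigned char)*p) && n + 1 < keylen)
        key[n++] = *p++;
    key[n] = '\0';

    while (*p && isspace((unsigned char)*p))
        p++;

    /* the value is the rest of the line, '#' included, minus trailing space */
    end = strlen(p);
    while (end > 0 && isspace((unsigned char)p[end - 1]))
        end--;
    if (end >= vallen)
        end = vallen - 1;
    memcpy(value, p, end);
    value[end] = '\0';
    return LINE_OPTION;
}

int main(void)
{
    /* constructed sample lines */
    const char *lines[] = {
        "# GatewayName is shown on the splash page",
        "GatewayName Cafe #1 Free WiFi",
        "   ",
    };
    char key[64], value[256];
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        enum line_kind k = parse_config_line(lines[i], key, sizeof key,
                                             value, sizeof value);
        if (k == LINE_OPTION)
            printf("option %s = \"%s\"\n", key, value);
        else
            printf("%s\n", k == LINE_COMMENT ? "comment" : "blank");
    }
    return 0;
}
```

The value buffer is sized by the caller and the copy is bounded, so an over-long line is truncated rather than overrun; a real parser would also reject option names it does not know.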
See issue #515
MHD_get_version is used to determine the installed (runtime) version of
libmicrohttpd (MHD).
If the version is earlier than 0.9.69, then by default, NDS will terminate.
However, if option use_outdated_mhd is set to 1, NDS starts normally
but logs an error.
Signed-off-by: Rob White <rob@blue-wave.net>
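The runtime version policy stated in the commit above (terminate below the minimum libmicrohttpd version unless use_outdated_mhd is 1, in which case start and log an error) can be expressed as a small decision function. The following is an added example, not nodogsplash's own code: the enum, function names and the minimum-version parameter are assumptions, and the version strings are constructed. In the daemon the runtime string would come from libmicrohttpd's MHD_get_version(); here it is passed in so the block runs without the library, and the minimum is a parameter because the page mentions both 0.9.69 and a later 0.9.71 threshold.

```c
/* Added example, not nodogsplash's own code: decide how to proceed given
 * the runtime libmicrohttpd version and the use_outdated_mhd option. */
#include <stdio.h>
#include <string.h>

enum mhd_policy { MHD_OK, MHD_START_WITH_ERROR, MHD_TERMINATE };

/* Parse "major.minor.patch"; a missing patch component reads as 0.
 * Returns 1 on success, 0 when the string is not a version at all. */
int parse_mhd_version(const char *s, int *maj, int *mnr, int *pat)
{
    *maj = *mnr = *pat = 0;
    if (s == NULL)
        return 0;
    return sscanf(s, "%d.%d.%d", maj, mnr, pat) >= 2;
}

/* Lexicographic compare of two parsed versions, strcmp-style result. */
int compare_version(int a_maj, int a_mnr, int a_pat,
                    int b_maj, int b_mnr, int b_pat)
{
    if (a_maj != b_maj) return a_maj < b_maj ? -1 : 1;
    if (a_mnr != b_mnr) return a_mnr < b_mnr ? -1 : 1;
    if (a_pat != b_pat) return a_pat < b_pat ? -1 : 1;
    return 0;
}

/* runtime: version string reported by MHD; minimum: required version;
 * use_outdated_mhd: the config option (1 = start anyway, logging an error). */
enum mhd_policy mhd_version_policy(const char *runtime, const char *minimum,
                                   int use_outdated_mhd)
{
    int r_maj, r_mnr, r_pat, m_maj, m_mnr, m_pat;

    /* an unparseable runtime or minimum version is treated as unsupported */
    if (!parse_mhd_version(runtime, &r_maj, &r_mnr, &r_pat) ||
        !parse_mhd_version(minimum, &m_maj, &m_mnr, &m_pat))
        return MHD_TERMINATE;

    if (compare_version(r_maj, r_mnr, r_pat, m_maj, m_mnr, m_pat) >= 0)
        return MHD_OK;

    return use_outdated_mhd == 1 ? MHD_START_WITH_ERROR : MHD_TERMINATE;
}

int main(void)
{
    /* constructed runtime version; a real daemon would call MHD_get_version() */
    const char *runtime = "0.9.68";
    enum mhd_policy p = mhd_version_policy(runtime, "0.9.69", 1);

    if (p == MHD_TERMINATE)
        printf("MHD %s is too old, terminating\n", runtime);
    else if (p == MHD_START_WITH_ERROR)
        printf("ERROR: MHD %s is outdated, starting anyway (use_outdated_mhd=1)\n", runtime);
    else
        printf("MHD %s is supported\n", runtime);
    return 0;
}
```

Comparing the parsed components rather than the raw strings matters: a plain strcmp would rank "0.10.0" below "0.9.69".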
Disabled is 0 (default)
Enabled is 1
This allows custom unescape in MHD.
MHD needs to unescape characters sent in query strings by browsers.
When this option is disabled, MHD uses its builtin unescape.
When enabled, MHD uses /usr/lib/nodogsplash/unescape.sh
The unescape.sh library is safe as all incoming queries are escaped
by the client browser and the argument containing the string to be unescaped
is quoted by NDS.
Signed-off-by: Rob White <rob@blue-wave.net>
This is a fix to allow "+" and "&" characters in user data passed to MHD in get requests.
Reported in issue #476, this affected PreAuth and Binauth.
"+" and "&" characters can now be used in form data, eg passwords etc.
Signed-off-by: Rob White <rob@blue-wave.net>
When option fas_secure_enabled '2' is set, get the client interface connections.
The client interface connections string is of the form:
[localif] [remotemeshnodemac] [localmeshif]
This is added to the query string as "clientif".
[remotemeshnodemac] and [localmeshif] will be null if the client is connected
to a local interface or 802.11s mesh networking is not active.
This can be used to change the response of the FAS captive portal login page,
depending on the interface the client is connected to.
Connections to local wireless interfaces and
remote 802.11s mesh node connections are detected.
Signed-off-by: Rob White <rob@blue-wave.net>
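A FAS that wants to vary its login page on the "clientif" value has to split the "[localif] [remotemeshnodemac] [localmeshif]" string and detect the null fields the commit above mentions. Here is an added example of such a parser, written for this page and not taken from nodogsplash or any FAS script; it assumes the fields are space-separated and that a null field is simply absent from the string, and the interface names and MAC address in the sample input are constructed.

```c
/* Added example, not nodogsplash's own code: split the "clientif" query
 * value into its three fields and flag whether the client arrived through
 * a remote 802.11s mesh node. Assumes space-separated fields with null
 * trailing fields omitted. */
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX 32

struct clientif {
    char localif[IFNAME_MAX];          /* interface the client is on */
    char remotemeshnodemac[IFNAME_MAX];/* remote mesh node MAC, or "" */
    char localmeshif[IFNAME_MAX];      /* local mesh interface, or "" */
    int via_mesh;                      /* 1 when a remote mesh node is present */
};

/* Returns the number of fields found (1..3), or 0 if localif is missing. */
int parse_clientif(const char *s, struct clientif *out)
{
    int n;

    memset(out, 0, sizeof *out);
    if (s == NULL)
        return 0;

    /* widths are IFNAME_MAX - 1 so the copies stay NUL-terminated */
    n = sscanf(s, "%31s %31s %31s", out->localif,
               out->remotemeshnodemac, out->localmeshif);
    if (n < 1)
        return 0;

    out->via_mesh = (n >= 2 && out->remotemeshnodemac[0] != '\0');
    return n;
}

/* Pick which login page variant to serve (hypothetical FAS policy). */
const char *login_variant(const struct clientif *c)
{
    return c->via_mesh ? "mesh-node-login" : "local-login";
}

int main(void)
{
    /* constructed clientif values: one local client, one via a mesh node */
    const char *samples[] = {
        "wlan0",
        "wlan0 02:00:00:aa:bb:cc mesh0",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct clientif c;
        if (parse_clientif(samples[i], &c))
            printf("%s -> localif=%s mesh=%d variant=%s\n", samples[i],
                   c.localif, c.via_mesh, login_variant(&c));
        else
            printf("%s -> unparseable\n", samples[i]);
    }
    return 0;
}
```

Because the value arrives in a query string, the FAS should treat every field as untrusted text: bound the copies as done here, and never echo a field into HTML without escaping it.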
* Symptom was spontaneous restart of NDS often with no errors.
* Caused by coding error introduced by previous changes.
* Added improved checking and debuglevel logging when calling MHD.
* Added debuglevel logging for case of firewall restart.
* Return error 403 (forbidden) rather than 503 (internal server error) when client attempts to use a forbidden http method.
* Return error 403 (forbidden) rather than 503 (internal server error) when client attempts to use an invalid ip or mac address.
* Revert QUERYMAXLEN to 4096 bytes to prevent query string truncation when a client session deauthenticates whilst the client is using some types of vpn software.
Signed-off-by: Rob White <rob@blue-wave.net>