890
edits
Difference between revisions of "Mesh/Firmware/Splash page"
Mesh/Firmware/Splash page (view source)
Revision as of 14:37, 13 August 2013
, 14:37, 13 August 2013→Solutions
(→iOS) |
|||
| Line 74: | Line 74: | ||
The filtering should happen at the exit nodes (the servers from which traffic flows between the mesh and the internet). This means that we are not limited by the processing power of the routers. | The filtering should happen at the exit nodes (the servers from which traffic flows between the mesh and the internet). This means that we are not limited by the processing power of the routers. | ||
== Current in-progress solution == | |||
The exit nodes run a dnsmasq caching dns server. They have an entry for www.apple.com in their /etc/hosts file: | |||
<pre> | |||
184.85.61.15 www.apple.com | |||
</pre> | |||
This is to ensure that the IP for www.apple.com is always the same for all the entire network and is always known. This is not a good solution. Instead, the configuration that relies on the IP should be updated every time the IP for www.apple.com changes. | |||
An iptables rule redirects all port 80 traffic for the www.apple.com IP to a different port: | |||
<pre> | |||
iptables -t nat -A PREROUTING -i bat0 -p tcp -d 184.85.61.15 --dport 80 -j REDIRECT --to-port 3128 | |||
</pre> | |||
The squid proxy is run on port 3128 and set to run a program called rewrite.pl that sends alternate responses to specific GET requests. | |||
Squid 3.1 configuration: | |||
<pre> | |||
acl mesh src 10.0.0.0/8 | |||
acl manager proto cache_object | |||
acl localhost src 127.0.0.1/32 ::1 | |||
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 | |||
acl Safe_ports port 80 | |||
acl CONNECT method CONNECT | |||
# Only allow cachemgr access from localhost | |||
http_access allow manager localhost | |||
http_access deny manager | |||
http_access deny !Safe_ports | |||
http_access allow localhost | |||
http_access allow mesh | |||
http_access deny all | |||
http_port 3128 transparent | |||
coredump_dir /var/spool/squid3 | |||
# program to run to re-write urls of incoming requests | |||
url_rewrite_program /etc/squid3/rewrite.pl | |||
# The number of redirector processes to spawn | |||
url_rewrite_children 10 | |||
# Bypass rewrite if all rewrite processes are busy | |||
url_rewrite_bypass on | |||
# This is almost certainly not needed | |||
refresh_pattern ^ftp: 1440 20% 10080 | |||
refresh_pattern ^gopher: 1440 0% 1440 | |||
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | |||
refresh_pattern . 0 20% 4320 | |||
</pre> | |||
We should see if we can use the squid ''url_rewrite_access'' directive to ensure that the rewrite.pl program is only run for the specific queries that need rewriting. | |||
The rewrite.pl program simply replies to the captive portal probe queries with the replies from a local apache server. Here is the code of /etc/squid3/rewrite.pl: | |||
<pre> | |||
#!/usr/bin/perl | |||
$splash_response = "http://localhost/splash.html\n"; | |||
$|=1; | |||
while (<>) { | |||
chomp; | |||
@line = split; | |||
$url = $line[0]; | |||
if ($url =~ /^http:\/\/www\.apple\.com\/library\/test\/success\.html/) { | |||
print $splash_response; | |||
} elsif ($url =~ /^http:\/\/www\.apple\.com\/$/) { | |||
print $splash_response; | |||
} else { | |||
print $url . "\n"; | |||
} | |||
} | |||
</pre> | |||
For versions 3.4 of squid and above, the program should look like this instead (reference [http://www.squid-cache.org/Versions/v3/3.1/cfgman/url_rewrite_program.html v3.1 docs] and [http://www.squid-cache.org/Versions/v3/3.4/cfgman/url_rewrite_program.html v3.4 docs]): | |||
<pre> | |||
#!/usr/bin/perl | |||
$splash_response = "OK rewrite-url=http://localhost/splash.html\n"; | |||
$|=1; | |||
while (<>) { | |||
chomp; | |||
@line = split; | |||
$url = $line[0]; | |||
if ($url =~ /^http:\/\/www\.apple\.com\/library\/test\/success\.html/) { | |||
print $splash_response; | |||
} elsif ($url =~ /^http:\/\/www\.apple\.com\/$/) { | |||
print $splash_response; | |||
} else { | |||
print "ERR\n"; | |||
} | |||
} | |||
</pre> | |||
An apache 2 with standard configuration is running and in /var/www/splash.html has the following file: | |||
<pre> | |||
<!DOCTYPE html> | |||
<html lang="en"> | |||
<head> | |||
<meta CHARSET=utf8mb4"utf-8"> | |||
<title>peopleswifi.org</title> | |||
</head> | |||
<body> | |||
<h1>Welcome to People's Wifi</h1> | |||
<p> | |||
Click anywhere to continue! | |||
</p> | |||
</body> | |||
</html> | |||
</pre> | |||
The last missing steps are to improve rewrite.pl to add firewall rules that bypass the squid proxy for the source IP after the user clicks past the splash screen. These should be flushed out after some period of time. Also, the matching for http://www.apple.com/ should only be activated for an IP for some minutes immediately after the request to http://www.apple.com/library/test/success.html such that requests to http://www.apple.com from non-captive-portal detecting devices will not be redirected. | |||
One concern is: What happens when the client roams to another mesh node and then stays there until their dhcp lease expires? They may get a new IP if batman-adv decides that another gateway is closer/better. If the client gets a new IP, will it try the captive portal detection again? | |||
== Proxy == | == Proxy == | ||