Squid captive portal #771

Open
wants to merge 11 commits into
base: release-6.1

Conversation

georgejhunt
Contributor

No description provided.

@m-anish
Contributor

m-anish commented Sep 14, 2016

Pulling this into release-6.1 for testing, and running install-console, I get this error:

```
TASK: [1-prep | set_fact ] ****************************************************
fatal: [127.0.0.1] => One or more undefined variables: 'dict object' has no attribute 'squid_dir'

FATAL: all hosts have already failed -- aborting
```

@jvonau
Member

jvonau commented Sep 14, 2016

Whenever something in install console changes, the variable gui_ver in roles/xsce-admin/defaults/main.yml needs to be bumped to re-run the already completed parts.

@m-anish
Contributor

m-anish commented Sep 14, 2016

I also renamed/removed /etc/xsce/xsce.env and that seemed to do the trick.

@m-anish
Contributor

m-anish commented Sep 14, 2016

Okay, some thoughts on the actual PR.

This sort of works. If I set capture_enabled = True and rerun the network setup, the following scenario works:

  1. If I open a website over port 80 (HTTP), I get redirected to the schoolserver homepage.
  2. If I open a website over port 443 (HTTPS), I get redirected to the schoolserver homepage.

However, after this initial captive portal page, https doesn't work, probably because squid isn't set up to handle https.

If I remove the https iptables line: `$IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 443 ! -d 172.18.96.1 -j DNAT --to 172.18.96.1:3128` then

  1. The captive portal works over port 80
  2. It does not work over 443

HTTPS (443) traffic works afterwards.

So, I think before this goes in, we should make squid transparently handle https traffic. Searching the internet, I got this:
http://rahulpahade.com/content/squid-transparent-proxy-over-ssl-https

Hope this helps.

@jvonau
Member

jvonau commented Sep 14, 2016

Something just feels icky about a man-in-the-middle squid setup for https to me.

@m-anish
Contributor

m-anish commented Sep 14, 2016

Yup agree.

Other ideas?

@m-anish
Contributor

m-anish commented Sep 14, 2016

Also, anyone have experience with this?

https://msdn.microsoft.com/en-us/library/windows/hardware/dn408679.aspx

Perhaps embedding this small snippet of xml in the html header can pop up a notification on phones.

Also found this:

http://www.squid-cache.org/mail-archive/squid-users/201405/0285.html

@tim-moody
Contributor

Does this interact with squid-xs.conf.j2:

```
{% if gw_block_https == True %}
#acl Safe_ports port 443 # https
{% else %}
acl Safe_ports port 443 # https
{% endif %}
```
