 From:  joshmccormack at travelersdiary dot com
 To:  M0N0Wall firewall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] captive portal support (fwd)
 Date:  Tue, 20 Jan 2004 09:32:23 -0600 (CST)
Fred asked a question on the captive portal solution I passed along:

>I'm not sure I understand why he is forwarding port 80 to the local
>server, and then in turn redirecting to the portal on another server.
>Why not simply forward the user directly to the portal on the second server?

Here's my friend's response:

---------- Forwarded message ----------
Date: Tue, 20 Jan 2004 12:21:34 -0200
From: Bruno Lopes F. Cabral <bruno at openline dot com dot br>
To: joshmccormack at travelersdiary dot com
Subject: Re: [m0n0wall] captive portal support (fwd)

Hi ppl

very good point: that's because

a. I don't want to modify remote servers to i.e.
show the same page whatever page it is asked
(a way would be based on the source address,
but whoever tried to use apache to remote proxy
while being an actual server knows the difficulties
it could lead to)

b. I don't have space to put the page locally
(my server runs from a floppy)

c. it seemed simpler to me, but perhaps I did
it in a dumb way ;-)

the local server is busybox' http with a little
patch to put an error page when the file doesn't
exist locally (the same server is used to config
my system, so it's just a matter of running it
on another port with an empty dir as its home)

then I simply do a redirect of all non-PPTP traffic
to port 80 to this "another port" (via iptables)
-- of course, all traffic EXCEPT the ones to my
main server, which I choose to let it remain open
the user being authenticated or not

finally, the error page is shown, which has a refresh
of 1s with a real page (on my real server) with
instructions (install the PPTP client, configure
this way etc)

the real server doesn't have anything modified at all,
as the request is for a real (existent) page,
guaranteed by busybox' http redirect page

before doing this way, I had modified squid to
receive the traffic from my box and provide quite
the same behaviour, but gave up on it because there
were some problems between forced proxying and
user logins (via squid auth acls)

as I stated, my solution isn't "the" solution to everyone
needs, but it is working pretty well for more than 8 months

from Brazil
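As an added illustration of the mechanism Bruno describes (this is not his script or anything from the m0n0wall project), the sketch below writes the error page for a busybox httpd running from an empty directory and prints the iptables rules that send unauthenticated HTTP traffic to it. The interface name `lan0`, the main-server address `192.0.2.10`, the portal port `8080` and the instruction page URL are assumptions chosen for the example; it also assumes a busybox httpd new enough to accept an `E404:` line in `httpd.conf` instead of the local patch the 2004 setup used, and it treats "non-PPTP traffic" as traffic arriving on the LAN interface rather than on a `ppp` interface. The rules are printed by default so the script can be reviewed without root; pass `apply` as the fourth argument of `portal_rules` to execute them.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names, addresses
# and ports are assumptions for illustration only.

# Write the 404 page busybox httpd will serve for every request against
# the empty docroot. The meta refresh forwards the browser to the real
# instruction page after one second, as in the described setup.
write_portal_page() {
    docroot="$1"        # empty directory used as httpd's home
    instructions="$2"   # real page on the (untouched) main server
    mkdir -p "$docroot"
    cat > "$docroot/e404.html" <<EOF
<html><head>
<meta http-equiv="refresh" content="1;url=$instructions">
<title>Network access required</title>
</head><body>
<p>Redirecting to <a href="$instructions">$instructions</a> ...</p>
</body></html>
EOF
    # Assumption: a busybox httpd that honours E404 in httpd.conf
    # (the original setup needed a local patch for the same effect).
    printf 'E404:%s\n' "$docroot/e404.html" > "$docroot/httpd.conf"
    echo "$docroot/e404.html"
}

# Print (or, with mode=apply, execute) the redirect rules. Authenticated
# PPTP users arrive on ppp interfaces, not on $lan_if, so matching the LAN
# interface is what limits the redirect to unauthenticated clients.
portal_rules() {
    lan_if="$1"        # interface the unauthenticated clients sit on
    main_server="$2"   # the one address left open (instructions live here)
    portal_port="$3"   # port httpd listens on with the empty docroot
    mode="${4:-print}"
    set -- \
      "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -d $main_server -j RETURN" \
      "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $portal_port"
    for rule in "$@"; do
        if [ "$mode" = "apply" ]; then $rule; else echo "$rule"; fi
    done
}

# Stand-alone dry run: create the page in a scratch dir and list the rules.
demo_root="$(mktemp -d)"
write_portal_page "$demo_root" "http://192.0.2.10/pptp-setup.html"
portal_rules lan0 192.0.2.10 8080
rm -rf "$demo_root"
```

Two points a practitioner would check before relying on this: only port 80 is intercepted, so browsers that start on HTTPS get a failed connection rather than the portal page, and the exempted main server is reachable by unauthenticated clients on purpose, so it should host nothing beyond the instruction page.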