[Chilli] SSL on Chili

Gergely Kiss mail.gery at gmail.com
Thu Nov 19 20:33:00 UTC 2009


Here is my idea: let's redirect all HTTPS requests to a HTTPS-enabled
Apache server which will then point the browser to the login screen
(HTTP) via the UrlRewrite module. For normal HTTP requests, Chilli
should do the trick by itself. For example, create an iptables rule
like this:

iptables -t nat -I PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.1.1:443

where 192.168.1.1 is the IP of your Apache server. The server catches
the request and after the SSL tunnel has been established, it can
redirect the browser to any other URL. After a successful login, you
create a rule that resolves the redirection rule for the client:

iptables -t nat -I PREROUTING -s <client IP> -p tcp --dport 443 -j ACCEPT

You can achieve this by using the --conup and --condown parameters of
the chilli daemon. The client IP address can be easily determined,
because Chilli exports a couple of useful environment variables just
before running the script. Therefore, you need only a single command:

#!/bin/sh
# conup script: chilli exports FRAMED_IP_ADDRESS before running it
if [ -n "$FRAMED_IP_ADDRESS" ] ; then
  iptables -t nat -I PREROUTING -s "${FRAMED_IP_ADDRESS}" -p tcp --dport 443 -j ACCEPT
fi

For the logout event, use the following script:

#!/bin/sh
# condown script: remove the per-client rule added at login
if [ -n "$FRAMED_IP_ADDRESS" ] ; then
  iptables -t nat -D PREROUTING -s "${FRAMED_IP_ADDRESS}" -p tcp --dport 443 -j ACCEPT
fi

I'm not able to test this right now, but theoretically it should solve
the issue.

Regards
George

PS: hopefully this is an acceptable solution for you, as I'm not 100%
sure that I understood your problem correctly.

2009/11/19 Fernando Dutra Fagundes Macedo <fmacedo at cpd.ufrgs.br>:
> I think that I wasn't clear enough describing the problem in the last
> message. I'll try to explain this issue in more detail:
>
> The problem happens when coova chilli is configured to work with ssl and a
> client tries to connect to an http server (port 80). In this situation,
> coova redirects the connection to port 3990, which is working with ssl.
> However, the client has made a request to connect to an http server, not
> https. So the ssl negotiation fails, the client doesn't connect properly and
> presents a blank page to the user.
>
> We have been trying to solve this issue but we haven't had any good ideas until
> now. The best solution we thought of was to redirect the connection to apache
> and afterwards do an http redirection from http to https and then return the
> connection to coova.
>
> The scenario now is like this:
> 1. http request to http://www.abcdefgh.com
> 2. coova redirects to port 3990 with ssl
> 3. ssl negotiation fails
>
> And we want coova to work like this:
> 1. http request to http://www.abcdefgh.com
> 2. coova redirects to apache port 80
> 3. apache makes a http to https redirection to coova
> 4. coova receives https connection on port 3990 and the ssl negotiation
> succeeds
>
> Could someone help us or give us some directions on how to modify the code
> to solve this problem?
>
> Regards,
>
> Fernando Macedo
>
> From: chilli-bounces at coova.org [mailto:chilli-bounces at coova.org] On behalf of
> Fernando Dutra Fagundes Macedo
> Sent: Thursday, 12 November 2009 12:51
> To: chilli at coova.org
> Subject: [Chilli] SSL on Chili
>
> Hi,
>
> When using ssl on chilli, the first page that a user opens must be HTTPS
> because chilli will only respond to connections over ssl. How can I accept the
> two types of redirection (80 and 443) when using ssl?
>
> Regards,
>
> Fernando
>
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
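The iptables approach George outlines above (a DNAT of port 443 to the Apache SSL host, plus a per-client ACCEPT inserted by --conup and removed by --condown) worked through as one script. This is an added example, not code from the post or from the CoovaChilli project. It assumes: the event name ("up"/"down") arrives as $1 or can be taken from the script's file name (conup.sh / condown.sh); iptables supports -C for checking whether a rule exists; the Apache SSL host address is read from SSL_PROXY (default taken from the post); and DRY_RUN=1 prints the iptables commands instead of running them, so the logic can be exercised without root. It goes beyond the post in one respect: FRAMED_IP_ADDRESS originates from RADIUS (Framed-IP-Address), so it is validated as a dotted-quad address before it is passed to iptables.

```shell
#!/bin/sh
# Added example (not from the original post or from CoovaChilli): a single
# handler usable as both --conup and --condown script. chilli exports
# FRAMED_IP_ADDRESS before running the script. Assumptions: iptables supports
# -C; SSL_PROXY is the HTTPS-enabled Apache host from the post; DRY_RUN=1
# prints the commands instead of executing them.

: "${IPTABLES:=iptables}"
: "${SSL_PROXY:=192.168.1.1:443}"   # assumed address of the Apache SSL host

# Accept only a plain dotted-quad IPv4 address. The value arrives from RADIUS
# via chilli, so it is checked rather than spliced into a command blindly.
valid_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1          # split into octets; positional params are local to the function
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run, or under DRY_RUN print, an iptables command given as arguments.
run_iptables() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s' "$IPTABLES"; printf ' %s' "$@"; printf '\n'
        # Pretend no rule exists yet so the "check, then insert" path is shown.
        case "$*" in *" -C "*) return 1 ;; esac
        return 0
    fi
    "$IPTABLES" "$@"
}

# One-time setup (the first rule from the post): HTTPS from any client is
# DNATed to the Apache host, which redirects the browser to the HTTP login page.
# Appended with -A so that per-client rules inserted with -I land above it.
setup_https_redirect() {
    run_iptables -t nat -C PREROUTING -p tcp --dport 443 -j DNAT --to "$SSL_PROXY" 2>/dev/null \
        || run_iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to "$SSL_PROXY"
}

# Per-client rule: ACCEPT in nat PREROUTING means "no NAT for this flow", so a
# logged-in client's HTTPS traffic bypasses the DNAT and goes through chilli.
client_bypass() {   # $1 = -I | -D | -C, $2 = client IP
    run_iptables -t nat "$1" PREROUTING -s "$2" -p tcp --dport 443 -j ACCEPT
}

handle_event() {    # $1 = up | down, $2 = client IP; non-zero when refused
    if ! valid_ipv4 "$2"; then
        echo "refusing to modify iptables: bad client address '$2'" >&2
        return 1
    fi
    case "$1" in
        up)   client_bypass -C "$2" 2>/dev/null || client_bypass -I "$2" ;;  # idempotent
        down) client_bypass -D "$2" ;;
        *)    echo "unknown event '$1'" >&2; return 2 ;;
    esac
}

# Entry point when chilli runs the script: event from $1, or from the file
# name (conup.sh -> up, condown.sh -> down). Nothing runs while
# FRAMED_IP_ADDRESS is unset, so the functions can also be sourced and tested.
if [ -n "$FRAMED_IP_ADDRESS" ]; then
    case "${1:-$(basename "$0" .sh)}" in
        conup|up)     handle_event up   "$FRAMED_IP_ADDRESS" ;;
        condown|down) handle_event down "$FRAMED_IP_ADDRESS" ;;
    esac
fi
```

Usage: install the file as conup.sh and condown.sh (or pass "up"/"down" as the first argument) and point chilli's --conup and --condown at them; run setup_https_redirect once at boot. With DRY_RUN=1 and FRAMED_IP_ADDRESS set, the script prints exactly the iptables commands it would execute, which is a convenient way to review the rules before granting the script root.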
