[Chilli] Proxy and REDIRSSL issues

James @ ADSL24 james at adsl24.co.uk
Sun Jan 6 11:55:30 UTC 2013


I took a punt and got it working. See below dhcp.c modifications for anyone
else who needs postauthproxy support but to send HTTPS direct:

----------------------------------------------------------------------------
if (_options.postauth_proxyport > 0) {
    if (is_return) {
      if ((iph->protocol == PKT_IP_PROTO_TCP) &&
	  (iph->saddr == _options.postauth_proxyip.s_addr) &&
	  (tcph->src == htons(_options.postauth_proxyport))) {
	
	*do_checksum = 1;
	return dhcp_uam_unnat(conn, ethh, iph, tcph);
      }
    } else {
      /* plain HTTP is still rewritten to the post-auth proxy */
      if ((iph->protocol == PKT_IP_PROTO_TCP) &&
	  (tcph->dst == htons(DHCP_HTTP))) {

#if(_debug_ > 0)	
	log_dbg("rewriting packet for post-auth proxy %s:%d",
		inet_ntoa(_options.postauth_proxyip),
		_options.postauth_proxyport);
#endif
	
	*do_checksum = 1;
	return dhcp_uam_nat(conn, ethh, iph, tcph,
			    &_options.postauth_proxyip, 
			    _options.postauth_proxyport);
      }
#ifdef HAVE_SSL
      /* HTTPS with redirssl on: log only, do not NAT, so the packet
       * continues on the normal (direct) path. C has no 'elseif';
       * the HAVE_SSL guard matches the original block. */
      else if (_options.redirssl && tcph->dst == htons(DHCP_HTTPS)) {
#if(_debug_ > 0)	
	log_dbg("NOT rewriting packet for post-auth proxy %s:%d",
		inet_ntoa(_options.postauth_proxyip),
		_options.postauth_proxyport);
#endif
      }
#endif
    }
  }
----------------------------------------------------------------------------

-----Original Message-----
From: chilli-bounces at coova.org [mailto:chilli-bounces at coova.org] On Behalf
Of James @ ADSL24
Sent: 05 January 2013 23:06
To: chilli at coova.org
Subject: [Chilli] Proxy and REDIRSSL issues

David,

Hi All,

As you know, it's not really possible to proxy all HTTPS traffic without
causing SSL violation/certificate errors in the end user's browser. So, is
there any way that when the postauthproxy option is used within coova, to
send all HTTPS traffic direct and not via the defined proxy?

I must concur, this only happens when we use the HS_REDIRSSL = on setting
because we need to redirect the initial end users' HTTPS page requests to the
captive portal, else it does not redirect. If you don't use HS_REDIRSSL then
no HTTPS traffic is sent via the proxy - doh!

Any ideas?

Looking at dhcp.c it appears the below code is being used, but I'm not 100%
sure on what to modify to send all HTTPS traffic direct and not through the
proxy once they are authenticated.

----------------------------------------------------------------------------------
if (_options.postauth_proxyport > 0) {
    if (is_return) {
      if ((iph->protocol == PKT_IP_PROTO_TCP) &&
	  (iph->saddr == _options.postauth_proxyip.s_addr) &&
	  (tcph->src == htons(_options.postauth_proxyport))) {
	
	*do_checksum = 1;
	return dhcp_uam_unnat(conn, ethh, iph, tcph);
      }
    }
    else {
      if ((iph->protocol == PKT_IP_PROTO_TCP) &&
	  (tcph->dst == htons(DHCP_HTTP) 
#ifdef HAVE_SSL
	   || (_options.redirssl && tcph->dst == htons(DHCP_HTTPS))
#endif
	   )) {

#if(_debug_ > 0)	
	log_dbg("rewriting packet for post-auth proxy %s:%d",
		inet_ntoa(_options.postauth_proxyip),
		_options.postauth_proxyport);
#endif
	
	*do_checksum = 1;
	return dhcp_uam_nat(conn, ethh, iph, tcph,
			    &_options.postauth_proxyip, 
			    _options.postauth_proxyport);
      }
    }
  }
----------------------------------------------------------------------------------

Thanks in advance.

James 

-----Original Message-----
From: chilli-bounces at coova.org [mailto:chilli-bounces at coova.org] On Behalf
Of David Bird
Sent: 02 January 2013 20:16
To: chilli at coova.org
Subject: Re: [Chilli] postauthproxy authentication

There is no chilli option for that, though you could just implement that
with a local proxy with an up-stream configuration. 

Happy new year!
David

On Wed, 2013-01-02 at 11:54 +0000, James @ ADSL24 wrote:
> Happy New Year to you all!
> 
> I'm wondering if anyone can help.
> 
> We currently have a requirement to use the postauthproxy config option
> within coovachilli but I need to know if there is a way to set a
> username/password for the HTTP proxy, so we can lock it down on the squid
> server to a specified user/pass.
> 
> We can't just set squid based on specific IPs as a lot of customers are on
> dynamic IPs so we can't track them easily.
> 
> Does postauthproxy allow a username/password for the proxy to be specified
> in this way, and if so how?
> 
> Many thanks
> 
> James
> 
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
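
The post-auth proxy decision discussed in this thread, as an added example that is not
chilli's own code: it models the dhcp.c rule as a pure function over constructed packets so
the unmodified behaviour (HTTPS NATed to the proxy when redirssl is on) can be compared with
the modified one (HTTPS left direct). The struct names, the proxy address 10.0.0.1:3128 and
the client address are assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <arpa/inet.h>

#define PKT_IP_PROTO_TCP 6
#define DHCP_HTTP  80
#define DHCP_HTTPS 443

enum nat_action { NAT_NONE = 0, NAT_TO_PROXY = 1, NAT_UNNAT_FROM_PROXY = 2 };

/* Hypothetical stand-ins for _options and the IP/TCP headers dhcp.c reads.
 * Addresses and ports in pkt are network byte order, as on the wire;
 * proxyport is host order, mirroring the real tcph->dst == htons(port) test. */
struct opts { uint32_t proxyip; uint16_t proxyport; bool redirssl; };
struct pkt  { uint8_t proto; uint32_t saddr; uint16_t sport; uint16_t dport; };

enum nat_action classify(const struct opts *o, const struct pkt *p,
                         bool is_return, bool https_direct)
{
  if (o->proxyport == 0 || p->proto != PKT_IP_PROTO_TCP)
    return NAT_NONE;                 /* postauthproxy off, or not TCP */
  if (is_return) {
    /* Reply from the proxy: undo the rewrite so the client sees the real server. */
    if (p->saddr == o->proxyip && p->sport == htons(o->proxyport))
      return NAT_UNNAT_FROM_PROXY;
    return NAT_NONE;
  }
  if (p->dport == htons(DHCP_HTTP))
    return NAT_TO_PROXY;             /* plain HTTP always goes via the proxy */
  /* Unmodified rule: with redirssl on, HTTPS is also forced through the
   * proxy (the source of the certificate errors). The modified rule skips
   * this, so HTTPS is routed directly. */
  if (p->dport == htons(DHCP_HTTPS) && o->redirssl && !https_direct)
    return NAT_TO_PROXY;
  return NAT_NONE;
}

/* Constructed scenario: proxy 10.0.0.1:3128, client 10.0.0.50 (assumed). */
static const uint32_t PROXY_IP = 0x0A000001u;

int decide_client(bool redirssl, bool https_direct, uint16_t dport_host)
{
  struct opts o = { htonl(PROXY_IP), 3128, redirssl };
  struct pkt  p = { PKT_IP_PROTO_TCP, htonl(0x0A000032u), htons(40000), htons(dport_host) };
  return (int)classify(&o, &p, false, https_direct);
}

int decide_return(uint32_t saddr_host, uint16_t sport_host)
{
  struct opts o = { htonl(PROXY_IP), 3128, true };
  struct pkt  p = { PKT_IP_PROTO_TCP, htonl(saddr_host), htons(sport_host), htons(40000) };
  return (int)classify(&o, &p, true, true);
}
```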

