[Chilli] Proxy and REDIRSSL issues

David Bird david at coova.com
Thu Jan 10 18:00:13 UTC 2013


Perhaps there should be an option postauthproxyssl that defaults to
false that when enabled means the postauth proxy is used for ssl too.


On Sun, 2013-01-06 at 11:55 +0000, James @ ADSL24 wrote:
> I took a punt and got it working. See below dhcp.c modifications for anyone
> else who needs postauthproxy support but to send HTTPS direct:
> 
> ----------------------------------------------------------------------------
> if (_options.postauth_proxyport > 0) {
>     if (is_return) {
>       if ((iph->protocol == PKT_IP_PROTO_TCP) &&
>           (iph->saddr == _options.postauth_proxyip.s_addr) &&
>           (tcph->src == htons(_options.postauth_proxyport))) {
> 
>         *do_checksum = 1;
>         return dhcp_uam_unnat(conn, ethh, iph, tcph);
>       }
>     } else {
>       if ((iph->protocol == PKT_IP_PROTO_TCP) &&
>           (tcph->dst == htons(DHCP_HTTP))) {
> 
> #if(_debug_ > 0)
>         log_dbg("rewriting packet for post-auth proxy %s:%d",
>                 inet_ntoa(_options.postauth_proxyip),
>                 _options.postauth_proxyport);
> #endif
> 
>         *do_checksum = 1;
>         return dhcp_uam_nat(conn, ethh, iph, tcph,
>                             &_options.postauth_proxyip,
>                             _options.postauth_proxyport);
>       } else if (_options.redirssl && tcph->dst == htons(DHCP_HTTPS)) {
>         /* HTTPS is intentionally not rewritten: it goes direct, not via the proxy */
> #if(_debug_ > 0)
>         log_dbg("NOT rewriting packet for post-auth proxy %s:%d",
>                 inet_ntoa(_options.postauth_proxyip),
>                 _options.postauth_proxyport);
> #endif
>       }
>     }
>   }
> ----------------------------------------------------------------------------
> 
> -----Original Message-----
> From: chilli-bounces at coova.org [mailto:chilli-bounces at coova.org] On Behalf
> Of James @ ADSL24
> Sent: 05 January 2013 23:06
> To: chilli at coova.org
> Subject: [Chilli] Proxy and REDIRSSL issues
> 
> David,
> 
> Hi All,
> 
> As you know, it's not really possible to proxy all HTTPS traffic without
> causing SSL violation/certificate errors in the end user's browser. So, is
> there any way that when the postauthproxy option is used within coova, to
> send all HTTPS traffic direct and not via the defined proxy?
> 
> I must concur, this only happens when we use the HS_REDIRSSL = on setting
> because we need to redirect the initial end users' HTTPS page requests to the
> captive portal else it does not redirect. If you don't use HS_REDIRSSL then
> no HTTPS traffic is sent via the proxy - doh!
> 
> Any ideas?
> 
> Looking at dhcp.c it appears the below code is being used, but I'm not 100%
> sure on what to modify to send all HTTPS traffic direct and not through the
> proxy once they are authenticated.
> 
> ----------------------------------------------------------------------------------
> if (_options.postauth_proxyport > 0) {
>     if (is_return) {
>       if ((iph->protocol == PKT_IP_PROTO_TCP) &&
> 	  (iph->saddr == _options.postauth_proxyip.s_addr) &&
> 	  (tcph->src == htons(_options.postauth_proxyport))) {
> 	
> 	*do_checksum = 1;
> 	return dhcp_uam_unnat(conn, ethh, iph, tcph);
>       }
>     }
>     else {
>       if ((iph->protocol == PKT_IP_PROTO_TCP) &&
> 	  (tcph->dst == htons(DHCP_HTTP) 
> #ifdef HAVE_SSL
> 	   || (_options.redirssl && tcph->dst == htons(DHCP_HTTPS))
> #endif
> 	   )) {
> 
> #if(_debug_ > 0)	
> 	log_dbg("rewriting packet for post-auth proxy %s:%d",
> 		inet_ntoa(_options.postauth_proxyip),
> 		_options.postauth_proxyport);
> #endif
> 	
> 	*do_checksum = 1;
> 	return dhcp_uam_nat(conn, ethh, iph, tcph,
> 			    &_options.postauth_proxyip, 
> 			    _options.postauth_proxyport);
>       }
>     }
>   }
> ----------------------------------------------------------------------------------
> 
> Thanks in advance.
> 
> James 
> 
> -----Original Message-----
> From: chilli-bounces at coova.org [mailto:chilli-bounces at coova.org] On Behalf
> Of David Bird
> Sent: 02 January 2013 20:16
> To: chilli at coova.org
> Subject: Re: [Chilli] postauthproxy authentication
> 
> There is no chilli option for that, though you could just implement that
> with a local proxy with an up-stream configuration. 
> 
> Happy new year!
> David
> 
> On Wed, 2013-01-02 at 11:54 +0000, James @ ADSL24 wrote:
> > Happy New Year to you all!
> > 
> > I'm wondering if anyone can help.
> > 
> > We currently have a requirement to use the postauthproxy config option
> > within coovachilli but I need to know if there is a way to set a
> > username/password for the HTTP proxy, so we can lock it down on the squid
> > server to a specified user/pass.
> > 
> > We can't just set squid based on specific IPs as a lot of customers are on
> > dynamic IPs so we can't track them easily.
> > 
> > Does postauthproxy allow a username/password for the proxy to be specified
> > in this way, and if so how?
> > 
> > Many thanks
> > 
> > James
> > 
> > _______________________________________________
> > Chilli mailing list
> > Chilli at coova.org
> > http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> 
> 
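The following is an added, stand-alone model of the decision the thread is about, written for this archive page; it is not CoovaChilli's dhcp.c and not code from David or James. The struct layouts, the action enum and the `proxy_ssl` field (standing in for the `postauthproxyssl` option David proposes, default off) are assumptions made for illustration. With the opt-in off, an authenticated client's TCP/443 flow is passed through untouched even when redirssl is on, so the browser negotiates TLS with the real origin and sees no certificate mismatch; only port 80 is rewritten to the proxy, and only replies from the proxy's own address and port are un-NATed.

```c
/* Added example, not CoovaChilli code: models the post-auth proxy rewrite
 * decision with a proposed postauthproxyssl opt-in (assumed name). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <arpa/inet.h>

#define PROTO_TCP   6
#define PORT_HTTP   80
#define PORT_HTTPS  443

/* Subset of the runtime options the decision depends on (assumed layout). */
struct opts {
    in_addr_t proxy_ip;    /* postauthproxy address, network byte order */
    uint16_t  proxy_port;  /* postauthproxyport, host order; 0 = disabled */
    bool      redirssl;    /* HS_REDIRSSL: pre-auth HTTPS is redirected to the portal */
    bool      proxy_ssl;   /* proposed postauthproxyssl: also proxy HTTPS post-auth */
};

/* Only the header fields the dhcp.c branch actually inspects. */
struct pkt {
    uint8_t   protocol;
    in_addr_t saddr;       /* network byte order */
    uint16_t  sport, dport;/* network byte order, as on the wire */
};

enum action { PASS = 0, NAT_TO_PROXY, UNNAT_FROM_PROXY };

enum action postauth_proxy_decide(const struct opts *o, const struct pkt *p,
                                  bool is_return)
{
    if (o->proxy_port == 0 || p->protocol != PROTO_TCP)
        return PASS;

    if (is_return) {
        /* Reply from the proxy: undo the rewrite so the client sees the origin.
         * Match on both source address and source port, never on port alone. */
        if (p->saddr == o->proxy_ip && p->sport == htons(o->proxy_port))
            return UNNAT_FROM_PROXY;
        return PASS;
    }

    if (p->dport == htons(PORT_HTTP))
        return NAT_TO_PROXY;

    /* HTTPS is rewritten only when redirssl is on AND the operator opted in.
     * Default (proxy_ssl == false): TLS goes direct, no certificate errors. */
    if (p->dport == htons(PORT_HTTPS) && o->redirssl && o->proxy_ssl)
        return NAT_TO_PROXY;

    return PASS;
}

/* Builds a constructed client->server or proxy->client packet against a
 * constructed option set; used by main() below and by tests. */
enum action decide_case(uint16_t dport_host, bool is_return,
                        bool redirssl, bool proxy_ssl)
{
    struct opts o = { inet_addr("10.0.0.2"), 3128, redirssl, proxy_ssl }; /* constructed */
    struct pkt p;
    p.protocol = PROTO_TCP;
    if (is_return) {
        p.saddr = o.proxy_ip;
        p.sport = htons(o.proxy_port);
        p.dport = htons(50000);
    } else {
        p.saddr = inet_addr("10.0.0.100"); /* constructed client address */
        p.sport = htons(50000);
        p.dport = htons(dport_host);
    }
    return postauth_proxy_decide(&o, &p, is_return);
}

int main(void)
{
    static const char *names[] = { "PASS", "NAT_TO_PROXY", "UNNAT_FROM_PROXY" };
    printf("http  redirssl=on  proxy_ssl=off -> %s\n", names[decide_case(80,  false, true, false)]);
    printf("https redirssl=on  proxy_ssl=off -> %s\n", names[decide_case(443, false, true, false)]);
    printf("https redirssl=on  proxy_ssl=on  -> %s\n", names[decide_case(443, false, true, true)]);
    printf("https redirssl=off proxy_ssl=on  -> %s\n", names[decide_case(443, false, false, true)]);
    printf("reply from proxy               -> %s\n", names[decide_case(0,   true,  true, false)]);
    return 0;
}
```

The point of the two-flag gate is that turning redirssl on for the pre-auth redirect no longer silently drags every authenticated TLS session through the proxy; the operator has to ask for that explicitly.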