[Chilli] Proxy and REDIRSSL issues
David Bird
david at coova.com
Thu Jan 10 18:00:13 UTC 2013
Perhaps there should be an option, postauthproxyssl, that defaults to
false and, when enabled, means the postauth proxy is used for SSL too.
On Sun, 2013-01-06 at 11:55 +0000, James @ ADSL24 wrote:
> I took a punt and got it working. See the dhcp.c modifications below for anyone
> else who needs postauthproxy support but wants to send HTTPS direct:
>
> ----------------------------------------------------------------------------
> if (_options.postauth_proxyport > 0) {
>   if (is_return) {
>     /* Reply coming back from the proxy: undo the NAT so the client
>        sees the original destination. */
>     if ((iph->protocol == PKT_IP_PROTO_TCP) &&
>         (iph->saddr == _options.postauth_proxyip.s_addr) &&
>         (tcph->src == htons(_options.postauth_proxyport))) {
>
>       *do_checksum = 1;
>       return dhcp_uam_unnat(conn, ethh, iph, tcph);
>     }
>   } else {
>     /* Client -> server: only plain HTTP is rewritten to the post-auth
>        proxy; HTTPS falls through and is sent direct. */
>     if ((iph->protocol == PKT_IP_PROTO_TCP) &&
>         (tcph->dst == htons(DHCP_HTTP))) {
>
> #if(_debug_ > 0)
>       log_dbg("rewriting packet for post-auth proxy %s:%d",
>               inet_ntoa(_options.postauth_proxyip),
>               _options.postauth_proxyport);
> #endif
>
>       *do_checksum = 1;
>       return dhcp_uam_nat(conn, ethh, iph, tcph,
>                           &_options.postauth_proxyip,
>                           _options.postauth_proxyport);
>     }
> #ifdef HAVE_SSL
>     else if ((iph->protocol == PKT_IP_PROTO_TCP) &&
>              _options.redirssl && tcph->dst == htons(DHCP_HTTPS)) {
> #if(_debug_ > 0)
>       log_dbg("NOT rewriting packet for post-auth proxy %s:%d",
>               inet_ntoa(_options.postauth_proxyip),
>               _options.postauth_proxyport);
> #endif
>     }
> #endif
>   }
> }
> ----------------------------------------------------------------------------
>
> -----Original Message-----
> From: chilli-bounces at coova.org [mailto:chilli-bounces at coova.org] On Behalf
> Of James @ ADSL24
> Sent: 05 January 2013 23:06
> To: chilli at coova.org
> Subject: [Chilli] Proxy and REDIRSSL issues
>
> David,
>
> Hi All,
>
> As you know, it's not really possible to proxy all HTTPS traffic without
> causing SSL violation/certificate errors in the end user's browser. So, is
> there any way, when the postauthproxy option is used within coova, to
> send all HTTPS traffic direct and not via the defined proxy?
>
> I must concur, this only happens when we use the HS_REDIRSSL = on setting,
> because we need to redirect the initial end users' HTTPS page requests to the
> captive portal, else it does not redirect. If you don't use HS_REDIRSSL then
> no HTTPS traffic is sent via the proxy - doh!
>
> Any ideas?
>
> Looking at dhcp.c it appears the below code is being used, but I'm not 100%
> sure on what to modify to send all HTTPS traffic direct and not through the
> proxy once they are authenticated.
>
> ----------------------------------------------------------------------------------
> if (_options.postauth_proxyport > 0) {
> if (is_return) {
> if ((iph->protocol == PKT_IP_PROTO_TCP) &&
> (iph->saddr == _options.postauth_proxyip.s_addr) &&
> (tcph->src == htons(_options.postauth_proxyport))) {
>
> *do_checksum = 1;
> return dhcp_uam_unnat(conn, ethh, iph, tcph);
> }
> }
> else {
> if ((iph->protocol == PKT_IP_PROTO_TCP) &&
> (tcph->dst == htons(DHCP_HTTP)
> #ifdef HAVE_SSL
> || (_options.redirssl && tcph->dst == htons(DHCP_HTTPS))
> #endif
> )) {
>
> #if(_debug_ > 0)
> log_dbg("rewriting packet for post-auth proxy %s:%d",
> inet_ntoa(_options.postauth_proxyip),
> _options.postauth_proxyport);
> #endif
>
> *do_checksum = 1;
> return dhcp_uam_nat(conn, ethh, iph, tcph,
> &_options.postauth_proxyip,
> _options.postauth_proxyport);
> }
> }
> }
> ----------------------------------------------------------------------------------
>
> Thanks in advance.
>
> James
>
> -----Original Message-----
> From: chilli-bounces at coova.org [mailto:chilli-bounces at coova.org] On Behalf
> Of David Bird
> Sent: 02 January 2013 20:16
> To: chilli at coova.org
> Subject: Re: [Chilli] postauthproxy authentication
>
> There is no chilli option for that, though you could just implement that
> with a local proxy with an up-stream configuration.
>
> Happy new year!
> David
>
> On Wed, 2013-01-02 at 11:54 +0000, James @ ADSL24 wrote:
> > Happy New Year to you all!
> >
> > I'm wondering if anyone can help.
> >
> > We currently have a requirement to use the postauthproxy config option
> > within coovachilli but I need to know if there is a way to set a
> > username/password for the HTTP proxy, so we can lock it down on the squid
> > server to a specified user/pass.
> >
> > We can't just set squid based on specific IPs as a lot of customers are on
> > dynamic IPs so we can't track them easily.
> >
> > Does postauthproxy allow a username/password for the proxy to be specified
> > in this way, and if so how?
> >
> > Many thanks
> >
> > James
> >
> > _______________________________________________
> > Chilli mailing list
> > Chilli at coova.org
> > http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
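As an added example (not CoovaChilli code and not the patch quoted above): a stand-alone C model of the three-way decision this part of dhcp.c makes (NAT to the post-auth proxy, un-NAT a reply from it, or pass the packet direct), first as James describes the current behaviour and then with David's proposed postauthproxyssl option. The struct and function names, the 10.1.x.x addresses and the port 3128 proxy are invented for the example; it assumes the new option alone decides whether HTTPS is proxied, independent of redirssl.

```c
/* Added example, not CoovaChilli code: a stand-alone model of the post-auth
 * proxy decision discussed in the thread, with the proposed postauthproxyssl
 * option. Struct and function names here are invented for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>   /* htons(), inet_addr() */

#define PROTO_TCP   6
#define PORT_HTTP   80    /* DHCP_HTTP in chilli */
#define PORT_HTTPS  443   /* DHCP_HTTPS in chilli */

enum decision { PASS_DIRECT = 0, NAT_TO_PROXY, UNNAT_FROM_PROXY };

/* Subset of chilli's _options relevant here (names mirror the config keys). */
struct proxy_opts {
    uint32_t postauth_proxyip;    /* network byte order, like in_addr.s_addr */
    uint16_t postauth_proxyport;  /* host byte order; 0 disables the proxy */
    bool     redirssl;            /* HS_REDIRSSL */
    bool     postauthproxyssl;    /* proposed option, assumed default false */
};

/* The header fields the decision looks at; ports in network byte order,
 * as they sit in the TCP header (tcph->src / tcph->dst). */
struct flow {
    uint8_t  proto;
    uint32_t saddr;
    uint16_t sport;
    uint16_t dport;
};

/* Behaviour James reported: with redirssl on, HTTPS is also sent to the
 * proxy, which produces certificate errors on the client. */
enum decision legacy_decision(const struct proxy_opts *o, const struct flow *f,
                              bool is_return)
{
    if (o->postauth_proxyport == 0 || f->proto != PROTO_TCP)
        return PASS_DIRECT;
    if (is_return)
        return (f->saddr == o->postauth_proxyip &&
                f->sport == htons(o->postauth_proxyport))
               ? UNNAT_FROM_PROXY : PASS_DIRECT;
    if (f->dport == htons(PORT_HTTP) ||
        (o->redirssl && f->dport == htons(PORT_HTTPS)))
        return NAT_TO_PROXY;
    return PASS_DIRECT;
}

/* Proposed behaviour: HTTPS only goes through the proxy when the operator
 * opts in with postauthproxyssl; redirssl alone no longer triggers it. */
enum decision proxy_decision(const struct proxy_opts *o, const struct flow *f,
                             bool is_return)
{
    if (o->postauth_proxyport == 0 || f->proto != PROTO_TCP)
        return PASS_DIRECT;
    if (is_return)
        return (f->saddr == o->postauth_proxyip &&
                f->sport == htons(o->postauth_proxyport))
               ? UNNAT_FROM_PROXY : PASS_DIRECT;
    if (f->dport == htons(PORT_HTTP))
        return NAT_TO_PROXY;
    if (f->dport == htons(PORT_HTTPS))
        return o->postauthproxyssl ? NAT_TO_PROXY : PASS_DIRECT;
    return PASS_DIRECT;
}

static const char *decision_name(enum decision d)
{
    return d == NAT_TO_PROXY ? "nat->proxy" :
           d == UNNAT_FROM_PROXY ? "unnat" : "direct";
}

int main(void)
{
    /* Constructed sample: proxy 10.1.1.5:3128, client 10.1.0.20, redirssl on. */
    struct proxy_opts o = { inet_addr("10.1.1.5"), 3128, true, false };
    struct flow http  = { PROTO_TCP, inet_addr("10.1.0.20"), htons(51000), htons(PORT_HTTP) };
    struct flow https = { PROTO_TCP, inet_addr("10.1.0.20"), htons(51001), htons(PORT_HTTPS) };
    struct flow reply = { PROTO_TCP, inet_addr("10.1.1.5"), htons(3128), htons(51000) };

    printf("%-12s %-10s %-10s\n", "flow", "legacy", "proposed");
    printf("%-12s %-10s %-10s\n", "http out",
           decision_name(legacy_decision(&o, &http, false)),
           decision_name(proxy_decision(&o, &http, false)));
    printf("%-12s %-10s %-10s\n", "https out",
           decision_name(legacy_decision(&o, &https, false)),
           decision_name(proxy_decision(&o, &https, false)));
    printf("%-12s %-10s %-10s\n", "proxy reply",
           decision_name(legacy_decision(&o, &reply, true)),
           decision_name(proxy_decision(&o, &reply, true)));
    return 0;
}
```

The point of keeping the reply-path (un-NAT) check unchanged in both versions is that it keys on the proxy's source address and port, not on the destination port, so it keeps working whether or not HTTPS was ever rewritten; only the outbound rule needs the new option.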