[Chilli] Coova when no wan

David Bird david at coova.com
Thu Mar 14 16:29:48 UTC 2013


There is no elegant way to deal with https traffic... essentially,
chilli is a man-in-the-middle and it breaks SSL security. Having users
notified of this lack of security is a GOOD thing. My advice is to keep
SSL blocked. What would be interesting for Chrome to integrate into
their browser is a notice that 'Authentication is required' on the
network -- similar to how Android will give you such a notice, etc. 


On Thu, 2013-03-14 at 15:38 +0100, Bojan Pogacar wrote:
> Another problem with HTTPS redirection is that, for Google websites like
> google.com, gmail, ..., Chrome not only warns about the invalid
> (self-signed) certificate, but also disables redirection to the captive
> portal. It reports that something strange is going on and you cannot
> click proceed anyway.
> 
> The problem is even bigger with Chrome 25 because all searches from the
> address bar are now on https. Users are now confused, and some don't try
> to open some other web site to log in and just complain that they
> cannot log in.
> 
> Is there any solution for that?
> 
> BR, Bojan
> 
> 
> 
> On 14.3.2013 9:01, Xabier Oneca -- xOneca wrote:
> > For HTTPS redirections to work, you need a valid certificate for each
> > domain you want to be redirected. It would be a huge security hole, so
> > you cannot do a beautiful HTTPS redirect.
> >
> > If you don't mind that the user gets a security warning in his browser,
> > you can use --redirssl with its --ssl* config options to allow
> > CoovaChilli to listen to HTTPS requests. Chilli does not do this by
> > default. You will need a (self signed) certificate.
> >
> > HTH.
> >
> > --
> > Xabier Oneca_,,_
> >
> > On 14/03/2013 08:50, "Alexandre Rubert" <alexandre.rubert at gmail.com>
> > wrote:
> >
> >     Ok, thanks for your answer. I tried with dnsmasq and now all DNS
> >     requests return an IP which is unauthorized by coova; that way the
> >     client is redirected to uamhomepage. That's what I want, but when
> >     the client tries to access https, he isn't redirected. Wireshark
> >     shows that the client tries to access https on the redirected IP
> >     but there is nothing matching it.
> >
> >     On 14/03/2013 03:39, David Bird wrote:
> >
> >         The problem with there being no WAN is that DNS will not work.
> >         Without DNS, you do not get a redirect since the browser times
> >         out before making any HTTP request. However, what you can do is
> >         use option --domaindnslocal to instruct CoovaChilli to return a
> >         'local' IP for any DNS request under the --domain (so, if you
> >         have domain=lan, then hostname.lan would resolve in chilli to a
> >         local IP). Typically, DNS systems will attempt the original
> >         hostname, then the hostname under the DHCP domain, searching
> >         for a result.
> >
> >
> >         On Wed, 2013-03-13 at 15:18 +0100, Alexandre Rubert wrote:
> >
> >             Hello,
> >             I am trying to configure coovachilli to redirect all clients
> >             to the uamhomepage when there is no internet connection. But
> >             actually, it doesn't work. Do you have an example of this
> >             kind of configuration?
> >
> >             Thanks
> >             _______________________________________________
> >             Chilli mailing list
> >             Chilli at coova.org
> >             http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> >

-- 
--
David Bird
http://www.linkedin.com/in/dwbird
https://twitter.com/wlanmac
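
The 'Authentication is required' notice suggested above relies on the client probing over plain HTTP, the only traffic a portal can redirect without a certificate error. As an added example that is not part of the original thread, this classifies one such probe response; `probe.example`, the function names and the sample responses are assumptions constructed for illustration.

```python
# Added example (not from the thread): classify one plain-HTTP connectivity probe.
from urllib.parse import urlsplit

PROBE_HOST = "probe.example"  # hypothetical probe host that answers 204 when unfiltered

def classify_probe(status, headers=None, body=b""):
    """Return (state, portal_url) for a probe of http://PROBE_HOST/.

    status is the HTTP status code, or None when DNS or TCP failed, which is
    the no-WAN case from the thread: no response means nothing to redirect.
    """
    if status is None:
        return ("no-response", None)
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    if status == 204 and not body:
        return ("open", None)                  # probe reached its real target
    if status == 511:                          # RFC 6585: Network Authentication Required
        return ("captive", None)
    if status in (301, 302, 303, 307, 308):
        location = hdrs.get("location", "")
        host = urlsplit(location).hostname
        if host and host.lower() != PROBE_HOST:
            return ("captive", location)       # redirected off-site: show the login page
        return ("unknown", None)
    if status == 200 and body:
        return ("captive", None)               # body substituted for the empty 204
    return ("unknown", None)

# Constructed sample responses; the portal URL is a placeholder, not a value from the thread.
SAMPLES = {
    "unfiltered": (204, {}, b""),
    "portal redirect": (302, {"Location": "http://portal.lan/login"}, b""),
    "rfc6585": (511, {}, b"<html>login required</html>"),
    "rewritten page": (200, {"Content-Type": "text/html"}, b"<html>login</html>"),
    "dns failure": (None, {}, b""),
    "same-host redirect": (301, {"Location": "http://probe.example/other"}, b""),
}

def classify_all(samples=SAMPLES):
    """Classify every sample and return {name: (state, portal_url)}."""
    return {name: classify_probe(*resp) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:20} -> {result}")
```

The "dns failure" case is why a portal with no WAN needs local DNS answers before any redirect can happen.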


