Merge pull request #381 from nodogsplash/fas_key

Add fasremotefqdn, faskey, bump to v4.0.0

ChangeLog

@@ -1,11 +1,24 @@
+nodogsplash (4.0.0)
+
+  * Introduce aes encryption of the query string passed to remote FAS, allowing authdir and client token to be transferred securely. Uses php-cli and php-openssl. These are required if encryption is enabled but are not dependencies [bluewavenet]
+  * Introduce fasremotefqdn, specifying the FQDN of the remote FAS. This facilitates simplified support for FAS operation on shared hosting systems [bluewavenet]
+  * Add a FAS php script supporting aes encrypted query string sent from NDS [bluewavenet]
+  * Numerous Documentation updates [bluewavenet]
+  * Remove unused pagesdir and imagesdir [mwarning]
+  * Add Preauth script that displays images from remote servers [bluewavenet]
+  * Use elegant check for valid ip addresses [mwarning]
+  * openwrt initscript - add missing macmechanism in the config file [lynxis]
+
+ -- Rob White <dot@blue-wave.net> Sun, 7 Jul 2019 08:29:00 +0000
+
 nodogsplash (3.3.2)
 
-  * Fix Issue introduced in v3.3.0 with the addition of Improvements towards usable IPv6 support, that caused CPD on client devices to fail with "Too Many Redirects" error. NDS now terminates gracefully with a console error if fasremoteip is set AND fasport=80  [bluewavenet]
+  * Fix Issue introduced in v3.3.0 with the addition of Improvements towards usable IPv6 support, that caused CPD on client devices to fail with "Too Many Redirects" error. NDS now terminates gracefully with a console error if fasremoteip is not set AND fasport=80  [bluewavenet]
   * Validate fasremoteip to ensure that if it is set, then it is a valid dotted format IPv4 address  [bluewavenet]
-  * Numerous Documentation updates  [bluewavenet]
+  * Numerous Documentation updates [bluewavenet]
   * Fix to Known Issue on OpenWrt >18.x.x with v3.3.1. This was caused by misconfigured Makefile for libmicrohttpd; this has been fixed there [bluewavenet]
 
- --Rob White <dot@blue-wave.net> Tue, 23 Apr 2019 11:49:00 +0000
+ -- Rob White <dot@blue-wave.net> Tue, 23 Apr 2019 11:49:00 +0000
 
 nodogsplash (3.3.1)
 
@@ -33,7 +46,7 @@ nodogsplash (3.3.0)
 nodogsplash (3.2.1)
 
   * reset upload/download counter when a client has been authenticated a second time [mwarning]
-  * print sesssion duration as 0 in "ndsctl json" and "ndsctl clients" output when a session has not been started [mwarning]
+  * print session duration as 0 in "ndsctl json" and "ndsctl clients" output when a session has not been started [mwarning]
   * rework html templater to speed up splash page generation [mwarning]
   * FAS documentation updates [bluewavenet]
   * Add CSS file and update splash and status html [bluewavenet]

Makefile

@@ -44,6 +44,7 @@ install:
 	cp resources/status.html $(DESTDIR)/etc/nodogsplash/htdocs/
 	cp resources/splash.jpg $(DESTDIR)/etc/nodogsplash/htdocs/images/
 	cp forward_authentication_service/PreAuth/demo-preauth.sh $(DESTDIR)/etc/nodogsplash/login.sh
+	cp forward_authentication_service/fas-aes/fas-aes.php $(DESTDIR)/etc/nodogsplash/
 
 checkastyle:
 	@command -v astyle >/dev/null 2>&1 || \

debian/changelog

@@ -1,3 +1,17 @@
+nodogsplash (4.0.0-1) stable; urgency=medium
+
+  * Introduce aes encryption of the query string passed to remote FAS, allowing authdir and client token to be transferred securely. Uses php-cli and php-openssl. These are required if encryption is enabled but are not dependencies [bluewavenet]
+  * Introduce fasremotefqdn, specifying the FQDN of the remote FAS. This facilitates simplified support for FAS operation on shared hosting systems [bluewavenet]
+  * Add a FAS php script supporting aes encrypted query string sent from NDS [bluewavenet]
+  * Numerous Documentation updates [bluewavenet]
+  * Remove unused pagesdir and imagesdir [mwarning]
+  * Add Preauth script that displays images from remote servers [bluewavenet]
+  * Use elegant check for valid ip addresses [mwarning]
+  * openwrt initscript - add missing macmechanism in the config file [lynxis]
+
+ -- Rob White <dot@blue-wave.net>  Sun, 7 Jul 2019 08:29:00 +0000
+
+
 nodogsplash (3.3.2-1) stable; urgency=medium
 
   * Fix Issue introduced in v3.3.0 with the addition of Improvements towards usable IPv6 support, that caused CPD on client devices to fail with "Too Many Redirects" error. NDS now terminates gracefully with a console error if fasremoteip is set AND fasport=80  [bluewavenet]

docs/source/conf.py

@@ -60,9 +60,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '3.3.3-beta'
+version = '4.0.0'
 # The full version, including alpha/beta/rc tags.
-release = '3.3.3-beta'
+release = '4.0.0'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/source/customize.rst

@@ -58,10 +58,10 @@ Finally you must tell UCI to commit your changes to the configuration file:
 
   uci commit nodogsplash
 
-The Splash Page
-***************
+The Default Click and Go Splash Page
+************************************
 
-The default simple splash page can be found at:
+The default default splash page can be found at:
 
   ``/etc/nodogsplash/htdocs/splash.html``
 
@@ -79,7 +79,6 @@ replaced by their values:
 
  (You should instead use a GET-method HTML form to send this   information to the nodogsplash server; see below.)
 
-* *$imagesdir* The directory in nodogsplash's web hierarchy where images to be displayed in the splash page must be located.
 * *$tok*, *$redir*, *$authaction*, and *$denyaction* are available and should be used to write the splash page to use a GET-method HTML form instead of using $authtarget as the value of an href attribute to communicate with the nodogsplash server.
 
  *$authaction* and *$denyaction* are virtual urls used to inform NDS that a client should be authenticated or deauthenticated and are of the form:
@@ -128,4 +127,4 @@ It should be noted when designing a custom splash page that for security reasons
 
  * Prohibit the execution of javascript.
 
-Also, note that any images you reference should reside in the subdirectory that is defined by *$imagesdir* (default: "images").
+Also, note that any images you reference should reside in the subdirectory /etc/nodogsplash/htdocs/images/.

docs/source/faq.rst

@@ -1,64 +1,105 @@
 Frequently Asked Questions
 ###########################
 
-What's the difference between v0.9, v1, v2 and v3?
-**************************************************
+What's the difference between v0.9, v1, v2, v3 and v4?
+******************************************************
 
-v0.9 and v1 are the same codebase with the same feature set.
+**v0.9 and v1** are the same codebase with the same feature set.
 If the documentation says something about v1, this is usually also valid
 for v0.9.
 
-v2 was developed before version v1 was released. In v2 the http code was replaced by libmicrohttpd and the template engine was rewritten. Many features became defunct because of this procedure.
+**v2** was developed before version v1 was released. In v2 the http code was replaced by libmicrohttpd and the template engine was rewritten. Many features became defunct because of this procedure.
 
-v3 cleans up the source code and adds three major new features,
+**v3** cleans up the source code and adds three major new features,
 
- 1. **FAS**, a forwarding authentication service. FAS supports development of "Credential Verification" running on any dynamic web serving platform, on the same device as Nodogsplash, on another device on the local network, or on an Internet hosted web server.
+ * **FAS**
 
- 2. **PreAuth**, an implementation of FAS running on the same device as Nodogsplash and using Nogogsplash's own web server to generate dynamic web pages. Any scripting language or even a compiled application program can be used. This has the advantage of not requiring the resources of a separate web server.
+  A forwarding authentication service. FAS supports development of "Credential Verification" running on any dynamic web serving platform, on the same device as Nodogsplash, on another device on the local network, or on an Internet hosted web server.
 
- 3. **BinAuth**, enabling an external script to be called for simple username/password authentication as well as doing post authentication processing such as setting session durations. This is similar to the old binvoucher feature, but more flexible.
+ * **PreAuth**
 
-In addition, in v3, the ClientTimeout setting was split into PreauthIdleTimeout and AuthIdleTimeout and for the ClientForceTimeout setting, SessionTimeout is now used instead.
+  An implementation of FAS running on the same device as Nodogsplash and using Nogogsplash's own web server to generate dynamic web pages. Any scripting language or even a compiled application program can be used. This has the advantage of not requiring the resources of a separate web server.
 
-Can I update from v0.9 to v1
-****************************
+ * **BinAuth**
+
+  Enabling an external script to be called for simple username/password authentication as well as doing post authentication processing such as setting session durations. This is similar to the old binvoucher feature, but more flexible.
+
+ In addition, in v3, the ClientTimeout setting was split into PreauthIdleTimeout and AuthIdleTimeout and for the ClientForceTimeout setting, SessionTimeout is now used instead.
+
+**v4** continues to add enhancements towards improving NDS as a Captive Portal Engine that can be used in the development of custom solutions.
+
+ Two major new features are introduced.
+
+ * **FAS FQDN**
+
+  Enabling simple configuration for a FAS running on a remote shared web hosting server.
+
+ * **FAS secure level 2**
+
+  Enabling aes256cbc encryption on NDS data transferred to remote FAS, thus preventing knowledgable client users from bypassing verification.
+
+Can I update from v0.9 to v1?
+*****************************
 
 Updating to v1.0.0 and v1.0.1, this is a very smooth update with full compatibility.
 
 Updating to 1.0.2 requires iptables v1.4.21 or above.
 
-Can I update from v0.9/v1 to v2.0.0
-***********************************
+Can I update from v0.9/v1 to v2.0.0?
+************************************
 
 You can, if:
 
 * You don't use BinVoucher
 * You have iptables v1.4.21 or above
 
 
-Can I update from v0.9/v1/v2 to v3.0.0
-**************************************
+Can I update from v0.9/v1/v2 to v3.0.0?
+***************************************
 
 You can, if:
 
 * You don't use BinVoucher
 * You have iptables v1.4.21 or above
 * You use the new options contained in the version 3 configuration file
 
-I would like to use QoS or TrafficControl on OpenWrt
-****************************************************
+Can I update from v0.9/v1/v2/v3 to v4.0.0?
+******************************************
+
+You can, if:
+
+* You don't use BinVoucher
+* You have iptables v1.4.21 or above
+* You use the new options contained in the version 4 configuration file
+
+
+How do I use QoS or TrafficControl on OpenWrt?
+**********************************************
 
 The original pre version 1 feature has been broken since OpenWrt 12.09 (Attitude Adjustment), because the IMQ (Intermediate queueing device) is no longer supported.
 
  **Pull Requests are welcome!**
 
-However the OpenWrt package, SQM Scripts (Smart Queue Management), is fully compatible with Nodogsplash and if configured to operate on the Nodogsplash interface (br-lan by default) will provide efficient IP connection based traffic control to ensure fair usage of available bandwidth.
+ However the OpenWrt package, SQM Scripts (Smart Queue Management), is fully compatible with Nodogsplash and if configured to operate on the Nodogsplash interface (br-lan by default) will provide efficient IP connection based traffic control to ensure fair usage of available bandwidth.
 
 Is https capture supported?
-******************************
-
+***************************
 **No**. Because all connections would have a critical certificate failure.
 
-HTTPS web sites are now more or less a standard and to maintain security and user confidence it is essential that captive portals **DO NOT** attempt to capture port 443.
+ HTTPS web sites are now more or less a standard and to maintain security and user confidence it is essential that captive portals **DO NOT** attempt to capture port 443.
+
+What is CPD / Captive Portal Detection?
+***************************************
+CPD (Captive Portal Detection) has evolved as an enhancement to the network manager component included with major Operating Systems (Linux, Android, iOS/macOS, Windows).
+
+ Using a pre-defined port 80 web page (which one gets used depends on the vendor) the network manager will detect the presence of a captive portal hotspot and notify the user. In addition, most major browsers now support CPD.
+
+**It should be noted** when designing a custom splash page that for security reasons many client device CPD implementations:
+
+ * Immediately close the browser when the client has authenticated.
+
+ * Prohibit the use of href links.
+
+ * Prohibit downloading of external files (including .css and .js, even if they are allowed in NDS firewall settings).
 
-**Captive Portal Detection** (CPD) has evolved as an enhancement to the network manager component included with major Operating Systems (Linux, Android, iOS/macOS, Windows). Using a pre-defined port 80 web page (depending on the vendor) the network manager will detect the presence of a captive portal hotspot and notify the user. In addition, most major browsers now support CPD.
+ * Prohibit the execution of javascript.