Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Rob White <rob@blue-wave.net>
1 parent 4e78711, commit 572b91a
Showing 11 changed files with 44 additions and 142 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,18 @@ | ||
TODO List | ||
######### | ||
|
||
Not all features are finished or working as properly as they should. | ||
Not all features are finished or working as properly or as efficiently as they should. | ||
Here is a list of things that need to be improved: | ||
|
||
* While (un-) block/trust/allow via the ndsctl tool take effect, the state object of the client in NDS is not affected. | ||
Both systems still need to be connected (in src/auth.c). | ||
|
||
* Show a site when the users authentication was rejected, e.g. because the user exeeded the quota | ||
* Include blocked and trusted clients in the client list - so that they can be managed. | ||
|
||
* Traffic control is still broken since a long time now. | ||
* Extend Status processing to display a page when a user's authentication is rejected, e.g. because the user exceeded a quota or is blocked etc. | ||
|
||
* The code in src/http_microhttpd.c is a mess that has probably a lot of missed edge cases. | ||
* Implement Traffic control on a user by user basis. This functionality was originally available but has been broken for many years. | ||
|
||
* Include blocked and trusted clients in the client list - so that they can be managed. | ||
* The code in src/http_microhttpd.c has evolved from previous versions and possibly has some missed edge cases. It would benefit from a rewrite to improve maintainability as well as performance. | ||
|
||
* ip version 6 is not currently supported by NDS. It is not essential or advantageous to have in the short term but should be added at some time in the future. |
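Review bot: the first entry (block/trust/allow issued via ndsctl not reaching the client's state object in NDS, "both systems still need to be connected (in src/auth.c)") is the only item left untouched while every other item is reworded, yet it is the one with an enforcement consequence: an operator's block or untrust may not affect a client session that is already authenticated until the two paths are joined. Consider spelling that consequence out in the item so it is not read as a cosmetic inconsistency, and keeping it at the top of the list. Likewise, "possibly has some missed edge cases" for src/http_microhttpd.c would be more actionable if the edge cases that are actually known were listed, since that file handles every incoming client request.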
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,122 +1,6 @@ | ||
Forwarding Authentication Service (FAS) | ||
####################################### | ||
|
||
Overview | ||
******** | ||
Full documentation can be found here: | ||
|
||
Nodogsplash (NDS) supports external (to NDS) authentication service via simple configuration options. | ||
|
||
These options are: | ||
1. **fasport**. This enables Forwarding Authentication Service (FAS). Redirection is changed from splash.html to a FAS. The value is the IP port number of the FAS. | ||
2. **fasremoteip**. If set, this is the remote ip address of the FAS, if not set it will take the value of the NDS gateway address. | ||
3. **faspath**. This is the path to the login page on the FAS. | ||
4. **fas_secure_enable**. If set to "1", authaction and the client token are not revealed and it is the responsibility of the FAS to request the token from NDSCTL. If set to "0", the client token is sent to the FAS in clear text in the query string of the redirect along with authaction and redir. | ||
|
||
|
||
Using FAS | ||
********* | ||
When FAS is enabled, NDS automatically configures access to the FAS service. | ||
|
||
The FAS service must serve an http splash of its own to replace the NDS splash.html. | ||
Typically, the FAS service will be written in PHP or any other language that can provide dynamic web content. | ||
|
||
FAS can then provide an action form for the client, typically requesting login, or self account creation for login. | ||
|
||
The FAS can be on the same device as NDS, on the same local area network as NDS, or on an Internet hosted web server. | ||
|
||
If FAS Secure is enabled, NDS will supply only the gateway name, the client IP address and the originally requested URL. | ||
|
||
It is the responsibility of FAS to obtain the unique client token allocated by NDS. | ||
|
||
If the client successfully authenticates in the FAS, FAS will return the unique token to NDS to finally allow the client access to the Internet. | ||
|
||
If FAS Secure is disabled, the token is sent to FAS as clear text. | ||
|
||
A FAS on the local network can obtain the user token by requesting it from NDS, using, for example SSH. | ||
|
||
A Secure Internet based FAS is best implemented as a two stage process, first using a local FAS, that in turn accesses an https remote FAS using tools such as curl or wget. | ||
|
||
Running FAS on your Nodogsplash router | ||
************************************** | ||
|
||
A FAS service will run quite well on uhttpd (the web server that serves Luci) on an OpenWrt supported device with 8MB flash and 32MB ram but shortage of ram may well be an issue if more than two or three clients log in at the same time. | ||
|
||
For this reason a device with a minimum of 8MB flash and 64MB ram is recommended. | ||
|
||
**Running on uhttpd with PHP**: | ||
|
||
Install the modules php7 and php7-cgi on LEDE for a simple example. Further modules may be required depending on your requirements. | ||
|
||
To enable php in uhttpd you must add the line: | ||
|
||
``list interpreter ".php=/usr/bin/php-cgi"`` | ||
|
||
to the /etc/config/uhttpd file in the config uhttpd 'main' or first section. | ||
|
||
The two important NDS options to set will be: | ||
|
||
1. fasport. By default this will be port 80 for uhttpd | ||
|
||
2. faspath. Set to, for example, /myfas/fas.php, | ||
your FAS files being placed in /www/myfas/ | ||
|
||
**Note 1**: | ||
|
||
A typical Internet hosted Apache/PHP shared server will be set up to serve multiple domain names. | ||
|
||
To access yours, use: | ||
|
||
fasremoteip = the ip address of the remote server | ||
|
||
and, for example, | ||
|
||
faspath = /domainname/pathto/myfas/fas.php | ||
|
||
or | ||
|
||
faspath = /accountname/pathto/myfas/fas.php | ||
|
||
If necessary, contact your hosting service provider. | ||
|
||
|
||
**Note 2:** | ||
|
||
The configuration file /etc/config/nodogsplash contains the line "option enabled 1". | ||
|
||
If you have done something wrong and locked yourself out, you can still SSH to your router and stop NoDogSplash (ndsctl stop) to fix the problem. | ||
|
||
Using the simple example files | ||
****************************** | ||
|
||
Assuming you want to run the FAS example demo locally under uhttpd on the same OpenWrt device that is running NDS, configured as above, do the following. | ||
|
||
(Under other operating systems you may need to edit the nodogsplash.conf file in /etc/nodogsplash instead, but the process is very similar.) | ||
|
||
First you should optain the demo files by downloading the Nodogsplash zip file from | ||
|
||
https://github.com/nodogsplash/nodogsplash/ | ||
|
||
Then extract the php files from the folder | ||
|
||
``"forward_authentication_service/nodog/"`` | ||
|
||
OpenWrt and uhttpd: | ||
|
||
* Create a folder | ||
|
||
``/www/nodog/`` | ||
|
||
* Place the files fas.php, landing.php, css.php, querycheck.php, tos.php, users.dat in | ||
|
||
``/www/nodog/`` | ||
|
||
* Edit | ||
|
||
``/etc/config/nodogsplash`` | ||
|
||
adding the lines: | ||
- option fasport '80' | ||
- option faspath '/nodog/fas.php' | ||
- option fas_secure_enabled '0' | ||
|
||
* Restart NDS using the command "service nodogsplash restart". | ||
https://nodogsplashdocs.readthedocs.io/en/stable/fas.html |
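Review bot: the removed text is the only in-tree statement that fas_secure_enable set to "0" sends the client token in clear text in the query string of the redirect, together with authaction and redir, and the removed walkthrough then told readers to set `option fas_secure_enabled '0'`. Replacing all of it with a single link is fine for maintenance, but the README ships with the package while the link does not, so the remaining six lines should at least keep a one-sentence pointer that the insecure mode exposes the token and that the secure mode requires the FAS to fetch it from ndsctl. Note also that the removed lines spell the option two ways, `fas_secure_enable` in the option list and `fas_secure_enabled` in the example; whichever the config parser accepts, make sure the linked readthedocs page (which was presumably derived from this text) uses the correct one.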