NDS: Version 3.2.1

Signed-off-by: Rob White <rob@blue-wave.net>

ChangeLog

@@ -4,6 +4,7 @@ nodogsplash (3.2.1)
   * print sesssion duration as 0 in "ndsctl json" and "ndsctl clients" output when a session has not been started [mwarning]
   * rework html templater to speed up splash page generation [mwarning]
   * FAS documentation updates [bluewavenet]
+  * Add CSS file and update splash and status html [bluewavenet]
 
  -- Moritz Warning <moritzwarning@web.de>  Wed, 26 Sep 2018 15:04:05 +0000
 

README.md

@@ -9,7 +9,7 @@ It was derived originally from the codebase of the Wifi Guard Dog project.
 Nodogsplash is released under the GNU General Public License.
 
 * Mailing List: http://ml.ninux.org/mailman/listinfo/nodogsplash
-* Original Homepage: http://kokoro.ucsd.edu/nodogsplash
+* Original Homepage (no longer available): http://kokoro.ucsd.edu/nodogsplash
 * Wifidog: http://dev.wifidog.org/
 * GNU GPL: http://www.gnu.org/copyleft/gpl.html
 
@@ -31,20 +31,22 @@ Customising the page seen by users is a simple matter of editing the simple defa
 
 All modern mobile devices, most desktop operating systems and most browsers now have a Captive Portal Detection process that automatically issues a port 80 request on connection to a network. Nodogsplash detects this and serves a 'splash' web page.
 
-The splash page in its most basic form, contains a Continue button. When the user clicks on it, access to the internet is granted subject to a preset time interval.
+The splash page in its most basic form, contains a *Continue* button. When the user clicks on it, access to the Internet is granted subject to a preset time interval.
 
-Nodogsplash does not currently support traffic control but is fully compatible with other stand alone systems such as SQM scripts.
+Nodogsplash does not currently support traffic control but is fully compatible with other stand alone systems such as Smart Queue Management (SQM).
 
 **Nodogsplash supports multiple means of authentication**:
 
-- Click the submit button (default)
+- Click the *Continue* button (default)
 - Call an external script that may accept username/password and set session durations per user.
 - Forwarding authentication to an external service
 
 
 ## 2. Documentation
 
-For additonal documentation please look at https://nodogsplashdocs.rtfd.io/
+For additional documentation please look at https://nodogsplashdocs.rtfd.io/
+
+You can select either *Stable* or *Latest* documentation.
 
 ---
 

debian/changelog

@@ -4,6 +4,7 @@ nodogsplash (3.2.1) stable; urgency=medium
   * print sesssion duration as 0 in "ndsctl json" and "ndsctl clients" output when a session has not been started [mwarning]
   * rework html templater to speed up splash page generation [mwarning]
   * FAS documentation updates [bluewavenet]
+  * Add CSS file and update splash and status html [bluewavenet]
 
  -- Moritz Warning <moritzwarning@web.de>  Wed, 26 Sep 2018 15:04:05 +0000
 

docs/source/compile.rst

@@ -24,7 +24,7 @@ After compiling you can call ``make install`` to install nodogsplash to /usr/
 OpenWrt
 *******
 
-To compile nodogsplash please use the package definiton from the feeds package.
+To compile nodogsplash please use the package definition from the feeds package.
 
 .. code::
 
@@ -34,7 +34,7 @@ To compile nodogsplash please use the package definiton from the feeds package.
    ./scripts/feeds install
    ./scripts/feeds install nodogsplash
 
-Select the appropiate "Target System" and "Target Profile" in the menuconfig menu and build the image.
+Select the appropriate "Target System" and "Target Profile" in the menuconfig menu and build the image.
 
 .. code::
 

docs/source/conf.py

@@ -60,9 +60,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '3.2.0'
+version = '3.2.1'
 # The full version, including alpha/beta/rc tags.
-release = '3.2.0'
+release = '3.2.1'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/source/customize.rst

@@ -105,7 +105,7 @@ replaced by their values:
   of the client or gateway. This might be useful in cases where the data
   needs to be forwarded to some other place by the splash page itself.
 
-* *$nclients* and *$maxclients* User stats. Usefull when you need to
+* *$nclients* and *$maxclients* User stats. Useful when you need to
   display something like "n of m users online" on the splash site.
 
 * *$uptime* The time Nodogsplash has been running.
@@ -117,3 +117,15 @@ replaced by their values:
  ``/etc/nodogsplash/htdocs/status.html``
 
  In the status.html file, the same variables as in the splash.html site can be used.
+
+It should be noted when designing a custom splash page that for security reasons many client device CPD implementations:
+
+ * Immediately close the browser when the client has authenticated.
+
+ * Prohibit the use of href links.
+
+ * Prohibit downloading of external files (including .css and .js, even if they are allowed in NDS firewall settings).
+
+ * Prohibit the execution of javascript.
+
+Also, note that any images you reference should reside in the subdirectory that is defined by *$imagesdir* (default: "images").

docs/source/faq.rst

@@ -5,7 +5,7 @@ What's the difference between v0.9, v1, v2 and v3?
 **************************************************
 
 v0.9 and v1 are the same codebase with the same feature set.
-If the documentation says something about v1, this is usally also valid
+If the documentation says something about v1, this is usually also valid
 for v0.9.
 
 v2 was developed before version v1 was released. In v2 the http code was replaced by libmicrohttpd and the template engine was rewritten. Many features became defunct because of this procedure.
@@ -52,7 +52,7 @@ The original pre version 1 feature has been broken since OpenWrt 12.09 (Attitude
 
  **Pull Requests are welcome!**
 
-However the OpenWrt package, SQM Scripts, is fully compatible with Nodogsplash and if configured to operate on the Nodogsplash interface (br-lan by default) will provide efficient IP connection based traffic control to ensure fair usage of available bandwidth.
+However the OpenWrt package, SQM Scripts (Smart Queue Management), is fully compatible with Nodogsplash and if configured to operate on the Nodogsplash interface (br-lan by default) will provide efficient IP connection based traffic control to ensure fair usage of available bandwidth.
 
 Is https capture supported?
 ******************************
@@ -61,4 +61,4 @@ Is https capture supported?
 
 HTTPS web sites are now more or less a standard and to maintain security and user confidence it is essential that captive portals **DO NOT** attempt to capture port 443.
 
-**Captive Portal Detection** (CPD) has evolved as an enhancement to the network manager component included with major Operating Systems (Linux, Android, iOS/macOS, Windows). Using a pre defined port 80 web page (that depends upon the vendor) the network manager will detect the presence of a captive portal hotspot and notify the user. In addition, most major browsers now support CPD.
+**Captive Portal Detection** (CPD) has evolved as an enhancement to the network manager component included with major Operating Systems (Linux, Android, iOS/macOS, Windows). Using a pre-defined port 80 web page (depending on the vendor) the network manager will detect the presence of a captive portal hotspot and notify the user. In addition, most major browsers now support CPD.

docs/source/howitworks.rst

@@ -13,7 +13,7 @@ A wireless router, typically running OpenWrt or some other Linux distribution, h
 
  The user of the client device will then be expected to complete some actions on the splash page, such as accepting terms of service, entering a username and password etc. (this will of course be on either the basic NDS splash.html or the page presented by the FAS, depending on the NDS configuration).
 
- Once the user on the client device has sucessfully completed the splash page actions, the page then links directly, with a query string, to an NDS virtual http directory provided by NDS's built in web server.
+ Once the user on the client device has successfully completed the splash page actions, the page then links directly, with a query string, to an NDS virtual http directory provided by NDS's built in web server.
 
  For security, NDS expects to receive the same valid token it allocated when the client issued its initial port 80 request. If the token received is valid, NDS then "authenticates" the client device, allowing access to the Internet.
 
@@ -38,7 +38,7 @@ Nodogsplash considers four kinds of packets coming into the router over the mana
  1. **Blocked**, if the MAC mechanism is block, and the source MAC address of the packet matches one listed in the BlockedMACList; or if the MAC mechanism is allow, and source MAC address of the packet does not match one listed in the AllowedMACList or the TrustedMACList. These packets are dropped.
  2. **Trusted**, if the source MAC address of the packet matches one listed in the TrustedMACList. By default, these packets are accepted and routed to all destination addresses and ports. If desired, this behavior can be customized by FirewallRuleSet trusted-users and FirewallRuleSet trusted-users-to-router lists in the nodogsplash.conf configuration file, or by the EmptyRuleSetPolicy trusted-users EmptyRuleSetPolicy trusted-users-to-router directives.
  3. **Authenticated**, if the packet's IP and MAC source addresses have gone through the nodogsplash authentication process and has not yet expired. These packets are accepted and routed to a limited set of addresses and ports (see FirewallRuleSet authenticated-users and FirewallRuleSet users-to-router in the nodogsplash.conf configuration file).
- 4. **Preauthenticated**. Any other packet. These packets are accepted and routed to a limited set of addresses and ports (see FirewallRuleSet      preauthenticated-users and FirewallRuleSet users-to-router in the nodogsplash.conf configuration file). Any other packet is dropped, except that a packet for destination port 80 at any address is redirected to port 2050 on the router, where nodogsplash's builtin libhttpd-based web server is listening. This begins the 'authentication' process. The server will serve a splash page back to the source IP address of the packet. The user clicking the appropriate link on the splash page will complete the process, causing future packets from this IP/MAC address to be marked as Authenticated until the inactive or forced timeout is reached, and its packets revert to being Preauthenticated.
+ 4. **Preauthenticated**. Any other packet. These packets are accepted and routed to a limited set of addresses and ports (see FirewallRuleSet      preauthenticated-users and FirewallRuleSet users-to-router in the nodogsplash.conf configuration file). Any other packet is dropped, except that a packet for destination port 80 at any address is redirected to port 2050 on the router, where nodogsplash's built in libhttpd-based web server is listening. This begins the 'authentication' process. The server will serve a splash page back to the source IP address of the packet. The user clicking the appropriate link on the splash page will complete the process, causing future packets from this IP/MAC address to be marked as Authenticated until the inactive or forced timeout is reached, and its packets revert to being Preauthenticated.
 
 
  Nodogsplash implements these actions by inserting rules in the router's iptables mangle PREROUTING chain to mark packets, and by inserting rules in the nat PREROUTING, filter INPUT and filter FORWARD chains which match on those marks.
@@ -48,6 +48,6 @@ Nodogsplash considers four kinds of packets coming into the router over the mana
 Traffic control
 ***************
 
-Data rate control on an IP connection basis can be achived using SQM scripts configured separately, with NDS being fully compatible.
+Data rate control on an IP connection basis can be achieved using Smart Queue Management (SQM) configured separately, with NDS being fully compatible.
 
 It should be noted that while setup options and binauth do accept traffic/quota settings, these values currently have no effect and are reserved for future development.

docs/source/overview.rst

@@ -14,12 +14,12 @@ Customising the page seen by users is a simple matter of editing the simple defa
 
 All modern mobile devices, most desktop operating systems and most browsers now have a Captive Portal Detection process that automatically issues a port 80 request on connection to a network. Nodogsplash detects this and serves a 'splash' web page.
 
-The splash page in its most basic form, contains a Continue button. When the user clicks on it, access to the internet is granted subject to a preset time interval.
+The splash page in its most basic form, contains a *Continue* button. When the user clicks on it, access to the Internet is granted subject to a preset time interval.
 
-Nodogsplash does not currently support traffic control but is fully compatible with other stand alone systems such as SQM scripts.
+Nodogsplash does not currently support traffic control but is fully compatible with other stand alone systems such as Smart Queue Management (SQM).
 
 **Nodogsplash supports multiple means of authentication**:
 
-- Click the submit button (default)
+- Click the *Continue* button (default)
 - Call an external script that may accept username/password and set session durations per user.
 - Forwarding authentication to an external service

docs/source/todo.rst

@@ -1,16 +1,18 @@
 TODO List
 #########
 
-Not all features are finished or working as properly as they should.
+Not all features are finished or working as properly or as efficiently as they should.
 Here is a list of things that need to be improved:
 
 * While (un-) block/trust/allow via the ndsctl tool take effect, the state object of the client in NDS is not affected.
   Both systems still need to be connected (in src/auth.c).
 
-* Show a site when the users authentication was rejected, e.g. because the user exeeded the quota
+* Include blocked and trusted clients in the client list - so that they can be managed.
 
-* Traffic control is still broken since a long time now.
+* Extend Status processing to display a page when a user's authentication is rejected, e.g. because the user exceeded a quota or is blocked etc.
 
-* The code in src/http_microhttpd.c is a mess that has probably a lot of missed edge cases.
+* Implement Traffic control on a user by user basis. This functionality was originally available but has been broken for many years.
 
-* Include blocked and trusted clients in the client list - so that they can be managed.
+* The code in src/http_microhttpd.c has evolved from previous versions and possibly has some missed edge cases. It would benefit from a rewrite to improve maintainability as well as performance.
+
+* ip version 6 is not currently supported by NDS. It is not essential or advantageous to have in the short term but should be added at some time in the future.

forward_authentication_service/FAS-Docs/readme

@@ -1,122 +1,6 @@
 Forwarding Authentication Service (FAS)
 #######################################
 
-Overview
-********
+Full documentation can be found here:
 
-Nodogsplash (NDS) supports external (to NDS) authentication service via simple configuration options.
-
-These options are:
- 1. **fasport**. This enables Forwarding Authentication Service (FAS). Redirection is changed from splash.html to a FAS. The value is the IP port number of the FAS.
- 2. **fasremoteip**. If set, this is the remote ip address of the FAS, if not set it will take the value of the NDS gateway address.
- 3. **faspath**. This is the path to the login page on the FAS.
- 4. **fas_secure_enable**. If set to "1", authaction and the client token are not revealed and it is the responsibility of the FAS to request the token from NDSCTL. If set to "0", the client token is sent to the FAS in clear text in the query string of the redirect along with authaction and redir.
-
-
-Using FAS
-*********
-When FAS is enabled, NDS automatically configures access to the FAS service.
-
-The FAS service must serve an http splash of its own to replace the NDS splash.html.
-Typically, the FAS service will be written in PHP or any other language that can provide dynamic web content.
-
-FAS can then provide an action form for the client, typically requesting login, or self account creation for login.
-
-The FAS can be on the same device as NDS, on the same local area network as NDS, or on an Internet hosted web server.
-
-If FAS Secure is enabled, NDS will supply only the gateway name, the client IP address and the originally requested URL.
-
-It is the responsibility of FAS to obtain the unique client token allocated by NDS.
-
-If the client successfully authenticates in the FAS, FAS will return the unique token to NDS to finally allow the client access to the Internet.
-
-If FAS Secure is disabled, the token is sent to FAS as clear text.
-
-A FAS on the local network can obtain the user token by requesting it from NDS, using, for example SSH.
-
-A Secure Internet based FAS is best implemented as a two stage process, first using a local FAS, that in turn accesses an https remote FAS using tools such as curl or wget.
-
-Running FAS on your Nodogsplash router
-**************************************
-
-A FAS service will run quite well on uhttpd (the web server that serves Luci) on an OpenWrt supported device with 8MB flash and 32MB ram but shortage of ram may well be an issue if more than two or three clients log in at the same time.
-
-For this reason a device with a minimum of 8MB flash and 64MB ram is recommended.
-
-**Running on uhttpd with PHP**:
-
- Install the modules php7 and php7-cgi on LEDE for a simple example. Further modules may be required depending on your requirements.
-
-To enable php in uhttpd you must add the line:
-
-  ``list interpreter ".php=/usr/bin/php-cgi"``
-
-to the /etc/config/uhttpd file in the config uhttpd 'main' or first section.
-
-The two important NDS options to set will be:
-
- 1. fasport. By default this will be port 80 for uhttpd
-
- 2. faspath. Set to, for example, /myfas/fas.php,
-    your FAS files being placed in /www/myfas/
-
-**Note 1**:
-
- A typical Internet hosted Apache/PHP shared server will be set up to serve multiple domain names.
-
- To access yours, use:
-
-  fasremoteip = the ip address of the remote server
-
-  and, for example,
-
-  faspath = /domainname/pathto/myfas/fas.php
-
-  or
-
-  faspath = /accountname/pathto/myfas/fas.php
-
- If necessary, contact your hosting service provider.
-
-
-**Note 2:**
-
- The configuration file /etc/config/nodogsplash contains the line "option enabled 1".
-
- If you have done something wrong and locked yourself out, you can still SSH to your router and stop NoDogSplash (ndsctl stop) to fix the problem.
-
-Using the simple example files
-******************************
-
-Assuming you want to run the FAS example demo locally under uhttpd on the same OpenWrt device that is running NDS, configured as above, do the following.
-
- (Under other operating systems you may need to edit the nodogsplash.conf file in /etc/nodogsplash instead, but the process is very similar.)
-
-First you should optain the demo files by downloading the Nodogsplash zip file from
-
- https://github.com/nodogsplash/nodogsplash/
-
-Then extract the php files from the folder
-
- ``"forward_authentication_service/nodog/"``
-
-OpenWrt and uhttpd:
-
- * Create a folder
-
-     ``/www/nodog/``
-
- * Place the files fas.php, landing.php, css.php, querycheck.php, tos.php, users.dat in
-
-  ``/www/nodog/``
-
- * Edit
-
-  ``/etc/config/nodogsplash``
-
-  adding the lines:
-    - option fasport '80'
-    - option faspath '/nodog/fas.php'
-    - option fas_secure_enabled '0'
-
- * Restart NDS using the command "service nodogsplash restart".
+https://nodogsplashdocs.readthedocs.io/en/stable/fas.html