Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Initial commit

  • Loading branch information...
commit 7ef260650a5b23835a5dcacf8ae0ab168780ada5 0 parents
Overrider authored
7 README.md
@@ -0,0 +1,7 @@
+openbsd-captive-portal
+======================
+
+This is a captive portal used with OpenBSD 5.2 meant to learn from and expand upon.
+
+Read the readmefirst.txt and headover to <a href="http://www.bsdguides.org/2012/build-a-captive-portal-with-openbsd">www.bsdguides.org</a>
+to learn more and get started using this for your own project.
8 etc/dhcpd.conf
@@ -0,0 +1,8 @@
+option domain-name "my.domain";
+option domain-name-servers 10.0.3.1;
+
+subnet 10.0.3.0 netmask 255.255.255.0 {
+ option routers 10.0.3.1;
+
+ range 10.0.3.100 10.0.3.150;
+}
1  etc/hostname.alc0
@@ -0,0 +1 @@
+inet 10.0.1.254 255.255.255.0 10.0.1.255 up
1  etc/hostname.athn0
@@ -0,0 +1 @@
+inet 10.0.3.1 255.255.255.0 10.0.3.255 media autoselect mediaopt hostap nwid CaptivePortal chan 11 up
1  etc/mygate
@@ -0,0 +1 @@
+10.0.1.2
36 etc/pf.conf
@@ -0,0 +1,36 @@
+# this PF works as a captive portal
+
+wired ="alc0"
+wireless = "athn0"
+
+wired_net = "{ 10.0.1.0/24 }"
+wireless_net = "{ 10.0.3.0/24 }"
+
+icmp_types = "{echoreq, unreach}"
+
+table <whitelist> persist file "/var/db/whitelist"
+
+set block-policy return
+set loginterface $wireless
+set skip on lo0
+
+#scrub in all
+
+# Handles NAT for the wireless clients
+match out on egress inet from !(egress:network) to any nat-to (egress:0)
+
+# Redirect everybody not the in the whitelist (everybody) to our captive portal
+# Uncomment to enable Captive Portal
+match in proto tcp from !<whitelist> to any port www rdr-to 127.0.0.1 port 80
+
+block log all
+
+pass out quick
+
+# Comment out to enable Captive Portal
+pass in quick
+
+pass in quick on { $wired $wireless } inet proto { tcp udp gre } from <whitelist> to any
+pass in quick on { $wired $wireless } inet proto { tcp } from any to { "127.0.0.1", $wireless } port { 22 53 80 }
+pass in quick on { $wired $wireless } inet proto { udp } from any to { "127.0.0.1", $wireless } port { 53 }
+pass in quick on { $wired $wireless } inet proto icmp all icmp-type $icmp_types keep state
5 etc/rc.conf.local
@@ -0,0 +1,5 @@
+dhcpd_flags="athn0"
+httpd_flags=""
+named_flags=""
+pf="YES"
+pkg_scripts="obsdcp"
19 etc/rc.d/obsdcp
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# $OpenBSD: obsdcp,v 1.1 2012/02/19 11:34:36 robert Exp $
+
+daemon="/usr/local/bin/obsdcp"
+
+. /etc/rc.d/rc.subr
+
+pexp="obsdcp"
+
+rc_check() {
+ pkill -0 -f "/usr/local/bin/obsdcp"
+}
+
+rc_stop() {
+ pkill -f "/usr/local/bin/obsdcp"
+}
+
+rc_cmd $1
2  etc/resolv.conf
@@ -0,0 +1,2 @@
+nameserver 127.0.0.1
+lookup file bind
49 etc/sysctl.conf
@@ -0,0 +1,49 @@
+# $OpenBSD: sysctl.conf,v 1.53 2012/05/31 15:04:03 sthen Exp $
+#
+# This file contains a list of sysctl options the user wants set at
+# boot time. See sysctl(3) and sysctl(8) for more information on
+# the many available variables.
+#
+net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
+#net.inet.ip.mforwarding=1 # 1=Permit forwarding (routing) of IPv4 multicast packets
+#net.inet.ip.multipath=1 # 1=Enable IP multipath routing
+#net.inet.icmp.rediraccept=1 # 1=Accept ICMP redirects
+#net.inet6.icmp6.rediraccept=1 # 1=Accept IPv6 ICMP redirects (for hosts)
+#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
+#net.inet6.ip6.mforwarding=1 # 1=Permit forwarding (routing) of IPv6 multicast packets
+#net.inet6.ip6.multipath=1 # 1=Enable IPv6 multipath routing
+#net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)
+#net.inet.tcp.always_keepalive=1 # 1=Keepalives for all connections (e.g. hotel/airport NAT)
+#net.inet.tcp.keepidle=100 # 100=send TCP keepalives every 50 seconds
+#net.inet.tcp.rfc1323=0 # 0=Disable TCP RFC1323 extensions (for if tcp is slow)
+#net.inet.tcp.rfc3390=0 # 0=Disable RFC3390 for TCP window increasing
+#net.inet.esp.enable=0 # 0=Disable the ESP IPsec protocol
+#net.inet.ah.enable=0 # 0=Disable the AH IPsec protocol
+#net.inet.esp.udpencap=0 # 0=Disable ESP-in-UDP encapsulation
+#net.inet.ipcomp.enable=1 # 1=Enable the IPCOMP protocol
+#net.inet.etherip.allow=1 # 1=Enable the Ethernet-over-IP protocol
+#net.inet.tcp.ecn=1 # 1=Enable the TCP ECN extension
+#net.inet.carp.preempt=1 # 1=Enable carp(4) preemption
+#net.inet.carp.log=3 # log level of carp(4) info, default 2
+#ddb.panic=0 # 0=Do not drop into ddb on a kernel panic
+#ddb.console=1 # 1=Permit entry of ddb from the console
+#fs.posix.setuid=0 # 0=Traditional BSD chown() semantics
+#vm.swapencrypt.enable=0 # 0=Do not encrypt pages that go to swap
+#vfs.nfs.iothreads=4 # Number of nfsio kernel threads
+#net.inet.ip.mtudisc=0 # 0=Disable tcp mtu discovery
+#kern.usercrypto=1 # 1=Enable userland use of /dev/crypto
+#kern.userasymcrypto=1 # 1=Permit userland to do asymmetric crypto
+#kern.splassert=2 # 2=Enable with verbose error messages
+#kern.nosuidcoredump=2 # 2=Put suid coredumps in /var/crash
+#kern.watchdog.period=32 # >0=Enable hardware watchdog(4) timer if available
+#kern.watchdog.auto=0 # 0=Disable automatic watchdog(4) retriggering
+#kern.pool_debug=0 # 0=Disable pool corruption checks (faster)
+#hw.allowpowerdown=0 # 0=Disable power button shutdown
+machdep.allowaperture=2 # See xf86(4)
+#machdep.apmhalt=1 # 1=powerdown hack, try if halt -p doesn't work
+#machdep.kbdreset=1 # permit console CTRL-ALT-DEL to do a nice halt
+#machdep.lidsuspend=1 # laptop lid closes cause a suspend
+#machdep.userldt=1 # allow userland programs to play with ldt,
+ # required by some ports
+#kern.emul.aout=1 # enable running dynamic OpenBSD a.out bins
+#kern.emul.linux=1 # enable running Linux binaries
72 install.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+echo "IMPORTANT!!!"
+echo "Running this may overwrite important configuration files"
+echo "such as /etc/pf.conf /etc/dhcpd.conf /var/named/etc/named.conf"
+echo "It is probably better to adjust and copy the config files manually"
+echo "Either way, you want to read trough this script first and see what it does"
+
+echo -n "Hit enter to continue or CTRL+C to cancel"
+read GOAHEAD
+
+echo "Copying Files, wait a few moments..."
+
+cp etc/rc.conf.local /etc/
+cp etc/pf.conf /etc/
+touch /var/db/whitelist
+cp etc/dhcpd.conf /etc/
+cp etc/hostname.athn0 /etc/
+cp etc/hostname.alc0 /etc/
+cp etc/mygate /etc/
+cp etc/sysctl.conf /etc/
+cp etc/rc.d/obsdcp /etc/rc.d/
+cp etc/resolv.conf /etc/
+
+cp usr/local/bin/obsdcp /usr/local/bin/
+
+cp var/www/conf/Obsdcp_config.pm /var/www/conf/
+cp var/www/conf/httpd.conf /var/www/conf/
+cp var/www/conf/obsdcp_allow.txt /var/www/conf/
+cp var/www/conf/obsdcp_queue.txt /var/www/conf/
+
+cp var/www/htdocs/* /var/www/htdocs/
+cp var/www/htdocs/.htaccess /var/www/htdocs/
+
+cp var/named/etc/named.conf /var/named/etc/
+cp var/named/etc/rndc.conf /var/named/etc/
+cp var/named/etc/rndc.key /var/named/etc/
+
+if [[ ! -e /var/www/usr ]]; then
+ mkdir /var/www/usr
+fi
+
+if [[ ! -e /var/www/usr/bin ]]; then
+ mkdir /var/www/usr/bin
+fi
+
+if [[ ! -e /var/www/usr/lib ]]; then
+ mkdir /var/www/usr/lib
+fi
+
+if [[ ! -e /var/www/usr/libdata ]]; then
+ mkdir /var/www/usr/libdata
+fi
+
+if [[ ! -e /var/www/usr/libexec ]]; then
+ mkdir /var/www/usr/libexec
+fi
+
+cp /usr/bin/perl /var/www/usr/bin/
+cp /usr/lib/libperl.so.* /var/www/usr/lib/
+cp /usr/lib/libm.so.* /var/www/usr/lib/
+cp /usr/lib/libutil.so.* /var/www/usr/lib/
+cp /usr/lib/libc.so.* /var/www/usr/lib/
+cp /usr/libexec/ld.so /var/www/usr/libexec/
+cp -r /usr/libdata/perl5 /var/www/usr/libdata/
+
+echo "----"
+echo "Done"
+echo "Now adjust the configuration files to your needs and reboot"
+echo "Make sure the /etc/hostname.if files are correct and match your interfaces"
+echo "Make sure the right route is set in /etc/mygate"
+echo "Make sure /etc/dhcpd.conf is per your liking"
13 license.txt
@@ -0,0 +1,13 @@
+Copyright (c) 2012 David Schulz admin@bsdguides.org
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 readfirst.txt
@@ -0,0 +1,15 @@
+The files and folders are taken from a working setup.
+Blindly running install.sh could work for you without
+further configuration, if:
+
+ - You are running OpenBSD 5.2 i386
+ - Your wireless Network card was named athn0
+ - Your wired Network card was named alc0
+ - You wanted your wireless network to be 10.0.3.1/24
+ - Your wired network was 10.0.1.1/24
+ - Your default router was at 10.0.1.2
+ - You had no existing system configuration that mattered
+
+In all other cases, you will need to adjust the example config files
+to match your own setup, make backups of /etc/pf.conf etc, and only
+then copy over the given example configuration files.
178 usr/local/bin/obsdcp
@@ -0,0 +1,178 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use diagnostics;
+use Sys::Syslog;
+
+use lib '/var/www/conf/';
+use Obsdcp_config;
+
+my $debug = 0;
+
+$SIG{'INT' } = 'interrupt';
+$SIG{'QUIT'} = 'interrupt';
+$SIG{'HUP' } = 'interrupt';
+$SIG{'TRAP'} = 'interrupt';
+$SIG{'ABRT'} = 'interrupt';
+$SIG{'STOP'} = 'interrupt';
+$SIG{'TERM'} = 'interrupt';
+
+sub interrupt {
+ my($signal) = @_;
+ &logit('info', "Interrupt caught, shutting down");
+ exit(1);
+}
+
+&daemonize;
+
+&logit('info', "Starting up");
+
+# $queue is defined in Obsdcp_config.pm
+if( ! -e $queue ){
+ &logit('info', "$queue does no exist");
+ exit(1);
+}
+
+# $allow is defined in Obsdcp_config.pm
+if( ! -e $allow ){
+ &logit('info', "$allow does no exist");
+ exit(1);
+}
+
+# $whitelist is defined in Obsdcp_config.pm
+if( ! -e $whitelist ){
+ &logit('info', "$whitelist does not exist");
+ exit(1);
+}
+
+my $last_purge = time();
+
+while(1){
+ my $current_time = time();
+ my $queue_filesize = (stat($queue))[7];
+ if($queue_filesize > 0 || $current_time - $last_purge > $purge_interval){
+ &logit('info', "Processing Queue") if $debug;
+ &process_queue();
+ $last_purge = time();
+ }
+ sleep(5);
+}
+
+sub process_queue(){
+ my $current_timestamp = time();
+ my @queue;
+ open QUEUE, "<", $queue or &logit('info', "Cannot open $queue file") && exit;
+ while(<QUEUE>){
+ chomp;
+ push(@queue,$_);
+ }
+ close QUEUE;
+
+ open QUEUE, ">", $queue or &logit('info', "Cannot open $queue file") && exit;
+ close QUEUE;
+
+ my %allow;
+ open ALLOW, "<", $allow or &logit('info', "Cannot open $allow file") && exit;
+ foreach(<ALLOW>){
+ chomp;
+ my($ip_address,$mac_address,$timestamp) = split(/ /,$_);
+ if($current_timestamp - $timestamp < $expiry_time){
+ $allow{$ip_address} = $mac_address . " " . $timestamp;
+ } else {
+ &untie_mac($ip_address,$mac_address);
+ &logit('info', "Expired $ip_address");
+ }
+ }
+ close ALLOW;
+
+ foreach(@queue){
+ if(!exists($allow{$_})){
+ my $mac_address = &get_mac($_);
+ &tie_mac($_,$mac_address);
+ $allow{$_} = $mac_address . " " . $current_timestamp;
+ &logit('info', "Added $_");
+ } else {
+ &logit('info', "Skipping $_");
+ }
+ }
+
+ my @whitelist;
+
+ open ALLOW, ">",$allow or &logit('info', "Cannot open $allow file") && exit;
+ foreach my $ip_address (keys %allow){
+ print ALLOW "$ip_address $allow{$ip_address}\n";
+ push(@whitelist,$ip_address);
+ }
+ close ALLOW;
+
+ @whitelist = sort(@whitelist);
+ open WHITE, ">", $whitelist or &logit('info', "Cannot open $whitelist file") && exit;
+ foreach(@whitelist){
+ print WHITE $_ . "\n";
+ }
+ close WHITE;
+
+ reload_pf();
+}
+
+sub reload_pf(){
+ system("pfctl -f /etc/pf.conf");
+}
+
+sub get_mac($){
+ my $ip = shift;
+ chomp(my @arp_table = `arp -an`);
+ foreach(@arp_table){
+ my @arp_entry = split(" ",$_);
+ if($arp_entry[1] =~ /\($ip\)/){
+ return $arp_entry[3];
+ }
+ }
+ return 0;
+}
+
+sub daemonize {
+ use POSIX;
+ POSIX::setsid or die "setsid: $!";
+ my $pid = fork ();
+ if ($pid < 0) {
+ die "fork: $!";
+ } elsif ($pid) {
+ exit 0;
+ }
+ chdir "/";
+ umask 0;
+ foreach (0 .. (POSIX::sysconf (&POSIX::_SC_OPEN_MAX) || 1024))
+ { POSIX::close $_ }
+ open (STDIN, "</dev/null");
+ open (STDOUT, ">/dev/null");
+ open (STDERR, ">&STDOUT");
+}
+
+sub logit {
+ my ($priority, $msg) = @_;
+ return 0 unless ($priority =~ /info|err|debug/);
+ openlog("obsdcp", 'pid,cons', 'user');
+ syslog($priority, $msg);
+ closelog();
+ return 1;
+}
+
+# This ARP idea needs a lot more work
+# Not even sure how useful it is.
+# Maybe better would be to get PF filter by MAC
+
+sub tie_mac {
+# my $ip = shift;
+# my $mac = shift;
+# system("arp -s $ip $mac permanent");
+ return 1;
+}
+
+sub untie_mac {
+# my $ip = shift;
+# my $mac = shift;
+# system("arp -d $ip");
+ return 1;
+}
63 var/named/etc/named.conf
@@ -0,0 +1,63 @@
+acl clients {
+ localnets;
+ ::1;
+};
+
+key "rndc-key" {
+ algorithm hmac-md5;
+ secret "FbxGpQ7kUF55caHrmmeZwfbfqKaLF367DYsQnJuTcQA=";
+};
+
+controls {
+ inet 127.0.0.1 port 953
+ allow { 127.0.0.1; } keys { "rndc-key"; };
+};
+
+options {
+ version ""; // remove this to allow version queries
+ listen-on { any; };
+ listen-on-v6 { any; };
+ empty-zones-enable yes;
+ allow-recursion { clients; };
+};
+
+logging {
+ category lame-servers { null; };
+ channel query_info {
+ file "query.log" versions 3 size 10m;
+ severity info;
+ print-category yes;
+ print-time yes;
+ };
+ category queries { query_info; };
+ category resolver { query_info; };
+};
+
+# This is to setup a wifi trap
+#zone "." {
+# type master;
+# file "master/root.master";
+#};
+
+zone "." {
+ type hint;
+ file "etc/root.hint";
+};
+
+zone "localhost" {
+ type master;
+ file "standard/localhost";
+ allow-transfer { localhost; };
+};
+
+zone "127.in-addr.arpa" {
+ type master;
+ file "standard/loopback";
+ allow-transfer { localhost; };
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
+ type master;
+ file "standard/loopback6.arpa";
+ allow-transfer { localhost; };
+};
9 var/named/etc/rndc.conf
@@ -0,0 +1,9 @@
+key "rndc-key" {
+ algorithm hmac-md5;
+ secret "FbxGpQ7kUF55caHrmmeZwfbfqKaLF367DYsQnJuTcQA=";
+};
+options {
+ default-key "rndc-key";
+ default-server 127.0.0.1;
+ default-port 953;
+};
4 var/named/etc/rndc.key
@@ -0,0 +1,4 @@
+key "rndc-key" {
+ algorithm hmac-md5;
+ secret "43PacxW7/dPoubqn3ODq3Q==";
+};
33 var/www/conf/Obsdcp_config.pm
@@ -0,0 +1,33 @@
+#!/usr/bin/perl
+
+package Obsdcp_config;
+use strict;
+use warnings;
+use Exporter;
+
+our @ISA = 'Exporter';
+our @EXPORT = qw(%accounts $queue $whitelist_timeout $whitelist $allow $purge_interval $expiry_time);
+
+our %accounts;
+$accounts{'guest1'} = "guest1";
+$accounts{'guest2'} = "guest2";
+
+if($> == 0){
+ our $queue = "/var/www/conf/obsdcp_queue.txt";
+} else {
+ our $queue = "/conf/obsdcp_queue.txt";
+}
+
+# Time to allow authenticated client access before
+# removing him from the list again and asking for
+# re-auth. Default is 300 seconds = 5 minutes :-)
+our $expiry_time = 300;
+
+# How many times the process_obsdcp_queue program
+# checks for expired IPs and rewrites the allow
+# table. Lets make it every two minutes.
+our $purge_interval = 120;
+
+our $allow = "/var/www/conf/obsdcp_allow.txt";
+
+our $whitelist = "/var/db/whitelist";
1,113 var/www/conf/httpd.conf
@@ -0,0 +1,1113 @@
+# $OpenBSD: httpd.conf,v 1.26 2009/06/03 18:28:21 robert Exp $
+#
+# Based upon the NCSA server configuration files originally by Rob McCool.
+#
+# This is the main Apache server configuration file. It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://www.apache.org/docs/> for detailed information about
+# the directives.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do. They're here only as hints or reminders. If you are unsure
+# consult the online docs. You have been warned.
+#
+# After this file is processed, the server will look for and process
+# /var/www/conf/srm.conf and then /var/www/conf/access.conf
+# unless you have overridden these with ResourceConfig and/or
+# AccessConfig directives here.
+#
+# The configuration directives are grouped into three basic sections:
+# 1. Directives that control the operation of the Apache server process as a
+# whole (the 'global environment').
+# 2. Directives that define the parameters of the 'main' or 'default' server,
+# which responds to requests that aren't handled by a virtual host.
+# These directives also provide default values for the settings
+# of all virtual hosts.
+# 3. Settings for virtual hosts, which allow Web requests to be sent to
+# different IP addresses or hostnames and have them handled by the
+# same Apache server process.
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path. If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
+# with ServerRoot set to "/usr/local/apache" will be interpreted by the
+# server as "/usr/local/apache/logs/foo.log".
+#
+
+### Section 1: Global Environment
+#
+# The directives in this section affect the overall operation of Apache,
+# such as the number of concurrent requests it can handle or where it
+# can find its configuration files.
+#
+
+#
+# ServerType is either inetd, or standalone. Inetd mode is only supported on
+# Unix platforms.
+#
+ServerType standalone
+
+#
+# ServerTokens is either Full, OS, Minimal, or ProductOnly.
+# The values define what version information is returned in the
+# Server header in HTTP responses.
+#
+# ServerTokens ProductOnly
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# NOTE! If you intend to place this on an NFS (or otherwise network)
+# mounted filesystem then please read the LockFile documentation
+# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
+# you will save yourself a lot of trouble.
+#
+# Do NOT add a slash at the end of the directory path.
+#
+ServerRoot "/var/www"
+
+#
+# The LockFile directive sets the path to the lockfile used when Apache
+# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
+# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
+# its default value. The main reason for changing it is if the logs
+# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
+# DISK. The PID of the main server process is automatically appended to
+# the filename.
+#
+#LockFile logs/accept.lock
+
+#
+# PidFile: The file in which the server should record its process
+# identification number when it starts.
+#
+PidFile logs/httpd.pid
+#
+# ScoreBoardFile: File used to store internal server process information.
+# Not all architectures require this. But if yours does (you'll know because
+# this file will be created when you run Apache) then you *must* ensure that
+# no two invocations of Apache share the same scoreboard file.
+#
+ScoreBoardFile logs/apache_runtime_status
+
+#
+# In the standard configuration, the server will process httpd.conf,
+# srm.conf, and access.conf in that order. The latter two files are
+# now deprecated and not installed any more, as it is recommended that
+# all directives be kept in a single file for simplicity.
+#
+#ResourceConfig conf/srm.conf
+#AccessConfig conf/access.conf
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 300
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive On
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+KeepAliveTimeout 15
+
+#
+# Server-pool size regulation. Rather than making you guess how many
+# server processes you need, Apache dynamically adapts to the load it
+# sees --- that is, it tries to maintain enough server processes to
+# handle the current load, plus a few spare servers to handle transient
+# load spikes (e.g., multiple simultaneous requests from a single
+# Netscape browser).
+#
+# It does this by periodically checking how many servers are waiting
+# for a request. If there are fewer than MinSpareServers, it creates
+# a new spare. If there are more than MaxSpareServers, some of the
+# spares die off. The default values in httpd.conf-dist are probably OK
+# for most sites.
+#
+MinSpareServers 5
+MaxSpareServers 10
+
+#
+# Number of servers to start initially --- should be a reasonable ballpark
+# figure.
+#
+StartServers 5
+
+#
+# Limit on total number of servers running, i.e., limit on the number
+# of clients who can simultaneously connect --- if this limit is ever
+# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
+# It is intended mainly as a brake to keep a runaway server from taking
+# the system with it as it spirals down...
+#
+MaxClients 150
+
+#
+# MaxRequestsPerChild: the number of requests each child process is
+# allowed to process before the child dies. The child will exit so
+# as to avoid problems after prolonged use when Apache (and maybe the
+# libraries it uses) leak memory or other resources. On most systems, this
+# isn't really needed, but a few (such as Solaris) do have notable leaks
+# in the libraries.
+#
+MaxRequestsPerChild 0
+
+#
+# MaxFOOPerChild: these directives set the current and hard rlimits for
+# the child processes. Attempts to exceed them will cause the OS to
+# take appropriate action. See the setrlimit(2) and signal(3).
+#
+MaxCPUPerChild 0
+MaxDATAPerChild 0
+MaxNOFILEPerChild 0
+MaxRSSPerChild 0
+MaxSTACKPerChild 0
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, in addition to the default. See also the <VirtualHost>
+# directive.
+#
+#Listen 3000
+#Listen 12.34.56.78:80
+Listen *:80
+
+#
+# BindAddress: You can support virtual hosts with this option. This directive
+# is used to tell the server which IP address to listen to. It can either
+# contain "*", an IP address, or a fully qualified Internet domain name.
+# See also the <VirtualHost> and Listen directives.
+#
+BindAddress *
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Please read the file README.DSO in the Apache 1.3 distribution for more
+# details about the DSO mechanism and run `httpd -l' for the list of already
+# built-in (statically linked and thus always available) modules in your httpd
+# binary.
+#
+# Note: The order is which modules are loaded is important. Don't change
+# the order below without expert advice.
+#
+# Example:
+# LoadModule foo_module libexec/mod_foo.so
+
+# "anonymous" user access to authenticated areas
+# LoadModule anon_auth_module /usr/lib/apache/modules/mod_auth_anon.so
+
+# user authentication using Berkeley DB files
+# LoadModule db_auth_module /usr/lib/apache/modules/mod_auth_db.so
+
+# user authentication using DBM files
+# LoadModule dbm_auth_module /usr/lib/apache/modules/mod_auth_dbm.so
+
+# authentication using new-style MD5 Digest Authentication (experimental)
+# LoadModule digest_auth_module /usr/lib/apache/modules/mod_auth_digest.so
+
+# CERN httpd metafile semantics
+# LoadModule cern_meta_module /usr/lib/apache/modules/mod_cern_meta.so
+
+# configuration defines ($xxx)
+# LoadModule define_module /usr/lib/apache/modules/mod_define.so
+
+# user authentication using old-style MD5 Digest Authentication
+# LoadModule digest_module /usr/lib/apache/modules/mod_digest.so
+
+# generation of Expires HTTP headers according to user-specified criteria
+LoadModule expires_module /usr/lib/apache/modules/mod_expires.so
+
+# customization of HTTP response headers
+# LoadModule headers_module /usr/lib/apache/modules/mod_headers.so
+
+# comprehensive overview of the server configuration
+# LoadModule info_module /usr/lib/apache/modules/mod_info.so
+
+# logging of the client user agents (deprecated in favor of mod_log_config)
+# LoadModule agent_log_module /usr/lib/apache/modules/mod_log_agent.so
+
+# logging of referers (deprecated in favor of mod_log_config)
+# LoadModule referer_log_module /usr/lib/apache/modules/mod_log_referer.so
+
+# determining the MIME type of a file by looking at a few bytes of its contents
+# LoadModule mime_magic_module /usr/lib/apache/modules/mod_mime_magic.so
+
+# mmap()ing of a statically configured list of frequently requested but
+# not changed files (experimental)
+# LoadModule mmap_static_module /usr/lib/apache/modules/mod_mmap_static.so
+
+# rule-based rewriting engine to rewrite requested URLs on the fly
+LoadModule rewrite_module /usr/lib/apache/modules/mod_rewrite.so
+
+# attempt to correct misspellings of URLs that users might have entered
+# LoadModule speling_module /usr/lib/apache/modules/mod_speling.so
+
+# provides an environment variable with a unique identifier for each request
+# LoadModule unique_id_module /usr/lib/apache/modules/mod_unique_id.so
+
+# uses cookies to provide for a clickstream log of user activity on a site
+# LoadModule usertrack_module /usr/lib/apache/modules/mod_usertrack.so
+
+# dynamically configured mass virtual hosting
+# LoadModule vhost_alias_module /usr/lib/apache/modules/mod_vhost_alias.so
+
+# caching proxy
+# LoadModule proxy_module /usr/lib/apache/modules/libproxy.so
+
+#
+# Include extra module configuration files
+#
+Include /var/www/conf/modules/*.conf
+
+#
+# ExtendedStatus controls whether Apache will generate "full" status
+# information (ExtendedStatus On) or just basic information (ExtendedStatus
+# Off) when the "server-status" handler is called. The default is Off.
+#
+#ExtendedStatus On
+
+### Section 2: 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition. These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# If your ServerType directive (set earlier in the 'Global Environment'
+# section) is set to "inetd", the next few directives don't have any
+# effect since their settings are defined by the inetd configuration.
+# Skip ahead to the ServerAdmin directive.
+#
+
+#
+# Port: The port to which the standalone server listens. For
+# ports < 1023, you will need httpd to be run as root initially.
+#
+Port 80
+
+##
+## SSL Support
+##
+## When we also provide SSL we have to listen to the
+## standard HTTP port (see above) and to the HTTPS port
+##
+<IfDefine SSL>
+Listen 80
+Listen 443
+</IfDefine>
+
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
+# . On HPUX you may not be able to use shared memory as nobody, and the
+# suggested workaround is to create a user www and use that user.
+# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
+# when the value of (unsigned)Group is above 60000;
+# don't use Group #-1 on these systems!
+# On OpenBSD, use user www, group www.
+#
+User www
+Group www
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents.
+#
+ServerAdmin you@your.address
+
+#
+# ServerName allows you to set a host name which is sent back to clients for
+# your server if it's different than the one the program would get (i.e., use
+# "www" instead of the host's real name).
+#
+# Note: You cannot just invent host names and hope they work. The name you
+# define here must be a valid DNS name for your host. If you don't understand
+# this, ask your network administrator.
+# If your host doesn't have a registered DNS name, enter its IP address here.
+# You will have to access it by its address (e.g., http://123.45.67.89/)
+# anyway, and this will make redirections work in a sensible way.
+#
+#ServerName new.host.name
+ServerName localhost
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "/var/www/htdocs"
+
+#
+# Each directory to which Apache has access, can be configured with respect
+# to which services and features are allowed and/or disabled in that
+# directory (and its subdirectories).
+#
+# First, we configure the "default" to be a very restrictive set of
+# permissions.
+#
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# This should be changed to whatever you set DocumentRoot to.
+#
+<Directory "/var/www/htdocs">
+
+#
+# This may also be "None", "All", or any combination of "Indexes",
+# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
+#
+# Note that "MultiViews" must be named *explicitly* --- "Options All"
+# doesn't give it to you.
+#
+ Options Indexes FollowSymLinks
+
+#
+# This controls which options the .htaccess files in directories can
+# override. Can also be "All", or any combination of "Options", "FileInfo",
+# "AuthConfig", and "Limit"
+#
+ AllowOverride All
+
+#
+# Controls who can get stuff from this server.
+#
+ Order allow,deny
+ Allow from all
+</Directory>
+
+#
+# UserDir: The directory which is prepended onto a users username, within
+# which a users's web pages are looked for if a ~user request is received.
+# Relative paths are relative to the user's home directory.
+#
+# "disabled" turns this feature off.
+#
+# Since httpd will chroot(2) to the ServerRoot path by default,
+# you should use
+# UserDir /var/www/users
+# and create per user directories in /var/www/users/<username>
+#
+
+UserDir disabled
+
+#
+# Control access to UserDir directories. The following is an example
+# for a site where these directories are restricted to read-only and
+# are located under /users/<username>
+# You will need to change this to match your site's home directories.
+#
+#<Directory /users/*>
+# AllowOverride FileInfo AuthConfig Limit
+# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+# <Limit GET POST OPTIONS PROPFIND>
+# Order allow,deny
+# Allow from all
+# </Limit>
+# <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
+# Order deny,allow
+# Deny from all
+# </Limit>
+#</Directory>
+
+#
+# DirectoryIndex: Name of the file or files to use as a pre-written HTML
+# directory index. Separate multiple entries with spaces.
+#
+DirectoryIndex index.html
+
+#
+# AccessFileName: The name of the file to look for in each directory
+# for access control information.
+#
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess files from being viewed by
+# Web clients. Since .htaccess files often contain authorization
+# information, access is disallowed for security reasons. Comment
+# these lines out if you want Web visitors to see the contents of
+# .htaccess files. If you change the AccessFileName directive above,
+# be sure to make the corresponding changes here.
+#
+<Files .htaccess>
+ Order allow,deny
+ Deny from all
+</Files>
+
+#
+# CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each
+# document that was negotiated on the basis of content. This asks proxy
+# servers not to cache the document. Uncommenting the following line disables
+# this behavior, and proxies will be allowed to cache the documents.
+#
+#CacheNegotiatedDocs
+
+#
+# UseCanonicalName: (new for 1.3) With this setting turned on, whenever
+# Apache needs to construct a self-referencing URL (a URL that refers back
+# to the server the response is coming from) it will use ServerName and
+# Port to form a "canonical" name. With this setting off, Apache will
+# use the hostname:port that the client supplied, when possible. This
+# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
+#
+UseCanonicalName On
+
+#
+# TypesConfig describes where the mime.types file (or equivalent) is
+# to be found.
+#
+TypesConfig conf/mime.types
+
+#
+# DefaultType is the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value. If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+#
+DefaultType text/plain
+
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+# mod_mime_magic is not part of the default server (you have to add
+# it yourself with a LoadModule [see the DSO paragraph in the 'Global
+# Environment' section], or recompile the server and include mod_mime_magic
+# as part of the configuration), so it's enclosed in an <IfModule> container.
+# This means that the MIMEMagicFile directive will only be processed if the
+# module is part of the server.
+#
+<IfModule mod_mime_magic.c>
+ MIMEMagicFile conf/magic
+</IfModule>
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here. If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+# Either a filename or the text "syslog:" followed by a facility
+# name may be specified here.
+#
+#ErrorLog syslog:daemon
+ErrorLog logs/error_log
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+#
+# The following directives define some format nicknames for use with
+# a CustomLog directive (see below).
+#
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+
+#
+# The location and format of the access logfile (Common Logfile Format).
+# If you do not define any access logfiles within a <VirtualHost>
+# container, they will be logged here. Contrariwise, if you *do*
+# define per-<VirtualHost> access logfiles, transactions will be
+# logged therein and *not* in this file.
+#
+CustomLog logs/access_log common
+
+#
+# If you would like to have agent and referer logfiles, uncomment the
+# following directives.
+#
+#CustomLog logs/referer_log referer
+#CustomLog logs/agent_log agent
+
+#
+# If you prefer a single logfile with access, agent, and referer information
+# (Combined Logfile Format) you can use the following directive.
+#
+#CustomLog logs/access_log combined
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (error documents, FTP directory listings,
+# mod_status and mod_info output etc., but not CGI generated documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#
+# ServerSignature Off
+
+#
+# Aliases: Add here as many aliases as you need (with no limit). The format is
+# Alias fakename realname
+#
+# Note that if you include a trailing / on fakename then the server will
+# require it to be present in the URL. So "/icons" isn't aliased in this
+# example, only "/icons/"..
+#
+Alias /icons/ "/var/www/icons/"
+
+<Directory "/var/www/icons">
+ Options Indexes MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+#
+# ScriptAlias: This controls which directories contain server scripts.
+# ScriptAliases are essentially the same as Aliases, except that
+# documents in the realname directory are treated as applications and
+# run by the server when requested rather than as documents sent to the client.
+# The same rules about trailing "/" apply to ScriptAlias directives as to
+# Alias.
+#
+ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+
+#
+# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "/var/www/cgi-bin">
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+#
+# Redirect allows you to tell clients about documents which used to exist in
+# your server's namespace, but do not anymore. This allows you to tell the
+# clients where to look for the relocated document.
+# Format: Redirect old-URI new-URL
+#
+
+#
+# Directives controlling the display of server-generated directory listings.
+#
+
+#
+# FancyIndexing is whether you want fancy directory indexing or standard
+#
+IndexOptions FancyIndexing
+
+#
+# AddIcon* directives tell the server which icon to show for different
+# files or filename extensions. These are only displayed for
+# FancyIndexed directories.
+#
+AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+AddIconByType (TXT,/icons/text.gif) text/*
+AddIconByType (IMG,/icons/image2.gif) image/*
+AddIconByType (SND,/icons/sound2.gif) audio/*
+AddIconByType (VID,/icons/movie.gif) video/*
+
+AddIcon /icons/binary.gif .bin .exe
+AddIcon /icons/binhex.gif .hqx
+AddIcon /icons/tar.gif .tar
+AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+AddIcon /icons/a.gif .ps .ai .eps
+AddIcon /icons/layout.gif .html .shtml .htm .pdf
+AddIcon /icons/text.gif .txt
+AddIcon /icons/c.gif .c
+AddIcon /icons/p.gif .pl .py
+AddIcon /icons/f.gif .for
+AddIcon /icons/dvi.gif .dvi
+AddIcon /icons/uuencoded.gif .uu
+AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+AddIcon /icons/tex.gif .tex
+AddIcon /icons/bomb.gif core
+
+AddIcon /icons/back.gif ..
+AddIcon /icons/hand.right.gif README
+AddIcon /icons/folder.gif ^^DIRECTORY^^
+AddIcon /icons/blank.gif ^^BLANKICON^^
+
+#
+# DefaultIcon is which icon to show for files which do not have an icon
+# explicitly set.
+#
+DefaultIcon /icons/unknown.gif
+
+#
+# AddDescription allows you to place a short description after a file in
+# server-generated indexes. These are only displayed for FancyIndexed
+# directories.
+# Format: AddDescription "description" filename
+#
+#AddDescription "GZIP compressed document" .gz
+#AddDescription "tar archive" .tar
+#AddDescription "GZIP compressed tar archive" .tgz
+
+#
+# ReadmeName is the name of the README file the server will look for by
+# default, and append to directory listings.
+#
+# HeaderName is the name of a file which should be prepended to
+# directory indexes.
+#
+# The server will first look for name.html and include it if found.
+# If name.html doesn't exist, the server will then look for name.txt
+# and include it as plaintext if found.
+#
+ReadmeName README
+HeaderName HEADER
+
+#
+# IndexIgnore is a set of filenames which directory indexing should ignore
+# and not include in the listing. Shell-style wildcarding is permitted.
+#
+IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
+
+#
+# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
+# information on the fly. Note: Not all browsers support this.
+# Despite the name similarity, the following Add* directives have nothing
+# to do with the FancyIndexing customization directives above.
+#
+AddEncoding x-compress Z
+AddEncoding x-gzip gz
+
+#
+# AddLanguage allows you to specify the language of a document. You can
+# then use content negotiation to give a browser a file in a language
+# it can understand. Note that the suffix does not have to be the same
+# as the language keyword --- those with documents in Polish (whose
+# net-standard language code is pl) may wish to use "AddLanguage pl .po"
+# to avoid the ambiguity with the common suffix for perl scripts.
+#
+AddLanguage en .en
+AddLanguage fr .fr
+AddLanguage de .de
+AddLanguage da .da
+AddLanguage el .el
+AddLanguage it .it
+
+#
+# LanguagePriority allows you to give precedence to some languages
+# in case of a tie during content negotiation.
+# Just list the languages in decreasing order of preference.
+#
+LanguagePriority en fr de
+
+#
+# AddType allows you to tweak mime.types without actually editing it, or to
+# make certain files to be certain types.
+#
+# For example, the PHP module (not part of the Apache distribution)
+# will typically use:
+#
+#AddType application/x-httpd-php .php
+
+#
+# AddHandler allows you to map certain file extensions to "handlers",
+# actions unrelated to filetype. These can be either built into the server
+# or added with the Action command (see below)
+#
+# If you want to use server side includes, or CGI outside
+# ScriptAliased directories, uncomment the following lines.
+#
+# To use CGI scripts:
+#
+AddHandler cgi-script .cgi
+
+#
+# To use server-parsed HTML files
+#
+#AddType text/html .shtml
+#AddHandler server-parsed .shtml
+
+#
+# Uncomment the following line to enable Apache's send-asis HTTP file
+# feature
+#
+#AddHandler send-as-is asis
+
+#
+# If you wish to use server-parsed imagemap files, use
+#
+#AddHandler imap-file map
+
+#
+# To enable type maps, you might want to use
+#
+#AddHandler type-map var
+
+#
+# Action lets you define media types that will execute a script whenever
+# a matching file is called. This eliminates the need for repeated URL
+# pathnames for oft-used CGI file processors.
+# Format: Action media/type /cgi-script/location
+# Format: Action handler-name /cgi-script/location
+#
+
+#
+# MetaDir: specifies the name of the directory in which Apache can find
+# meta information files. These files contain additional HTTP headers
+# to include when sending the document
+#
+#MetaDir .web
+
+#
+# MetaSuffix: specifies the file name suffix for the file containing the
+# meta information.
+#
+#MetaSuffix .meta
+
+#
+# Customizable error response (Apache style)
+# these come in three flavors
+#
+# 1) plain text
+#ErrorDocument 500 "The server made a boo boo.
+# n.b. the (") marks it as text, it does not get output
+#
+# 2) local redirects
+#ErrorDocument 404 /missing.html
+# to redirect to local URL /missing.html
+#ErrorDocument 404 /cgi-bin/missing_handler.pl
+# N.B.: You can redirect to a script or a document using server-side-includes.
+#
+# 3) external redirects
+#ErrorDocument 402 http://some.other_server.com/subscription_info.html
+# N.B.: Many of the environment variables associated with the original
+# request will *not* be available to such a script.
+
+#
+# The following directives modify normal HTTP response behavior.
+# The first directive disables keepalive for Netscape 2.x and browsers that
+# spoof it. There are known problems with these browser implementations.
+# The second directive is for Microsoft Internet Explorer 4.0b2
+# which has a broken HTTP/1.1 implementation and does not properly
+# support keepalive when it is used on 301 or 302 (redirect) responses.
+#
+BrowserMatch "Mozilla/2" nokeepalive
+BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+
+#
+# The following directive disables HTTP/1.1 responses to browsers which
+# are in violation of the HTTP/1.0 spec by not being able to grok a
+# basic 1.1 response.
+#
+BrowserMatch "RealPlayer 4\.0" force-response-1.0
+BrowserMatch "Java/1\.0" force-response-1.0
+BrowserMatch "JDK/1\.0" force-response-1.0
+
+#
+# Allow server status reports, with the URL of http://servername/server-status
+# Change the ".your_domain.com" to match your domain to enable. By default we
+# allow server-status requests from 127.0.0.1 to make apachectl's status and
+# fullstatus commands work.
+#
+<Location /server-status>
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow from 127.0.0.1
+# Allow from .your_domain.com
+</Location>
+
+#
+# Allow remote server configuration reports, with the URL of
+# http://servername/server-info (requires that mod_info.c be loaded).
+# Change the ".your_domain.com" to match your domain to enable.
+#
+#<Location /server-info>
+# SetHandler server-info
+# Order deny,allow
+# Deny from all
+# Allow from .your_domain.com
+#</Location>
+
+#
+# There have been reports of people trying to abuse an old bug from pre-1.1
+# days. This bug involved a CGI script distributed as a part of Apache.
+# By uncommenting these lines you can redirect these attacks to a logging
+# script on phf.apache.org. Or, you can record them yourself, using the script
+# support/phf_abuse_log.cgi.
+#
+#<Location /cgi-bin/phf*>
+# Deny from all
+# ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
+#</Location>
+
+#
+# Proxy Server directives. Uncomment the following lines to
+# enable the proxy server:
+#
+#<IfModule mod_proxy.c>
+#ProxyRequests On
+#
+#<Directory proxy:*>
+# Order deny,allow
+# Deny from all
+# Allow from .your_domain.com
+#</Directory>
+
+#
+# Enable/disable the handling of HTTP/1.1 "Via:" headers.
+# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
+# Set to one of: Off | On | Full | Block
+#
+#ProxyVia On
+
+#
+# To enable the cache as well, edit and uncomment the following lines:
+# (no cacheing without CacheRoot)
+#
+#CacheRoot "/var/www/proxy"
+#CacheSize 5
+#CacheGcInterval 4
+#CacheMaxExpire 24
+#CacheLastModifiedFactor 0.1
+#CacheDefaultExpire 1
+#NoCache a_domain.com another_domain.edu joes.garage_sale.com
+
+#</IfModule>
+# End of proxy directives.
+
+### Section 3: Virtual Hosts
+#
+# VirtualHost: If you want to maintain multiple domains/hostnames on your
+# machine you can setup VirtualHost containers for them.
+# Please see the documentation at <URL:http://www.apache.org/docs/vhosts/>
+# for further details before you try to setup virtual hosts.
+# You may use the command line option '-S' to verify your virtual host
+# configuration.
+
+#
+# If you want to use name-based virtual hosts you need to define at
+# least one IP address (and port number) for them.
+#
+#NameVirtualHost 12.34.56.78:80
+#NameVirtualHost 12.34.56.78
+
+#
+# VirtualHost example:
+# Almost any Apache directive may go into a VirtualHost container.
+#
+#<VirtualHost ip.address.of.host.some_domain.com>
+# ServerAdmin webmaster@host.some_domain.com
+# DocumentRoot /www/docs/host.some_domain.com
+# ServerName host.some_domain.com
+# ErrorLog logs/host.some_domain.com-error_log
+# CustomLog logs/host.some_domain.com-access_log common
+#</VirtualHost>
+
+#<VirtualHost _default_:*>
+#</VirtualHost>
+
+
+##
+## SSL Global Context
+##
+## All SSL configuration in this context applies both to
+## the main server and all SSL-enabled virtual hosts.
+##
+
+#
+# Some MIME-types for downloading Certificates and CRLs
+#
+<IfDefine SSL>
+AddType application/x-x509-ca-cert .crt
+AddType application/x-pkcs7-crl .crl
+</IfDefine>
+
+<IfModule mod_ssl.c>
+
+# Pass Phrase Dialog:
+# Configure the pass phrase gathering process.
+# The filtering dialog program (`builtin' is a internal
+# terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog builtin
+
+# Inter-Process Session Cache:
+# Configure the SSL Session Cache: First either `none'
+# or `dbm:/path/to/file' for the mechanism to use and
+# second the expiring timeout (in seconds).
+SSLSessionCache dbm:logs/ssl_scache
+SSLSessionCacheTimeout 300
+
+# Semaphore:
+# Configure the path to the mutual exclusion semaphore the
+# SSL engine uses internally for inter-process synchronization.
+SSLMutex sem
+
+# Pseudo Random Number Generator (PRNG):
+# Configure one or more sources to seed the PRNG of the
+# SSL library. The seed data should be of good random quality.
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random 512
+#SSLRandomSeed startup file:/dev/urandom 512
+#SSLRandomSeed connect file:/dev/random 512
+#SSLRandomSeed connect file:/dev/urandom 512
+SSLRandomSeed startup file:/dev/arandom 512
+
+# Logging:
+# The home of the dedicated SSL protocol logfile. Errors are
+# additionally duplicated in the general error log file. Put
+# this somewhere where it cannot be used for symlink attacks on
+# a real server (i.e. somewhere where only root can write).
+# Log levels are (ascending order: higher ones include lower ones):
+# none, error, warn, info, trace, debug.
+SSLLog logs/ssl_engine_log
+SSLLogLevel info
+
+</IfModule>
+
+<IfDefine SSL>
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host
+DocumentRoot /var/www/htdocs
+ServerName new.host.name
+ServerAdmin you@your.address
+ErrorLog logs/error_log
+TransferLog logs/access_log
+
+# SSL Engine Switch:
+# Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+# SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+#SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
+
+# Server Certificate:
+# Point SSLCertificateFile at a PEM encoded certificate. If
+# the certificate is encrypted, then you will be prompted for a
+# pass phrase. Note that a kill -HUP will prompt again. A test
+# certificate can be generated with `make certificate' under
+# built time.
+SSLCertificateFile /etc/ssl/server.crt
+
+# Server Private Key:
+# If the key is not combined with the certificate, use this
+# directive to point at the key file.
+SSLCertificateKeyFile /etc/ssl/private/server.key
+
+# Certificate Authority (CA):
+# Set the CA certificate verification path where to find CA
+# certificates for client authentication or alternatively one
+# huge file containing all of them (file must be PEM encoded)
+# Note: Inside SSLCACertificatePath you need hash symlinks
+# to point to the certificate files. Use the provided
+# Makefile to update the hash symlinks after changes.
+#SSLCACertificatePath /var/www/conf/ssl.crt
+#SSLCACertificateFile /var/www/conf/ssl.crt/ca-bundle.crt
+
+# Client Authentication (Type):
+# Client certificate verification type and depth. Types are
+# none, optional, require and optional_no_ca. Depth is a
+# number which specifies how deeply to verify the certificate
+# issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth 10
+
+# Access Control:
+# With SSLRequire you can do per-directory access control based
+# on arbitrary complex boolean expressions containing server
+# variable checks and other lookup directives. The syntax is a
+# mixture between C and Perl. See the mod_ssl documentation
+# for more details.
+#<Location />
+#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
+# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
+# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+# SSL Engine Options:
+# Set various options for the SSL engine.
+# FakeBasicAuth:
+# Translate the client X.509 into a Basic Authorisation. This means that
+# the standard Auth/DBMAuth methods can be used for access control. The
+# user name is the `one line' version of the client's X.509 certificate.
+# Note that no password is obtained from the user. Every entry in the user
+# file needs this password: `xxj31ZMTZzkVA'.
+# ExportCertData:
+# This exports two additional environment variables: SSL_CLIENT_CERT and
+# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+# server (always existing) and the client (only existing when client
+# authentication is used). This can be used to import the certificates
+# into CGI scripts.
+# CompatEnvVars:
+# This exports obsolete environment variables for backward compatibility
+# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
+# to provide compatibility to existing CGI scripts.
+#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars
+
+# Per-Server Logging:
+# The home of a custom SSL log file. Use this when you want a
+# compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+
+</IfDefine>
1  var/www/conf/obsdcp_allow.txt
@@ -0,0 +1 @@
+10.0.1.211 00:08:ca:85:5c:c1 1355034123
0  var/www/conf/obsdcp_queue.txt
No changes.
26 var/www/htdocs/.htaccess
@@ -0,0 +1,26 @@
+DirectoryIndex index.cgi
+Options +ExecCGI -Indexes
+
+RewriteEngine on
+RewriteBase /
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule ^(.*)$ / [QSA,L]
+
+ExpiresActive On
+ExpiresDefault "access plus 1 second"
+
+<filesMatch "\.(html|htm|js|css|cgi|php|asp|aspx)$">
+ FileETag None
+ <ifModule mod_headers.c>
+ Header unset ETag
+ Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
+ Header set Pragma "no-cache"
+ Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
+ </ifModule>
+</filesMatch>
+
+<Files .htaccess>
+ order allow,deny
+ deny from all
+</Files>
BIN  var/www/htdocs/banner.png
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
139 var/www/htdocs/index.cgi
@@ -0,0 +1,139 @@
+#!/usr/bin/perl
+
+use CGI;
+use CGI::Carp 'fatalsToBrowser';
+use strict;
+use warnings;
+
+use lib '/conf/';
+use Obsdcp_config;
+
+my $query = new CGI;
+
+if(! -e -w $queue){
+ die("$queue is not writeable or does not exist");
+}
+
+my $ip_address = $ENV{'REMOTE_ADDR'};
+
+if ($query->param("submit")) {
+ process_form ();
+} else {
+ display_form ();
+}
+
+
+sub process_form {
+if(validate_form()){
+ print $query->header();
+ enable_access();
+ print <<END_HTML;
+<html>
+ <head>
+ <title>Captive Portal</title>
+ <link rel="stylesheet" type="text/css" href="/main.css" />
+ <meta http-equiv="Pragma" content="no-cache" />
+ <meta http-equiv="Expires" content="-1" />
+ <meta http-equiv="CACHE-CONTROL" content="NO-CACHE" />
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
+ </head>
+ <body>
+ <div id="wrapper">
+ <div id="header">
+ <h2>Access granted!</h2>
+ </div>
+ <div id="content">
+ <p>Your access will expire in $expiry_time seconds.</p>
+
+ <h3>A few useful Links</h3>
+ <a href="http://www.duckduckgo.com/">DuckDuckGo</a><br />
+ <a href="http://www.openbsd.org/">OpenBSD</a><br />
+ <a href="http://www.bsdguides.org/">BSDGuides</a><br />
+ </div>
+ <div id="footer">
+ <img src="banner.png" />
+ </div>
+ <div id="push"></div>
+ </div>
+ <div id="credit">
+ <p>Powered by <a href="http://www.openbsd.org">OpenBSD</a></p>
+ </div>
+ </body>
+</html>
+
+END_HTML
+}
+}
+
+sub enable_access {
+ open FILE, ">>",$queue or die $!;
+ print FILE "$ip_address\n";
+ close FILE;
+}
+
+sub validate_form {
+ my $username = $query->param("username");
+ my $password = $query->param("password");
+
+ my $error_message = "";
+
+ $error_message .= "Please enter username<br />" if ( !$username);
+ $error_message .= "Please enter password<br />" if ( !$password);
+
+ if(!exists($accounts{$username}) || $accounts{$username} ne $password){
+ $error_message .= "Authentication failed<br />";
+ }
+
+ if ( $error_message ) {
+ $error_message = "<div id='error_msg'>" . $error_message . "</div>";
+ display_form ($error_message);
+ return 0;
+ } else {
+ return 1;
+ }
+}
+
+sub display_form {
+ print $query->header();
+ my $error_message = shift;
+
+ print <<END_HTML;
+<html>
+ <head>
+ <title>Captive Portal</title>
+ <link rel="stylesheet" type="text/css" href="/main.css" />
+ <meta http-equiv="Pragma" content="no-cache" />
+ <meta http-equiv="Expires" content="-1" />
+ <meta http-equiv="CACHE-CONTROL" content="NO-CACHE" />
+ <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no" />
+ </head>
+ <body OnLoad="document.loginform.username.focus();">
+ <div id="wrapper">
+ <div id="header">
+ <h2>Access restricted!</h2>
+ </div>
+ <div id="content">
+ <p>Please authenticate yourself for Internet access.</p>
+ <form name="loginform" action="" method="post">
+ <input type="hidden" name="submit" value="Submit">
+ <label>Username:</label>
+ <input type="text" name="username" value="" tabindex="1" />
+ <label>Password:</label>
+ <input type="password" name="password" value="" tabindex="2" />
+ <input type="submit" value="Submit" name="submit" class="submit" tabindex="3" />
+ <p style="font-size: 0.8em;">By clicking Submit you agree to our Terms of Use</p>
+ $error_message
+ </form>
+ </div>
+ <div id="footer">
+ <img src="banner.png" />
+ </div>
+ <div id="push"></div>
+ </div>
+ <div id="credit">
+ <p>Powered by <a href="http://www.openbsd.org">OpenBSD</a></p>
+ </div>
+ </body>
+</html>
+END_HTML
+}
129 var/www/htdocs/main.css
@@ -0,0 +1,129 @@
+* {
+ margin: 0px;
+ padding: 0px;
+}
+
+html, body {
+ height: 100%;
+}
+
+body {
+ font-family: Century Gothic, sans-serif;
+ background: #7EB5D6;
+ font-size: 16px;
+ color: #FFF;
+}
+
+p {
+ margin-bottom: 15px;
+}
+
+a {
+ color: yellow;
+}
+
+h1,h2,h3,h4,h5,h6 {
+ margin-bottom: 15px;
+}
+
+#credit {
+ font-size: 0.8em;
+ width: 100%;
+ text-align: center;
+ margin: 0px;
+ height: 25px;
+ clear: both;
+}
+
+#credit p {
+ margin: 0px;
+}
+
+#push {
+ height: 25px;
+}
+
+#wrapper {
+ max-width: 740px;
+ min-height: 100%;
+ height: auto !important;
+ height: 100%;
+ margin: 0 auto -25px;
+ padding: 0px 10px 0px 10px;
+}
+
+#header {
+ padding-top: 20px;
+}
+
+#header h2 {
+ font-family: "Trebuchet MS", Helvetica, sans-serif;
+ font-size: 28px;
+ text-transform: uppercase;
+}
+
+#content {
+}
+
+#footer {
+ text-align: center;
+ padding: 25px 0px 25px 0px;
+}
+
+#footer img {
+ max-width: 100%;
+ border: 1px solid #555;
+}
+
+#error_msg {
+ border: 2px solid red;
+ padding: 20px;
+ color: #FFF;
+ font-weight: bold;
+}
+
+form {
+ padding: 20px;
+ border: 1px solid #666;
+
+ background:-moz-linear-gradient(19% 75% 90deg,#274257, #2A75A9);
+ background:-webkit-gradient(linear, 0% 0%, 0% 100%, from(#274257), to(#2A75A9));
+}
+
+input {
+ width: 100%;
+ background: #447294;
+ padding: 6px;
+ height: 34px;
+ margin-bottom: 20px;
+ border: 1px solid #888;
+ color: #FFF;
+ font-weight: bold;
+ font-size: 1em;
+}
+
+input:hover {
+ -webkit-box-shadow: 0px 0px 4px #000;
+ background: #547296;
+}
+
+label {
+ color: #fff;
+ text-transform: uppercase;
+ text-shadow: #000 1px 1px;
+ margin-bottom: 10px;
+}
+
+input.submit {
+ width: 100px;
+ color: #fff;
+ text-transform: uppercase;
+ text-shadow: #000 1px 1px;
+ border-top: 1px solid #888;
+ background: -webkit-gradient(linear, 0% 0%, 0% 100%, from(#447294), to(#8FBCDB));
+ background: -moz-linear-gradient(19% 75% 90deg,#447294, #8FBCDB);
+}
+
+div.clear_both {
+ clear: both;
+}
Please sign in to comment.
Something went wrong with that request. Please try again.