Saturday, July 7, 2012

Captive Portal with Transparent Proxy

A captive portal and a transparent proxy both do the job. From the client's point of view the only difference is that a captive portal shows a first page (an advertisement, an agreement, a login form, or all of these) before letting the user through, whereas a proxy server normally offers only the browser's authentication dialog, through which you cannot communicate anything to the user (no agreement, no advertisement, no notice about the data limit).

So if we can add that first page to our proxy server, the proxy alone is enough to act as a captive portal. This is done by adding a splash page. Detailed documentation is also available on the Squid site.

Here is the idea in a few lines, skipping the long manual pages.

A splash page is the page to which a user is redirected on the first HTTP request (the first page requested). That request creates a session for the user on the server. If the user goes silent for a long enough period (configurable), the next request is redirected to the splash page again. Note that the redirect can only be delivered on a plain HTTP request: an intercepting proxy cannot answer a client's first HTTPS request with a splash page.


NOTE: in the examples below:

  • The session timeout is 7200 seconds, set with "-t". This is an idle timeout: every request from the client refreshes it, and once 7200 seconds pass without a request the splash screen is shown to the user again. If you want a fixed timeout counted from the start of the session regardless of activity, use the "-T" option instead (available in version 1.1 of the session helper).
  • The helper's verdict is cached for 60 seconds (ttl=60), so the session is checked once every 60 seconds at most. The first verdict for a new client is a denial, and because that answer is cached the splash screen is shown to the user for up to 60 seconds, during which time they will not be able to browse any other website.
  • The ACL is called "splash_page". This can be changed as required.
  • It is assumed that the Squid helpers are installed in /usr/local/sbin/squid. Change this as required for your installation.
  • A session database file is required. Create an empty file "/var/lib/squid/session.db" and ensure it is writable by the Squid user.
  • The session is keyed on the client's source IP address (%SRC). Every host behind the same NAT address shares one session, and a client that receives a recycled DHCP lease inherits whatever session that address already had, so keep the timeouts short enough for that to be acceptable.



For Squid versions before 3.2

# mind the wrap. this is one line:
external_acl_type splash_page ttl=60 concurrency=100 %SRC /usr/local/sbin/squid/squid_session -t 7200 -b /var/lib/squid/session.db

acl existing_users external splash_page

deny_info http://example.com/splash.html existing_users

http_access deny !existing_users


Squid 3.2 and after

# mind the wrap. this is one line:
external_acl_type splash_page ttl=60 concurrency=100 %SRC /usr/local/sbin/squid/ext_session_acl -t 7200 -b /var/lib/squid/session.db

acl existing_users external splash_page

http_access deny !existing_users

# Deny page to display
deny_info 511:/etc/squid/splash.html existing_users



You may find, when using the example above, that the splash page is not always displayed to users. The helper opens a session for a client address on the first request it sees from it, whichever process made that request. Other software on the user's computer (automatic security updates, for example) often makes the first HTTP request, so it is that process rather than the user's browser that receives the splash page, and the browser then finds an already-open session.

The following configuration example adds a url_regex rule so that a session is only opened when the user browses to a particular URL (typically a link on the splash page); until then every request is denied and answered with the splash page. This example is for Squid 3.2 and later, but can be adapted for earlier versions.

# Set up the session helper in active mode. Mind the wrap - this is one line:
external_acl_type session concurrency=100 ttl=3 %SRC /usr/lib/squid3/ext_session_acl -a -T 10800 -b /var/lib/squid/session/

# Pass the LOGIN command to the session helper with this ACL
acl session_login external session LOGIN

# Set up the normal session helper. Mind the wrap - this is one line:
external_acl_type session_active_def concurrency=100 ttl=3 %SRC /usr/lib/squid3/ext_session_acl -a -T 10800 -b /var/lib/squid/session/

# Normal session ACL as per simple example
acl session_is_active external session_active_def

# ACL to match URL
acl clicked_login_url url_regex -i a-url-that-must-match$

# First check for the login URL. If present, login session
http_access allow clicked_login_url session_login

# If we get here, URL not present, so renew session or deny request.
http_access deny !session_is_active

# Deny page to display
deny_info 511:/etc/squid/splash.html session_is_active
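
To see how the two configurations above behave over time without a running proxy, here is a small Python model written for this page (it is not Squid's own helper code). It reproduces the session helper's passive and active (-a) modes, the idle (-t) and fixed (-T) timeouts, and Squid's ttl= caching of the helper's verdict in front of it. The client address 10.0.0.5 and the timings are constructed for the walkthrough; the request and reply lines follow the helper's "channel key [LOGIN]" / "channel OK|ERR" format, without the optional message= tags the real helper appends.

```python
"""Offline model of the Squid session helper (squid_session / ext_session_acl)
as driven by the splash-page configurations above. Added example for this
page, not Squid's own source: it mirrors the documented -t / -T / -a
semantics and the external_acl_type ttl= result cache so both configs can be
reasoned about without a proxy. All addresses and timings are constructed.
"""
import time


class FakeClock:
    """Injectable clock so timeouts can be walked through deterministically."""
    def __init__(self, start=0.0): self.t = start
    def __call__(self): return self.t
    def advance(self, seconds): self.t += seconds


class SessionHelper:
    def __init__(self, active=False, idle_timeout=None, fixed_timeout=None,
                 clock=time.time):
        self.active = active                # -a: only an explicit LOGIN starts a session
        self.idle_timeout = idle_timeout    # -t: seconds since the last request
        self.fixed_timeout = fixed_timeout  # -T: seconds since login, never refreshed
        self.clock = clock
        self.db = {}                        # key -> (login_at, last_seen); the -b database

    def _alive(self, key, now):
        if key not in self.db:
            return False
        login_at, last_seen = self.db[key]
        if self.fixed_timeout is not None and now - login_at > self.fixed_timeout:
            return False
        if self.idle_timeout is not None and now - last_seen > self.idle_timeout:
            return False
        return True

    def handle(self, line):
        """Answer one request line; the key is whatever %SRC expanded to (client IP)."""
        parts = line.split()
        channel, key = parts[0], parts[1]
        action = parts[2].upper() if len(parts) > 2 else ""
        now = self.clock()
        if action == "LOGIN":                       # the login ACL matched: start session
            self.db[key] = (now, now)
            return f"{channel} OK"
        if self._alive(key, now):
            if self.fixed_timeout is None:          # idle timer is refreshed by traffic
                self.db[key] = (self.db[key][0], now)
            return f"{channel} OK"
        if self.active:                             # no LOGIN yet: deny, create nothing
            return f"{channel} ERR"
        self.db[key] = (now, now)                   # passive: first sight logs the key in,
        return f"{channel} ERR"                     # but this request still gets the splash


class AclResultCache:
    """Models external_acl_type ttl=N: Squid reuses a verdict for N seconds."""
    def __init__(self, helper, ttl, clock):
        self.helper, self.ttl, self.clock, self.cache = helper, ttl, clock, {}

    def check(self, key, arg=""):
        lookup = f"{key} {arg}".strip()             # full lookup string is the cache key
        now = self.clock()
        if lookup in self.cache and now - self.cache[lookup][1] < self.ttl:
            return self.cache[lookup][0]
        verdict = self.helper.handle(f"0 {lookup}").split()[1]
        self.cache[lookup] = (verdict, now)
        return verdict


def passive_walkthrough():
    """Simple example (-t 7200, ttl=60): a background updater spends the splash."""
    clk = FakeClock()
    acl = AclResultCache(SessionHelper(idle_timeout=7200, clock=clk), 60, clk)
    out = [acl.check("10.0.0.5")]      # updater's first request: ERR, it gets the splash
    clk.advance(30)
    out.append(acl.check("10.0.0.5"))  # browser 30 s later: cached ERR for the rest of the minute
    clk.advance(90)
    out.append(acl.check("10.0.0.5"))  # cache expired: session already open, user browses
    clk.advance(7201)
    out.append(acl.check("10.0.0.5"))  # idle longer than -t: session gone, splash again
    return out


def active_walkthrough():
    """Active example (-a -T 10800, ttl=3): nothing is logged in until LOGIN."""
    clk = FakeClock()
    acl = AclResultCache(SessionHelper(active=True, fixed_timeout=10800, clock=clk), 3, clk)
    out = [acl.check("10.0.0.5")]               # updater: ERR, and no session is created
    clk.advance(5)
    out.append(acl.check("10.0.0.5"))           # browser: still ERR, the user sees the splash
    out.append(acl.check("10.0.0.5", "LOGIN"))  # clicked_login_url matched: OK
    clk.advance(5)
    out.append(acl.check("10.0.0.5"))           # normal request within -T: OK
    clk.advance(10800)
    out.append(acl.check("10.0.0.5"))           # 10805 s after login: fixed timeout, splash
    return out


if __name__ == "__main__":
    print("passive:", passive_walkthrough())
    print("active: ", active_walkthrough())
```

Running it prints the verdict sequences for both examples: in passive mode the updater's request is the one that is denied and the browser that follows finds an open session, while in active mode every request is denied until the LOGIN lookup has fired, after which the -T timer expires regardless of activity. The installed helper binary can be checked the same way before pointing squid.conf at it, by starting it by hand with the same options and typing request lines on its stdin.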


