wifidog is an open-source tool that implements portal (captive portal) authentication on OpenWrt; it provides everything from the gateway side to the server side. Once you understand how wifidog works, you can adapt it to whatever logic you need.
1. Installing wifidog on OpenWrt
Add the feed source:
vim 14.07/feeds.conf.default
src-git wifidog https://github.com/wifidog/wifidog-gateway.git
Add the wifidog module to the feed
Download https://github.com/wifidog/wifidog-gateway from GitHub, then copy the contents of /contrib/build-openwrt-kamikazeipk/wifidog into the package directory:
├── wifidog
│   ├── files
│   │   ├── wifidog.conf
│   │   └── wifidog.init
│   └── Makefile
Add to .config:
CONFIG_PACKAGE_wifidog=y
The version in wifidog/Makefile can be changed as needed:
include $(TOPDIR)/rules.mk
PKG_NAME:=wifidog
PKG_VERSION:=1.3.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:= @SF/wifidog
PKG_MD5SUM:=
PKG_FIXUP = libtool
include $(INCLUDE_DIR)/package.mk
...
2. Editing the configuration file
After flashing the image built with wifidog, edit the authentication server settings in /etc/wifidog.conf:
GatewayID default
# WAN interface
ExternalInterface apclii0
# LAN interface
GatewayInterface br-lan
# LAN IP address
GatewayAddress 192.168.18.1
AuthServer {
    # authentication server address
    Hostname 192.168.3.185
    SSLAvailable no
    SSLPort 443
    HTTPPort 80
    Path /
    LoginScriptPathFragment login/?
    PortalScriptPathFragment portal/?
    MsgScriptPathFragment gw_message.php?
    PingScriptPathFragment ping/?
    AuthScriptPathFragment auth/?
}
# Several AuthServer blocks may be defined; wifidog tries them in order until it finds a usable authentication server.
# Listen on this port
GatewayPort 2060
ProxyPort 0
HTTPDMaxConn 10
HTTPDRealm WiFiDog
HTTPDUserName admin
HTTPDPassword secret
CheckInterval 60
ClientTimeout 5
FirewallRuleSet validating-users {
FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet known-users {
FirewallRule allow to 0.0.0.0/0
}
FirewallRuleSet unknown-users {
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
FirewallRule allow tcp port 67
}
FirewallRuleSet locked-users {
FirewallRule block to 0.0.0.0/0
}
Once wifidog.conf is configured, start wifidog:
/etc/init.d/wifidog restart
Debug output can be turned on in /usr/bin/wifidog-init (vim /usr/bin/wifidog-init):
OPTIONS="-d7"
3. Setting up the server
The official site documents the installation, but in practice you will find some differences:
http://dev.wifidog.org/wiki/doc/install/ubuntu/auth-server
1 Install apache2, php5 and the database
apache2 serves as the HTTP (proxy) server; php5 is the language wifidog's back-end web application is written in.
sudo apt-get update
sudo apt-get install apache2 php5
sudo apt-get install postgresql
sudo apt-get install php5-cgi
sudo apt-get install php5-mhash php5-pgsql php-pear php5-xmlrpc php5-curl php5-mcrypt php5-dev
sudo apt-get install language-pack-en-base
sudo apt-get install openssh-server
2 Download the wifidog server code
Clone the code:
git clone https://github.com/wifidog/wifidog-auth
Copy it into the apache2 directory:
sudo mv wifidog-auth/ /var/www/
With the latest wifidog-auth, the following changes from the official guide are no longer needed:
Change line 122 to the following: 'website' => "http://www.smarty.net/",
Change line 123 to the following: 'installSourceUrl' => "http://www.smarty.net/files/Smarty-2.6.26.tar.gz",
Edit /var/www/wifidog-auth/wifidog/config.php (sudo vim /var/www/wifidog-auth/wifidog/config.php) and change fr_CA to en_US:
define('DEFAULT_LANG', 'en_US');
Point apache2's default document root at the wifidog directory.
Find where DocumentRoot is set; on my system it is in /etc/apache2/sites-available/000-default.conf:
DocumentRoot /var/www/wifidog-auth/wifidog
Restart apache2 after the change:
sudo /etc/init.d/apache2 restart
3 Install wifidog-auth from the web installer
Once everything above is installed, open http://localhost/install.php in a browser.
Click install and step through; you will be prompted for an account and password.
The account and password are stored in /tmp/dog_cookie.txt (cat /tmp/dog_cookie.txt).
4. Interaction flow
First, an overview of the protocol between wifidog and the Auth server:
1 Redirection. On first login, the URL the user requests is redirected to the following address:
login/?gw_address=%s&gw_port=%d&gw_id=%s&url=%s (2009 version of wifidog)
login/?gw_address=%s&gw_port=%d&gw_id=%s&mac=%s&url=%s (2013 version of wifidog)
Actual data:
http://192.168.3.185:80/wifidog/login/?gw_address=192.168.18.1&gw_port=2060&gw_id=default&ip=192.168.18.145&mac=20:ab:37:8d:c2:f6&url=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html
Note the version difference: the 2009 wifidog does not include the mac parameter in the redirect, while the 2013 version does, so pay attention to this for your own application.
When a user first connects to the router and tries to go online, the URL they request is redirected to the login page with the parameters above; these parameters can be used to generate a token or to make other decisions. Usually the login page returns to the user the means of passing Wi-Fi authentication, e.g. a login form with username and password.
The redirect code lives in wifidog's http.c and returns a 302 temporary redirect:
/* wifidog http.c: send the client browser a 302 to the auth server */
void
http_send_redirect(request * r, const char *url, const char *text)
{
    char *message = NULL;
    char *header = NULL;
    char *response = NULL;
    /* Re-direct them to auth server */
    debug(LOG_DEBUG, "Redirecting client browser to %s", url);
    safe_asprintf(&header, "Location: %s", url);
    safe_asprintf(&response, "302 %s\n", text ? text : "Redirecting");
    httpdSetResponse(r, response);
    httpdAddHeader(r, header);
    free(response);
    free(header);
    /* Body shown to clients that do not follow the redirect automatically */
    safe_asprintf(&message, "Please <a href='%s'>click here</a>.", url);
    send_http_page(r, text ? text : "Redirection to message", message);
    free(message);
}
2 User authentication protocol:
auth_server:/auth/auth.php?stage=%s&ip=%s&mac=%s&token=%s&incoming=%s&outgoing=%s
Normally the authentication server (auth_server) generates a token from the information the user entered, then redirects the user to wifidog's listening port; by default this address is 192.168.1.1:2060/wifidog/auth?token=%s.
When wifidog receives the token it sends it to auth_server for verification. If verification succeeds, auth_server returns "Auth: 1"; if it fails, auth_server returns "Auth: 0". The parameters are described below.
From the parameters of the link above, the authentication server can decide whether the user is legitimate. This link is how the authentication server determines both whether a first-time user is legitimate and whether an already-connected user may keep accessing the network.
At regular intervals wifidog sends information to the authentication server through the link above. Its parameters give a client's upload traffic, download traffic, MAC address, IP address, token and stage. stage takes one of two values, counters or login: on the first login check stage=login, at all other times stage=counters.
3 Ping protocol
http://auth_server/ping/?gw_id=%s&sys_uptime=%lu&sys_memfree=%u&sys_load=%.2f&wifidog_uptime=%lu
wifidog sends some information to the authentication server to report its current state. It is sent over HTTP as in the link above; the parameters mean roughly what their names suggest (I have not studied them closely). As the authentication server, auth_server should respond with "Pong".
4 Redirect after successful authentication
portal/?gw_id=%s
After successful authentication, wifidog redirects the user to this page.
5 If verification fails, the user is redirected to one of the following pages depending on the reason:
gw_message.php?message=denied
gw_message.php?message=activate
gw_message.php?message=failed_validation
Note that with my wifidog.conf configuration, performing login is equivalent to redirecting to http://justyoung.com/wifidog/login.php?gw_id=XX… and so on; the other links behave the same way.
When a new client joins, the log looks like this:
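To make the exchange above concrete, here is an added example (not wifidog's or wifidog-auth's own code) that models both sides in Python: the gateway's login redirect, and an auth server that issues a token bound to the client MAC and answers /auth/ and /ping/ as the protocol requires. The in-memory TOKENS/USAGE/GATEWAYS stores and the MAC-binding policy are assumptions; the URL shapes and the "Auth: 1"/"Auth: 0"/"Pong" answers come from the protocol description.

```python
import secrets
from urllib.parse import parse_qs, quote

# Constructed in-memory state (a real auth server such as wifidog-auth keeps
# this in its database): token -> MAC it was issued to, byte counters per MAC,
# and the last health report per gateway id.
TOKENS = {}
USAGE = {}
GATEWAYS = {}


def login_redirect(auth_base, gw_address, gw_port, gw_id, ip, mac, url):
    """Gateway side: the Location that http_send_redirect sends (2013 format,
    with mac). Only the client's original url is percent-encoded."""
    return (f"{auth_base}/login/?gw_address={gw_address}&gw_port={gw_port}"
            f"&gw_id={gw_id}&ip={ip}&mac={mac}&url={quote(url, safe='')}")


def issue_token(gw_address, gw_port, mac):
    """Auth-server side, after the user passed the login page: bind a fresh
    random token to the client MAC and send the browser back to the gateway's
    listening port, which then presents the token on /auth/."""
    token = secrets.token_hex(16)
    TOKENS[token] = mac
    return token, f"http://{gw_address}:{gw_port}/wifidog/auth?token={token}"


def handle_auth(query):
    """Answer /auth/?stage=..&ip=..&mac=..&token=..&incoming=..&outgoing=..
    stage=login is the first check, stage=counters the periodic one sent every
    CheckInterval. An unknown token, or a token presented from a different MAC
    than it was issued to, is rejected with 'Auth: 0'."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    token, mac, stage = p.get("token"), p.get("mac"), p.get("stage")
    if stage not in ("login", "counters") or token not in TOKENS:
        return "Auth: 0"
    if TOKENS[token] != mac:
        return "Auth: 0"
    if stage == "counters":
        # accounting: cumulative byte counters as reported by the gateway
        USAGE[mac] = (int(p.get("incoming", 0)), int(p.get("outgoing", 0)))
    return "Auth: 1"


def handle_ping(query):
    """/ping/ carries gateway health (uptime, free memory, load); record it
    per gw_id and answer with the literal 'Pong' the gateway expects."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    keys = ("sys_uptime", "sys_memfree", "sys_load", "wifidog_uptime")
    GATEWAYS[p.get("gw_id")] = {k: p[k] for k in keys if k in p}
    return "Pong"
```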
[6][Mon Jun 22 18:16:20 2020][19347](gateway.c:469) Received connection from 192.168.18.145, spawning worker thread
[7][Mon Jun 22 18:16:20 2020][19347](httpd_thread.c:65) Processing request from 192.168.18.145
[7][Mon Jun 22 18:16:20 2020][19347](httpd_thread.c:66) Calling httpdProcessRequest() for 192.168.18.145
[6][Mon Jun 22 18:16:20 2020][19347](http.c:117) Got client MAC address for ip 192.168.18.145: 20:ab:37:8d:c2:f6
[6][Mon Jun 22 18:16:20 2020][19347](http.c:125) Check host captive.apple.com is in whitelist or not
[6][Mon Jun 22 18:16:20 2020][19347](http.c:162) Captured 192.168.18.145 requesting [http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html] and re-directing them to login page
[7][Mon Jun 22 18:16:20 2020][19347](http.c:240) Redirecting client browser to http://192.168.3.185:80/wifidog/login/?gw_address=192.168.18.1&gw_port=2060&gw_id=default&ip=192.168.18.145&mac=20:ab:37:8d:c2:f6&url=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html
[7][Mon Jun 22 18:16:20 2020][19347](httpd_thread.c:68) Returned from httpdProcessRequest() for 192.168.18.145
[7][Mon Jun 22 18:16:20 2020][19347](httpd_thread.c:73) Closing connection with 192.168.18.145
[6][Mon Jun 22 18:16:22 2020][19347](gateway.c:469) Received connection from 192.168.18.145, spawning worker thread
[7][Mon Jun 22 18:16:22 2020][19347](httpd_thread.c:65) Processing request from 192.168.18.145
[7][Mon Jun 22 18:16:22 2020][19347](httpd_thread.c:66) Calling httpdProcessRequest() for 192.168.18.145
[6][Mon Jun 22 18:16:22 2020][19347](http.c:117) Got client MAC address for ip 192.168.18.145: 20:ab:37:8d:c2:f6
[6][Mon Jun 22 18:16:22 2020][19347](http.c:125) Check host captive.apple.com is in whitelist or not
[6][Mon Jun 22 18:16:22 2020][19347](http.c:162) Captured 192.168.18.145 requesting [http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html] and re-directing them to login page
[7][Mon Jun 22 18:16:22 2020][19347](http.c:240) Redirecting client browser to http://192.168.3.185:80/wifidog/login/?gw_address=192.168.18.1&gw_port=2060&gw_id=default&ip=192.168.18.145&mac=20:ab:37:8d:c2:f6&url=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html
[7][Mon Jun 22 18:16:22 2020][19347](httpd_thread.c:68) Returned from httpdProcessRequest() for 192.168.18.145
[7][Mon Jun 22 18:16:22 2020][19347](httpd_thread.c:73) Closing connection with 192.168.18.145
[6][Mon Jun 22 18:16:22 2020][19347](gateway.c:469) Received connection from 192.168.18.233, spawning worker thread
[7][Mon Jun 22 18:16:22 2020][19347](httpd_thread.c:65) Processing request from 192.168.18.233
[7][Mon Jun 22 18:16:22 2020][19347](httpd_thread.c:66) Calling httpdProcessRequest() for 192.168.18.233
[7][Mon Jun 22 18:16:22 2020][19347](httpd_thread.c:68) Returned from httpdProcessRequest() for 192.168.18.233
[7][Mon Jun 22 18:16:22 2020][19347](httpd_thread.c:73) Closing connection with 192.168.18.233
[6][Mon Jun 22 18:16:24 2020][19347](gateway.c:469) Received connection from 192.168.18.145, spawning worker thread
[7][Mon Jun 22 18:16:24 2020][19347](httpd_thread.c:65) Processing request from 192.168.18.145
[7][Mon Jun 22 18:16:24 2020][19347](httpd_thread.c:66) Calling httpdProcessRequest() for 192.168.18.145
[6][Mon Jun 22 18:16:24 2020][19347](http.c:117) Got client MAC address for ip 192.168.18.145: 20:ab:37:8d:c2:f6
[6][Mon Jun 22 18:16:24 2020][19347](http.c:125) Check host captive.apple.com is in whitelist or not
[6][Mon Jun 22 18:16:24 2020][19347](http.c:162) Captured 192.168.18.145 requesting [http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html] and re-directing them to login page
[7][Mon Jun 22 18:16:24 2020][19347](http.c:240) Redirecting client browser to http://192.168.3.185:80/wifidog/login/?gw_address=192.168.18.1&gw_port=2060&gw_id=default&ip=192.168.18.145&mac=20:ab:37:8d:c2:f6&url=http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html
[7][Mon Jun 22 18:16:24 2020][19347](httpd_thread.c:68) Returned from httpdProcessRequest() for 192.168.18.145
[7][Mon Jun 22 18:16:24 2020][19347](httpd_thread.c:73) Closing connection with 192.168.18.145
[6][Mon Jun 22 18:16:27 2020][19347](gateway.c:469) Received connection from 192.168.18.231, spawning worker thread
[7][Mon Jun 22 18:16:27 2020][19347](httpd_thread.c:65) Processing request from 192.168.18.231
[7][Mon Jun 22 18:16:27 2020][19347](httpd_thread.c:66) Calling httpdProcessRequest() for 192.168.18.231
[7][Mon Jun 22 18:16:27 2020][19347](httpd_thread.c:68) Returned from httpdProcessRequest() for 192.168.18.231
[7][Mon Jun 22 18:16:27 2020][19347](httpd_thread.c:73) Closing connection with 192.168.18.231
[6][Mon Jun 22 18:16:32 2020][19347](gateway.c:469) Received connection from 192.168.18.233, spawning worker thread
[7][Mon Jun 22 18:16:32 2020][19347](httpd_thread.c:65) Processing request from 192.168.18.233
[7][Mon Jun 22 18:16:32 2020][19347](httpd_thread.c:66) Calling httpdProcessRequest() for 192.168.18.233
[7][Mon Jun 22 18:16:32 2020][19347](httpd_thread.c:68) Returned from httpdProcessRequest() for 192.168.18.233
[7][Mon Jun 22 18:16:32 2020][19347](httpd_thread.c:73) Closing connection with 192.168.18.233
[6][Mon Jun 22 18:16:35 2020][19347](gateway.c:469) Received connection from 192.168.18.233, spawning worker thread
[7][Mon Jun 22 18:16:35 2020][19347](httpd_thread.c:65) Processing request from 192.168.18.233
[7][Mon Jun 22 18:16:35 2020][19347](httpd_thread.c:66) Calling httpdProcessRequest() for 192.168.18.233
[6][Mon Jun 22 18:16:35 2020][19347](http.c:117) Got client MAC address for ip 192.168.18.233: d0:17:c2:9a:b7:d1
[6][Mon Jun 22 18:16:35 2020][19347](http.c:125) Check host weixin.qq.com is in whitelist or not
[6][Mon Jun 22 18:16:35 2020][19347](http.c:162) Captured 192.168.18.233 requesting [http%3A%2F%2Fweixin.qq.com%2F] and re-directing them to login page
[7][Mon Jun 22 18:16:35 2020][19347](http.c:240) Redirecting client browser to http://192.168.3.185:80/wifidog/login/?gw_address=192.168.18.1&gw_port=2060&gw_id=default&ip=192.168.18.233&mac=d0:17:c2:9a:b7:d1&url=http%3A%2F%2Fweixin.qq.com%2F
[7][Mon Jun 22 18:16:35 2020][19347](httpd_thread.c:68) Returned from httpdProcessRequest() for 192.168.18.233
[7][Mon Jun 22 18:16:35 2020][19347](httpd_thread.c:73) Closing connection with 192.168.18.233
[6][Mon Jun 22 18:16:36 2020][19347](gateway.c:469) Received connection from 192.168.18.231, spawning worker thread
[7][Mon Jun 22 18:16:36 2020][19347](httpd_thread.c:65) Processing request from 192.168.18.231
[7][Mon Jun 22 18:16:36 2020][19347](httpd_thread.c:66) Calling httpdProcessRequest() for 192.168.18.231
[7][Mon Jun 22 18:16:36 2020][19347](httpd_thread.c:68) Returned from httpdProcessRequest() for 192.168.18.231
[7][Mon Jun 22 18:16:36 2020][19347](httpd_thread.c:73) Closing connection with 192.168.18.231
[6][Mon Jun 22 18:16:40 2020][19347](gateway.c:469) Received connection from 192.168.18.233, spawning worker thread
[7][Mon Jun 22 18:16:40 2020][19347](httpd_thread.c:65) Processing request from 192.168.18.233
[7][Mon Jun 22 18:16:40 2020][19347](httpd_thread.c:66) Calling httpdProcessRequest() for 192.168.18.233
[6][Mon Jun 22 18:16:40 2020][19347](http.c:117) Got client MAC address for ip 192.168.18.233: d0:17:c2:9a:b7:d1
[6][Mon Jun 22 18:16:40 2020][19347](http.c:125) Check host weixin.qq.com is in whitelist or not
[6][Mon Jun 22 18:16:40 2020][19347](http.c:162) Captured 192.168.18.233 requesting [http%3A%2F%2Fweixin.qq.com%2F] and re-directing them to login page
[7][Mon Jun 22 18:16:40 2020][19347](http.c:240) Redirecting client browser to http://192.168.3.185:80/wifidog/login/?gw_address=192.168.18.1&gw_port=2060&gw_id=default&ip=192.168.18.233&mac=d0:17:c2:9a:b7:d1&url=http%3A%2F%2Fweixin.qq.com%2F
[7][Mon Jun 22 18:16:40 2020][19347](httpd_thread.c:68) Returned from httpdProcessRequest() for 192.168.18.233
[7][Mon Jun 22 18:16:40 2020][19347](httpd_thread.c:73) Closing connection with 192.168.18.233
[6][Mon Jun 22 18:16:45 2020][19347](gateway.c:469) Received connection from 192.168.18.231, spawning worker thread
[7][Mon Jun 22 18:16:45 2020][19347](httpd_thread.c:65) Processing request from 192.168.18.231
[7][Mon Jun 22 18:16:45 2020][19347](httpd_thread.c:66) Calling httpdProcessRequest() for 192.168.18.231
[7][Mon Jun 22 18:16:45 2020][19347](httpd_thread.c:68) Returned from httpdProcessRequest() for 192.168.18.231
[7][Mon Jun 22 18:16:45 2020][19347](httpd_thread.c:73) Closing connection with 192.168.18.231
[6][Mon Jun 22 18:16:54 2020][19347](gateway.c:469) Received connection from 192.168.18.231, spawning worker thread
[7][Mon Jun 22 18:16:54 2020][19347](httpd_thread.c:65) Processing request from 192.168.18.231
[7][Mon Jun 22 18:16:54 2020][19347](httpd_thread.c:66) Calling httpdProcessRequest() for 192.168.18.231
[7][Mon Jun 22 18:16:54 2020][19347](httpd_thread.c:68) Returned from httpdProcessRequest() for 192.168.18.231
[7][Mon Jun 22 18:16:54 2020][19347](httpd_thread.c:73) Closing connection with 192.168.18.231
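As an added example (not part of the original post), a small Python parser for the -d7 debug log format above that pulls the IP-to-MAC resolutions and login redirects out of the lines and summarises them per client; the sample lines are excerpted from the log above.

```python
import re
from urllib.parse import unquote

# Shape of wifidog's -d7 debug log: [level][timestamp][pid](file:line) message
LOG_RE = re.compile(r"^\[(\d)\]\[([^\]]+)\]\[(\d+)\]\(([\w.]+):(\d+)\) (.*)$")
MAC_RE = re.compile(r"Got client MAC address for ip (\S+): (\S+)")
CAPTURE_RE = re.compile(r"Captured (\S+) requesting \[([^\]]+)\] and re-directing")

# Lines excerpted from the debug log above
SAMPLE = """\
[6][Mon Jun 22 18:16:20 2020][19347](gateway.c:469) Received connection from 192.168.18.145, spawning worker thread
[6][Mon Jun 22 18:16:20 2020][19347](http.c:117) Got client MAC address for ip 192.168.18.145: 20:ab:37:8d:c2:f6
[6][Mon Jun 22 18:16:20 2020][19347](http.c:162) Captured 192.168.18.145 requesting [http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html] and re-directing them to login page
[6][Mon Jun 22 18:16:22 2020][19347](http.c:162) Captured 192.168.18.145 requesting [http%3A%2F%2Fcaptive.apple.com%2Fhotspot-detect.html] and re-directing them to login page
[6][Mon Jun 22 18:16:35 2020][19347](http.c:117) Got client MAC address for ip 192.168.18.233: d0:17:c2:9a:b7:d1
[6][Mon Jun 22 18:16:35 2020][19347](http.c:162) Captured 192.168.18.233 requesting [http%3A%2F%2Fweixin.qq.com%2F] and re-directing them to login page
""".splitlines()


def parse_line(line):
    """Split one log line into its fields; returns None for non-matching text."""
    m = LOG_RE.match(line)
    if not m:
        return None
    level, ts, pid, src, src_line, msg = m.groups()
    return {"level": int(level), "time": ts, "pid": int(pid),
            "source": f"{src}:{src_line}", "msg": msg}


def new_client():
    return {"mac": None, "urls": [], "redirects": 0}


def summarise_redirects(lines):
    """Per client IP: the MAC wifidog resolved for it, the decoded URLs it was
    captured on, and how many times it was bounced to the login page. A client
    that keeps being redirected every few seconds is still in unknown-users."""
    clients = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if m := MAC_RE.search(rec["msg"]):
            clients.setdefault(m.group(1), new_client())["mac"] = m.group(2)
        elif m := CAPTURE_RE.search(rec["msg"]):
            c = clients.setdefault(m.group(1), new_client())
            c["redirects"] += 1
            url = unquote(m.group(2))  # log stores the url percent-encoded
            if url not in c["urls"]:
                c["urls"].append(url)
    return clients
```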
References
wifidog official site:
https://sources.openwrt.org/
http://dev.wifidog.org/wiki/Download
https://github.com/wifidog/wifidog-gateway
https://www.jianshu.com/u/3c937c88e6c0
https://blog.csdn.net/just_young/article/details/38003015