Tweaking iptables for Captive Portal (Anish's Python approach, thx to Nikos Fotiou)

[m-anish]

Fixes Bug

Description of changes proposed in this pull request.

Based on @m-anish 's https://github.com/m-anish/named_redirect which builds off Nikos Fotiou's https://github.com/nikosft/captive-portal/blob/master/captive_portal.py

Smoke-tested in operating system.

Mention a team member for further information or comment using @ name

[holta]

Is this tested with IIAB 6.6/master on Raspbian? (And ideally also on Ubuntu 18.04?)

See background: Captive Portal @m-anish is working on with @tim-moody and @jvonau @ #826

[holta]

How does this PR (#870) compare to Anish's prototype at https://github.com/iiab/iiab/compare/master...m-anish:captive_portal?expand=1 ?

[holta]

@jvonau responded:

I want to see if I can get dnsmasq to do the same job as named does with the blackhole method

[holta]

@m-anish & @jvonau can we change this to Admin/changeme as is used in all other cases?

Currently this username/password creates confusion, breaking with the tradition used by (essentially) all other playbooks.

[holta]

Thx to @jvonau who fixed this from Admin/g0adm1n to Admin/changeme

@m-anish suggests we consider removing the password entirely, "it can just be a simple html page with a button, or as Tim said, a timer"

FYI regardless, @jvonau clarifies this form/pages "adds the iptables rules to allow internet access"

[holta]

Can we place these 3 lines into our local_vars.yml files as well?

# Captive Portal highly experimental as of July 2018: https://github.com/iiab/iiab/pull/870
py_captive_portal_install: True
py_captive_portal_enabled: False

[holta]

CLARIF from @jvonau:

PR #870 tested allows dns_jail to be enabled for both named/bind and dnsmasq.... if you want to test on a preexisting install, please run 'apt install dnsmasq' then do the 'git pull'. You are free to edit local_vars.yml to test dnsmasq, dns_jail, and the py_captive_portal settings

then run ./iiab-network

[m-anish]

Additionally, as promised, here is the apache configuration. I am attaching two things - one the entire sites-available folder, and second 001-captive_portal.conf which in itself should also be enough.
apache2-config-folder.tar.gz
001-captive_portal.conf.txt

Please rename the conf file from .conf.txt to just .conf (github wouldn't let me paste with that extension)

[holta]

Thx to @jvonau who fixed Admin/g0adm1n to Admin/changeme in this PR's roles/network/defaults/main.yml

@m-anish suggests we consider removing the password entirely, "it can just be a simple html page with a button, or as Tim said, a timer"

FYI regardless, @jvonau clarifies this form/pages "adds the iptables rules to allow internet access"

[holta]

Chat Excerpt:

Holt: When should PR #870 be merged, after testing on what OS's/environments?
Jerry: been tested on [IIAB 6.6/master on Raspbian Lite on RPi 3 B+]
Anish: i wud say integrate the apache conf [file] too
test on windows/mac/ios/android
i tested on linux
Jerry: think the catchall vhost config could just be installed as part of the config files we drop into place... the only time it becomes effective is when the dns_jail is active

[holta]

We agreed to merge during our community/team call today (http://minutes.iiab.io)

@jvonau smoke-tested on Raspbian Lite ~10 days ago.

Possible future improvements:

• enabling dns-jail while offline
• similar to @m-anish's cron job which toggles variable in iiab-named.conf (we're already supplying blackhole definition...config file determines if it's used)

[holta]

@m-anish please help us refine & help me document at http://FAQ.IIAB.IO (or other places) so this is increasingly usable by all!

Refs: #608, PR #891

[holta]

@cscott do you have questions here, on how to proceed implementing a basic/offline Captive Portal for Internet-in-a-Box ?

Background: #412, #608, #826, PR #891

[holta]

[Aside: @m-anish had tested on NUC with named/BIND ...if confirmed/refined, this should later be written up as part of #608 in http://FAQ.IAB.IO]

FYI TK Kang is looking into whether this works (on IIAB 6.6/master on his RPi 3) by placing @m-anish's 001-captive_portal.conf in /etc/apache2/sites-available and then changing these 3 variables in /etc/iiab/local_vars.yml from False to True:

dnsmasq_enabled: True
dns_jail_enabled: True
py_captive_portal_enabled: True

And then running:

cd /opt/iiab/iiab
./iiab-network
reboot

Then he's trying @tim-moody's test:

1. Configure [as above] with an internet connection.
2. Connect to hotspot with android (or other) device and verify that you are taken to the [http://box or http://box.lan] home page.
3. Power off and remove internet connection.
4. Power on and verify you are taken to the home page from the hotspot.

[holta]

TK Kang confirms the above works for him:

Visiting site http://any-random-letters.org takes him to http://any-random-letters.org/home (showing IIAB's actual home page & content).

Others kindly please confirm, and help create a PR.

[holta]

After a few more days of testing this Captive Portal, TK writes:

had some instalbility...the apache failed to start. It was working earlier before reboot.
Had to delete /etc/apache2/sites-enabled/001-captive_portal.conf and try to restart apache2 again.

[holta]

TK corroborates a problem @tim-moody has found:

in some of my testing, after [Captive Portal] was working OK (it loads [ http://box/home ]) the error ["service unavailable" appears]

[holta]

To help @tim-moody understand what install recipe is best to try, @jvonau suggests:

• server name might be wrong in @m-anish's above, where "ServerName: iiab.io" should probably be "ServerName: box.lan"
• also try removing the Apache config file entirely (e.g. 001-captive_portal.conf) as python "microserver" (without the need for Apache) may well display login box on port 9090 (?)

[georgejhunt]

What follows is a log of testing the captive portal receipe above -ghunt

1. Start with 2018-6-27 raspbian lite on 16GB SD.
2. copy local_var_min to /etc/iiab, install 6.6 master (hash d599b), admin-conole, menu, change ssid, run iiab-network, associate to ssid, verify box.lan/home, and box.lan/admin function as expected.
3. Use Imager to freeze an image onto laptop hard disk(rate 10MB/s), shrink from 16GB to 3.7GB, copy it to a test SD (32B), did not boot.
4. Repeat the same copy from reduced size image to same SD card a second time. Booted successfully. Expansion to 32GB verified.
5. Confirm that box.lan/home and box.lan/admin still work (association to SSID took a full 2 minutes) -- maybe it was busy expanding the file system.
6. Follow instructions:

dnsmasq_enabled: True
dns_jail_enabled: True
py_captive_portal_enabled: True
cd /opt/iiab/iiab
./iiab-network
reboot

and copy apache config file to /etc/apache2/sites-available. Then create symbolic link from that file to sites-enabled (did TK know that was required? -- not listed in the receipe)

RESULTS: (first with ethernet wire connected)

1. At association attempt, Mac did not display popup. Displayed: "Trying to connect. To edit offline, turn on offline sync when you reconnect." Attempted to go to http://download.iiab.io. Browser returned error 503 "Service Unavailable"
2. On android: "Service has no internet connection. Touch for options". When I touch, a window says "This AP has no internet access. Stay connected? YES/NO". Touch yes. Then: open browser, url=box.lan. Android prepends https: and access fails. URL=http://box.lan -> Service unavailable

Disconnect the ethernet wire and collect more data:

No change in behavior -- mac or android

[tim-moody]

Thanks for your careful documentation.

[jvonau]

Thought part of the test was to exclude the apache config file to see if the 503 Service unavailable changes

…

On Thu, Aug 9, 2018 at 9:10 PM Tim Moody ***@***.***> wrote: Thanks for your careful documentation. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#870 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AFUjvmacgysrSaWyBvqWr-KDET5yrbg7ks5uPOujgaJpZM4VBBcp> .