Module Version: 4.10

NAME

Captive::Portal::Role::Config - config reader for Captive::Portal

DESCRIPTION

Config file parser and storage for the cfg hash. The configuration syntax is Perl.

PRESET GLOBAL PACKAGE VARIABLES

The following variables are predefined and can be used for interpolation in config values.

 $APP_NAME = 'capo'

 $APP_DIR = "$Bin/../"

PRESET DEFAULTS

DOCUMENT_ROOT => "$APP_DIR/static"

Base directory for static content like images, CSS or error pages.

TEMPLATE_INCLUDE_PATH => "$APP_DIR/templates/local/:$APP_DIR/templates/orig"

Directories to search for templates.

RUN_USER => 'wwwrun'

Drop privileges to RUN_USER.

RUN_GROUP => 'www'

Drop privileges to RUN_GROUP.

SESSIONS_DIR => "/var/cache/$APP_NAME"

Where to store the session files. This directory must exist and must be readable/writable by RUN_USER.

SSL_REQUIRED => ON

A JavaScript check looks for SSL encryption of the login/splash page and throws an error when it is missing; a man-in-the-middle may be acting as an http-to-https proxy like sslstrip(8). If the MITM strips the JS as well, this check doesn't help anyway. The users must check the location bar for HTTPS these days, sigh.

SESSION_MAX => 48 * 3600 # 2d

Max session time until a forced disconnect.

IDLE_TIME => 60 * 10 # 10 min

How long to wait without activity from the ip/mac before a session is marked idle.

KEEP_OLD_STATE_PERIOD => 1 * 60 * 60 # 1h

How long to keep idle session records on disk for fast reconnect with proper ip/mac/cookie match.

LOCAL PARAMETERS

ADMIN_SECRET

Passphrase for detailed sessions view.

AUTHEN_SIMPLE_MODULES

Authentication is handled by the Authen::Simple framework. You may stack any of the Authen::Simple::... plugins for authentication, see the $Bin/../etc/config.pl template.

IPTABLES->capture_if => 'eth1'

The inside gateway interface, e.g. 'eth1'. All HTTP traffic not allowed by any predefined rule is captured and redirected to the capo.fcgi script.

IPTABLES->capture_net => '192.168.0.0/22'

The inside IP network in CIDR notation, e.g. '192.168.0.0/22'.

IPTABLES->capture_ports => [80, 8080]

Which TCP ports should be captured and redirected, e.g. [80, 8080].

IPTABLES->redirect_port => 5281

The port on which the HTTP server listens in order to rewrite this HTTP request to an HTTPS request.

The above settings result in a NAT rule equivalent to:

 iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/22 ! -d 192.168.0.0/22 \
          -p tcp -m multiport --dports 80,8080 -j  REDIRECT --to-port 5281

IPTABLES->throttle => OFF

You may throttle HTTP/HTTPS requests/sec per client IP. Some clients/gadgets fire a lot of HTTP traffic without human intervention. Depending on your hardware and your encryption resources this can overload your gateway.

IPTABLES->throttle_ports => [ 80, 5281]

You should protect/throttle port 80 and the redirect_port (see above).

IPTABLES->throttle_seconds => 30
IPTABLES->throttle_hitcount => 15

Both parameters together define the average rate and the burst: the average is hitcount/seconds and the burst is hitcount hits within seconds. With values of 30 and 15 the average is 15 hits/30 s, i.e. 1 hit/2 s, and the burst is 15 hits within 30 seconds.

The above settings result in iptable rules equivalent to:

 # throttle/drop new connections
 iptables -t filter -A INPUT -p tcp --syn -m multiport --dports 80,5281 \
    -m recent --name capo_throttle --rcheck --seconds 30 --hitcount 15 -j DROP

 # at last accept new connections but set/update the recent table
 iptables -t filter -A INPUT -p tcp --syn -m multiport --dports 80,5281 \
    -m recent --name capo_throttle --set -j ACCEPT
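
To make the average/burst semantics concrete, here is an added simulation (not part of Captive::Portal) of how the `-m recent` rcheck/set rule pair above treats a sequence of new connections from one client; the client addresses and SYN arrival times are constructed, and the kernel's per-address cap on stored timestamps is ignored.

```python
from collections import defaultdict


class RecentThrottle:
    """Model of the two rules above: '-m recent --rcheck --seconds S --hitcount H -j DROP'
    followed by '-m recent --set -j ACCEPT', evaluated per source address.
    Assumption: the kernel's per-address cap on stored stamps (ip_pkt_list_tot) is
    ignored; it does not matter as long as hitcount stays below that cap."""

    def __init__(self, seconds=30, hitcount=15):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(list)  # source ip -> timestamps of accepted SYNs

    def syn(self, src, now):
        """Verdict for a new TCP connection (SYN) from src arriving at time now (seconds)."""
        window_start = now - self.seconds
        # --rcheck only reads the table; stamps older than 'seconds' do not count.
        hits = sum(1 for t in self.stamps[src] if t >= window_start)
        if hits >= self.hitcount:
            return "DROP"  # a dropped SYN never reaches the --set rule below
        # --set records this SYN, then the rule accepts it.
        self.stamps[src].append(now)
        return "ACCEPT"


def simulate(seconds, hitcount, syn_times, src="192.168.1.23"):
    """Feed constructed SYN arrival times (seconds) from one client; return the verdicts."""
    throttle = RecentThrottle(seconds, hitcount)
    return [throttle.syn(src, when) for when in syn_times]


if __name__ == "__main__":
    # Constructed case: a gadget opens 16 connections in 16 s, then one more at t=31,
    # when the first stamp has aged out of the 30 s window.
    print(simulate(30, 15, list(range(16)) + [31]))
    # A client opening one connection every 3 s never reaches 15 hits within 30 s.
    print(simulate(30, 15, list(range(0, 60, 3))))
```

Dropped SYNs are not recorded, so a client that keeps hammering after the burst is only let back in once its earlier accepted stamps age out of the window.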

IPTABLES->open_services

Allow access to open local services like DHCP, DNS, NTP, ...

IPTABLES->open_clients

Allow access for some dumb clients without authentication.

IPTABLES->open_servers

Allow access to some open servers.

IPTABLES->open_networks

Allow access to some open networks.

I18N_LANGUAGES

Supported languages for system messages and HTML templates.

I18N_FALLBACK_LANG

Fallback language if the language requested by the client isn't supported by the system message catalog and templates.

I18N_MSG_CATALOG

Translations of the system messages.

ROLES

$capo->parse_cfg_file($filename)

Parse the config file and merge it with the defaults. Dies on error.

$capo->cfg()

Getter; returns a shallow copy of the config hashref.

AUTHOR

Karl Gaissmaier, <gaissmai at cpan.org>

LICENSE AND COPYRIGHT

Copyright 2010-2013 Karl Gaissmaier, all rights reserved.

This distribution is free software; you can redistribute it and/or modify it under the terms of either:

a) the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version, or

b) the Artistic License version 2.0.