Captive::Portal::Role::Config - config reader for Captive::Portal
Config file parser and storage for cfg hash. The configuration syntax is perl.
The following variables are predefined and can be used for interpolation in config values.
    $APP_NAME = 'capo'
    $APP_DIR  = "$Bin/../"
Basedir for static content like images, css or error pages.
Directories to search for templates.
Drop privileges to RUN_USER.
Drop privileges to RUN_GROUP.
Where to store the session files. This directory must exist and must be readable/writable by RUN_USER.
A JS script checks that the login/splash page is delivered over SSL and throws an error if it is not. Maybe a man-in-the-middle plays http-https proxy like sslstrip(8). If the mitm strips the JS, this doesn't help anyway. The users must check the location bar for HTTPS these days, sigh.
Max session time until a forced disconnect.
How long to wait for activity from the ip/mac until a session is marked idle.
How long to keep idle session records on disk for fast reconnect with proper ip/mac/cookie match.
Passphrase for detailed sessions view.
Authentication is handled by the Authen::Simple framework. You may stack any of the Authen::Simple::... plugins for authentication, see the $Bin/../etc/config.pl template.
The inside gateway interface, e.g. 'eth1'. All http traffic not allowed by any predefined rule is captured and redirected to the capo.fcgi script.
The inside IP network in CIDR notation, e.g. '192.168.0.0/22'
Which tcp ports should be captured and redirected, e.g. [ 80, 8080 ]
The port where the HTTP server listens in order to rewrite this http request to an https request.
The above settings result in a NAT rule equivalent to:
    iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/22 ! -d 192.168.0.0/22 \
        -p tcp -m multiport --dports 80,8080 -j REDIRECT --to-port 5281
You may throttle HTTP/HTTPS requests/sec per client IP. Some clients/gadgets fire a lot of HTTP traffic without human intervention. Depending on your hardware and your encryption resources, this can overload your gateway.
You should protect/throttle port 80 and the redirect_port (see above).
Both parameters together define the average and the burst. The average is hitcount/seconds and the burst is hitcount within seconds. With the values of 30 and 15, the average would be 15hits/30s => 1hit/2s. The burst would be 15hits within 30 seconds.
The above settings result in iptable rules equivalent to:
    # throttle/drop new connections
    iptables -t filter -A INPUT -p tcp --syn -m multiport --dports 80,5281 \
        -m recent --name capo_throttle --rcheck --seconds 30 --hitcount 15 -j DROP

    # at last accept new connections but set/update the recent table
    iptables -t filter -A INPUT -p tcp --syn -m multiport --dports 80,5281 \
        -m recent --name capo_throttle --set -j ACCEPT
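The REDIRECT and throttle rules above are derived from a handful of config values. The following script is an added example, not Captive::Portal's own code: it validates the interface name, CIDR network and port numbers before they are used, builds the equivalent rules as argument lists (so they can be passed to system(LIST) without a shell), and prints the average rate implied by the throttle parameters. The key names inside_if, inside_net, capture_ports, throttle_seconds and throttle_hitcount are assumptions; only redirect_port is named on this page.

```perl
#!/usr/bin/perl
# Added example, not Captive::Portal's own code: derive the documented
# REDIRECT and throttle rules from config values, validating every value
# before it gets anywhere near a command line.
use strict;
use warnings;

# Constructed config with the documentation's example values. The key
# names are assumptions (the page itself names only redirect_port).
my %cfg = (
    inside_if         => 'eth1',
    inside_net        => '192.168.0.0/22',
    capture_ports     => [ 80, 8080 ],
    redirect_port     => 5281,
    throttle_seconds  => 30,
    throttle_hitcount => 15,
);

sub is_port { my $p = shift; return $p =~ /\A\d+\z/ && $p >= 1 && $p <= 65535 }

sub is_cidr {
    my $net = shift;
    my ( $ip, $len ) = $net =~ m{\A(\d+\.\d+\.\d+\.\d+)/(\d+)\z} or return 0;
    return 0 if $len > 32;
    return !grep { $_ > 255 } split /\./, $ip;
}

# Interface names are at most 15 chars in the kernel; keep a conservative charset.
sub is_ifname { return shift =~ /\A[a-zA-Z][\w.:-]{0,14}\z/ }

sub validate {
    my ($c) = @_;
    die "bad interface '$c->{inside_if}'\n" unless is_ifname( $c->{inside_if} );
    die "bad network '$c->{inside_net}'\n"  unless is_cidr( $c->{inside_net} );
    die "bad redirect_port\n"               unless is_port( $c->{redirect_port} );
    die "capture_ports must be a non-empty list\n"
      unless ref $c->{capture_ports} eq 'ARRAY' && @{ $c->{capture_ports} };
    die "bad capture port '$_'\n" for grep { !is_port($_) } @{ $c->{capture_ports} };
    die "throttle values must be positive integers\n"
      unless $c->{throttle_seconds} =~ /\A\d+\z/  && $c->{throttle_seconds} > 0
      &&     $c->{throttle_hitcount} =~ /\A\d+\z/ && $c->{throttle_hitcount} > 0;
    return 1;
}

# Each rule is returned as an argument list suitable for system(LIST),
# which bypasses the shell entirely.
sub nat_rule {
    my ($c) = @_;
    my $ports = join ',', @{ $c->{capture_ports} };
    return [
        qw(iptables -t nat -A PREROUTING),
        '-i', $c->{inside_if}, '-s', $c->{inside_net}, '!', '-d', $c->{inside_net},
        qw(-p tcp -m multiport --dports), $ports,
        qw(-j REDIRECT --to-port), $c->{redirect_port},
    ];
}

sub throttle_rules {
    my ($c) = @_;
    my $ports = join ',', 80, $c->{redirect_port};    # port 80 and the redirect_port
    my @match = (
        qw(iptables -t filter -A INPUT -p tcp --syn -m multiport --dports),
        $ports, qw(-m recent --name capo_throttle),
    );
    # Order matters: the --rcheck/DROP rule must precede the --set/ACCEPT
    # rule, otherwise ACCEPT terminates evaluation and the limit never bites.
    return (
        [ @match, '--rcheck', '--seconds', $c->{throttle_seconds},
          '--hitcount', $c->{throttle_hitcount}, qw(-j DROP) ],
        [ @match, qw(--set -j ACCEPT) ],
    );
}

# Average rate implied by the throttle parameters, in hits per second.
sub throttle_average {
    my ($c) = @_;
    return $c->{throttle_hitcount} / $c->{throttle_seconds};
}

validate( \%cfg );
for my $rule ( nat_rule( \%cfg ), throttle_rules( \%cfg ) ) {
    print join( ' ', @$rule ), "\n";    # dry run; system(@$rule) would apply it
}
printf "throttle: burst %d hits in %ds, average %.3f hits/s\n",
  $cfg{throttle_hitcount}, $cfg{throttle_seconds}, throttle_average( \%cfg );
```

With the documented values the script prints the same two-part throttle and the REDIRECT rule as above, and reports an average of 0.5 hits/s, i.e. 1 hit per 2 seconds.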
Allow access to open local services like DHCP, DNS, NTP, ...
Allow access for some dumb clients without authentication.
Allow access to some open servers.
Allow access to some open networks.
Supported languages for system messages and HTML templates.
Fallback language if the client message isn't supported in the system message catalog and templates.
Translations of the system messages.
Parse config file, merge with defaults. Die on error.
Getter, return a shallow copy of the config hashref.
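The configuration syntax is Perl, with $APP_NAME and $APP_DIR predefined for interpolation, and the reader is expected to merge the file over defaults and die on error. The following script is an added example of that pattern, not Captive::Portal's own code: it loads a config file with do FILE, checks all three ways do can fail, rejects unknown keys, and returns a shallow copy from the getter. RUN_USER and RUN_GROUP are documented keys; SESSIONS_DIR, MAX_SESSION_TTL and all default values are assumptions made for the example, and the sample config is constructed.

```perl
#!/usr/bin/perl
# Added example, not Captive::Portal's own code: read a Perl-syntax config
# file, expose the documented $APP_NAME / $APP_DIR variables for
# interpolation, merge the result over built-in defaults and die on error.
use strict;
use warnings;
use FindBin qw($Bin);
use File::Temp qw(tempfile);

# Predefined interpolation variables, as documented. They are package
# variables in main so that code compiled by 'do FILE' can see them.
our $APP_NAME = 'capo';
our $APP_DIR  = "$Bin/../";

# Built-in defaults. RUN_USER/RUN_GROUP are documented keys; the other key
# names and all values here are assumptions made for this example.
my %defaults = (
    RUN_USER        => 'nobody',
    RUN_GROUP       => 'nogroup',
    SESSIONS_DIR    => "${APP_DIR}var/sessions/$APP_NAME",
    MAX_SESSION_TTL => 48 * 3600,
);

my %cfg;    # the merged configuration

# Parse config file, merge with defaults. Die on error.
sub parse_cfg_file {
    my ($file) = @_;

    # 'do FILE' compiles the file as Perl; it must evaluate to a hashref.
    # The file can't see our lexicals, but it does see the 'our' variables
    # above, so "$APP_DIR/..." interpolates as documented.
    my $user_cfg = do $file;

    # 'do' signals failure in three different ways, check all of them.
    die "parse error in '$file': $@" if $@;
    die "can't read '$file' (or it returned nothing): $!\n" unless defined $user_cfg;
    die "'$file' must return a hashref\n" unless ref $user_cfg eq 'HASH';

    # Merge: file values override defaults; unknown keys are most likely
    # typos and are rejected instead of being silently ignored.
    %cfg = %defaults;
    for my $key ( sort keys %$user_cfg ) {
        die "unknown config key '$key' in '$file'\n"
          unless exists $defaults{$key};
        $cfg{$key} = $user_cfg->{$key};
    }
    return 1;
}

# Getter, return a shallow copy so callers can't modify the stored config.
sub cfg {
    return {%cfg};
}

# --- demo: a constructed config file, written to a temp file ----------
my ( $fh, $path ) = tempfile( SUFFIX => '.pl', UNLINK => 1 );
print $fh <<'CFG';
# Perl syntax; the predefined variables are interpolated at load time
{
    RUN_USER     => 'capo',
    RUN_GROUP    => 'capo',
    SESSIONS_DIR => "${APP_DIR}var/sessions/$APP_NAME",
}
CFG
close $fh or die "close: $!";

parse_cfg_file($path);
my $c = cfg();
printf "%-16s %s\n", $_, $c->{$_} for sort keys %$c;

# a second file with a misspelled key demonstrates the die path
my ( $fh2, $bad ) = tempfile( SUFFIX => '.pl', UNLINK => 1 );
print $fh2 "{ RUN_USR => 'capo' }\n";    # typo on purpose
close $fh2 or die "close: $!";
eval { parse_cfg_file($bad) };
print "rejected: $@";
```

Because the config is executed as Perl, the file must be writable only by the administrator; the RUN_USER privilege drop described above does not protect against a config file that the unprivileged user can edit.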
<gaissmai at cpan.org>
Copyright 2010-2013 Karl Gaissmaier, all rights reserved.
This distribution is free software; you can redistribute it and/or modify it under the terms of either:
a) the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version, or
b) the Artistic License version 2.0.