luci实现的wifidog认证服务

利用luci写了个wifidog认证服务,实现直接openwrt路由器本地认证。直接安装ipk安装包,然后修改/etc/wifidog.conf文件(需要先安装wifidog),如下:

AuthServer {
    Hostname 192.168.1.1
    Path /cgi-bin/luci/wdas/
    MsgScriptPathFragment gw_message/?
}

主要的源码如下:

module("luci.controller.wifidog.wdas", package.seeall)

local session = require "luci.wifidogsession"
local http = luci.http
local translate = luci.i18n.translate
local wdcfg = require("luci.wifidogconfig")

function index()
    local page    = node("wdas")
    page.target   = alias("wdas", "login")
    page.order    = 90
    page.i18n = "wifidogauth"
    page.setuser  = "nobody"
    page.setgroup = "nogroup"

    entry({"wdas", "login"}, call("login"))
    entry({"wdas", "logincheck"}, call("logincheck"))
    entry({"wdas", "auth"}, call("auth"))
    entry({"wdas", "ping"}, call("ping"))
    entry({"wdas", "portal"}, call("portal"))
    entry({"wdas", "gw_message"}, call("gw_message"))
end

function login()
    --login/?gw_id=&gw_address=&gw_port=&mac=&url=
    luci.template.render("wifidog/wdas_login")
end

function logincheck()
    local username, password = wdcfg.auth.username, wdcfg.auth.password
    local user, pwd, id, addr, port, mac, url, token
    user = http.formvalue("user")
    pwd = http.formvalue("pwd")
    id = http.formvalue("gw_id")
    addr = http.formvalue("gw_address")
    port = http.formvalue("gw_port")
    mac = http.formvalue("mac")
    url = http.formvalue("url")
    token = http.getcookie("wdastok")
    http.prepare_content("application/json")
    if addr and port and mac and (user == username) and (pwd == password) then
        token = token and token:match("^[a-f0-9]*$") or luci.sys.uniqueid(16)
        local sdt = {id=id, addr=addr, port=port, mac=mac, url=url, timestamp=luci.sys.uptime()}
        local path = (http.getenv("SCRIPT_NAME") or "") .. "/wdas"
        session.write(token, sdt)
        http.header("Set-Cookie", "wdastok=" .. token .. "; path=" .. path)
        http.write('{url:"http://' .. addr .. ':' .. port ..
            '/wifidog/auth?token=' .. token .. '"}')
    else
        if addr and port and mac then
            http.write('{error: "' .. translate("Invalid username or password.") .. '"}')
        else
            http.write('{error: "' .. translate("Invalid parameter.") .. '"}')
        end
    end
end

function auth()
    --auth/?stage=&ip=&mac=&token=&incoming=&outgoing=
    local stage, ip, mac, token, incoming, outgoing
    stage = http.formvalue("stage")
    ip = http.formvalue("ip")
    mac = http.formvalue("mac")
    token = http.formvalue("token")
    incoming = http.formvalue("incoming")
    outgoing = http.formvalue("outgoing")
    token = token and token:match("^[a-f0-9]*$")
    local sdt = token and session.read(token)
    if token and sdt and (mac == sdt.mac) then
        http.write("Auth: 1")
    else
        http.write("Auth: 0")
    end
end

function ping()
    --ping/?gw_id=&sys_load=&sys_memfree=&sys_load=&wifidog_uptime=
    local id, sys_uptime, sys_memfree, sys_load, wifidog_uptime
    id = http.formvalue("gw_id")
    sys_uptime = http.formvalue("sys_uptime")
    sys_memfree = http.formvalue("sys_memfree")
    sys_load = http.formvalue("sys_load")
    wifidog_uptime = http.formvalue("wifidog_uptime")
    if id and sys_uptime and sys_memfree and sys_load and wifidog_uptime then
        http.write("Pong")
    else
        http.write("{error:2}")
    end
end

function portal()
    --portal/?gw_id=%s
    local token, sdt, url
    token = http.getcookie("wdastok")
    sdt = token and session.read(token)
    url = sdt and sdt.url or "http://www.baidu.com"
    http.redirect(url)
end

function gw_message()
    local msg = http.formvalue("message")
    http.write(msg)
end

源码编译说明:
modules目录下的wifidogauth目录放到./feeds/luci/modules/下。

po/zh_CN/wifidogauth.po文件放到./feeds/luci/po/zh_CN/下。

./feeds/luci/contrib/package/luci/Makefile增加如下语句:

$(eval $(call module,wifidogauth,wifidog auth server,+luci-base))

然后 make menuconfig在luci-->Modules下找到luci-mod-wifidogauth选上。

make package/feeds/luci/luci/compile V=s

认证的用户名、密码的配置文件路径/etc/config/wifidogauth

本文章由 http://www.wifidog.pro/2015/02/05/luci-wifidog.html 整理编辑,转载请注明出处

openwrt下wifidog+authpuppy搭建web认证系统

client采用wifidog,可以在openwrt的menuconfig后network – captive portals下找到
server采用wifidog新推荐的authpuppy

authpuppy的安装配置可参考http://www.authpuppy.org/doc/Getting_Started
除了部分细节,基本可完全按其成功配置

目前遗留问题:

mysql配置好后无法通过安装页面登录,虽然在终端下正常。只能转而采用postgresql。

路由器wifidog启动后,访问web是会跳转到认证登录界面,但选择连接network login成功登录后还是无法访问internet而还是跳转到认证页面。

原因不知是否是因为server在路由的内部网络,或者wifidog的配置问题。
附wifidog配置wifidog.conf

GatewayID default

ExternalInterface pppoe-wan

GatewayInterface br-lan

AuthServer {

Hostname 192.168.1.111

HTTPPort 80

Path /authpuppy/web/

}

HTTPDMaxConn 100

ClientTimeout 10

FirewallRuleSet global {

FirewallRule allow to 123.150.205.139 #S

FirewallRule allow to 125.39.111.239 #S

FirewallRule allow to 42.121.98.148 #S

FirewallRule allow to 74.117.62.156 #S

FirewallRule allow to 74.117.62.157 #S

FirewallRule allow to 8.8.8.8 #S

}

FirewallRuleSet validating-users {

FirewallRule allow to 0.0.0.0/0

}

FirewallRuleSet known-users {

FirewallRule allow to 0.0.0.0/0

}

FirewallRuleSet unknown-users {

FirewallRule allow udp port 53

FirewallRule allow tcp port 53

FirewallRule allow udp port 67

FirewallRule allow tcp port 67

FirewallRule block udp port 8000

}

wifidog.conf字段的含义可参考http://dev.wifidog.org/browser/trunk/wifidog/wifidog.conf

本文章由 http://www.wifidog.pro/2015/02/05/openwrt-wifidog-3.html 整理编辑,转载请注明出处

wifidog配置中文说明

#网关ID
GatewayID default
#外部网卡
ExternalInterface eth0
#无线网卡
GatewayInterface eth0
#无线IP
GatewayAddress 192.168.1.1
#路由状态HTML
HtmlMessageFile wifidog-msg.html 
#验证服务器
#AuthServer {
#    Hostname                 (Mandatory; Default: NONE)
#    SSLAvailable             (Optional; Default: no; Possible values: yes, no)
#    SSLPort                  (Optional; Default: 443)
#    HTTPPort                 (Optional; Default: 80)
#    Path                     (Optional; Default: /wifidog/ Note:  The path must be both prefixed and suffixed by /.  Use a single / for server root.)
#   LoginScriptPathFragment  (Optional; Default: login/? Note:  未用户登录重定向地址.)
#   PortalScriptPathFragment (Optional; Default: portal/? Note:  登录成功后重定向地址.)
#   MsgScriptPathFragment    (Optional; Default: gw_message.php? Note:  退出登录后重定向地址.)
#   PingScriptPathFragment    (Optional; Default: ping/? Note:  路由状态心跳地址.)
#   AuthScriptPathFragment    (Optional; Default: auth/? Note:  路由请求服务器验证地址 and 验证心跳地址(stage=counters).)
#}

AuthServer {
    Hostname auth.com
    #SSLAvailable yes
    Path /
}

# 是否后台进程
# Daemon 1
#默认网关端口
# Default: 2060
GatewayPort 80

# HTTP进程名
# HTTPDName WiFiDog

# HTTP最大连接数
# Default: 10
# HTTPDMaxConn 10

# WEB页面加密码后显示名
# Default: WiFiDog
# HTTPDRealm WiFiDog

# WEB加验证
# HTTPDUserName admin
# HTTPDPassword secret

# 心跳间隔时间
# Default: 60
CheckInterval 60

# 心跳间隔次数 验证超时数等于 CheckInterval*ClientTimeout 
ClientTimeout 2

# 信任的MAC地址,加入信任列表将不用登录可访问
#TrustedMACList 00:00:DE:AD:BE:AF,00:00:C0:1D:F0:0D

#其他防火墙设置

#全局
FirewallRuleSet global {
    ## To block SMTP out, as it's a tech support nightmare, and a legal liability
    #FirewallRule block tcp port 25

    ## Use the following if you don't want clients to be able to access machines on 
    ## the private LAN that gives internet access to wifidog.  Note that this is not
    ## client isolation;  The laptops will still be able to talk to one another, as
    ## well as to any machine bridged to the wifi of the router.
    # FirewallRule block to 192.168.0.0/16
    # FirewallRule block to 172.16.0.0/12
    # FirewallRule block to 10.0.0.0/8

    ## This is an example ruleset for the Teliphone service.
    #FirewallRule allow udp to 69.90.89.192/27
    #FirewallRule allow udp to 69.90.85.0/27
    #FirewallRule allow tcp port 80 to 69.90.89.205
}

# 新验证用户
FirewallRuleSet validating-users {
    FirewallRule allow to 0.0.0.0/0
}

#正常用户
FirewallRuleSet known-users {
    FirewallRule allow to 0.0.0.0/0
}

#未知用户
FirewallRuleSet unknown-users {
#域名已修改源码实现,直接下载的不行的...
    FirewallRule allow to baidu.com
    FirewallRule allow udp port 53
    FirewallRule allow tcp port 53
    FirewallRule allow udp port 67
    FirewallRule allow tcp port 67
}

#锁住用户
FirewallRuleSet locked-users {
    FirewallRule block to 0.0.0.0/0
}

本文章由 http://www.wifidog.pro/2015/02/04/wifidog-conf.html 整理编辑,转载请注明出处