[NoCat] Patch: proxy_redirect-01.patch
Karl Gaissmaier
karl.gaissmaier at kiz.uni-ulm.de
Tue, 29 Jul 2003 00:59:25 +0200
Name:
proxy_redirect-01.patch
Affected Files:
lib/NoCat/Gateway.pm
lib/NoCat/Gateway/Captive.pm
lib/NoCat/Gateway/Open.pm
lib/NoCat/Firewall.pm
libexec/iptables/initialize.fw
gateway.conf
htdocs/blockproxy.html
Version:
Patch against 0.82 or later
Severity:
handle clients with http proxy enabled
Description:
At present, when a client has an HTTP proxy enabled in his
browser, it does not get captured. If you capture on the
ports 3128 and 8080, there is a small bug with URI and URL
computation. With a small patch you can improve this, but
then you have the next problem with logout: since the logout
would come from the proxy, the gateway could not match it with
the IP address of the client. If you fix this with logout
via the authserver, the next problem arises
if the client also has a proxy configured for HTTPS.
Therefore I decided here at Ulm University to capture
the proxy-configured clients and send an informational message
to disable proxying on our WLAN network.
Status:
Works fine for me.
-- Karl Gaissmaier KIZ/Infrastructure, University of Ulm, Germany
Email: karl.gaissmaier@kiz.uni-ulm.de Service Group Network
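The absolute-URI detection that the attached patch adds to Gateway.pm, as an added stand-alone example in Perl (not NoCat code): parse_request_head is a hypothetical helper that parses a raw request head, flags proxy-style absolute URIs, defaults an empty stripped path to "/", and also treats CONNECT tunnel requests as proxy use, which goes beyond what the patch handles.

```perl
#!/usr/bin/perl
use strict;
use warnings;
# Hypothetical helper (not NoCat's own code): parse the head of a raw
# HTTP request and classify it the way the patched Gateway.pm does.
# A browser only sends an absolute-form request URI (http://host/path)
# when it talks to a configured proxy, so that form sets proxy_on.
sub parse_request_head {
    my ($raw, $home_page) = @_;
    my @lines = split /\r?\n/, $raw;
    my ($method, $uri) = split /\s+/, (shift(@lines) // "");
    my %head;
    for my $line (@lines) {             # headers up to the first blank line
        last if $line eq "";
        my ($name, $value) = $line =~ /^([^:]+):\s*(.*)$/ or next;
        $head{$name} = $value;
    }
    $head{Method}   = $method || "GET";
    $head{URI}      = $uri    || "/";
    $head{proxy_on} = 0;
    if ($head{URI} =~ m#^http://#i) {
        # Absolute-form URI: keep it as URL, reduce URI to the path part.
        $head{URL} = $head{URI};
        $head{URI} =~ s#^http://[^/]*##i;
        $head{URI} = "/" if $head{URI} eq "";   # "http://host" has no path
        $head{proxy_on} = 1;
    } elsif (uc($head{Method}) eq "CONNECT") {
        # HTTPS through a proxy arrives as a CONNECT host:port tunnel
        # request; the patch does not handle this case, this example does.
        $head{URL} = "https://$head{URI}";
        $head{proxy_on} = 1;
    } else {
        $head{URL} = ($head{Host} ? "http://$head{Host}$head{URI}" : $home_page) || "";
    }
    return \%head;
}

# Constructed sample requests for a quick self-check.
my @samples = (
    "GET http://example.net HTTP/1.0\r\nHost: example.net\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.net\r\n\r\n",
    "CONNECT example.net:443 HTTP/1.1\r\nHost: example.net:443\r\n\r\n",
);
for my $raw (@samples) {
    my $h = parse_request_head($raw, "http://gateway.invalid/");
    printf "%-8s proxy_on=%d URI=%-12s URL=%s\n",
        $h->{Method}, $h->{proxy_on}, $h->{URI}, $h->{URL};
}
```

The first sample exercises the empty-path case that a plain `s#^http://[^/]*##` would leave as an empty URI.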
diff -Naur --exclude '*.orig' --exclude '*.rej' NoCatAuth-nightly/gateway.conf NoCatAuth-mod/gateway.conf
--- NoCatAuth-nightly/gateway.conf 2003-02-11 02:59:09.000000000 +0100
+++ NoCatAuth-mod/gateway.conf 2003-07-26 20:44:58.000000000 +0200
@@ -68,6 +68,11 @@
#
# LoginTimeout 86400
+# ProxyPorts - space separated list of proxy ports to block
+# Default off
+#
+# ProxyPorts 3128 8080
+
###### Open Portal settings.
#
##
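Review bot: the comment describes the ports as ones "to block", but the initialize.fw part of this patch adds `$ProxyPorts` to the same REDIRECT loop as port 80, so these ports are captured, not dropped; say "proxy ports to capture" here. It is also worth noting in the comment that the value is word-split by the shell (`for port in 80 $ProxyPorts`), so only plain space separation works, no commas.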
@@ -89,6 +94,10 @@
#
StatusForm status.html
+# BlockProxyForm -- Page informing the user to disable proxy usage
+#
+BlockProxyForm blockproxy.html
+
###### Active/Passive Portal settings.
#
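Review bot: BlockProxyForm is set unconditionally here while ProxyPorts defaults to off; add to the comment that the page is only ever served when ProxyPorts is configured, since Captive.pm and Open.pm test both `$request->{proxy_on}` and `$self->{ProxyPorts}`. The `--` separator also differs from the `-` used in the ProxyPorts comment above; pick one.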
diff -Naur --exclude '*.orig' --exclude '*.rej' NoCatAuth-nightly/htdocs/blockproxy.html NoCatAuth-mod/htdocs/blockproxy.html
--- NoCatAuth-nightly/htdocs/blockproxy.html 1970-01-01 01:00:00.000000000 +0100
+++ NoCatAuth-mod/htdocs/blockproxy.html 2003-07-26 20:44:58.000000000 +0200
@@ -0,0 +1,9 @@
+<html>
+<body bgcolor="#FFFFFF">
+<p><font face="Verdana, Arial, Helvetica, sans-serif" size="3"><b>Proxy Server detected</b></font> </p>
+<p><font face="Verdana, Arial, Helvetica, sans-serif" size="2">You have configured your browser to use a http-proxy.<br>
+Please disable it in your browser's options in order to use the NoCat network.</font>
+</p>
+</body>
+</html>
+
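Review bot: the new page has no `<head>`/`<title>`, so the browser shows an untitled window; add `<head><title>Proxy Server detected</title></head>` before `<body>`. "a http-proxy" should read "an HTTP proxy", and the final empty `+` line only adds a stray blank line at the end of the file.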
diff -Naur --exclude '*.orig' --exclude '*.rej' NoCatAuth-nightly/lib/NoCat/Firewall.pm NoCatAuth-mod/lib/NoCat/Firewall.pm
--- NoCatAuth-nightly/lib/NoCat/Firewall.pm 2003-02-12 03:56:42.000000000 +0100
+++ NoCatAuth-mod/lib/NoCat/Firewall.pm 2003-07-26 21:31:07.000000000 +0200
@@ -21,6 +22,9 @@
MembersOnly RouteOnly IgnoreMAC
);
+# not in qw() in order to have independent patches -- Charly
+push @Perform_Export, qw(ProxyPorts);
+
# If /proc/net/arp is available, use it. Otherwise, fork /sbin/arp and read
# its output to get ARP cache data. Turns out '/sbin/arp -an' gives the same
# output on both Linux and *BSD. (Thank goodness.)
diff -Naur --exclude '*.orig' --exclude '*.rej' NoCatAuth-nightly/lib/NoCat/Gateway/Captive.pm NoCatAuth-mod/lib/NoCat/Gateway/Captive.pm
--- NoCatAuth-nightly/lib/NoCat/Gateway/Captive.pm 2003-02-11 02:59:09.000000000 +0100
+++ NoCatAuth-mod/lib/NoCat/Gateway/Captive.pm 2003-07-26 20:44:58.000000000 +0200
@@ -35,6 +35,10 @@
}
+ # it's a user with proxy enabled in his browser
+ } elsif ($request->{proxy_on} and $self->{ProxyPorts}) {
+ $self->respond($peer, BlockProxyForm => $request);
+
# Otherwise, it's a user who needs to be captured and
# sent to the auth service.
} else {
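Review bot: `$request->{proxy_on}` is only set in Gateway.pm for absolute `http://` request URIs, so a proxy-configured client's HTTPS CONNECT request never reaches this branch and falls through to the capture path, which is exactly the HTTPS-proxy case the cover mail describes; either note that limitation in the comment here or extend the condition with `$request->{Method} eq 'CONNECT'`.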
diff -Naur --exclude '*.orig' --exclude '*.rej' NoCatAuth-nightly/lib/NoCat/Gateway/Open.pm NoCatAuth-mod/lib/NoCat/Gateway/Open.pm
--- NoCatAuth-nightly/lib/NoCat/Gateway/Open.pm 2002-08-09 06:45:08.000000000 +0200
+++ NoCatAuth-mod/lib/NoCat/Gateway/Open.pm 2003-07-26 20:44:58.000000000 +0200
@@ -55,6 +55,11 @@
} else {
$self->serve( $peer => $request );
}
+
+ # it's a user with proxy enabled in his browser
+ } elsif ($request->{proxy_on} and $self->{ProxyPorts}) {
+ $self->respond($peer, BlockProxyForm => $request);
+
} else {
# The user was trying to get out. Capture them.
$self->capture( $peer => $request );
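Review bot: this is the same `elsif` block as the one added to Captive.pm; since both gateways get `proxy_on` from the shared request parser in Gateway.pm, consider handling the block-proxy response there as well, so the two copies cannot drift apart. The leading `+` blank line inserted inside the closing of the previous `if`/`else` is whitespace noise and can go.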
diff -Naur --exclude '*.orig' --exclude '*.rej' NoCatAuth-nightly/lib/NoCat/Gateway.pm NoCatAuth-mod/lib/NoCat/Gateway.pm
--- NoCatAuth-nightly/lib/NoCat/Gateway.pm 2003-03-10 17:50:51.000000000 +0100
+++ NoCatAuth-mod/lib/NoCat/Gateway.pm 2003-07-26 20:44:58.000000000 +0200
@@ -352,7 +352,16 @@
$head{Method} = $method || "GET";
$head{URI} = $uri || "/";
- $head{URL} = ($head{Host} ? "http://$head{Host}$head{URI}" : $self->{HomePage}) || "";
+
+ # captured http request via www proxy?
+ if ($head{URI} =~ m#^http://#i) {
+ $head{URL} = $head{URI};
+ $head{URI} =~ s#^http://[^/]*##oi;
+ $head{proxy_on} = 1;
+ } else {
+ $head{URL} = ($head{Host} ? "http://$head{Host}$head{URI}"
+ : $self->{HomePage}) || "";
+ }
return \%head;
}
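Review bot: after `$head{URI} =~ s#^http://[^/]*##oi;` a request for `http://host` with no path leaves `$head{URI}` empty, even though the line above defaulted it to `/`; add `$head{URI} = "/" if $head{URI} eq "";` after the substitution. The `/o` modifier does nothing on a pattern with no interpolated variables and can be dropped; `/i` alone is enough.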
diff -Naur --exclude '*.orig' --exclude '*.rej' NoCatAuth-nightly/libexec/iptables/initialize.fw NoCatAuth-mod/libexec/iptables/initialize.fw
--- NoCatAuth-nightly/libexec/iptables/initialize.fw 2003-03-27 04:21:04.000000000 +0100
+++ NoCatAuth-mod/libexec/iptables/initialize.fw 2003-07-26 20:46:24.000000000 +0200
@@ -153,7 +153,8 @@
else
nonauth="4"
fi
-for port in 80 443; do
+
+for port in 80 $ProxyPorts; do
for mark in $nonauth; do
$redirect -m mark --mark $mark -d windowsupdate.microsoft.com -j DROP
$redirect -m mark --mark $mark -p tcp --dport $port -j REDIRECT \
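Review bot: the loop changes from `for port in 80 443` to `for port in 80 $ProxyPorts`, so port 443 is no longer redirected for the unauthenticated marks; unless dropping HTTPS capture is intended, use `for port in 80 443 $ProxyPorts; do`. Note also that the `-d windowsupdate.microsoft.com -j DROP` rule inside the loop is now repeated once per proxy port, which is harmless but redundant.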