[NoCat] Patch: https_redirect-01.patch
Karl Gaissmaier
karl.gaissmaier at kiz.uni-ulm.de
Tue, 29 Jul 2003 01:14:27 +0200
Name: https_redirect-01.patch
Affected Files:
  lib/NoCat/Firewall.pm
  libexec/iptables/initialize.fw
  etc/httpd.conf
  htdocs/block_initial_https.html
Version: Patch against 0.82 or later
Severity: unimportant, handles clients surfing initially to an https encrypted site
Description:
When a client surfs to an https site and is not authenticated, the
gateway captures this connection but can't handle SSL traffic.
I decided to DNAT this traffic to an http server speaking SSL.
In my case, this is my already installed authserver, but it could
be a totally different SSL-capable httpd or even a small script
emulating http behind a stunnel.
Since I use my authserver, I rewrite any URL not destined for
my authserver with mod_rewrite to an informal page, asking
the user first to surf to a normal http page. The URL rewriting
is a little bit tricky, but you could also DNAT to a different
port, using a different virtual host.
-- Karl Gaissmaier, KIZ/Infrastructure, University of Ulm, Germany
Email: karl.gaissmaier@kiz.uni-ulm.de, Service Group Network
diff -Naur --exclude '*.orig' --exclude '*.rej' NoCatAuth-nightly/etc/httpd.conf NoCatAuth-mod/etc/httpd.conf
--- NoCatAuth-nightly/etc/httpd.conf 2003-05-19 16:39:18.000000000 +0200
+++ NoCatAuth-mod/etc/httpd.conf 2003-07-26 22:10:25.000000000 +0200
@@ -8,12 +8,21 @@
#
# Include /usr/local/nocat/etc/httpd.conf
+# needed for the initial https info page. We've been DNAT'ed
+# from the gateway since the initial connection was https
+RewriteEngine on
+# auth.nocat.net must be replaced with your own auth server
+RewriteCond %{HTTP_HOST} !^auth.nocat.net [NC]
+RewriteCond %{REQUEST_URI} !^/block_initial_https.html$
+RewriteRule ^/.*$ /block_initial_https.html [NS]
+
# Put this in a virtual host entry, if needed, and don't forget
# the trailing slash.
ScriptAlias /cgi-bin/ /usr/local/nocat/cgi-bin/
<Directory /usr/local/nocat/cgi-bin>
+ RewriteEngine off
##
# $PERL5LIB tells Perl where to find the NoCat libraries.
##
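Review bot: the host check `RewriteCond %{HTTP_HOST} !^auth.nocat.net [NC]` is a regex with unescaped dots and no end anchor, so any Host header that merely starts with something matching the pattern (for example `auth.nocat.network`, or `authXnocatYnet.example` since `.` matches any character) is treated as the auth server and bypasses the info page; use `RewriteCond %{HTTP_HOST} !^auth\.nocat\.net$ [NC]` (and add a `(:443)?` variant if clients send an explicit port). The second RewriteCond already prevents a rewrite loop on `/block_initial_https.html`, but adding `[L]` to the RewriteRule, i.e. `RewriteRule ^/.*$ /block_initial_https.html [NS,L]`, makes it explicit that no further rules apply once the info page is selected.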
diff -Naur --exclude '*.orig' --exclude '*.rej' NoCatAuth-nightly/htdocs/block_initial_https.html NoCatAuth-mod/htdocs/block_initial_https.html
--- NoCatAuth-nightly/htdocs/block_initial_https.html 1970-01-01 01:00:00.000000000 +0100
+++ NoCatAuth-mod/htdocs/block_initial_https.html 2003-07-26 21:25:36.000000000 +0200
@@ -0,0 +1,18 @@
+<html>
+ <title>NoCat SSL Capture</title>
+<html>
+<body bgcolor="#FFFFFF">
+ <p>
+ <font face="Verdana, Arial, Helvetica, sans-serif" size="3">
+ <b>Initial https connection detected</b></font>
+ </p>
+ <p>
+ <font face="Verdana, Arial, Helvetica, sans-serif" size="2">
+ You have requested a ssl encrypted site not being
+ authenticated to the network.<br>
+ Please surf first to a nonencrypted site like the
+ <a href="http://www.nocat.net">NoCat network</a>.
+ </font>
+ </p>
+</body>
+</html>
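Review bot: the markup is malformed: `<title>` needs an enclosing `<head>`, and the second `<html>` on the third line should be `</head>`, i.e. `<html>` / `<head><title>NoCat SSL Capture</title></head>` / `<body bgcolor="#FFFFFF">`. Browsers will render the page anyway, but it is a one-line fix. Minor wording: "a ssl encrypted site not being authenticated" reads better as "an SSL encrypted site while not being authenticated".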
diff -Naur --exclude '*.orig' --exclude '*.rej' NoCatAuth-nightly/lib/NoCat/Firewall.pm NoCatAuth-mod/lib/NoCat/Firewall.pm
--- NoCatAuth-nightly/lib/NoCat/Firewall.pm 2003-02-12 03:56:42.000000000 +0100
+++ NoCatAuth-mod/lib/NoCat/Firewall.pm 2003-07-26 21:31:07.000000000 +0200
@@ -1,6 +1,7 @@
package NoCat::Firewall;
use NoCat qw( PUBLIC );
+use Socket qw(inet_aton inet_ntoa);
use strict;
use vars qw( @ISA @REQUIRED *ARP *RESOLV );
use constant BY_MAC => 1;
@@ -21,6 +22,9 @@
MembersOnly RouteOnly IgnoreMAC
);
+# not in qw() in order to have independent patches -- Charly
+push @Perform_Export, qw(AuthServiceIP);
+
# If /proc/net/arp is available, use it. Otherwise, fork /sbin/arp and read
# its output to get ARP cache data. Turns out '/sbin/arp -an' gives the same
# output on both Linux and *BSD. (Thank goodness.)
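Review bot: exporting `AuthServiceIP` via `push @Perform_Export` works, but the new setting is not documented anywhere in the patch; since the firewall script depends on it and an administrator may want to set it explicitly instead of relying on the DNS lookup, a short comment here (or in the config template) describing `AuthServiceIP` and its default would help.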
@@ -41,6 +45,9 @@
$self->check_config( "AuthServiceAddr" )
unless $self->{GatewayMode} and $self->{GatewayMode} eq "Open";
+ $self->{AuthServiceIP} ||= inet_ntoa(inet_aton($self->{AuthServiceAddr}))
+ if $self->{AuthServiceAddr};
+
unless ( grep($_, @$self{@Dynamic_Required}) == @Dynamic_Required ) {
my %iface = $self->interfaces;
my $default = $self->default_route;
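Review bot: `inet_ntoa(inet_aton($self->{AuthServiceAddr}))` has no failure handling: if the name does not resolve when the gateway starts, `inet_aton` returns undef and `inet_ntoa` dies with a cryptic "Bad arg length" message instead of one naming `AuthServiceAddr`. Resolve into a temporary and check it, e.g. `my $packed = inet_aton($self->{AuthServiceAddr}) or die "Can't resolve AuthServiceAddr $self->{AuthServiceAddr}";` before calling `inet_ntoa`. Also note that the address is resolved once at startup, so a later DNS change for the auth server is not picked up until the gateway is restarted; that is worth a comment next to the assignment.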
diff -Naur --exclude '*.orig' --exclude '*.rej' NoCatAuth-nightly/libexec/iptables/initialize.fw NoCatAuth-mod/libexec/iptables/initialize.fw
--- NoCatAuth-nightly/libexec/iptables/initialize.fw 2003-03-27 04:21:04.000000000 +0100
+++ NoCatAuth-mod/libexec/iptables/initialize.fw 2003-07-26 20:46:24.000000000 +0200
@@ -163,4 +163,11 @@
+# Redirect outbound non-auth https traffic to the AuthServer
+# responding with a proper info page
+for mark in $nonauth; do
+ $redirect -m mark --mark $mark -p tcp --dport 443 -j DNAT \
+ --to-destination $AuthServiceIP
+done
+
# Lock down more ports for public users, if specified. Port restrictions
# are not applied to co-op and owner class users.
#
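Review bot: the loop emits `--to-destination $AuthServiceIP` unguarded; when `AuthServiceIP` is empty (in Open gateway mode the Perl side skips the `AuthServiceAddr` check and leaves it unset) iptables receives a bare `--to-destination` and aborts the firewall setup. Wrap the loop in `if [ -n "$AuthServiceIP" ]; then ... fi`. Two caveats deserve a comment in the file: the DNAT keeps the destination port at 443, so the auth server must be serving SSL on 443, and the browser will still raise a certificate warning because the auth server's certificate does not match the hostname the client originally requested; the rewrite to the info page only takes effect after the user accepts that warning.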