
Karl Gaissmaier and 1 contributor

NAME

Captive::Portal::Role::Config - config reader for Captive::Portal

DESCRIPTION

Config file parser and storage for cfg hash. The configuration syntax is perl.

PRESET GLOBAL PACKAGE VARIABLES

The following variables are predefined and can be used for interpolation in config values.

 $APP_NAME = 'capo'

 $APP_DIR = "$Bin/../"

PRESET DEFAULTS

DOCUMENT_ROOT => "$APP_DIR/static"

Basedir for static content like images, css or error pages.

TEMPLATE_INCLUDE_PATH => "$APP_DIR/templates/local/:$APP_DIR/templates/orig"

Directories to search for templates.

RUN_USER => 'wwwrun'

Drop privileges to RUN_USER.

RUN_GROUP => 'www'

Drop privileges to RUN_GROUP.

SESSIONS_DIR => "/var/cache/$APP_NAME"

Where to store the session files. This directory must exist and must be readable/writable by RUN_USER.

SSL_REQUIRED => ON

A JS script checks that the login/splash page was delivered over SSL and throws an error when it was not. Otherwise a man-in-the-middle may be playing http-to-https proxy like sslstrip(8). If the MITM strips the JS as well, this check doesn't help anyway. The users must check the location bar for HTTPS these days, sigh.

SESSION_MAX => 48 * 3600 # 2d

Max session time until a forced disconnect.

IDLE_TIME => 60 * 10 # 10 min

How long to wait for activity from ip/mac until a session is marked idle.

KEEP_OLD_STATE_PERIOD => 1 * 60 * 60 # 1h

How long to keep idle session records on disk for fast reconnect with proper ip/mac/cookie match.

LOCAL PARAMETERS

ADMIN_SECRET

Passphrase for detailed sessions view.

AUTHEN_SIMPLE_MODULES

Authentication is handled by the Authen::Simple framework. You may stack any of the Authen::Simple::... plugins for authentication, see the $Bin/../etc/config.pl template.

IPTABLES->capture_if => 'eth1'

The inside gateway interface, e.g. 'eth1'. All HTTP traffic not allowed by any predefined rule is captured and redirected to the capo.fcgi script.

IPTABLES->capture_net => '192.168.0.0/22'

The inside IP network in CIDR notation, e.g. '192.168.0.0/22'

IPTABLES->capture_ports => [80, 8080]

What tcp ports should be captured and redirected, e.g. [ 80, 8080]

IPTABLES->redirect_port => 5281

The port where the HTTP server is listening in order to rewrite the captured HTTP request into an HTTPS request.

The above settings result in a NAT rule equivalent to:

 iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/22 ! -d 192.168.0.0/22 \
          -p tcp -m multiport --dports 80,8080 -j  REDIRECT --to-port 5281

IPTABLES->throttle => OFF

You may throttle HTTP/HTTPS requests per second per client IP. Some clients/gadgets fire a lot of HTTP traffic without human intervention. Depending on your hardware and your encryption resources this can overload your gateway.

IPTABLES->throttle_ports => [ 80, 5281]

You should protect/throttle port 80 and the redirect_port (see above).

IPTABLES->throttle_seconds => 30
IPTABLES->throttle_hitcount => 15

Both parameters together define the average rate and the burst. The average is hitcount/seconds, and the burst is hitcount hits within seconds. With the values 30 and 15, the average is 15 hits/30 s => 1 hit/2 s, and the burst is 15 hits in 30 seconds.

The above settings result in iptable rules equivalent to:

 # throttle/drop new connections
 iptables -t filter -A INPUT -p tcp --syn -m multiport --dports 80,5281 \
    -m recent --name capo_throttle --rcheck --seconds 30 --hitcount 15 -j DROP

 # at last accept new connections but set/update the recent table
 iptables -t filter -A INPUT -p tcp --syn -m multiport --dports 80,5281 \
    -m recent --name capo_throttle --set -j ACCEPT

IPTABLES->open_services
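The following script is an added example and not part of Captive::Portal; it derives the NAT redirect and throttle rules described above from an IPTABLES hash and validates each value before it is placed on an iptables command line. The function names, the sample values and the use of 1/0 for ON/OFF are constructed for this example; the rule shapes and the recent-table name capo_throttle come from the rules shown above.

```perl
#!/usr/bin/perl
# Added example, not part of Captive::Portal: derive the iptables rules that
# the IPTABLES settings describe, after validating the values that end up on
# the iptables command line. Function names and the sample values are
# constructed; the rule shapes and the recent-table name capo_throttle are
# taken from the documentation above.
use strict;
use warnings;

# Constructed sample, matching the documented IPTABLES defaults but with
# throttling switched on (1 stands for ON here).
my %IPTABLES = (
    capture_if        => 'eth1',
    capture_net       => '192.168.0.0/22',
    capture_ports     => [ 80, 8080 ],
    redirect_port     => 5281,
    throttle          => 1,
    throttle_ports    => [ 80, 5281 ],
    throttle_seconds  => 30,
    throttle_hitcount => 15,
);

# Values are interpolated into iptables commands, so accept only the
# syntax each field may have; die on anything else.
sub validate_iptables {
    my ($c) = @_;
    die "capture_if: bad interface name\n"
      unless $c->{capture_if} =~ /^[a-zA-Z0-9_.-]{1,15}$/;
    die "capture_net: not an IPv4 CIDR network\n"
      unless $c->{capture_net} =~ m{^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$}
      && !grep { $_ > 255 } ( $1, $2, $3, $4 )
      && $5 <= 32;
    for my $list (qw(capture_ports throttle_ports)) {
        die "$list: must be a non-empty list of tcp ports\n"
          unless ref $c->{$list} eq 'ARRAY'
          && @{ $c->{$list} }
          && !grep { !/^\d+$/ || $_ < 1 || $_ > 65535 } @{ $c->{$list} };
    }
    for my $num (qw(redirect_port throttle_seconds throttle_hitcount)) {
        die "$num: must be a positive integer\n"
          unless $c->{$num} =~ /^\d+$/ && $c->{$num} > 0;
    }
    return 1;
}

# NAT rule: HTTP from inside clients to outside destinations on the captured
# ports is redirected to the local listener that bounces it to HTTPS.
sub nat_redirect_rule {
    my ($c) = @_;
    my $ports = join ',', @{ $c->{capture_ports} };
    return "iptables -t nat -A PREROUTING -i $c->{capture_if} "
      . "-s $c->{capture_net} ! -d $c->{capture_net} "
      . "-p tcp -m multiport --dports $ports -j REDIRECT --to-port $c->{redirect_port}";
}

# Throttle rules: drop a new connection once the source has hit the ports
# throttle_hitcount times within throttle_seconds, otherwise accept it and
# record the hit in the recent table. Returns nothing when throttling is OFF.
sub throttle_rules {
    my ($c) = @_;
    return () unless $c->{throttle};
    my $ports = join ',', @{ $c->{throttle_ports} };
    my $match = "iptables -t filter -A INPUT -p tcp --syn -m multiport "
      . "--dports $ports -m recent --name capo_throttle";
    return (
        "$match --rcheck --seconds $c->{throttle_seconds} "
          . "--hitcount $c->{throttle_hitcount} -j DROP",
        "$match --set -j ACCEPT",
    );
}

# Average rate and burst implied by the two throttle parameters.
sub throttle_limits {
    my ($c) = @_;
    return {
        average_per_s => $c->{throttle_hitcount} / $c->{throttle_seconds},
        burst         => $c->{throttle_hitcount},
        window_s      => $c->{throttle_seconds},
    };
}

validate_iptables( \%IPTABLES );
print "$_\n" for nat_redirect_rule( \%IPTABLES ), throttle_rules( \%IPTABLES );
my $lim = throttle_limits( \%IPTABLES );
printf "throttle: average %.2f hits/s, burst %d hits per %d s\n",
  @{$lim}{qw(average_per_s burst window_s)};
```

Running the script prints the three rules in the same form as the documentation and the rate the throttle parameters imply; because the strings are only printed, the output can be reviewed before anything touches the live ruleset. The validation step matters because the configuration is a Perl file: a value such as a port list that is not a list of integers would otherwise be spliced into a root-level iptables invocation unchecked.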

Allow access to open local services like DHCP, DNS, NTP, ...

IPTABLES->open_clients

Allow access for some dumb clients without authentication.

IPTABLES->open_servers

Allow access to some open servers.

IPTABLES->open_networks

Allow access to some open networks.

I18N_LANGUAGES

Supported languages for system messages and HTML templates.

I18N_FALLBACK_LANG

Fallback language used when the client's preferred language isn't available in the system message catalog and templates.

I18N_MSG_CATALOG

Translations of the system messages.

ROLES

$capo->parse_cfg_file($filename)

Parse config file, merge with defaults. Die on error.

$capo->cfg()

Getter, return a shallow copy of the config hashref.
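As an added example that is not Captive::Portal's own code, the script below shows a minimal reader in the spirit of parse_cfg_file() and cfg(), and how a config file written in Perl can interpolate the preset globals $APP_NAME and $APP_DIR described at the top of this page. Assumptions: the config file returns a hashref, the preset globals are package variables of main, $APP_DIR is fixed to a constructed path instead of "$Bin/../", the defaults are a subset of the documented ones, and the mandatory-key and range checks are illustrative rather than the module's actual rules.

```perl
#!/usr/bin/perl
# Added example, not Captive::Portal's own code: a minimal config reader in
# the spirit of parse_cfg_file() and cfg(). Assumptions: the config file is
# Perl that returns a hashref, and the preset globals $APP_NAME and $APP_DIR
# are package variables of main that the file may interpolate.
use strict;
use warnings;
use File::Temp qw(tempfile);

our $APP_NAME = 'capo';
our $APP_DIR  = '/opt/capo';    # stands in for "$Bin/../" in this example

# Subset of the documented PRESET DEFAULTS.
my %DEFAULTS = (
    DOCUMENT_ROOT => "$APP_DIR/static",
    RUN_USER      => 'wwwrun',
    RUN_GROUP     => 'www',
    SESSIONS_DIR  => "/var/cache/$APP_NAME",
    SSL_REQUIRED  => 1,
    SESSION_MAX   => 48 * 3600,    # 2d
    IDLE_TIME     => 60 * 10,      # 10 min
);

my $CFG;    # parsed and merged configuration

# Parse the file, merge with defaults, die on error.
sub parse_cfg_file {
    my ($filename) = @_;
    die "config file '$filename' is not readable\n" unless -r $filename;

    # The file is executed as Perl, so anyone who can write it runs code as
    # the portal: refuse group- or world-writable files.
    my $mode = ( stat $filename )[2] & 0777;
    die sprintf( "config file '%s' is writable by others (mode %04o)\n", $filename, $mode )
      if $mode & 022;

    my $cfg = do $filename;
    die "config file '$filename': $@" if $@;
    die "config file '$filename': $!\n" if !defined $cfg && $!;
    die "config file '$filename' must return a hashref\n" unless ref $cfg eq 'HASH';

    my %merged = ( %DEFAULTS, %$cfg );    # file values override defaults

    for my $key (qw(ADMIN_SECRET IPTABLES)) {
        die "missing mandatory parameter $key\n" unless defined $merged{$key};
    }
    for my $key (qw(SESSION_MAX IDLE_TIME)) {
        die "$key must be a positive number of seconds\n"
          unless $merged{$key} =~ /^\d+$/ && $merged{$key} > 0;
    }
    die "IDLE_TIME must not exceed SESSION_MAX\n"
      if $merged{IDLE_TIME} > $merged{SESSION_MAX};

    $CFG = \%merged;
    return $CFG;
}

# Getter: shallow copy, so callers cannot replace top-level values behind
# the portal's back (nested hashes such as IPTABLES are still shared).
sub cfg {
    die "no config parsed yet\n" unless $CFG;
    return { %$CFG };
}

# Constructed sample config; single-quoted heredoc so $APP_DIR and $APP_NAME
# are interpolated when the file is evaluated, not when this script is parsed.
my $sample = <<'END_CFG';
my %cfg = (
    TEMPLATE_INCLUDE_PATH => "$APP_DIR/templates/local/:$APP_DIR/templates/orig",
    SESSIONS_DIR          => "/var/cache/$APP_NAME",
    IDLE_TIME             => 5 * 60,
    ADMIN_SECRET          => 'change-me',
    IPTABLES              => { capture_if => 'eth1', capture_net => '192.168.0.0/22' },
);
\%cfg;
END_CFG

my ( $fh, $filename ) = tempfile( SUFFIX => '.pl', UNLINK => 1 );    # created mode 0600
print {$fh} $sample;
close $fh or die "cannot write $filename: $!";

parse_cfg_file($filename);
my $copy = cfg();
printf "%-22s %s\n", $_, $copy->{$_}
  for qw(DOCUMENT_ROOT TEMPLATE_INCLUDE_PATH SESSIONS_DIR IDLE_TIME);

$copy->{IDLE_TIME} = 0;    # modifies the copy only, not the stored config
print "stored IDLE_TIME is still ", cfg()->{IDLE_TIME}, "\n";
```

Two points are worth keeping from this sketch when writing a real config: the file is evaluated as Perl, so its ownership and mode deserve the same care as the code of the portal itself, and any value that flows into privileged operations (user switching, iptables, file paths) should be checked for shape before the merged hash is accepted rather than when it is first used.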

AUTHOR

Karl Gaissmaier, <gaissmai at cpan.org>

LICENSE AND COPYRIGHT

Copyright 2010-2013 Karl Gaissmaier, all rights reserved.

This distribution is free software; you can redistribute it and/or modify it under the terms of either:

a) the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version, or

b) the Artistic License version 2.0.