
Captive::Portal::Role::Config - config reader for Captive::Portal


Config file parser and storage for the cfg hash. The configuration syntax is Perl.


The following variables are predefined and can be used for interpolation in config values.

 $APP_NAME = 'capo'

 $APP_DIR = "$Bin/../"



Basedir for static content like images, css or error pages.

TEMPLATE_INCLUDE_PATH => "$APP_DIR/templates/local/:$APP_DIR/templates/orig"

Directories to search for templates.

RUN_USER => 'wwwrun'

Drop privileges to RUN_USER.

RUN_GROUP => 'www',

Drop privileges to RUN_GROUP.

SESSIONS_DIR => "/var/cache/$APP_NAME"

Where to store the session files. This directory must exist and must be readable/writable by RUN_USER.
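A pre-flight check for the SESSIONS_DIR/RUN_USER requirement, added here as an example and not part of Captive::Portal: before privileges are dropped it confirms that the directory exists, is owned by RUN_USER with owner read/write/search, and is not writable by other local users (world-readable is only reported as a warning, since the page requires nothing beyond RUN_USER access). The function name and its return codes are this example's own choice.

```shell
#!/bin/sh
# Added example, not Captive::Portal code: check that SESSIONS_DIR is usable
# by RUN_USER (the unprivileged account the daemon drops to) and not exposed
# to other local users. Session files hold the ip/mac/cookie state of every
# client, so a world-writable directory lets any local user forge or destroy
# sessions. Function name and return codes are this example's own choice.

# sessions_dir_check DIR USER  -> 0 if DIR is acceptable, non-zero otherwise
sessions_dir_check() {
    dir=$1
    user=$2

    [ -d "$dir" ] || { echo "$dir: missing or not a directory" >&2; return 1; }

    # Ownership and mode are tested with find(1) so the check works no matter
    # which user runs it (e.g. root, before privileges are dropped).
    # Octal masks with a leading '-' mean "all of these bits must be set".
    [ -n "$(find "$dir" -maxdepth 0 -user "$user" 2>/dev/null)" ] \
        || { echo "$dir: not owned by $user" >&2; return 2; }

    [ -n "$(find "$dir" -maxdepth 0 -perm -0700 2>/dev/null)" ] \
        || { echo "$dir: owner needs read/write/search (u+rwx)" >&2; return 3; }

    [ -z "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ] \
        || { echo "$dir: world-writable, other users could tamper with sessions" >&2; return 4; }

    # Readable by others is only a warning: the page requires RUN_USER access,
    # but session files should not be readable by unrelated local users.
    [ -z "$(find "$dir" -maxdepth 0 -perm -0004 2>/dev/null)" ] \
        || echo "$dir: warning, world-readable" >&2
    return 0
}

# Usage: sh sessions_check.sh /var/cache/capo wwwrun
if [ $# -eq 2 ]; then
    sessions_dir_check "$1" "$2"
fi
```

Run it as root from the same start script that later drops to RUN_USER; a non-zero exit should abort the start rather than let the daemon fall back to writing sessions somewhere unexpected.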

If this attribute is set, the cookie is marked Secure: the browser only sends it back to the script when the request travels over a secure channel such as SSL/TLS.

SESSION_MAX => 48 * 3600 # 2d

Max session time until a forced disconnect.

IDLE_TIME => 60 * 10 # 10 min

How long to wait for activity from ip/mac until a session is marked idle.

KEEP_OLD_STATE_PERIOD => 1 * 60 * 60, # 1h

How long to keep idle session records on disk for fast reconnect with proper ip/mac/cookie match.

USE_FPING => ON # use fping to trigger idle clients

Use fping(8) to trigger idle clients.

FPING_OPTIONS => [qw(-c 1 -i 1 -t 1 -q)] # SuSe default

fping(8) options for the current Linux distribution.



Passphrase for detailed sessions view.


Authentication is handled by the Authen::Simple framework. You may stack any of the Authen::Simple::... plugins for authentication, see the $Bin/../etc/config.pl template.

IPTABLES->capture_if => 'eth1'

The inside gateway interface, e.g. 'eth1'. All HTTP traffic on this interface that is not allowed by a predefined rule is captured and redirected to the capo.fcgi script.

IPTABLES->capture_net => ''

The inside IP network in CIDR notation, e.g. ''

IPTABLES->capture_ports => [80, 8080]

Which TCP ports should be captured and redirected, e.g. [80, 8080].

IPTABLES->redirect_port => 5281

The local port on which the HTTP server listens; the captured HTTP request is rewritten there into an HTTPS request.

The above settings result in a NAT rule equivalent to:

 iptables -t nat -A PREROUTING -i eth1 -s ! -d \
          -p tcp -m multiport --dports 80,8080 -j REDIRECT --to-port 5281

IPTABLES->throttle => OFF

You may throttle HTTP/HTTPS requests per second and client IP. Some clients/gadgets fire a lot of HTTP traffic without human intervention; depending on your hardware and your encryption resources this can overload your gateway.

IPTABLES->throttle_ports => [ 80, 5281]

You should protect/throttle port 80 and the redirect_port (see above).

IPTABLES->throttle_seconds => 30
IPTABLES->throttle_hitcount => 15

Both parameters define the average and the burst: the average is hitcount/seconds and the burst is hitcount hits within seconds. With the values 30 and 15, the average is 15 hits/30 s, i.e. 1 hit per 2 s, and the burst is 15 hits within 30 seconds.

The above settings result in iptable rules equivalent to:

 # throttle/drop new connections
 iptables -t filter -A INPUT -p tcp --syn -m multiport --dports 80,5281 \
    -m recent --name capo_throttle --rcheck --seconds 30 --hitcount 15 -j DROP

 # at last accept new connections but set/update the recent table
 iptables -t filter -A INPUT -p tcp --syn -m multiport --dports 80,5281 \
    -m recent --name capo_throttle --set -j ACCEPT
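The NAT capture rule and the two throttle rules above, regenerated from the config values by a small POSIX shell script. This is an added example and not part of Captive::Portal: capture_if, the port lists, the table name and the throttle numbers are the page's own, while capture_net is an assumed RFC 5737 documentation prefix (192.0.2.0/24) because the page leaves that value empty. The script only prints the rules; the check against the xt_recent hitcount limit is this example's own addition.

```shell
#!/bin/sh
# Added example, not Captive::Portal code: render the NAT capture rule and the
# throttle rules from the IPTABLES config values and print them for review.
# CAPTURE_NET is an assumed value (RFC 5737 documentation prefix); the rest
# mirrors the documented defaults.

CAPTURE_IF=eth1
CAPTURE_NET=192.0.2.0/24        # assumed; the page leaves capture_net empty
CAPTURE_PORTS="80 8080"
REDIRECT_PORT=5281
THROTTLE_PORTS="80 5281"
THROTTLE_SECONDS=30
THROTTLE_HITCOUNT=15
# xt_recent refuses a hitcount above its ip_pkt_list_tot module parameter
# (20 unless the module was loaded with another value).
XT_RECENT_PKT_LIST_TOT=${XT_RECENT_PKT_LIST_TOT:-20}

# "80 8080" -> "80,8080" for --dports
join_ports() { printf '%s' "$*" | tr ' ' ','; }

# Capture: HTTP from the inside interface that is NOT addressed to the inside
# network is redirected to the local listener. "! -d" keeps traffic to servers
# inside the captive network (including the gateway itself) untouched.
nat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -s %s ! -d %s -p tcp -m multiport --dports %s -j REDIRECT --to-port %s\n' \
        "$CAPTURE_IF" "$CAPTURE_NET" "$CAPTURE_NET" \
        "$(join_ports $CAPTURE_PORTS)" "$REDIRECT_PORT"
}

# Reject the config before rendering rules that iptables would refuse.
validate_throttle() {
    [ "$THROTTLE_SECONDS" -gt 0 ] 2>/dev/null \
        || { echo "throttle_seconds must be > 0" >&2; return 1; }
    [ "$THROTTLE_HITCOUNT" -gt 0 ] 2>/dev/null \
        && [ "$THROTTLE_HITCOUNT" -le "$XT_RECENT_PKT_LIST_TOT" ] \
        || { echo "throttle_hitcount must be 1..$XT_RECENT_PKT_LIST_TOT" >&2; return 1; }
}

# Throttle: order matters. The --rcheck rule only looks at the table and
# drops a SYN when the source IP already has hitcount entries within the
# window; the --set rule (which must come after it) records the SYN and
# accepts it. xt_recent keys on the source address by default (--rsource).
throttle_rules() {
    ports=$(join_ports $THROTTLE_PORTS)
    printf 'iptables -t filter -A INPUT -p tcp --syn -m multiport --dports %s -m recent --name capo_throttle --rcheck --seconds %s --hitcount %s -j DROP\n' \
        "$ports" "$THROTTLE_SECONDS" "$THROTTLE_HITCOUNT"
    printf 'iptables -t filter -A INPUT -p tcp --syn -m multiport --dports %s -m recent --name capo_throttle --set -j ACCEPT\n' \
        "$ports"
}

# Average new connections per second the throttle tolerates (hitcount/seconds).
throttle_avg() {
    awk -v h="$THROTTLE_HITCOUNT" -v s="$THROTTLE_SECONDS" 'BEGIN { printf "%.3f\n", h / s }'
}

# Print the rules; pipe the output into "sh" on the gateway to apply them.
if validate_throttle; then
    nat_rule
    throttle_rules
    echo "# average ${THROTTLE_HITCOUNT}/${THROTTLE_SECONDS}s = $(throttle_avg) new connections/s per client"
fi
```

Two points worth keeping in mind when tuning: the throttle only counts SYNs, so it limits new connections, not requests inside a kept-alive connection; and because the table is keyed on the source address, many clients behind one NAT on the inside network share a single budget.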

Allow access to open local services like DHCP, DNS, NTP, ...


Allow access for some dumb clients without authentication.


Allow access to some open servers.


Allow access to some open networks.


Supported languages for system messages and HTML templates.


Fallback language if the client message isn't supported in the system message catalog and templates.


Translations of the system messages.



Parse config file, merge with defaults. Die on error.


Getter, return a shallow copy of the config hashref.


Karl Gaissmaier, <gaissmai at cpan.org>


Copyright 2010-2012 Karl Gaissmaier, all rights reserved.

This distribution is free software; you can redistribute it and/or modify it under the terms of either:

a) the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version, or

b) the Artistic License version 2.0.