-
Notifications
You must be signed in to change notification settings - Fork 320
/
wifidog.conf
361 lines (316 loc) · 12.2 KB
/
wifidog.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
# $Id$
# WiFiDog Configuration file
# Parameter: GatewayID
# Default: default
# Optional
#
# Set this to the node ID on the auth server
# This is used to give a customized login page to the clients and for
# monitoring/statistics purpose. If you run multiple gateways on the same
# machine each gateway needs to have a different gateway id.
# If none is supplied, the mac address of the GatewayInterface interface will be used,
# without the : separators
# GatewayID default
# Parameter: ExternalInterface
# Default: NONE
# Optional
#
# Set this to the external interface (the one going out to the Inernet or your larger LAN).
# Typically vlan1 for OpenWrt, and eth0 or ppp0 otherwise,
# Normally autodetected
# ExternalInterface eth0
# Parameter: GatewayInterface
# Default: NONE
# Mandatory
#
# Set this to the internal interface (typically your wifi interface).
# Typically br-lan for Openwrt (by default the wifi interface is bridged with wired lan in openwrt)
# and eth1, wlan0, ath0, etc. otherwise
# You can get this interface with the ifconfig command and finding your wifi interface
GatewayInterface br-lan
# Parameter: GatewayAddress
# Default: Find it from GatewayInterface
# Optional
#
# Set this to the internal IP address of the gateway. Not normally required.
# GatewayAddress 192.168.1.1
# Parameter: HtmlMessageFile
# Default: wifidog-msg.html
# Optional
#
# This allows you to specify a custome HTML file which will be used for
# system errors by the gateway. Any $title, $message and $node variables
# used inside the file will be replaced.
#
# HtmlMessageFile /opt/wifidog/etc/wifidog-.html
# Parameter: AuthServer
# Default: NONE
# Mandatory, repeatable
#
# This allows you to configure your auth server(s). Each one will be tried in order, untill one responds.
# Set this to the hostname or IP of your auth server(s), the path where
# WiFiDog-auth resides in and the port it listens on.
#AuthServer {
# Hostname (Mandatory; Default: NONE)
# SSLAvailable (Optional; Default: no; Possible values: yes, no)
# SSLPort (Optional; Default: 443)
# HTTPPort (Optional; Default: 80)
# Path (Optional; Default: /wifidog/ Note: The path must be both prefixed and suffixed by /. Use a single / for server root.)
# LoginScriptPathFragment (Optional; Default: login/? Note: This is the script the user will be sent to for login.)
# PortalScriptPathFragment (Optional; Default: portal/? Note: This is the script the user will be sent to after a successfull login.)
# MsgScriptPathFragment (Optional; Default: messages/? Note: This is the script the user will be sent to upon error to read a readable message.)
# PingScriptPathFragment (Optional; Default: ping/? Note: This is the wifidog-ping protocol. See http://dev.wifidog.org/wiki/doc/developer/WiFiDogProtocol_V1)
# AuthScriptPathFragment (Optional; Default: auth/? Note: This is the wifidog-auth protocol. See http://dev.wifidog.org/wiki/doc/developer/WiFiDogProtocol_V1)
#}
# If SSLAvailable is set, then the client will be redirected to the
# auth daemon on its HTTPS port. If Wifidog is compiled with SSL support,
# then Wifidog will also use HTTPS to talk to the auth server instead of
# plain HTTP.
#
#AuthServer {
# Hostname auth.ilesansfil.org
# SSLAvailable yes
# Path /
#}
#AuthServer {
# Hostname auth2.ilesansfil.org
# SSLAvailable yes
# Path /
#}
# Parameter: DeltaTraffic
# Default: no
# Optional
#
# Set this to true if you want to reset each user's traffic (Outgoing and Incoming) value after each Auth operation.
# If this is enabled, Wifidog will add two new parameters to the AuthScriptPathFragment: Incoming_Delta, Outgoing_delta.
# DeltaTraffic no
# Parameter: Daemon
# Default: 1
# Optional
#
# Set this to true if you want to run as a daemon
# Daemon 1
# Parameter: GatewayPort
# Default: 2060
# Optional
#
# Listen on this port
# GatewayPort 2060
# Parameter: ProxyPort
# Default: 0 (disable)
# Optional
#
# Redirect http traffic of knowns & probations users
# to a local transparent proxy listening on ProxyPort port
# ProxyPort 0
# Parameter: HTTPDName
# Default: WiFiDog
# Optional
#
# Define what name the HTTPD server will respond
# HTTPDName WiFiDog
# Parameter: HTTPDMaxConn
# Default: 10
# Optional
#
# How many sockets to listen to
# HTTPDMaxConn 10
# Parameter: HTTPDRealm
# Default: WiFiDog
# Optional
#
# The name of the HTTP authentication realm. This only used when a user
# tries to access a protected WiFiDog internal page. See HTTPUserName.
# HTTPDRealm WiFiDog
# Parameter: HTTPDUserName / HTTPDPassword
# Default: unset
# Optional
#
# The gateway exposes some information such as the status page through its web
# interface. This information can be protected with a username and password,
# which can be set through the HTTPDUserName and HTTPDPassword parameters.
# HTTPDUserName admin
# HTTPDPassword secret
# Parameter: CheckInterval
# Default: 60
# Optional
#
# How many seconds should we wait between timeout checks. This is also
# how often the gateway will ping the auth server and how often it will
# update the traffic counters on the auth server. Setting this too low
# wastes bandwidth, setting this too high will cause the gateway to take
# a long time to switch to it's backup auth server(s).
# CheckInterval 60
# Parameter: ClientTimeout
# Default: 5
# Optional
#
# Set this to the desired of number of CheckInterval of inactivity before a client is logged out
# The timeout will be INTERVAL * TIMEOUT
ClientTimeout 5
# Parameter: SSLPeerVerification
# Default: yes
# Optional
#
# Enable peer certificate verification when talking to the auth
# server over SSL/TLS. Disabling this setting is mainly useful if
# you do not want to install ca-certificates.
#
# If this setting is set to yes, then the certificates in
# the directory indicated by SSLCertPath will be used to
# verify the auth server.
#
# This setting requires that WifiDog is compiled with SSL support.
# It will be ignored otherwise.
#
# To disable SSL completely for testing purposes, set SSLAvailable
# to False for the auth server in question. Note that this will disable
# HTTPS when redirecting clients to your auth server.
#
# SSLPeerVerification yes
# Parameter: SSLCertPath
# Default: /etc/ssl/certs/
# Optional
#
# Where to look for SSL certificates to verify the auth servers
# certificate. Note that these will only be used if the auth server
# in question is configured with SSLAvailable yes.
#
# The certificates in this directory must be named by their hash
# value. For OpenWRT, you need a ca-certificates package newer
# than what is shipped in Barrier Breaker (see
# https://dev.openwrt.org/ticket/16537).
#
# This setting requires that WifiDog is compiled with SSL support.
# It will be ignored otherwise.
#
# SSLCertPath /etc/ssl/certs/
# Parameter: SSLAllowedCipherList
# Default: all ciphers supported
# Optional
#
# Which cipher suite to allow. Note that CyaSSL will ignore cipher
# suites that use algorithms that aren't compiled in or cipher
# suites *WITH ERRORS IN THEIR NAMES*.
#
# Please see CyaSSL documentation for allowed values, format is a
# string where the ciphers are separated by colons (:) with no
# spaces. Ciphers are ordered from most desirable to least desirable.
#
# SSLAllowedCipherList ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:AES128-SHA:AES256-SHA
# Parameter: SSLUseSNI
# Default: no
# Optional
#
# Enable SNI (Server Name Indication) TLS extension.
# Enabling this setting is mainly useful if the auth server is hosted
# multiple secure (HTTPS) websites. The WifiDog should indicate which hostname
# it is attempting to connect to at the start of the handshaking process.
#
# This setting requires that WifiDog is compiled with SSL support.
# It will be ignored otherwise.
#
# SSLUseSNI no
# Parameter: TrustedMACList
# Default: none
# Optional
#
# Check DNS health by querying IPs of these hosts
PopularServers kernel.org,ieee.org
# Comma separated list of MAC addresses who are allowed to pass
# through without authentication.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
#TrustedMACList 00:00:DE:AD:BE:AF,00:00:C0:1D:F0:0D
# Parameter: FirewallRuleSet
# Default: none
# Mandatory
#
# Groups a number of FirewallRule statements together.
# Parameter: FirewallRule
# Default: none
#
# Define one firewall rule in a rule set.
# Rule Set: global
#
# Used for rules to be applied to all other rulesets except locked.
FirewallRuleSet global {
# FirewallRule syntax:
# FirewallRule (block|drop|allow|log|ulog) [(tcp|udp|icmp) [port X or port-range X:Y]] [to IP/CIDR]
## To block SMTP out, as it's a tech support nightmare, and a legal liability
#FirewallRule block tcp port 25
## Use the following if you don't want clients to be able to access machines on
## the private LAN that gives internet access to wifidog. Note that this is not
## client isolation; The laptops will still be able to talk to one another, as
## well as to any machine bridged to the wifi of the router.
# FirewallRule block to 192.168.0.0/16
# FirewallRule block to 172.16.0.0/12
# FirewallRule block to 10.0.0.0/8
## This is an example ruleset for the Teliphone service.
#FirewallRule allow udp to 69.90.89.192/27
#FirewallRule allow udp to 69.90.85.0/27
#FirewallRule allow tcp port 80 to 69.90.89.205
## This is an example ruleset for example.com
## example.com means example.com and *.example.com
#FirewallRule allow tcp to example.com
## Use the following if you are having problems with Apple iOS 7 clients.
## See #7 and #14 at https://github.com/wifidog/wifidog-gateway/issues/
#FirewallRule allow tcp to apple.com
#FirewallRule allow tcp to icloud.com
## Use the following to log or ulog the traffic you want to allow or block.
# For OPENWRT: use of these feature requires modules ipt_LOG or ipt_ULOG present in dependencies
# iptables-mod-extra and iptables-mod-ulog (to adapt it to the linux distribution).
# Note: the log or ulog rule must be passed before, the rule you want to match.
# for openwrt: use of these feature requires modules ipt_LOG or ipt_ULOG present in dependencies
# iptables-mod-extra and iptables-mod-ulog
# For example, you want to log (ulog works the same way) the traffic allowed on port 80 to the ip 69.90.89.205:
#FirewallRule log tcp port 80 to 69.90.89.205
#FirewallRule allow tcp port 80 to 69.90.89.205
# And you want to know, who matche your block rule:
#FirewallRule log to 0.0.0.0/0
#FirewallRule block to 0.0.0.0/0
}
# Rule Set: validating-users
#
# Used for new users validating their account
FirewallRuleSet validating-users {
FirewallRule allow to 0.0.0.0/0
}
# Rule Set: known-users
#
# Used for normal validated users.
FirewallRuleSet known-users {
FirewallRule allow to 0.0.0.0/0
}
# Rule Set: auth-is-down
#
# Does nothing when not configured.
#
# Used when auth server is down
#FirewallRuleSet auth-is-down {
# FirewallRule allow to 0.0.0.0/0
#}
# Rule Set: unknown-users
#
# Used for unvalidated users, this is the ruleset that gets redirected.
#
# XXX The redirect code adds the Default DROP clause.
FirewallRuleSet unknown-users {
# Use to-ipset to block or allow externally specified hosts.
# Ipsets are created with the ipset utility. This is useful to
# block or allow hosts at runtime externally.
# For example, if your auth server requires users to log in
# via Facebook, use the ipset feature built into dnsmasq to
# to populate a list of various IPs used by the Facebook networks.
#FirewallRule allow to-ipset fb
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
FirewallRule allow tcp port 67
}
# Rule Set: locked-users
#
# Not currently used
FirewallRuleSet locked-users {
FirewallRule block to 0.0.0.0/0
}