FreeBSD7.0+opengate+ipfw(网页网关认证)Captive Portal(2)

最新推荐文章于 2024-09-24 10:47:43 发布

潜行狙击

最新推荐文章于 2024-09-24 10:47:43 发布

阅读量1.8k

点赞数

分类专栏： linux系统文章标签： freebsd interface ssl apache network module

linux系统专栏收录该内容

42 篇文章 0 订阅

订阅专栏

安装apache22
# cd /usr/ports/www/apache22
# make install clean ; rehash
做一个SSL的private key,因为后面要用的SSL来验证..
# cd /usr/local/etc/apache22
# mkdir ssl.key ssl.crt
# chmod 700 ssl.key ssl.crt
# /usr/bin/openssl genrsa -out /usr/local/etc/apache22/server.key 1024
做一个证书:
# /usr/bin/openssl req -new -x509 -days 365 -key /usr/local/etc/apache22/server.key
-out /usr/local/etc/apache22/server.crt
后面就自己看提示输入东西了.呵呵.只要把证书生成就可以了..
设置apache的SSL:
在/usr/local/etc/apache22/extra/httpd-ssl.conf文件最后添加类似这样来设置SSL的虚拟主
机:
<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/apache22/data"
ServerName gateway.opengate.cn:443
ServerAdmin wawnglin@cqie.cn
ErrorLog "|/usr/bin/logger -p local6.info"
CustomLog "|/usr/bin/logger -p local5.info" combined
SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/etc/apache22/server.crt
SSLCertificateKeyFile /usr/local/etc/apache22/server.key
</VirtualHost>

修改/usr/local/etc/apache22/httpd.conf文件:
①：找到:
#ErrorDocument 404 /missing.html
修改为:
ErrorDocument 404 /

②：找到:
<Directory "/usr/local/www/apache22/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
修改为:
<Directory "/usr/local/www/apache22/cgi-bin">
AllowOverride None
Options None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
③：取消:
AddHandler cgi-script .cgi
AddHandler type-map .var
前的注释.
④：找到:
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
修改为:
<IfModule dir_module>
DirectoryIndex index.html.var index.html
</IfModule>
⑤：设置ServerName这行为你自己的主机名,其实不设置也可以.
我的设置为:
ServerName gateway.opengate.cn
⑥：在httpd.conf最后添加一行:
Include etc/apache22/extra/httpd-ssl.conf
⑦：最后还要做一个软连接:
#ln –s /usr/local/www/apache22/cgi-bin /usr/local/www/cgi-bin
rc.conf文件的基本配置
前期工作做完后,开始设置所有服务启动.我的/etc/rc.conf是这样的:
ns# cat /etc/rc.conf
defaultrouter="192.168.0.1"
font8x14="NO"
font8x16="NO"
font8x8="NO"
gateway_enable="YES"
hostname="ns.opengate.cn"
ifconfig_le0="inet 192.168.0.100 netmask 255.255.255.0"
ifconfig_le1="inet 192.168.15.1 netmask 255.255.255.0"
ipv6_enable="NONE"
keymap="us.iso"
moused_enable="YES"
sshd_enable="YES"
sendmail_enable="NONE"
firewall_enable="YES"
firewall_script="/etc/opengate/rc.firewall"
这行这里暂时你可能看不懂,后面安装好了就知道了.
firewall_type="open"
natd_enable="YES"
natd_interface="le0"
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-c /etc/namedb/named.conf"
dhcpd_enable="YES"
dhcpd_ifaces="le1"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
apache22_enable="YES"
apache22ssl_enable="YES"

安装opengate
http://www.cc.saga-u.ac.jp/opengate/download/opengate1.4.36.tar.gz 下载软件包
#tar zxvf opengate1.4.36.tar.gz
#cd opengate1.4.36
#ee opengatesrv/Makefile
把前面几行如果不是这样的话就改成这样.
WWWTOP = /usr/local/www/apache22
DOCDIR = /data
CGIDIR = /cgi-bin
OPENGATEDIR = /opengate
CONFIGPATH = /etc/opengate
LOCKFILE = /tmp/opengate.lock
#make clean
#make install
#cd /etc/opengate/
#cp opengatesrv.conf.sample opengatesrv.conf
#ee opengatesrv.conf
前面找找最前面几行.自己改一下认证的协议我用的pam就是直接可以用系统帐户.后面有
很多用其他协议认证的方式.自己可以参考例子.如radius ldap等等.
<OpengateServerName>gateway.opengate.cn</OpengateServerName>
<AuthServer>
<Protocol>pam</Protocol>
<Address>192.168.15.1</Address>
<Timeout>10</Timeout>
</AuthServer>
设置ipfw防火墙
这里他是有例子的.但是你自己要稍微修改一下ipfw其实我也不是很熟,只是觉得他的流量
整形有点霸道.
# cd /etc/opengate
# cp rc.firewall.sample rc.firewall
# cat rc.virewall
### set these to your outside interface network and netmask and ip
oif="le0"
onet="192.168.0.0"
omask="255.255.255.0"
oip="192.168.0.100"
### set these to your inside interface network and netmask and ip
iif="le1"
inet="192.168.15.0"
imask="255.255.255.0"
iip="192.168.15.1"
fwcmd="/sbin/ipfw"
### divert packet to NATD
$fwcmd add 1 divert natd ip4 from any to any via ${oif}

### Stop spoofing
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

### Allow from / to myself
$fwcmd add pass all from ${iip} to any via ${iif}
$fwcmd add pass all from ${oip} to any via ${oif}
$fwcmd add pass all from any to ${iip} via ${iif}
$fwcmd add pass all from any to ${oip} via ${oif}

### Allow DNS queries out in the world
### (if DNS is on localhost, delete passDNS)
$fwcmd add pass udp from any 53 to any
$fwcmd add pass udp from any to any 53
$fwcmd add pass tcp from any to any 53
$fwcmd add pass tcp from any 53 to any

### Allow RA RS NS NA Redirect...
$fwcmd add pass ipv6-icmp from any to any