OpenWrt portal authentication

  • Part I: Captive portal types supported by OpenWrt
  • [OpenWrt Wiki] Captive portals (splash pages for free or paid WiFi)
  • 1. CoovaChilli Captive Portal
  • Purpose: CoovaChilli is a very powerful open-source captive portal that is widely used on public Wi-Fi networks. It was developed as an extension of the original ChilliSpot project and supports complex authentication flows with protocols such as RADIUS, PAP and CHAP, integrating with external authentication servers such as FreeRADIUS. It also supports QoS and bandwidth control.
  • Use cases: CoovaChilli is widely deployed in large public Wi-Fi environments such as hotels, shopping malls and airports, where complex authentication, billing and user management are required.
  • Advantages: powerful, suited to complex network environments, supports multiple authentication methods and billing models; the community is active and development continues.
  • Disadvantages: configuration and management are complex, with a steep learning curve.
  • 2. Nodogsplash (Outdated Document) & NoDogSplash Captive Portal
  • Purpose: NoDogSplash is a lightweight captive portal tool mainly used for simple wireless network access control. It intercepts the user's initial HTTP request, redirects it to a custom login or welcome page, and lets the user's traffic through once authenticated. NoDogSplash originated from Nodogsplash, a project that is no longer maintained.
  • Use cases: NoDogSplash suits small to medium networks, in particular small public Wi-Fi deployments that do not need complex authentication, such as coffee shops or small community wireless networks.
  • Advantages: simple to install and configure, lightweight, and suitable for routers or embedded devices with limited resources.
  • Disadvantages: limited functionality; not suited to large networks that need complex authentication and user management.
  • 3. OpenNDS Captive Portal
  • Purpose: OpenNDS is the evolution of NoDogSplash and offers a more modern and efficient solution. Like NoDogSplash, it captures the user's initial request and redirects it to a login or authentication page. OpenNDS adds features such as enhanced API support, multi-user management and flexible configuration files.
  • Use cases: OpenNDS is for deployments that need more performance than NoDogSplash while still targeting small and medium public Wi-Fi networks: small hotels, community Wi-Fi, or sites that need basic user management and authentication.
  • Advantages: more extensible than NoDogSplash, supports more authentication methods and features, and is better optimised for performance.
  • Disadvantages: the added features bring added complexity and may require more configuration and management experience.
  • 4. WiFiDog Captive Portal (Defunct)
  • Purpose: WiFiDog is an early captive portal that was once widely used in open-source wireless networks. It intercepts user requests and redirects them to an authentication page; only after logging in can the user reach the Internet. Its feature set is relatively basic, but it supports third-party authentication services.
  • Use cases: WiFiDog was mainly used in small to medium networks that need simple authentication or user statistics. Because the project is no longer maintained, it is used less and less.
  • Advantages: the original design is simple and stable, which made it well suited to small business or community Wi-Fi networks.
  • Disadvantages: the project is no longer maintained, so its security and stability may fall behind modern alternatives, and its features are dated.
  • Summary of main differences and use cases
  • Feature complexity and target scale
    • CoovaChilli: the most powerful; suited to complex authentication flows and large public Wi-Fi environments (hotels, shopping malls, airports).
    • NoDogSplash: lightweight and simple; suited to small Wi-Fi networks with limited resources (coffee shops, small communities).
    • OpenNDS: sits between the two in complexity; suited to small and medium public Wi-Fi, with more flexible user management.
    • WiFiDog: suited to smaller networks, but since the project is discontinued it is not recommended for new deployments.
  • Community and updates
    • CoovaChilli and OpenNDS have fairly active communities and are updated continuously.
    • NoDogSplash is a relatively stable lightweight option.
    • WiFiDog has been discontinued; users should consider moving to another solution.
  • Summary by use case:
  • Small networks (coffee shops, small offices): NoDogSplash, OpenNDS
  • Medium networks (small hotels, community Wi-Fi): OpenNDS, CoovaChilli
  • Large networks (airports, shopping centres, hotels): CoovaChilli
  • Part II: Adapting OpenNDS
  • A. OpenNDS build on the OpenWrt side
  • Step 1: Install OpenNDS
  1. Log in to OpenWrt: ssh root@your-openwrt-ip
  2. Update the OpenWrt package list: opkg update
  3. Install OpenNDS with opkg: opkg install opennds
  4. Configure OpenNDS (the key configuration parameters are listed in Step 2).
  5. Save and exit the editor.
  6. Restart OpenNDS so the changes take effect: /etc/init.d/opennds restart
  • Step 2: Configure OpenNDS
  • Edit the opennds configuration file
  • Open the OpenNDS configuration file with your preferred editor (for example vi):
  • sudo vi /etc/config/opennds
  • You need to change the following key parameters:
  • fasremoteip: set to the IP address of the remote FAS server.
  • fasremotefqdn: set to the fully qualified domain name (FQDN) of the remote FAS server.
  • fasport: the port of the FAS server, usually 443 (with HTTPS) or 80 (with HTTP).
  • faskey: the pre-shared key (PSK) used to protect FAS communication; the FAS server must be configured with the same key to decrypt it.
  • fas_secure_enabled: set to 2 or 3 to enable AES-256 encrypted communication; at level 3, HTTPS is also required for the connection.
  • Save and exit the editor.
  • Restart the OpenNDS service (OpenWrt uses init scripts rather than systemd, as in Step 1):
  • /etc/init.d/opennds restart
  • B. Setting up the web server
  • Install the Apache web server
  • Since the FAS is usually a web-based service, first install Apache:
  • sudo apt install apache2
  • Make sure the Apache service is running and enabled at boot:
  • sudo systemctl enable apache2
  • sudo systemctl start apache2
  • Create the FAS script directory
  • sudo mkdir /var/www/html/fas
  • Write the PHP file
  • Create and edit fas.php in the /var/www/html/fas/ directory (the script provided by the project can be dropped in directly)
  • The example scripts shipped with OpenNDS (fas-hid.php, fas-aes.php, fas-hid-https.php and fas-aes-https.php) show how to handle Forward Authentication Service (FAS) authentication at different security levels. Their roles are:
  • fas-hid.php: this script is for systems with limited resources, in particular devices that cannot run PHP themselves. It runs over plain HTTP and supports remote FAS authentication. It is meant for environments with lower security requirements: the token passed between client and server is not encrypted, so it is appropriate for local systems where security demands are low.
  • <?php
    /* (c) Blue Wave Projects and Services 2015-2023. This software is released under the GNU GPL license.
    
     This is a FAS script designed to provide an http login sequence served from an **Internet hosted** http web server supporting PHP
     It is an example of remote Forward Authentication for openNDS (NDS) that **does not require PHP support on the openNDS router**.
     It is the **http only** version of the example fas-hid scripts.
     It is less secure than the aes encrypted version (fas-aes.php), but with openNDS installed on routers with severe resource limitations, it is more likely to work.
    
     The following NDS configurations must be set:
     1. fasport: Set to the port number the remote webserver is using (typically port 80)
    
     2. faspath: This is the path from the FAS Web Root to the location of this FAS script (not from the file system root).
    	eg. /nds/fas-hid.php
    
     3. fasremoteip: The remote IPv4 address of the remote server eg. 46.32.240.41
    
     4. fasremotefqdn: The fully qualified domain name of the remote web server.
    	This is required in the case of a shared web server (ie. a server that hosts multiple domains on a single IP),
    	but is optional for a dedicated web server (ie. a server that hosts only a single domain on a single IP).
    	eg. onboard-wifi.net
    
     5. faskey: Matching $key as set in this script (see below this introduction).
    	This is a key phrase for NDS to encrypt the query string sent to FAS.
    	It can be any combination of A-Z, a-z and 0-9, with no white space.
    	eg 1234567890
    
     6. fas_secure_enabled:  set to level 1
    	The NDS parameters: clientip, clientmac, gatewayname, hid and redir
    	are passed to FAS in the query string.
    
    
     This script requires the client user to enter their Fullname and email address. This information is stored in a log file kept
     in /tmp or the same folder as this script.
    
     This script requests the client CPD to display the NDS splash.jpg image directly from the 
    	/etc/opennds/htdocs/images folder of the NDS device.
    
     This script displays an example Terms of Service. You should modify this for your local legal juristiction
    
    */
    
    // Allow immediate flush to browser
    if (ob_get_level()){ob_end_clean();}
    
    #####################################################################################
    // The pre-shared key "faskey" (this must be the same as in the openNDS config):
    $key="1234567890";
    #####################################################################################
    
    // Setup some basics:
    date_default_timezone_set("UTC");
    
    $fullname=$email=$gatewayname=$clientip=$gatewayaddress=$hid=$gatewaymac=$clientif=$redir=$client_zone="";
    
    //Parse the querystring
    
    //Decode and Parse the querystring
    
    if (isset($_GET['status'])) {
    	$redir=$_GET['redir'];
    	$redir_r=explode("fas=", $redir);
    	$fas=$redir_r[1];
    } else if (isset($_GET['fas']))  {
    	$fas=$_GET['fas'];
    } else {
    	exit(0);
    }
    
    if (isset($fas)) {
    	$decoded=base64_decode($fas);
    	$dec_r=explode(", ",$decoded);
    
    	foreach ($dec_r as $dec) {
    		@list($name,$value)=explode("=",$dec);
    		if ($name == "clientip") {$clientip=$value;}
    		if ($name == "clientmac") {$clientmac=$value;}
    		if ($name == "gatewayname") {$gatewayname=$value;}
    		if ($name == "gatewayurl") {$gatewayurl=rawurldecode($value);}
    		if ($name == "version") {$version=$value;}
    		if ($name == "hid") {$hid=$value;}
    		if ($name == "client_type") {$client_type=$value;}
    		if ($name == "gatewayaddress") {$gatewayaddress=$value;}
    		if ($name == "gatewaymac") {$gatewaymac=$value;}
    		if ($name == "authdir") {$authdir=$value;}
    		if ($name == "originurl") {$originurl=$value;}
    		if ($name == "cpi_query") {$cpi_query=$value;}
    		if ($name == "clientif") {$clientif=$value;}
    		if ($name == "admin_email") {$admin_email=$value;}
    		if ($name == "location") {$location=$value;}
    	}
    }
    
    // Work out the client zone:
    $client_zone_r=explode(" ",trim($clientif));
    
    if ( ! isset($client_zone_r[1])) {
    	$client_zone="LocalZone:".$client_zone_r[0];
    } else {
    	$client_zone="MeshZone:".str_replace(":","",$client_zone_r[1]);
    }
    
    // Set the path to an image to display. This must be accessible to the client (hint: set up a Walled Garden if you want an Internet based image).
    $imagepath="http://$gatewayaddress/images/splash.jpg";
    
    #######################################################
    //Start Outputting the requested responsive page:
    #######################################################
    
    splash_header();
    
    if (isset($_GET["terms"])) {
    	// ToS requested
    	display_terms();
    	footer();
    } elseif (isset($_GET["status"])) {
    	// The status page is triggered by a client if already authenticated by openNDS (eg by clicking "back" on their browser)
    	status_page();
    	footer();
    } elseif (isset($_GET["landing"])) {
    	// The landing page is served to the client immediately after openNDS authentication, but many CPDs will immediately close
    	landing_page();
    	footer();
    } else {
    	login_page();
    	footer();
    }
    
    // Functions:
    function thankyou_page() {
    	# Output the "Thankyou page" with a continue button
    	# You could include information or advertising on this page
    	# Be aware that many devices will close the login browser as soon as
    	# the client taps continue, so now is the time to deliver your message.
    
    	$me=$_SERVER['SCRIPT_NAME'];
    	$host=$_SERVER['HTTP_HOST'];
    	$fas=$GLOBALS["fas"];
    	$clientip=$GLOBALS["clientip"];
    	$gatewayname=$GLOBALS["gatewayname"];
    	$gatewayaddress=$GLOBALS["gatewayaddress"];
    	$gatewaymac=$GLOBALS["gatewaymac"];
    	$key=$GLOBALS["key"];
    	$hid=$GLOBALS["hid"];
    	$clientif=$GLOBALS["clientif"];
    	$client_zone=$GLOBALS["client_zone"];
    	$originurl=$GLOBALS["originurl"];
    	$fullname=$_GET["fullname"];
    	$email=$_GET["email"];
    
    	$authaction="http://$gatewayaddress/opennds_auth/";
    	$redir="http://".$host.$me."?fas=$fas&landing=1";
    	$tok=hash('sha256', $hid.$key);
    
    	/*	You can also send a custom data string to BinAuth. Set the variable $custom to the desired value
    		It can contain any information that could be used for post authentication processing
    		eg. the values set per client for Time, Data and Data Rate quotas can be sent to BinAuth for a custom script to use
    		This string will be b64 encoded before sending to binauth and will appear in the output of ndsctl json
    	*/
    
    	$custom="fullname=$fullname, email=$email";
    	$custom=base64_encode($custom);
    
    
    	echo "
    		<big-red>
    			Thankyou!
    		</big-red>
    		<br>
    		<b>Welcome $fullname</b>
    		<br>
    		<med-blue>You are connected to $client_zone</med-blue><br>
    		<italic-black>
    			Your News or Advertising could be here, contact the owners of this Hotspot to find out how!
    		</italic-black>
    		<form action=\"".$authaction."\" method=\"get\">
    			<input type=\"hidden\" name=\"tok\" value=\"".$tok."\">
    			<input type=\"hidden\" name=\"custom\" value=\"$custom\">
    			<input type=\"hidden\" name=\"redir\" value=\"".$redir."\"><br>
    			<input type=\"submit\" value=\"Continue\" >
    		</form>
    		<hr>
    	";
    
    	read_terms();
    	flush();
    	write_log();
    }
    
    function write_log() {
    	# In this example we have decided to log all clients who are granted access
    	# Note: the web server daemon must have read and write permissions to the folder defined in $logpath
    	# By default $logpath is null so the logfile will be written to the folder this script resides in,
    	# or the /tmp directory if on the NDS router
    
    	if (file_exists("/etc/config/opennds")) {
    		$logpath="/tmp/";
    	} elseif (file_exists("/etc/opennds/opennds.conf")) {
    		$logpath="/run/";
    	} else {
    		$logpath="";
    	}
    
    	if (!file_exists("$logpath"."ndslog")) {
    		mkdir("$logpath"."ndslog", 0700);
    	}
    
    	$me=$_SERVER['SCRIPT_NAME'];
    	$script=basename($me, '.php');
    	$host=$_SERVER['HTTP_HOST'];
    	$user_agent=$_SERVER['HTTP_USER_AGENT'];
    	$clientip=$GLOBALS["clientip"];
    	$clientmac=$GLOBALS["clientmac"];
    	$client_type=$GLOBALS["client_type"];
    	$gatewayname=$GLOBALS["gatewayname"];
    	$gatewayaddress=$GLOBALS["gatewayaddress"];
    	$gatewaymac=$GLOBALS["gatewaymac"];
    	$clientif=$GLOBALS["clientif"];
    	$originurl=$GLOBALS["originurl"];
    	$redir=rawurldecode($originurl);
    	$cpi_query=$GLOBALS["cpi_query"];
    	$fullname=$_GET["fullname"];
    	$email=$_GET["email"];
    
    	$log=date('Y-m-d H:i:s', $_SERVER['REQUEST_TIME']).
    		", $script, $gatewayname, $fullname, $email, $clientip, $clientmac, $client_type, $clientif, $user_agent, $cpi_query, $redir\n";
    
    	if ($logpath == "") {
    		$logfile="ndslog/ndslog_log.php";
    
    		if (!file_exists($logfile)) {
    			@file_put_contents($logfile, "<?php exit(0); ?>\n");
    		}
    	} else {
    		$logfile="$logpath"."ndslog/ndslog.log";
    	}
    
    	@file_put_contents($logfile, $log,  FILE_APPEND );
    }
    
    function login_page() {
    	$fullname=$email="";
    	$me=$_SERVER['SCRIPT_NAME'];
    	$fas=$_GET["fas"];
    	$clientip=$GLOBALS["clientip"];
    	$clientmac=$GLOBALS["clientmac"];
    	$gatewayname=$GLOBALS["gatewayname"];
    	$gatewayaddress=$GLOBALS["gatewayaddress"];
    	$gatewaymac=$GLOBALS["gatewaymac"];
    	$clientif=$GLOBALS["clientif"];
    	$client_zone=$GLOBALS["client_zone"];
    	$originurl=$GLOBALS["originurl"];
    
    	if (isset($_GET["fullname"])) {
    		$fullname=ucwords($_GET["fullname"]);
    	}
    
    	if (isset($_GET["email"])) {
    		$email=$_GET["email"];
    	}
    
    	if ($fullname == "" or $email == "") {
    		echo "
    			<big-red>Welcome!</big-red><br>
    			<med-blue>You are connected to $client_zone</med-blue><br>
    			<b>Please enter your Full Name and Email Address</b>
    		";
    
    		if (! isset($_GET['fas']))  {
    			echo "<br><b style=\"color:red;\">ERROR! Incomplete data passed from NDS</b>\n";
    		} else {
    			echo "
    				<form action=\"$me\" method=\"get\" >
    					<input type=\"hidden\" name=\"fas\" value=\"$fas\">
    					<hr>Full Name:<br>
    					<input type=\"text\" name=\"fullname\" value=\"$fullname\">
    					<br>
    					Email Address:<br>
    					<input type=\"email\" name=\"email\" value=\"$email\">
    					<br><br>
    					<input type=\"submit\" value=\"Accept Terms of Service\">
    				</form>
    				<hr>
    			";
    
    			read_terms();
    			flush();
    		}
    	} else {
    		thankyou_page();
    	}
    }
    
    function status_page() {
    	$me=$_SERVER['SCRIPT_NAME'];
    	$clientip=$GLOBALS["clientip"];
    	$clientmac=$GLOBALS["clientmac"];
    	$gatewayname=$GLOBALS["gatewayname"];
    	$gatewayaddress=$GLOBALS["gatewayaddress"];
    	$gatewaymac=$GLOBALS["gatewaymac"];
    	$clientif=$GLOBALS["clientif"];
    	$client_zone=$GLOBALS["client_zone"];
    	$originurl=$GLOBALS["originurl"];
    	$redir=rawurldecode($originurl);
    
    	// Is the client already logged in?
    	if ($_GET["status"] == "authenticated") {
    		echo "
    			<med-blue>You are connected to $client_zone</med-blue><br>
    			<p><big-red>You are already logged in and have access to the Internet.</big-red></p>
    			<hr>
    			<p><italic-black>You can use your Browser, Email and other network Apps as you normally would.</italic-black></p>
    		";
    
    		read_terms();
    
    		echo "
    			<p>
    			Your device originally requested <b>$redir</b>
    			<br>
    			Click or tap Continue to go to there.
    			</p>
    			<form>
    				<input type=\"button\" VALUE=\"Continue\" onClick=\"location.href='".$redir."'\" >
    			</form>
    		";
    	} else {
    		echo "
    			<p><big-red>ERROR 404 - Page Not Found.</big-red></p>
    			<hr>
    			<p><italic-black>The requested resource could not be found.</italic-black></p>
    		";
    	}
    	flush();
    }
    
    function landing_page() {
    	$me=$_SERVER['SCRIPT_NAME'];
    	$fas=$_GET["fas"];
    	$originurl=$GLOBALS["originurl"];
    	$gatewayaddress=$GLOBALS["gatewayaddress"];
    	$gatewayname=$GLOBALS["gatewayname"];
    	$gatewayurl=$GLOBALS["gatewayurl"];
    	$clientif=$GLOBALS["clientif"];
    	$client_zone=$GLOBALS["client_zone"];
    	$redir=rawurldecode($originurl);
    
    	echo "
    		<med-blue>You are connected to $client_zone</med-blue><br>
    		<p>
    			<big-red>
    				You are now logged in and have been granted access to the Internet.
    			</big-red>
    		</p>
    		<hr>
    		<p>
    			<italic-black>
    				You can use your Browser, Email and other network Apps as you normally would.
    			</italic-black>
    		</p>
    		<p>
    		(Your device originally requested $redir)
    		<hr>
    		Click or tap Continue to show the status of your account.
    		</p>
    		<form>
    			<input type=\"button\" VALUE=\"Continue\" onClick=\"location.href='".$gatewayurl."'\" >
    		</form>
    		<hr>
    	";
    
    	read_terms();
    	flush();
    }
    
    function splash_header() {
    	$gatewayname=$GLOBALS["gatewayname"];
    	$imagepath=$GLOBALS["imagepath"];
    	$gatewayname=htmlentities(rawurldecode($gatewayname), ENT_HTML5, "UTF-8", FALSE);
    
    	// Add headers to stop browsers from cacheing 
    	header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    	header("Cache-Control: no-cache");
    	header("Pragma: no-cache");
    
    	// Output the common header html
    	echo "<!DOCTYPE html>\n<html>\n<head>
    		<meta charset=\"utf-8\" />
    		<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">
    		<link rel=\"shortcut icon\" href=$imagepath type=\"image/x-icon\">
    		<title>$gatewayname</title>
    		<style>
    	";
    
    	insert_css();
    
    	echo "
    		</style>
    		</head>
    		<body>
    		<div class=\"offset\">
    		<med-blue>
    			$gatewayname
    		</med-blue><br>
    		<div class=\"insert\">
    	";
    	flush();
    }
    
    function footer() {
    	$imagepath=$GLOBALS["imagepath"];
    	$version=$GLOBALS["version"];
    	$year=date("Y");
    	echo "
    		<hr>
    		<div style=\"font-size:0.5em;\">
    			<img style=\"height:60px; width:60px; float:left;\" src=\"$imagepath\" alt=\"Splash Page: For access to the Internet.\">
    			&copy; The openNDS Project 2015 - $year<br>
    			Portal Version: $version
    			<br><br><br><br>
    		</div>
    		</div>
    		</div>
    		</body>
    		</html>
    	";
    	exit(0);
    }
    
    function read_terms() {
    	#terms of service button
    	$me=$_SERVER['SCRIPT_NAME'];
    	$fas=$GLOBALS["fas"];
    	echo "
    		<form action=\"$me\" method=\"get\">
    			<input type=\"hidden\" name=\"fas\" value=\"$fas\">
    			<input type=\"hidden\" name=\"terms\" value=\"yes\">
    			<input type=\"submit\" value=\"Read Terms of Service\" >
    		</form>
    	";
    }
    
    function display_terms () {
    	# This is the all important "Terms of service"
    	# Edit this long winded generic version to suit your requirements.
    	####
    	# WARNING #
    	# It is your responsibility to ensure these "Terms of Service" are compliant with the REGULATIONS and LAWS of your Country or State.
    	# In most locations, a Privacy Statement is an essential part of the Terms of Service.
    	####
    
    	#Privacy
    	echo "
    		<b style=\"color:red;\">Privacy.</b><br>
    		<b>
    			By logging in to the system, you grant your permission for this system to store any data you provide for
    			the purposes of logging in, along with the networking parameters of your device that the system requires to function.<br>
    			All information is stored for your convenience and for the protection of both yourself and us.<br>
    			All information collected by this system is stored in a secure manner and is not accessible by third parties.<br>
    			In return, we grant you FREE Internet access.
    		</b><hr>
    	";
    
    	# Terms of Service
    	echo "
    		<b style=\"color:red;\">Terms of Service for this Hotspot.</b> <br>
    
    		<b>Access is granted on a basis of trust that you will NOT misuse or abuse that access in any way.</b><hr>
    
    		<b>Please scroll down to read the Terms of Service in full or click the Continue button to return to the Acceptance Page</b>
    
    		<form>
    			<input type=\"button\" VALUE=\"Continue\" onClick=\"history.go(-1);return true;\">
    		</form>
    	";
    
    	# Proper Use
    	echo "
    		<hr>
    		<b>Proper Use</b>
    
    		<p>
    			This Hotspot provides a wireless network that allows you to connect to the Internet. <br>
    			<b>Use of this Internet connection is provided in return for your FULL acceptance of these Terms Of Service.</b>
    		</p>
    
    		<p>
    			<b>You agree</b> that you are responsible for providing security measures that are suited for your intended use of the Service.
    			For example, you shall take full responsibility for taking adequate measures to safeguard your data from loss.
    		</p>
    
    		<p>
    			While the Hotspot uses commercially reasonable efforts to provide a secure service,
    			the effectiveness of those efforts cannot be guaranteed.
    		</p>
    
    		<p>
    			<b>You may</b> use the technology provided to you by this Hotspot for the sole purpose
    			of using the Service as described here.
    			You must immediately notify the Owner of any unauthorized use of the Service or any other security breach.<br><br>
    			We will give you an IP address each time you access the Hotspot, and it may change.
    			<br>
    			<b>You shall not</b> program any other IP or MAC address into your device that accesses the Hotspot.
    			You may not use the Service for any other reason, including reselling any aspect of the Service.
    			Other examples of improper activities include, without limitation:
    		</p>
    
    			<ol>
    				<li>
    					downloading or uploading such large volumes of data that the performance of the Service becomes
    					noticeably degraded for other users for a significant period;
    				</li>
    
    				<li>
    					attempting to break security, access, tamper with or use any unauthorized areas of the Service;
    				</li>
    
    				<li>
    					removing any copyright, trademark or other proprietary rights notices contained in or on the Service;
    				</li>
    
    				<li>
    					attempting to collect or maintain any information about other users of the Service
    					(including usernames and/or email addresses) or other third parties for unauthorized purposes;
    				</li>
    
    				<li>
    					logging onto the Service under false or fraudulent pretenses;
    				</li>
    
    				<li>
    					creating or transmitting unwanted electronic communications such as SPAM or chain letters to other users
    					or otherwise interfering with other user's enjoyment of the service;
    				</li>
    
    				<li>
    					transmitting any viruses, worms, defects, Trojan Horses or other items of a destructive nature; or
    				</li>
    
    				<li>
    					using the Service for any unlawful, harassing, abusive, criminal or fraudulent purpose.
    				</li>
    			</ol>
    	";
    
    	# Content Disclaimer
    	echo "
    		<hr>
    		<b>Content Disclaimer</b>
    
    		<p>
    			The Hotspot Owners do not control and are not responsible for data, content, services, or products
    			that are accessed or downloaded through the Service.
    			The Owners may, but are not obliged to, block data transmissions to protect the Owner and the Public.
    		</p>
    
    		The Owners, their suppliers and their licensors expressly disclaim to the fullest extent permitted by law,
    		all express, implied, and statutary warranties, including, without limitation, the warranties of merchantability
    		or fitness for a particular purpose.
    		<br><br>
    		The Owners, their suppliers and their licensors expressly disclaim to the fullest extent permitted by law
    		any liability for infringement of proprietory rights and/or infringement of Copyright by any user of the system.
    		Login details and device identities may be stored and be used as evidence in a Court of Law against such users.
    		<br>
    	";
    
    	# Limitation of Liability
    	echo "
    
    		<hr><b>Limitation of Liability</b>
    
    		<p>
    			Under no circumstances shall the Owners, their suppliers or their licensors be liable to any user or
    			any third party on account of that party's use or misuse of or reliance on the Service.
    		</p>
    
    		<hr><b>Changes to Terms of Service and Termination</b>
    
    		<p>
    			We may modify or terminate the Service and these Terms of Service and any accompanying policies,
    			for any reason, and without notice, including the right to terminate with or without notice,
    			without liability to you, any user or any third party. Please review these Terms of Service
    			from time to time so that you will be apprised of any changes.
    		</p>
    
    		<p>
    			We reserve the right to terminate your use of the Service, for any reason, and without notice.
    			Upon any such termination, any and all rights granted to you by this Hotspot Owner shall terminate.
    		</p>
    	";
    
    	# Inemnity
    	echo "
    		<hr><b>Indemnity</b>
    
    		<p>
    			<b>You agree</b> to hold harmless and indemnify the Owners of this Hotspot,
    			their suppliers and licensors from and against any third party claim arising from
    			or in any way related to your use of the Service, including any liability or expense arising from all claims,
    			losses, damages (actual and consequential), suits, judgments, litigation costs and legal fees, of every kind and nature.
    		</p>
    
    		<hr>
    		<form>
    			<input type=\"button\" VALUE=\"Continue\" onClick=\"history.go(-1);return true;\">
    		</form>
    	";
    	flush();
    }
    
    function insert_css() {
    	echo "
    	body {
    		background-color: lightgrey;
    		color: #140f07;
    		margin: 0;
    		padding: 10px;
    		font-family: sans-serif;
    	}
    
    	hr {
    		display:block;
    		margin-top:0.5em;
    		margin-bottom:0.5em;
    		margin-left:auto;
    		margin-right:auto;
    		border-style:inset;
    		border-width:5px;
    	}
    
    	.offset {
    		background: rgba(300, 300, 300, 0.6);
    		border-radius: 10px;
    		margin-left:auto;
    		margin-right:auto;
    		max-width:600px;
    		min-width:200px;
    		padding: 5px;
    	}
    
    	.insert {
    		background: rgba(350, 350, 350, 0.7);
    		border: 2px solid #aaa;
    		border-radius: 10px;
    		min-width:200px;
    		max-width:100%;
    		padding: 5px;
    	}
    
    	.insert > h1 {
    		font-size: medium;
    		margin: 0 0 15px;
    	}
    
    	img {
    		width: 40%;
    		max-width: 180px;
    		margin-left: 0%;
    		margin-right: 10px;
    		border-radius: 3px;
    	}
    
    	input[type=text], input[type=email], input[type=password], input[type=number], input[type=tel] {
    		font-size: 1em;
    		line-height: 2em;
    		height: 2em;
    		color: #0c232a;
    		background: lightgrey;
    	}
    
    	input[type=submit], input[type=button] {
    			font-size: 1em;
    		line-height: 2em;
    		height: 2em;
    		font-weight: bold;
    		border: 0;
    		border-radius: 10px;
    		background-color: #1a7856;
    		padding: 0 10px;
    		color: #fff;
    		cursor: pointer;
    		box-shadow: rgba(50, 50, 93, 0.1) 0 0 0 1px inset,
    		rgba(50, 50, 93, 0.1) 0 2px 5px 0, rgba(0, 0, 0, 0.07) 0 1px 1px 0;
    	}
    
    	med-blue {
    		font-size: 1.2em;
    		color: #0073ff;
    		font-weight: bold;
    		font-style: normal;
    	}
    
    	big-red {
    		font-size: 1.5em;
    		color: #c20801;
    		font-weight: bold;
    	}
    
    	italic-black {
    		font-size: 1em;
    		color: #0c232a;
    		font-weight: bold;
    		font-style: italic;
    		margin-bottom: 10px;
    	}
    
    	copy-right {
    		font-size: 0.7em;
    		color: darkgrey;
    		font-weight: bold;
    		font-style: italic;
    	}
    
    	";
    	flush();
    }
    
    ?>
    
  • fas-aes.php: this script introduces AES-256 encryption of the client's sensitive data (IP address, MAC address and so on). Transport is still HTTP, but the encryption strengthens security, so it suits scenarios that need more protection but not HTTPS. Together these scripts offer different security tiers, from simple local systems to secured remote environments; choose the script that matches your network environment and security requirements.
  • fas-hid-https.php: this script requires HTTPS, so all data between the client and the remote FAS server is encrypted in transit. Because it depends on HTTPS it cannot run on the local network; it is meant to be hosted on a remote server on the Internet for high-security transport.
  • fas-aes-https.php: like fas-aes.php, but it requires HTTPS. Besides AES-256 encrypting the data, it enforces HTTPS for transport, suiting environments with higher security requirements. It can also use the authmon daemon, which allows authentication to be handled across firewalls or NAT.
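The exchange that the Step 2 parameters configure and that the fas-hid.php script above implements, modelled end to end as an added Python example (not code from this page or from the openNDS project). It assumes: the fasremoteip/fasremotefqdn/fasport/faspath/faskey options in a constructed /etc/config/opennds fragment; that the gateway derives hid = sha256(tok) from its per-client token (the script above only shows the FAS half, tok = sha256(hid + faskey)); and the "name=value, name=value" payload layout that fas-hid.php decodes from the base64 fas= parameter. Gateway side, FAS side and the final verification all run in one process, so a mismatched faskey can be seen to fail offline.

```python
"""Model of the openNDS fas_secure_enabled=1 (hashed-id) FAS exchange.

Constructed example: gateway (openNDS) and FAS are both simulated here.
Assumed: hid = sha256(tok) on the gateway, tok_fas = sha256(hid + faskey)
on the FAS (as in fas-hid.php), payload layout "name=value, name=value".
"""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed /etc/config/opennds fragment (sample values, not a real deployment).
UCI_SAMPLE = """
config opennds
	option enabled '1'
	option fas_secure_enabled '1'
	option fasremoteip '192.0.2.10'
	option fasremotefqdn 'fas.example.net'
	option fasport '80'
	option faspath '/fas/fas-hid.php'
	option faskey '1234567890'
"""

# Charset required for faskey by the fas-hid.php header comment: A-Z, a-z, 0-9, no whitespace.
FASKEY_RE = re.compile(r"^[A-Za-z0-9]+$")


def parse_uci(text):
    """Return the option name/value pairs of a single UCI section as a dict."""
    return dict(re.findall(r"option\s+(\w+)\s+'([^']*)'", text))


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def gateway_redirect(cfg, clientip, clientmac, originurl, gatewayaddress="192.168.1.1:2050"):
    """Gateway side: mint a client token and build the FAS redirect URL.

    Returns (tok, url). tok never leaves the gateway; only hid = sha256(tok) does.
    """
    if not FASKEY_RE.match(cfg["faskey"]):
        raise ValueError("faskey must be A-Z, a-z, 0-9 with no whitespace")
    tok = secrets.token_hex(8)
    fields = [
        ("clientip", clientip),
        ("clientmac", clientmac),
        ("gatewayname", "OpenNDS"),
        ("gatewayaddress", gatewayaddress),
        ("hid", sha256_hex(tok)),
        ("originurl", quote(originurl, safe="")),  # url-encoded, so ", " cannot occur inside
    ]
    payload = ", ".join(f"{k}={v}" for k, v in fields)
    fas = base64.b64encode(payload.encode()).decode()
    host = cfg.get("fasremotefqdn") or cfg["fasremoteip"]
    url = f"http://{host}:{cfg['fasport']}{cfg['faspath']}?{urlencode({'fas': fas})}"
    return tok, url


def fas_handle(url, faskey, custom="fullname=Alice, email=alice@example.net"):
    """FAS side: decode the fas= payload and build the gateway's /opennds_auth/ URL."""
    qs = parse_qs(urlsplit(url).query)
    payload = base64.b64decode(qs["fas"][0]).decode()
    params = dict(item.split("=", 1) for item in payload.split(", "))
    if "hid" not in params or "gatewayaddress" not in params:
        raise ValueError("incomplete data passed from NDS")
    tok_fas = sha256_hex(params["hid"] + faskey)
    query = urlencode({
        "tok": tok_fas,
        "custom": base64.b64encode(custom.encode()).decode(),  # BinAuth data is b64, as in fas-hid.php
        "redir": unquote(params["originurl"]),
    })
    return f"http://{params['gatewayaddress']}/opennds_auth/?{query}"


def gateway_verify(auth_url, tok, faskey):
    """Gateway side: grant access only if tok == sha256(sha256(tok) + faskey)."""
    qs = parse_qs(urlsplit(auth_url).query)
    expected = sha256_hex(sha256_hex(tok) + faskey)
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(qs.get("tok", [""])[0], expected)


def round_trip(faskey_on_fas):
    """Full exchange; the FAS uses faskey_on_fas, the gateway its configured faskey."""
    cfg = parse_uci(UCI_SAMPLE)
    tok, url = gateway_redirect(cfg, "192.168.1.23", "aa:bb:cc:dd:ee:ff", "http://example.org/")
    auth_url = fas_handle(url, faskey_on_fas)
    return gateway_verify(auth_url, tok, cfg["faskey"])


if __name__ == "__main__":
    print("matching faskey   ->", round_trip("1234567890"))  # True
    print("mismatched faskey ->", round_trip("wrong-key"))   # False
```

The point the model makes visible is that at this level the only secret is faskey: the client token never transits, the FAS can only produce an acceptable tok if it holds the same key, and a FAS configured with a different key is rejected by the gateway. It also mirrors the two defensive details worth keeping in a real FAS: refuse to build an auth URL from an incomplete payload, and base64-encode the custom BinAuth string before putting it in a URL.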
  • <?php
    /* Minimal FAS derived from fas-hid.php: it answers the openNDS redirect by
       computing the return token and sending the client straight to the
       gateway's authentication URL, without showing a splash page. */

    header("Cache-Control: no-cache, no-store, must-revalidate");
    header("Pragma: no-cache");
    header("Expires: 0");

    // Pre-shared key faskey (shared by OpenNDS and the FAS)
    $faskey = 'your_pre_shared_key';  // replace with the faskey configured in OpenNDS
    $authdir = "opennds_auth";

    $gatewayaddress = $redir = $hid = "";

    // Get the variables passed by NDS. Current openNDS passes them base64-encoded in the
    // "fas" parameter, in the "name=value, name=value" layout decoded by fas-hid.php above;
    // fall back to plain GET parameters otherwise.
    if (isset($_GET['fas'])) {
        foreach (explode(", ", base64_decode($_GET['fas'])) as $item) {
            @list($name, $value) = explode("=", $item, 2);
            if ($name == "gatewayaddress") {$gatewayaddress = $value;}
            if ($name == "originurl") {$redir = rawurldecode($value);}
            if ($name == "hid") {$hid = $value;}
        }
    } else {
        $gatewayaddress = isset($_GET['gatewayaddress']) ? $_GET['gatewayaddress'] : '';
        $redir = isset($_GET['redir']) ? $_GET['redir'] : '';
        #$clientip = isset($_GET['clientip']) ? $_GET['clientip'] : '';
        #$clientmac = isset($_GET['clientmac']) ? $_GET['clientmac'] : '';
        $hid = isset($_GET['hid']) ? $_GET['hid'] : '';
    }

    // Do not build an authentication URL from incomplete data
    if ($gatewayaddress == "" || $hid == "") {
        http_response_code(400);
        exit("Incomplete data passed from NDS");
    }

    // Custom data for BinAuth is base64-encoded before sending, as fas-hid.php does
    $custom = base64_encode("Custom data sent to BinAuth");

    // Return token expected by OpenNDS: sha256(hid + faskey)
    $tok = hash('sha256', $hid.$faskey);

    // Authentication URL returned to OpenNDS; query values are URL-encoded
    $authUrl = "http://$gatewayaddress/$authdir/?tok=$tok&custom=".rawurlencode($custom)."&redir=".rawurlencode($redir);

    // Redirect the client to the authentication URL
    header("Location: $authUrl");
    exit(0);

    ?>

  • Set Apache permissions
  • Make sure Apache has the right permissions to access and execute the FAS script:
  • sudo chown -R www-data:www-data /var/www/html/fas
  • sudo chmod -R 755 /var/www/html/fas
  • Configure OpenNDS to use the FAS
  • Go back to the OpenNDS configuration file /etc/opennds/opennds.conf and set FASServerURL to your
  • FASServerURL http://your-server-ip/fas/fas.php
  • Step 4: Test the FAS service
  • Restart the OpenNDS service
  • After completing the configuration, restart the OpenNDS service on the router:
  • /etc/init.d/opennds restart
  • Connect to the Wi-Fi network and test
  • Connect a client device to your Wi-Fi network. When it connects, OpenNDS should redirect the user to the FAS script, which handles the authentication.