[help me]pfsense not redirect to Captive portal when user type HTTPS website url?
-
Hi my friends. I have trouble with my pfSense Captive portal:
When a user has not logged in and types a URL in the browser, if the URL is not HTTPS, the Captive portal redirects well, but when the user types an HTTPS URL (such as google.com), the Captive portal does not redirect?
I don't understand why. Please help me, show me how to solve this: when a user types an HTTPS website, pfSense redirects to the Captive portal.
Thank you very much.
-
https://forum.netgate.com/search?term=https&in=posts&matchWords=all&categories[]=3&sortBy=relevance&sortDirection=desc&showAs=posts
-
I want a way to solve this, because I tried to read more but I don't understand and don't know what I should do.
-
He is saying: You can't
-
https://forum.netgate.com/post/642020
-
@TuanNghia103 said in [help me]pfsense not redirect to Captive portal when user type HTTPS website url?:
I want a way to solve this, because I tried to read more but I don't understand and don't know what I should do.
you can't.
HTTPS has been designed specifically for blocking this
there is no way for bypassing this, this is a feature of HTTPS.
however, I do have an alternative solution: ask your users to use one of the major browsers (Edge/Firefox/Google Chrome/Safari, etc...)
all major Web browsers have a feature called "captive portal detection":
the way it works is every time you open your browser, an HTTP request is made to a random URL. if this URL is unreachable, then the web browser considers that your internet is blocked and shows you a message.
the URLs requested are usually:
- http://connectivitycheck.gstatic.com/generate_204 (Google Chrome, Chrome OS, Android)
- http://clients3.google.com/generate_204 (Chromium)
- http://www.msftncsi.com/ncsi.txt (Internet Explorer)
- http://www.msftconnecttest.com/connecttest.txt (Edge)
- http://detectportal.firefox.com/success.txt (Firefox)
they may vary a bit depending on the location/the version used, though
more info here (for chrome) and here (for firefox)
-
@free4 said in [help me]pfsense not redirect to Captive portal when user type HTTPS website url?:
the URL requested are usually :
http://connectivitycheck.gstatic.com/generate_204 (Google Chrome, Chrome OS, Android)
http://clients3.google.com/generate_204 (Chromium)
http://www.msftncsi.com/ncsi.txt (Internet Explorer)
http://www.msftconnecttest.com/connecttest.txt (Edge)
http://detectportal.firefox.com/success.txt (Firefox)
Hummm. Nice list !!
One is missing :
http://captive.apple.com/hotspot-detect.html (Any iOS based device = Apple)
The final answer to this question
[help me]pfsense not redirect to Captive portal when user type HTTPS website url?
is : no user should have to do anything so the captive portal login shows up.
Better yet : the user doesn't even need to know that they are using a Captive portal.
As soon as the Ethernet connection comes up, it's the OS of the user's device that will ask for an IP, a DNS, a gateway. After that's done, the OS will throw out a basic http request (see list above) and there should be an answer, just click on the links above to check for yourself.
This http request (on port 80 !) will be redirected to the captive portal web interface running on pfSense.
What happens then is known : the captive portal login page will show up. The user can interact with this page, like authenticate himself.
If this doesn't happen : see here.
Again : a captive portal user doesn't have to open a browser and launch some http request himself. The OS already did that - and knows that it should open a web browser when needed.
I'm running a captive portal on a hotel.
This means that I don't know who will be using our captive portal.
I don't know what device they bring with them.
Neither how they set it up ...
I do not publish any instructions about how to connect - except for the fact that our free Wi-fi network is called "OurHotelNetwork" - the SSID.
I know that our clients connect to our network. I have the stats and usage as a proof. Anyway, if the free Wi-fi isn't working I'll be out of business very quickly.
It's very rare that our clients contact me because they can't connect to our network. Once or twice a year ?!
-
@Gertjan Others are missing,
because of Google being blocked in China, cellphones and multiple Chinese garbage browsers (360browser, etc...) are usually using one of these URLs:
- https://connect.rom.miui.com/generate_204 (Xiaomi)
- http://www.qualcomm.cn/generate_204 (Huawei)
- http://www.265.com/generate_204 (Google Chrome, Asus cellphones. This website is owned by Google)
I also heard that Nintendo devices are using http://conntest.nintendowifi.net for captive portal detection
but anyway, I don't think that's very important..
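-
Added example, not part of the original thread: a small Python checker that requests the plain-HTTP probe URLs listed above without following redirects and reports what a detecting OS or browser would conclude. The expected status and body values in `EXPECTED` and the result labels are assumptions made for this example; verify the values once from a connection without a portal.

```python
import urllib.error
import urllib.request

# Probe URL -> (status, body) seen on an open connection. URLs are from the
# thread; the status/body values are assumptions (commonly documented), so
# verify them once from a network without a portal.
EXPECTED = {
    "http://connectivitycheck.gstatic.com/generate_204": (204, ""),
    "http://clients3.google.com/generate_204": (204, ""),
    "http://www.msftncsi.com/ncsi.txt": (200, "Microsoft NCSI"),
    "http://www.msftconnecttest.com/connecttest.txt": (200, "Microsoft Connect Test"),
    "http://detectportal.firefox.com/success.txt": (200, "success"),
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of following them to the login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url, timeout=5):
    """Fetch one probe URL; returns (status, headers, body), status None if unreachable."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, dict(err.headers), err.read(4096).decode("utf-8", "replace")
    except OSError:  # DNS failure, timeout, refused connection
        return None, {}, ""

def classify(url, status, headers, body):
    """Decide what an OS-style detector would conclude from one probe answer."""
    if url not in EXPECTED:
        return "unknown-probe"
    if status is None:
        return "unreachable"
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if 300 <= status < 400 and location:
        return "portal-redirect:" + location
    want_status, want_body = EXPECTED[url]
    if status == want_status and body.strip() == want_body:
        return "open"
    return "portal-rewrite"  # right URL, wrong content: answer was intercepted

if __name__ == "__main__":
    for u in EXPECTED:
        print(u, "->", classify(u, *probe(u)))
```

Run it from a client that has not yet authenticated: each probe should come back as a redirect to the portal login page rather than `open`.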