HTTPS New User Drop-Out



  • Hi All-

    I'm very new to all of this, but I was able to get pfSense and the captive portal feature working (the main reason I found pfSense). Everything is just about perfect for what I need, however upon testing it I noticed one issue. When a user first enters a web address using https (for instance, https://google.com as opposed to http://google.com) they don't get redirected to the captive portal page. Instead, the page just times out. Regular http requests go through just fine.

    Also, once they are authorized, any further https websites then work. I'm not sure if this is a bug or an issue with how I set things up.

    Thanks in advance!



  • There is no clean way to do transparent redirection of https (unless you have full control over the client's PC and can load your own CA cert onto it; in which case you'd be effectively performing a MitM attack).

    The only way is to have people point their browser to any http address, so that the CP can redirect them to its auth page …

    This limitation applies to all captive portal implementation that do web authentication.



  • Hello,

    I do not understand why it is impossible to perform an unconditional redirection to the login page when the user is not authenticated and it requires a https site. Transparent redirection is not a requirement for me.
    Could you help me understand this problem?

    Regards.



  • The OP refers to a situation where the new CP user tries to initally load an https URL (for instance, https://google.com as opposed to http://google.com)

    You could redirect his initial connection to e.g. https://google.com to your own https server ("impersonating" google.com in order to further redirect him to your CP login page) but unless the user's browser has loaded your CAcert, it would result into various scary-looking warnings by his browser about "problems with the security certificate" recommending to him to close the page.


Log in to reply