CaptivePortal no redirect https



  • I have read the topic https://forum.pfsense.org/index.php?topic=53630.0
    They say: redirect of https is impossible. But, other CPs like the ALLNET HOTSPOT can do this.

    Is there really no solution?

    Thx



  • @woni:

    I have read the topic https://forum.pfsense.org/index.php?topic=53630.0
    They say: redirect of https is impossible. But, other CPs like the ALLNET HOTSPOT can do this.

    Is there really no solution?

    Thx

    It's my biggest show stopper in actually using this.



  • Hi there.

    Intercepting and redirecting an SSL connection to a non-SSL one isn't a big deal.
    But no one will be able to 'control' the behavior of the web browser: it will show the famous "security alert" because the certificate received (the one from our portal) doesn't mention "www.facebook.com" ….
    So, why not add some SSL man-in-the-middle scheme to pfSense and all will be fine .... ?!

    I understood that the direction of pfSense refuses to build such a thing.
    You, as an admin, will have the possibility to analyse any of your clients' private SSL connections (bank, paypal, fisc, company, .... - your portal visitors will be happy because your https portal works without issues, but when they find out that you have the possibility to 'read' their ssl sessions you'll be looking for a lawyer very soon ...)

    The good news is that some browsers (with some OS help) are already captive-portal 'prepared' and launch a simple 'http request' to see if the connection is behind some (firewall) portal.
    As far as I know the iDevices (iPhone, iPad, iEtc) handle the situation very well.
    Others might follow.

    And, maybe, Wifi users will get used to the fact that they should:
    Connect to the Wifi access point.
    Browse to some random 'http' site, NOT an https site.
    They will find the login page .....
    Now, they can start using other programs (mail clients, P2P, SSH, etc etc etc) and start https sessions ...

    Btw: no one ever complained that Outlook can't connect to a captive portal - "You should use a browser first to unlock ...."
    Well, just add 4 words to that rule: " .. using a http site".
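The first-request behaviour described in the post above, modelled as an added example (not part of the original thread and not pfSense code): a plain http request can simply be redirected to the login page, while an intercepted https request is answered with the portal's own certificate, which the browser checks against the host name the user typed. The certificate names and the outcome labels are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: names a portal's own certificate might carry (assumption).
PORTAL_CERT_NAMES = ["portal.example.net", "*.hotspot.example.net"]


def name_matches(pattern: str, host: str) -> bool:
    """Browser-style name check: exact match, or one left-most '*' label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Reject overly broad patterns such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host: str) -> bool:
    """True if any name in the certificate is valid for the requested host."""
    return any(name_matches(n, host) for n in cert_names)


def first_request_outcome(url: str, portal_cert_names) -> str:
    """What an unauthenticated client sees when the portal answers its request."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("URL has no host: %r" % url)
    if parts.scheme == "http":
        # No certificate involved: the portal can answer with a redirect.
        return "redirect-to-login"
    if parts.scheme == "https":
        # The portal can only present its own certificate, so the browser
        # compares the portal's names with the site the user asked for.
        if cert_covers(portal_cert_names, parts.hostname):
            return "tls-ok"
        return "certificate-warning"
    raise ValueError("unsupported scheme: %r" % parts.scheme)


if __name__ == "__main__":
    for u in ("http://www.example.org/",
              "https://www.facebook.com/",
              "https://portal.example.net/login"):
        print(u, "->", first_request_outcome(u, PORTAL_CERT_NAMES))
```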



  • Someone elsewhere mentioned there's HTTPS redirection in 2.2 if you enable the HTTPS captive portal page?

    Is this accurate?



  • Source ?



  • @Gertjan:

    Source ?

    It was a reply to something on reddit.  It's not a source.  That's why I'm asking if there's anything accurate about that.