[pfsense-2.3.1] captive portal redirect-url before auth



  • Hey

    On captive portal i use redirection url before authentication.

    Before pf 2.3 for come back to index captive portal  i used https://mydomain.com:8003 and everything work fine but since 2.3 when i use the same nothing happen (not redirecting, blank page)

    if i use captive portal without redirection it's work

    if i use the same url in redirection case it's not work i loop on redirection and i never get the index captive portal

    Any idea

    i try :
    https://domain.com:8003/index.php = blank page
    and
    https://domain.com:8003/index.php?zone=zone_name = loop on redirect



  • The problem is not of url but of this code

    it doesn't works in 2.3 version can you help me

    
    require("globals.inc");
    $request_uri = urldecode(str_replace("/index.php?redirurl=", "",  $_SERVER["REQUEST_URI"]));
    $portal_redirurl = urldecode("$PORTAL_REDIRURL$");
    if(!stristr(urldecode("$PORTAL_REDIRURL$"), $request_uri)) {
    	Header("Location: $PORTAL_REDIRURL$");
    	exit;
    }
    ?>
    
    


  • :8000 ?

    From what version did you upgrade ?
    What I recall is that port "8000" hasn't been used for years - and, first of all, shouldn't be hard coded anywhere.

    It easy to proof this to yourself : use a no tampered pfsense portal  (clean install - minimal setting) and a clean browser.
    Then go to http://www.google.com (NOT https://www.goolge.com) and it works ….

    If you have portal troubles, please know that this one exists : https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting

    Can you tell me (and yourself) what this command gives back :

    ipfw -x 2 show | grep 'fwd'
    

    "x 2" because the command "ipfw zone list" said me to do so.



  • 8000 it's an error (it's old port) sorry it's 8003 in my config

    so captive portal work perfectly with redirect-url before authentication in 2.2

    i upgrade in 2.3 and problem appear

    the command said fwd on port 8002 tcp 80 but i have juste one zone on port 8003

    i think to delete portal and go to config from scratch

    what do you think about?



  • so i'm test config from scratch (i delete the old portal and recreate it)

    Now loop stop but stay on blank page

    https://domain.com:8003/index.php = blank page
    and
    https://domain.com:8003/index.php?zone=zone_name = blank page



  • Hi All,

    Me too facing a similar issue.

    I need to show a video before authenticating. The video shows correctly before authentication but it doesn't redirect to the CP.
    I placed a link on the video page http://10.10.10.1:8002/?zone=local and also http://10.10.10.1:8002/index.php but both return a blank page when the link is clicked.
    Me too running 2.3 version.

    Please help.

    Regards,
    Vikram



  • @aurel:

    https://domain.com:8003/index.php = blank page
    and
    https://domain.com:8003/index.php?zone=zone_name = blank page

    Basic - normal 'http' works ? If so, its a https (SSL == certificate issue ?)
    If not, it could be a DNS "domain.com" issue (pfSense needs to knwo who "domain.com" so it can inform the client, because browser can not work with "domain.com", they use "IP/index.php like 192.168.2.1/index.php. If the translation "domain.com" to "192.168.2.1" (done by pfSense) doesn't work, then do not use "domain.com" (which has to be used if you activated "https" login - certoficates works with domaine names, nt IP's), or do not use https.

    Btw : go here and read the very first subject https://forum.pfsense.org/index.php?board=2.0 not all is important for you, but it shwon what need to be done so https login works.
    Actually, it explain how to set up a https web server (the one used by pfSense which presents a login page to the visitor) - it can be pretty daunting if it is your first time …..



  • Hey
    With ip address it is the same problem
    Https work find whitout pre-auth redirect URL, it is really in this case when you want tout go back from the page to CP index



  • Hey,

    The problem is solved. Using different method although.
    Reference post https://forum.pfsense.org/index.php?topic=4937.msg61808#msg61808

    Regards,
    Vikram



  • No it is a different method but this problem is not solved. ;)



  • I agree, I do not understand  what the difference is between:
    "Pre-authentication redirect URL" (html : preauthurl)
    and
    "After authentication Redirection URL" (html : redirurl)

    If "After authentication Redirection URL" is set (and only that one) with an URL, I get redirected to that page after login.
    If "Pre-authentication redirect URL" is set (and only that one), I get redirected to that page after login.

    Now, check out the code in /etc/inc/captiveportal.inc - line 1952.
    The codes explains what happening ….. but now, what is the meaning of "Pre-authentication redirect URL" if both "Pre-authentication redirect URL" and "After authentication Redirection URL" are present (the second overwrites the first when both set)

    Do you need the "Pre-authentication redirect URL"  page ? (which means to me : before the login page, visitor are redirected else where )



  • "Pre-authentication redirect URL" (html : preauthurl)
    and
    "After authentication Redirection URL" (html : redirurl)

    In fact if you want "force" user to see something else for exemple contract agreement, advertising etc.. you use pre-authentication redirect URL.

    After user logon the captive portal he is redirect to a website (for exemple a famous search engine ;) ) but he can go where he want ….before not



  • @aurel:

    In fact if you want "force" user to see something else for exemple contract agreement, advertising etc.. you use pre-authentication redirect URL.

    After user logon the captive portal he is redirect to a website (for exemple a famous search engine ;) ) but he can go where he want ….before not

    Yep, that's what I make of it ….

    But, if you can 'read' some PHP :
    @Gertjan:

    Now, check out the code in /etc/inc/captiveportal.inc - line 1952.

    which I find surprising.



  • @aurel:

    The problem is not of url but of this code

    it doesn't works in 2.3 version can you help me

    Usar el sgte codigo

    o en todo caso agregar la linea , a su portal que ya tengan.

    Saludos

    
    require("globals.inc");
    $request_uri = urldecode(str_replace("/index.php?redirurl=", "",  $_SERVER["REQUEST_URI"]));
    $portal_redirurl = urldecode("$PORTAL_REDIRURL$");
    if(!stristr(urldecode("$PORTAL_REDIRURL$"), $request_uri)) {
    	Header("Location: $PORTAL_REDIRURL$");
    	exit;
    }
    ?>
    
    


  • For me was happening the same problem. I have a custom page to make the user login, but after the update did not occur redirection. I checked my .html file and noticed a slight difference. The code below was missing.

    P.S. At the configuration page of the captive portal has this information.

    Example code for the form:
    
    

    I put this entry and voila !!! It worked!!! In 2.2.6 version I didn't have this line and was working normal.

    Some explanation?



  • @empbilly:

    For me was happening the same problem. I have a custom page to make the user login, but after the update did not occur redirection. I checked my .html file and noticed a slight difference. The code below was missing.

    P.S. At the configuration page of the captive portal has this information.

    Example code for the form:
    
    

    I put this entry and voila !!! It worked!!! In 2.2.6 version I didn't have this line and was working normal.

    Some explanation?

    Nice to know CP works in 2.3

    I'll try it later i hope it is the same for pfsense 2.3 clean installation using the same procedure.



  • yes in 2.3 you must change index page and add the zone field

    for me it's when i use the pre-redirurl before authentication

    i can't return on the captive portal to connect me

    the url

    https://hotspot.domain.com:8005/index.php?zone=zone_name

    loop on pré-redirurl page

    i think that code below is a part of my problem

    
    $request_uri = urldecode(str_replace("/index.php?redirurl=", "",  $_SERVER["REQUEST_URI"]));
    $portal_redirurl = urldecode("$PORTAL_REDIRURL$");
    if(!stristr(urldecode("$PORTAL_REDIRURL$"), $request_uri)) {
    	Header("Location: $PORTAL_REDIRURL$");
    	exit;
    }
    
    


  • @aurel:

    the url
    https://hotspot.domain.com:8005/index.php?zone=zone_name
    loop on pré-redirurl page

    Maybe.
    But who is gonna use an URL like that ?

    My setup permits me to :
    People visit a http site (let's say : http://www.google.com)
    They are intercepted, and redirected to my captive portal page : (which is : https://portal.my-pfsense-domain.tld/….. but who cares)
    They identify themselves.
    When accepted, they are redirect to the initial URL they were requesting, in this case http://www.google.com



  • for me

    https://doc.pfsense.org/index.php/Captive_Portal_Pre-authentication_Redirect

    not working on 2.3

    can i open a bug in pfsense redmine project ?



  • same issue here on 2.3



  • Got the trick.

    To Pre-authentication redirect URL works, just remove this line:

    require("globals.inc");

    From the official help: https://doc.pfsense.org/index.php/Captive_Portal_Pre-authentication_Redirect

    Then, the code will look like this:

    
    $request_uri = urldecode(str_replace("/index.php?redirurl=", "",  $_SERVER["REQUEST_URI"]));
    $portal_redirurl = urldecode("$PORTAL_REDIRURL$");
    if(!stristr(urldecode("$PORTAL_REDIRURL$"), $request_uri)) {
            Header("Location: $PORTAL_REDIRURL$");
            exit;
    }
    ?>
    

    Upload to Portal page contents and be happy

    Works fine to me.

    Cya



  • yes i remove this line but how can you return on captive portal page to logon ?

    this url not working :

    The user will be redirected to that URL, and then when the user clicks back to pfSense using a link to the firewall IP address/port, such as http://x.x.x.x:8002/index.php, the referring URL will match the original landing page and the redirect will not happen that time

    This still not working on 2.3.1



  • I have same problem with the preauthen page cant redirect to the portal page by method action"IPpfsense:8002/index.php" It show the blank page. Please help me solve this problem



  • @tamduong:

    I have same problem with the preauthen page cant redirect to the portal page by method action"IPpfsense:8002/index.php" It show the blank page. Please help me solve this problem

    You have a custom redirect page? If Yes, post here.



  • Yes, this is the preauthen page. Purpose: The customer will show the terms and condition first

    
    <title>Wireless System</title>
    
    <center>
    
    | 
                    ![](../captiveportal-logo.jpg)
                 | 
    
    # Wireless System
    
                 |
    
    You only have TWO sessions and each session is ONE hour access the Internet service then you MUST register at  Club Desk or waiting for 24 hours later 
    
            **Terms of Use**
    
            Welcome to the Palazzo  Internet access service (the "Service"). The Service is being provided for all customer of the Club at  Hotel, and Owners (collectively, the "Club" or "We"). As a condition of accessing this Service, you must agree to the following terms and conditions of use ("Terms of Use"). If you do not agree to the Terms of Use you may not access or use another Internet Service. Your use of the Palazzo Wireless Service indicates your acceptance of these Terms of Use.
    
            **No Editorial Control** 
    
            The Club do not review or exercise any editorial control over the content or materials made available over the Internet by third parties, including without limitation any electronic mail transmissions, newsgroups, or the like. However,We may remove, block, filter, or restrict by any other means any materials that, in the CLUB sole discretion, may be illegal, may subject the Club to liability, or may violate these Terms of Use. The Club may cooperate with legal authorities and/or third parties in the investigation of any suspected or alleged crime or civil wrong. Violation of these Terms of Use may result in the suspension or termination of access to the Service.
    
            **Security** 
    
            You expressly acknowledge and agree that there are significant security, privacy and confidentiality risks inherent in accessing or transmitting information through the Internet, whether the connection to the Internet is facilitated through wired or wireless technology. These security issues range from interception of transmissions, loss of data, or the introduction of viruses or other programs that can damage your computer or network.
            ACCORDINGLY, YOU AGREE THAT THE CLUB SHALL NOT BE LIABLE FOR ANY INTERCEPTION OF TRANSMISSIONS, LOSS OF DATA, FILE CORRUPTION, HACKING OR DAMAGE TO YOUR COMPUTER OR NETWORK THAT RESULTS FROM THE TRANSMISSION OR DOWNLOAD OF INFORMATION OR MATERIALS THROUGH THE SERVICE.
            Restrictions on Use
            You agree to not use the Service to:
    
                (a) transmit any material that is unlawful, threatening, abusive, harassing, tortious, defamatory, obscene, libelous, invasive of another?s privacy, racially, ethnically or otherwise objectionable;
    
                (b) harm, or attempt to harm, minors in any way;
    
                (c) impersonate any person or entity or falsely state or otherwise misrepresent your affiliation with a person or entity; forge headers or otherwise manipulate identifiers in order to disguise the origin of any material transmitted through the Service;
    
                (d) transmit any material that you do not have a right to make available under any law;
    
                (e) transmit any material that infringes any patent, trademark, trade secret, copyright or other proprietary rights of any party;
    
                (f) transmit any unsolicited or unauthorized advertising, promotional materials, "junk mail," "spam," "chain letters," "pyramid schemes" or any other form of solicitation;
    
                (g) transmit any material that contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment;
    
                (h) use the Services for excessively high volume data transfers.
    
            **How to register your device**
    
            Please ask the Reception Desk at Club collect your device mac address and provide your name. You do nothing else
    
    <form name="form1" onsubmit="return validate()" action="http://172.29.151.111:8002/index.php">
    
     I have read and agree to the Terms of Use
    
        </form>
    
    </center>
    
    

    and this is portal page:

    require_once("globals.inc");
    $request_uri = urldecode(str_replace("/index.php?redirurl=", "",  $_SERVER["REQUEST_URI"]));
    $portal_redirurl = urldecode("$PORTAL_REDIRURL$");
    if(!stristr(urldecode("$PORTAL_REDIRURL$"), $request_uri)) {
        Header("Location: $PORTAL_REDIRURL$");
        exit;
    }
    ?>
    
    <center>
        <title>Wireless System</title>
    
    | 
                    ![](../captiveportal-logo.jpg)
                 | 
    
    # Wireless System
    
                 |
    
     **You only have TWO session and ONE hour in each session please wait 24 hours later to have new session, or contact the Receptionist to [get unlimited time](http://172.29.151.111:8002/captiveportal-getmac.php)**
    
    </center>
    
    


  • Help me plz!!!



  • but how to force captive portal redirect to login page



  • @daibenjohn:

    but how to force captive portal redirect to login page

    This will work without you (the captive portal user) doing something special.
    If you have some knowledge about what a firewall is :
    https://doc.pfsense.org/index.php/Captive_Portal_Troubleshooting
    Find out what your 'zone' is :

    ipfw zone list
    

    Then, use the obtained number to check the rules :
    ipfw -x zone1 show
    You see rule number 65532:

    65532   22940    2336966 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in
    
    

    This rule says :
    "Any connection tcp from anywhere going to anywhere" will be redirected to"127.0.0.1,8002".
    And guess what : on 127.0.0.1,8002 is listeing a web server that servers you the default index.html page, your captive logon page.

    When your login is validated, check out table 1 and 2 : your IP and MAC will be in these tables, so any further communication will not be send to the captive portal login page, bur simply passes through.

    When the captive portal forces a logout, it simply removes your IP and MAC from theses two tables.



  • Gertjan, could you please post the full output of the "ipfw -x show" command? I'm trying to fix a problem similar to the OPs CP problem, and I'd be very interested in seeing the output from a working CP system.

    EDIT: sorry, mixed up the threads



  • Hi everyone,

    I've the same issue. When i'm not log in :
        I can't have access on http/https site
        When I go on http://mydomain:8002/index.php I've blanc page
        When I go on http://mydomain:8002/index.php?zone=cp_guest I've log in page (which works)

    I used default Portal page contents and Pre-authentication redirect URL is set to http://mydomain:8002/index.php?zone=cp_guest

    I've also the same rule : 65532  22940    2336966 fwd 127.0.0.1,8002 tcp from any to any dst-port 80 in

    I've read topic, but it didn't work for me. I've you solved it ?

    Thank you



  • Has anyone found a solution to this ?

    In my setup, I get redirected to the Pre Auth URL page, but cannot from that page jump to login portal page.



  • It would be great if somebody could post a working solution for version 2.3 onwards(portal page and external landing page) to a pre-auth external landing page which contains the form.

    The CP controller does not appear to be able to pass the actual values of $PORTAL_ACTION$, $PORTAL_ZONE$, $PORTAL_REDIRURL$, $PORTAL_MESSAGES$ to the external landing page using PHP header function.



  • Ahh, so that's what's happening in my setup. I get looped all the time to the redirect url.



  • So, anyone found a solution ?



  • Any solution please?



  • @Thorgal:

    I've the same issue. When i'm not log in :
        I can't have access on http/https site
        When I go on http://mydomain:8002/index.php I've blanc page

    This is ok and by design.
    Calling this page (index.php) without the very needed variable 'zone', there will be an error - see error log (see the captive log file).
    See here : https://github.com/pfsense/pfsense/blob/master/src/usr/local/captiveportal/index.php#L39 (and next 8 lines) => NO variable 'zone" means : dead.

    See also this (these) file(s) :
    /var/etc/nginx-CPZONE-CaptivePortal.conf
    /var/etc/nginx-CPZONE-CaptivePortal-SSL.conf (if you use https login)
    This is what make things work:

    		......
    		if ($http_host ~* 192.168.2.1) {
    			set $cp_redirect no;
    		}
    		if ($http_host ~* portal.brit-hotel-fumel.net) {
    			set $cp_redirect no;
    		}
    
    		if ($cp_redirect = '') {
    			rewrite	^ /index.php?zone=cpzone1&redirurl=$request_uri break;
    		......
    
    

    Your IP and portal URL are different of course.
    Check that the URL does resolve to the IP present !!

    @Thorgal:

    When I go on http://mydomain:8002/index.php?zone=cp_guest I've log in page (which works)

    As explained above : ok and normal.

    For all : pre-auth might be broken - or not.
    The doc might be not 100 % - some made it work - others don't.

    The big problem is : communication. To make it work, all settings need to be known and ok. Special broken setups WILL break everything.
    The pre auth page could be stored on pfSense (as an uploaded file) - or not - and could even be some where on the net.

    I have have not tried pre auth myself - I don't need it.

    Just an advise for those who try to make it work : check that all variables are passed to the pages involved in the process (some PHP knowledge will be needed).



  • I've been looking in to how to resolve this issue. Here's what I did:

    1. Set the portal page to anything you like, but make sure it includes:

    require_once("globals.inc");
    $request_uri = urldecode(str_replace("/index.php?redirurl=", "",  $_SERVER["REQUEST_URI"]));
    $portal_redirurl = urldecode("$PORTAL_REDIRURL$");
    if(!stristr(urldecode("$PORTAL_REDIRURL$"), $request_uri)) {
    Header("Location: $PORTAL_REDIRURL$");
    exit;
    }

    1. Set your pre-auth url to point to your external web server

    2. Web server loads its page (for me a data capture page), and posts to a database and echo's header location to authenticate.php

    3. Authenticate.php is essentially the default captive portal code, but I modified $PORTAL_??$ variables to be hard coded. This is then posted directly to the firewall (192.168.1.1:8002/index.php?zone=[zonename]), and the user is then forwarded to the $PORTAL_REDIRURL$

    4. The user is authenticated and able to browse

    I hope this helps!


Log in to reply