How to build your own web-authentication (captive portal) server
FreeBSD 7.0 + opengate + ipfw

Contents
Captive Portal (web authentication) introduction
Installing FreeBSD
Configuring the kernel
Building the kernel
Installing BIND9
Installing isc-dhcp3
Installing apache22
Basic rc.conf configuration
Installing opengate
Setting up the ipfw firewall
Setting up syslog logging
Testing

2008-8-24 LoveKDE (QQ …4375)

Introduction

Anyone who has used m0n0wall will know that it has a Captive Portal feature: clients get access to the Internet by authenticating through a web page. Having some free time, I decided to pick an open-source implementation and build one myself on Linux or BSD. I originally planned to port the m0n0wall one, but that was too much trouble. If you are interested, there is a list of open-source and commercial implementations here: http://wiki.pe… In the end I chose Opengate, because I had tried most of the others and found their support poor. Opengate is maintained by Saga University in Japan; its only drawback is that it runs only on BSD. Below I walk through the installation and debugging steps. Note that all I have done is a rough translation of the official installation documentation plus one run-through of my own; most settings are the bare minimum, and stability and security are not discussed here.

Installing FreeBSD

Install FreeBSD 7.0 first. I used a minimal install, added the sys and ports sources, and used cvsup to update the ports tree. (I used VMware 6.0 with two virtual NICs, one bridged to the physical network and one attached to vmnet8. For the final test I used the VMware Network Adapter VMnet8 on the Windows host; any IP address on that local connection will do.)

Configuring the kernel

My kernel configuration is as follows:

cpu         I486_CPU
cpu         I586_CPU
cpu         I686_CPU
ident       MYKERNEL
makeoptions DEBUG=-g                # Build kernel with gdb(1) debug symbols
options     SCHED_4BSD              # 4BSD scheduler
options     PREEMPTION              # Enable kernel thread preemption
options     INET                    # InterNETworking
options     INET6                   # IPv6 communications protocols
options     SCTP                    # Stream Control Transmission Protocol
options     FFS                     # Berkeley Fast Filesystem
options     SOFTUPDATES             # Enable FFS soft updates support
options     UFS_ACL                 # Support for access control lists
options     UFS_DIRHASH             # Improve performance on big directories
options     UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options     MD_ROOT                 # MD is a potential root device
options     CD9660                  # ISO 9660 Filesystem
options     PROCFS                  # Process filesystem (requires PSEUDOFS)
options     PSEUDOFS                # Pseudo-filesystem framework
options     GEOM_PART_GPT           # GUID Partition Tables.
options     GEOM_LABEL              # Provides labelization
options     COMPAT_43TTY            # BSD 4.3 TTY compat [KEEP THIS!]
options     COMPAT_FREEBSD4         # Compatible with FreeBSD4
options     COMPAT_FREEBSD5         # Compatible with FreeBSD5
options     COMPAT_FREEBSD6         # Compatible with FreeBSD6
options     SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options     KTRACE                  # ktrace(1) support
options     SYSVSHM                 # SYSV-style shared memory
options     SYSVMSG                 # SYSV-style message queues
options     SYSVSEM                 # SYSV-style semaphores
options     _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options     KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options     ADAPTIVE_GIANT          # Giant mutex is adaptive.
options     STOP_NMI                # Stop CPUS using NMI instead of IPI
options     AUDIT                   # Security event auditing
options     IPDIVERT
options     IPFIREWALL
options     IPFIREWALL_FORWARD
options     IPFIREWALL_VERBOSE
options     IPFIREWALL_VERBOSE_LIMIT=100
#options    IPFIREWALL_DEFAULT_TO_ACCEPT
options     IPSEC
device      crypto
device      apic                    # I/O APIC
device      cpufreq
device      pci
# ATA and ATAPI devices
device      ata
device      atadisk                 # ATA disk drives
# atkbdc0 controls both the keyboard and the PS/2 mouse
device      atkbdc                  # AT keyboard controller
device      atkbd                   # AT keyboard
device      psm                     # PS/2 mouse
device      kbdmux                  # keyboard multiplexer
device      vga                     # VGA video card driver
device      splash                  # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device      sc
device      agp                     # support several AGP chipsets
# Add suspend/resume support for the i8254.
device      pmtimer
device      le                      # AMD Am7900 LANCE and Am79C9xx PCnet
device      miibus                  # MII bus support
device      bge                     # Broadcom BCM570xx Gigabit Ethernet
# Pseudo devices.
device      loop                    # Network loopback
device      random                  # Entropy device
device      ether                   # Ethernet support
device      sl                      # Kernel SLIP
device      ppp                     # Kernel PPP
device      tun                     # Packet tunnel.
device      pty                     # Pseudo-ttys (telnet etc)
device      md                      # Memory "disks"
device      gif                     # IPv6 and IPv4 tunneling
device      faith                   # IPv6-to-IPv4 relaying (translation)
device      firmware                # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device      bpf                     # Berkeley packet filter

Note that IPFIREWALL_DEFAULT_TO_ACCEPT is left commented out: the firewall's last rule (65535) is therefore "deny ip from any to any", and anything the rules in rc.firewall below do not explicitly pass is dropped. That default deny is what keeps unauthenticated clients off the Internet, so do not enable that option on a portal gateway.

Building the kernel

# config MYKERNEL
# cd ../compile/MYKERNEL
# make cleandepend && make depend
# make
# make install

Installing BIND9

# cd /usr/ports/dns/bind9/
# make install clean ; rehash

My minimal DNS configuration. On startup named will complain about rndc; that does not matter.

# cat /etc/namedb/named.conf
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    allow-query { 192.168.15/24; };
    allow-transfer { 192.168.15/24; };
};
zone "." { type hint; file "named.root"; };
zone "opengate.cn" { type master; file "opengate.cn"; };

# cat /etc/namedb/opengate.cn
$TTL 3600
@       IN  SOA  ns.opengate.cn. root.opengate.cn. (
                 2005051702 ; serial
                 3600       ; refresh
                 1200       ; retry
                 2419200    ; expire
                 86400 )    ; minimum
        IN  NS   ns.opengate.cn.
ns      IN  A    192.168.15.1   ; address not preserved in the source; the gateway's inside address is assumed
gateway IN  A    192.168.15.1   ; same assumption

(The SOA names and the A-record addresses did not survive in the source; the values above assume the inside network 192.168.15.0/24 with the gateway at 192.168.15.1, which is what the allow-query line and rc.firewall use.)

That is enough to start DNS. If you want to tighten it for security reasons, do that yourself; I am only testing here.

Installing isc-dhcp3

# cd /usr/ports/net/isc-dhcp3-server
# make install clean ; rehash

The simplest possible dhcpd.conf:

# cat /usr/local/etc/dhcpd.conf
ddns-update-style none;
log-facility local7;
subnet 192.168.15.0 netmask 255.255.255.0 {
    range 192.168.15.100 192.168.15.200;
    option domain-name-servers 192.168.15.1;
    option domain-name "opengate.cn";
    option routers 192.168.15.1;
    option broadcast-address 192.168.15.255;
    default-lease-time 6000;
    max-lease-time 72000;
}

(The addresses, range and domain name in this file were lost in the source as well; the values shown are assumptions consistent with the 192.168.15.0/24 inside network used throughout the document.)

Installing apache22

# cd /usr/ports/www/apache22
# make install clean ; rehash

Create an SSL private key, because SSL is used later for the login page:

# cd /usr/local/etc/apache22
# mkdir ssl.key ssl.crt
# chmod 700 ssl.key ssl.crt
# /usr/bin/openssl genrsa -out /usr/local/etc/apache22/server.key 1024

Create a certificate:

# /usr/bin/openssl req -new -x509 -days 365 -key /usr/local/etc/apache22/server.key -out /usr/local/etc/apache22/server.crt

Then just answer the prompts; all that matters is that the certificate gets generated. (A 1024-bit RSA key is fine for this test setup but is considered too weak today; use at least 2048 bits for anything real. The certificate is self-signed, so browsers will warn users before they reach the login page.)

Set up SSL in apache. At the end of /usr/local/etc/apache22/extra/httpd-ssl.conf add an SSL virtual host like this:

<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/apache22/data"
ServerName gateway.opengate.cn:443
ServerAdmin you@example.com
ErrorLog "|/usr/bin/logger -p local1.err"
CustomLog "|/usr/bin/logger -p local1.info" combined
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/etc/apache22/server.crt
SSLCertificateKeyFile /usr/local/etc/apache22/server.key
</VirtualHost>

(The ServerName host, the ServerAdmin address and the syslog priorities of the two logger lines did not survive in the source; the host name follows the OpengateServerName set later, the address is a placeholder, and the local1 facility matches the syslog.conf entry below, with the .err/.info levels assumed.) The SSLCipherSuite line is the old apache default and still allows export-grade, LOW and SSLv2 cipher suites; for anything beyond a test, a setting such as HIGH:!aNULL:!EXPORT:!SSLv2 is the safer choice.

Edit /usr/local/etc/apache22/httpd.conf:

Find:
#ErrorDocument 404 /missing.html
and change it to:
ErrorDocument 404 /

Find:
<Directory "/usr/local/www/apache22/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
and change it to:
<Directory "/usr/local/www/apache22/cgi-bin">
    AllowOverride None
    Options None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

Remove the comment marks in front of:
AddHandler cgi-script .cgi
AddHandler type-map var

Find:
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
and change it to:
<IfModule dir_module>
    DirectoryIndex index.html.var index.html
</IfModule>

Set the ServerName line to your own host name (it also works if you leave it unset).

Add one line at the end of httpd.conf:
Include etc/apache22/extra/httpd-ssl.conf

Finally, create a symbolic link:
# ln -s /usr/local/www/apache22/cgi-bin /usr/local/www/cgi-bin

Basic rc.conf configuration

With the preparation done, enable all the services at boot. My /etc/rc.conf looks like this:

# cat /etc/rc.conf
defaultrouter="192.168.0.1"          # value not preserved in the source; only "192.168.0." survived
font8x14="NO"
font8x16="NO"
font8x8="NO"
gateway_enable="YES"
hostname="gateway.opengate.cn"       # assumed; not preserved in the source
ifconfig_le0="inet 192.168.0.2 netmask 255.255.255.0"    # outside; addresses assumed
ifconfig_le1="inet 192.168.15.1 netmask 255.255.255.0"   # inside
ipv6_enable="NO"
keymap="us.iso"
moused_enable="YES"
sshd_enable="YES"
sendmail_enable="NONE"
firewall_enable="YES"
firewall_script="/etc/opengate/rc.firewall"
firewall_type="open"
natd_enable="YES"
natd_interface="le0"
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-c /etc/namedb/named.conf"
dhcpd_enable="YES"
dhcpd_ifaces="le1"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
apache22_enable="YES"
apache22ssl_enable="YES"

The firewall_script line may not make sense yet; it will once opengate is installed. Because firewall_script points at opengate's own script instead of the stock /etc/rc.firewall, the firewall_type="open" setting is never consulted; the rules that actually run are the ones in /etc/opengate/rc.firewall. (The interface addresses, host name and default router were lost in the source; the values shown are assumptions consistent with the rest of the document.)

Installing opengate

Download the package from http://www.cc.saga-u.ac.jp/opengate/download/opengate4.36.tar.gz

# tar zxvf opengate4.36.tar.gz
# cd opengate4.36
# ee opengatesrv/Makefile

If the first few lines of the Makefile are not as follows, change them so that they are:

WWWTOP      = /usr/local/www/apache22
DOCDIR      = /data
CGIDIR      = /cgi-bin
OPENGATEDIR = /opengate
CONFIGPATH  = /etc/opengate
LOCKFILE    = /tmp/opengate.lock

# make clean
# make install
# cd /etc/opengate/
# cp opengatesrv.conf.sample opengatesrv.conf
# ee opengatesrv.conf

Edit the first few lines and pick the authentication protocol. I use pam, so system accounts can be used directly. Further down the file there are many examples for authenticating against other protocols, such as radius and ldap, which you can use as a reference.

<OpengateServerName>gateway.opengate.cn</OpengateServerName>

<AuthServer>
    <Protocol>pam</Protocol>
    <Address> </Address>
    <Timeout>10</Timeout>
</AuthServer>

Setting up the ipfw firewall

Opengate ships a sample firewall script, but you have to adjust it a little. I am not very familiar with ipfw myself; I just find its traffic shaping rather neat.

# cd /etc/opengate
# cp rc.firewall.sample rc.firewall
# cat rc.firewall
# set these to your outside interface network and netmask and ip
oif="le0"
onet=""
omask=""
oip=""
# set these to your inside interface network and netmask and ip
iif="le1"
inet=""
imask=""
iip="192.168.15.1"
fwcmd="/sbin/ipfw"
# divert packet to NATD
$fwcmd add 1 divert natd ip4 from any to any via $oif
# Stop spoofing
$fwcmd add deny all from $inet:$imask to any in via $oif
$fwcmd add deny all from $onet:$omask to any in via $iif
# Allow from / to myself
$fwcmd add pass all from $iip to any via $iif
$fwcmd add pass all from $oip to any via $oif
$fwcmd add pass all from any to $iip via $iif
$fwcmd add pass all from any to $oip via $oif
# Allow DNS queries out in the world
# (if DNS is on localhost, delete passDNS)
$fwcmd add pass udp from any 53 to any
$fwcmd add pass udp from any to any 53
$fwcmd add pass tcp from any to any 53
$fwcmd add pass tcp from any 53 to any
# Allow RA RS NS NA Redirect.
$fwcmd add pass ipv6-icmp from any to any
# Allow IP fragments to pass through
$fwcmd add pass all from any to any frag
# Allow RIPng
# Forwarding IPv4 http connection from unauth client
$fwcmd add 60000 fwd localhost tcp from $inet:$imask to any 80
$fwcmd add 60000 fwd localhost tcp from $inet:$imask to any 443
# Allow http reply for forwarded request
# (it is sent out from localhost but has original source address)
$fwcmd add 60100 pass tcp from any 80 to any out
$fwcmd add 60100 pass tcp from any 443 to any out
# TCP reset notice message for IPv6 http connection
$fwcmd add 60200 reset tcp from any to any 80
$fwcmd add 60300 reset tcp from any to any 443

(The onet, omask, oip, inet and imask values were empty in the source and must be filled in with your own outside and inside network, netmask and address; the last octet of iip was not clearly preserved and is assumed to be .1.)

What makes this a captive portal is the combination of these rules with the kernel's default deny: HTTP and HTTPS from the inside network are forwarded to the local web server, where the opengate CGI serves the login page, and everything else from a not-yet-authenticated client falls through to rule 65535 and is dropped. Opengate itself inserts the ipfw rules that open the Internet for a client after a successful login and removes them when the session ends. Two things to be aware of: the anti-spoofing rules only work if $inet:$imask and $onet:$omask are filled in (an empty value turns them into a syntax error), and the four DNS rules let any inside host, authenticated or not, talk to any DNS server on the Internet. Since named runs on the gateway itself, a stricter ruleset would allow port 53 from the inside only to $iip.

Setting up syslog logging

Edit /etc/syslog.conf and add:
local1.*    /var/log/opengate.log

Then create the file yourself:
# touch /var/log/opengate.log

Testing

Let Windows obtain an IP address automatically, then type any address into the browser. Log in with a system account from the BSD box. (The default page is in English; you can change it however you like.)

[Figure 12-1: screenshot of the Opengate "Network User Authentication" login page, which tells the user that authentication is required before network access is granted and asks for a user ID and password.]
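The rc.firewall shown above leaves onet, omask, oip, inet and imask for you to fill in, and the sample gives no way to look at the rules before loading them. The script below is an added example written for this page, not Opengate's own script. It assumes le0 as the outside interface on 192.168.0.0/24 with the gateway at 192.168.0.2 and le1 as the inside interface on 192.168.15.0/24 with the gateway at 192.168.15.1 (the inside values are the document's; the outside ones are assumed). It refuses to run while any of those variables is empty or is not a well-formed IPv4 address, and it prints every rule through $fwcmd, which defaults to echo, so the full ruleset can be reviewed; setting FWCMD=/sbin/ipfw on the gateway loads the same rules for real.

```shell
#!/bin/sh
# Dry-run builder for the opengate rc.firewall ruleset (added example, not part
# of Opengate). $fwcmd defaults to "echo" so the rules are printed, not loaded.
fwcmd="${FWCMD:-echo}"

# Interface variables. Inside values follow the document; outside values are assumed.
oif="le0";  onet="192.168.0.0";  omask="255.255.255.0"; oip="192.168.0.2"
iif="le1";  inet="192.168.15.0"; imask="255.255.255.0"; iip="192.168.15.1"

# is_ipv4 ADDR: succeed only for four dotted decimal octets, each in 0..255.
is_ipv4() {
    ip=$1; n=0
    while :; do
        o=${ip%%.*}                      # label before the first dot
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        n=$((n + 1))
        [ "$ip" = "$o" ] && break         # no dot left: last label consumed
        ip=${ip#*.}
    done
    [ "$n" -eq 4 ]
}

# check_vars: fail if an interface name is empty or an address is malformed.
# With an empty inet/imask the sample script would hand ipfw "from : to any".
check_vars() {
    for pair in "oif=$oif" "iif=$iif"; do
        [ -n "${pair#*=}" ] || { echo "check_vars: ${pair%%=*} is empty" >&2; return 1; }
    done
    for pair in "onet=$onet" "omask=$omask" "oip=$oip" "inet=$inet" "imask=$imask" "iip=$iip"; do
        is_ipv4 "${pair#*=}" || { echo "check_vars: ${pair%%=*}='${pair#*=}' is not an IPv4 address" >&2; return 1; }
    done
    return 0
}

# build_rules: emit the document's ruleset in order. Whatever is not matched
# here reaches the kernel default rule 65535, which is "deny" on a kernel built
# without IPFIREWALL_DEFAULT_TO_ACCEPT, so an unauthenticated client can only
# reach the portal (80/443 forwarded to localhost) and DNS.
build_rules() {
    check_vars || return 1
    # NAT: divert everything on the outside interface to natd
    $fwcmd add 1 divert natd ip4 from any to any via $oif
    # anti-spoofing: inside addresses never arrive on the outside interface, and vice versa
    $fwcmd add deny all from $inet:$imask to any in via $oif
    $fwcmd add deny all from $onet:$omask to any in via $iif
    # traffic to and from the gateway's own addresses
    $fwcmd add pass all from $iip to any via $iif
    $fwcmd add pass all from $oip to any via $oif
    $fwcmd add pass all from any to $iip via $iif
    $fwcmd add pass all from any to $oip via $oif
    # DNS is open to every inside host, authenticated or not
    $fwcmd add pass udp from any 53 to any
    $fwcmd add pass udp from any to any 53
    $fwcmd add pass tcp from any to any 53
    $fwcmd add pass tcp from any 53 to any
    # IPv6 neighbour discovery and IP fragments
    $fwcmd add pass ipv6-icmp from any to any
    $fwcmd add pass all from any to any frag
    # captive part: unauthenticated HTTP/HTTPS from the inside network is
    # redirected to the local web server that hosts the opengate CGI
    $fwcmd add 60000 fwd localhost tcp from $inet:$imask to any 80
    $fwcmd add 60000 fwd localhost tcp from $inet:$imask to any 443
    # replies to forwarded requests leave localhost with the original source address
    $fwcmd add 60100 pass tcp from any 80 to any out
    $fwcmd add 60100 pass tcp from any 443 to any out
    # IPv6 web connections get a reset so the browser does not hang
    $fwcmd add 60200 reset tcp from any to any 80
    $fwcmd add 60300 reset tcp from any to any 443
}

# Usage: sh rc.firewall.dryrun.sh                  prints the ruleset
#        FWCMD=/sbin/ipfw sh rc.firewall.dryrun.sh  loads it (as root, on the gateway)
build_rules
```

Run it once with the default echo and compare the printed rules against the listing above before pointing FWCMD at ipfw; the check fires before any rule is emitted, so a half-filled configuration is rejected as a whole rather than loaded partially.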
