2. Setup script installation - Gguardiola/Sidius-CaptivePortal GitHub Wiki
NOTE: Check the requirements before continuing!
REMEMBER TO FOLLOW THIS WIKI AS ROOT USER!
apt-get install python3 python3-pip
Check if you have Git installed
apt-get install git
Clone the repository
git clone https://github.com/Gguardiola/Sidius-CaptivePortal.git
At the captive portal folder, run the setup script
python3 setup.py
The script will check and install the dependencies.
_______ ___ ______ ___ __ __ _______
| | | | | | | | | | | | | |
| _____| | | | _ | | | | | | | | _____|
| |_____ | | | | | | | | | |_| | | |_____
|_____ | | | | |_| | | | | | |_____ |
_____| | | | | | | | | | _____| |
|_______| |___| |______| |___| |_______| |_______|
SIDIUS PROJECT - JGTEK Captive portal SETUP
Please verify that you comply with the following points before continuing.
· Internet connection
· Two network interfaces
· System updated and upgraded
· Have a valid SSL certificate
Continue?[y/n]: y
==================================================================
======================== SYSTEM CHECK ============================
==================================================================
SETUP RUNNING WITH ROOT -------------------------- OK
MORE THAN 2 NETWORK INTERFACES ------------------- OK
===================================================================
======================== DEPENDENCES SETUP ========================
===================================================================
Installing vnstat...
Installing ifstat...
vnstat ------------------- OK
ifstat ------------------- OK
DEPENDENCES DONE!
If you already have Apache2, MySQL and PHP, we recommend you go to the Manual installation sections "LAMP", "Putting SSL certificate into Apache2" and "Security, logs & permissions".
After installing Apache2, the script will run the MySQL secure installation. MySQL will ask you to configure things like the root password, removing anonymous users, and so on.
VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?
Press y|Y for Yes, any other key for No: Y
We recommend password strength level 1 (MEDIUM).
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1
Using existing password for root.
Estimated strength of the password: 100
Change the password for root ? ((Press y|Y for Yes, any other key for No) : y
For the following questions, we recommend choosing Y.
If everything went right, the script will print OK:
apache2 ------------------- OK
mysql ------------------- OK
php ------------------- OK
LAMP DONE!
===========================================================
======================== DNS SETUP ========================
===========================================================
Do you want to configure a Domain name?[y/n]: y
Installing BIND9...
bind9 ------------------- OK
Domain name:
Example: elPratAirport.webredirect.org
- jgtektest.webredirect.org
Internal network interface IP Address:
Example: 192.168.1.1
- 192.168.1.1
Internal network interface Subnet Mask:
Example: /24
- /24
The next step asks whether you want a family-friendly filter. This DNS forwarder works like a proxy: it denies access to adult content sites, illegal sites, etc.
Updating BIND9 files...
Do you want to configure a family friendy filter? This will deny the access to adult sites or ilegal sites![y/n]:
If you already have a DNS service, we recommend you go to the Manual installation DHCP section and check that your DHCP service meets the captive portal requirements.
============================================================
======================== DHCP SETUP ========================
============================================================
Do you want to configure the DHCP?[y/n]: y
Installing isc-dhcp-server...
dhcpd ------------------- OK
DHCP SUBNET
Internal network subnet IP address:
Example: 192.168.1.0
- 192.168.1.0
Internal network subnet mask:
Example: 255.255.255.0
- 255.255.255.0
Internal network interface IP address:
Example: 192.168.1.1
- 192.168.1.1
DHCP RANGE
First IP address:
Example: 192.168.1.20
- 192.168.1.20
Last IP address:
Example: 192.168.1.254
- 192.168.1.254
DHCP DONE!
Now the script will modify the sudoers file and set up the firewall iptables rules. Just in case, we recommend keeping a backup copy of this file (/etc/sudoers).
WARNING: Please follow the placeholder format! Example: if the current input placeholder is 10.110.0.0/16, don't forget to write the /16 (or whatever subnet mask corresponds to your IP address).
================================================================
======================== FIREWALL SETUP ========================
================================================================
Giving Apache2 privileges to run iptables commands...
Setting up iptables rules...
External network interface name:
Example: enp0s3
- enp0s3
Internal network interface name:
Example: enp0s8
- enp0s8
External network subnet IP address (with subnet mask):
Example: 10.110.0.0/16
- 10.110.0.0/16
Internal network interface IP address:
Example: 192.168.1.1
- 192.168.1.1
External network default gateway (with subnet mask):
Example: 10.110.0.1/16
- 10.110.0.1/16
IP address of the single host that can connect via SSH:
IF YOU DON'T WANT ANYONE TO CONNECT VIA SSH, LEAVE THE FIELD EMPTY
Example: 10.110.0.10
- 10.110.0.10
THE DEFAULT PAYMENT GATEWAY IS REDSYS, IF YOU WANT TO CHANGE THIS, PLEASE CHECK DE DOCUMENTATION IN https://github.com/Gguardiola/Sidius-CaptivePortal/wiki/3.-Manual-installation#handling-of-the-payment-gateway
FIREWALL DONE!
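The DHCP and firewall prompts above are answered by hand, and the script only warns about the placeholder format, so a mistyped mask or a DHCP range that swallows the gateway address is easy to commit. The following pre-flight check is an added example, not part of the Sidius setup script: it takes the answers you are about to type (the sample values are the wiki's own placeholders, assembled here as a constructed dictionary) and reports inconsistencies between them before you run setup.py.

```python
"""Pre-flight consistency check for the setup script's DHCP and firewall answers.

Added example (not from the Sidius project). The dictionary keys are
assumed names chosen here; the values mirror the placeholders the wiki shows.
"""
import ipaddress

# Constructed sample answers, one per prompt in the DHCP and FIREWALL sections.
SAMPLE_ANSWERS = {
    "internal_subnet": "192.168.1.0",        # DHCP: internal network subnet IP address
    "internal_mask": "255.255.255.0",        # DHCP: internal network subnet mask
    "internal_if_ip": "192.168.1.1",         # DHCP/firewall: internal interface IP
    "dhcp_first": "192.168.1.20",            # DHCP range start
    "dhcp_last": "192.168.1.254",            # DHCP range end
    "external_subnet": "10.110.0.0/16",      # firewall: external subnet (mask required)
    "external_gateway": "10.110.0.1/16",     # firewall: default gateway (mask required)
    "ssh_host": "10.110.0.10",               # firewall: single SSH host, "" for nobody
}


def _with_mask(text, label, problems):
    """Parse 'a.b.c.d/len' as the firewall placeholders expect; the mask is mandatory."""
    if "/" not in text:
        problems.append(f"{label}: missing subnet mask, expected something like 10.110.0.0/16")
        return None
    try:
        return ipaddress.ip_interface(text)
    except ValueError as e:
        problems.append(f"{label}: {e}")
        return None


def check_answers(a):
    """Return a list of problems; an empty list means the answers are consistent."""
    problems = []
    # DHCP section: subnet + mask must describe a network, not a host address.
    try:
        internal = ipaddress.ip_network(f"{a['internal_subnet']}/{a['internal_mask']}", strict=True)
    except ValueError as e:
        return [f"internal subnet: {e}"]
    try:
        if_ip = ipaddress.ip_address(a["internal_if_ip"])
        first = ipaddress.ip_address(a["dhcp_first"])
        last = ipaddress.ip_address(a["dhcp_last"])
    except ValueError as e:
        return [f"address: {e}"]
    for label, ip in (("interface IP", if_ip), ("first DHCP address", first),
                      ("last DHCP address", last)):
        if ip not in internal:
            problems.append(f"{label} {ip} is outside {internal}")
        elif ip in (internal.network_address, internal.broadcast_address):
            problems.append(f"{label} {ip} is the network or broadcast address of {internal}")
    if first > last:
        problems.append(f"DHCP range is reversed: {first} > {last}")
    elif first <= if_ip <= last:
        # The portal's own address must never be leased to a client.
        problems.append(f"DHCP range {first}-{last} includes the interface IP {if_ip}")
    # Firewall section: the placeholders carry the mask, so both values must too.
    ext_net = _with_mask(a["external_subnet"], "external subnet", problems)
    ext_gw = _with_mask(a["external_gateway"], "external gateway", problems)
    if ext_net is not None:
        if ext_net.ip != ext_net.network.network_address:
            problems.append(f"external subnet {ext_net} is a host address, not a network")
        if ext_gw is not None and ext_gw.network != ext_net.network:
            problems.append(f"gateway {ext_gw} is not inside {ext_net.network}")
    if a["ssh_host"]:
        try:
            ipaddress.ip_address(a["ssh_host"])
        except ValueError as e:
            problems.append(f"SSH host: {e}")
    return problems


if __name__ == "__main__":
    for problem in check_answers(SAMPLE_ANSWERS) or ["answers are consistent"]:
        print(problem)
```

Run it with your own values before starting setup.py; every reported problem corresponds to a prompt you would otherwise have to correct by re-running the script.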
Now let the script do the magic. At the end it will ask if you want to run the firewall. We recommend you choose yes.
============================================================
======================== LOGS SETUP ========================
============================================================
Making the captiveportal.log...
DONE!
Making the iptablesRules.log...
DONE!
===================================================================
======================== PERMISSIONS SETUP ========================
===================================================================
Removing Apache2 directory index from the browser...
DONE!
Giving to apache2 permissions to write on the captive portal folder...
DONE!
Giving to apache2 permissions to write on captiveportal.log...
DONE!
Giving to apache2 permissions to write on iptablesRules.log...
DONE!
Restarting the services...
Do you want to run now the firewall?[y/n]:
The script has finished the hard work! It's time to polish a few small things and then jump to the first run page.
Configure the payment gateway
iptables has the problem that its rules are not persistent across a reboot. We also can't use iptables-persistent, because it starts before Bind9 (the DNS server): iptables then cannot resolve the hostnames used in the rules and the restore fails.
Solution:
Create a systemd service that starts after the network service.
Create the service file:
nano /etc/systemd/system/sidiusfirewall.service
[Unit]
Description=SIDIUS captive portal iptables rules trigger
# The rules contain hostnames, so DNS must be usable when this runs.
# If resolution still fails at boot, also list the DNS unit here, e.g.
# After=network.target bind9.service (named.service on newer releases).
After=network.target
[Service]
Type=oneshot
ExecStart=/var/www/html/captiveportal/cpanel/firewall.sh
[Install]
WantedBy=multi-user.target
sudo systemctl daemon-reload
sudo systemctl enable sidiusfirewall.service
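Before enabling the unit, check the script that root will execute at boot. The permissions step of the setup script gives apache2 write access to the captive portal folder, and this unit runs firewall.sh from inside that folder as root, so the file and the directories leading to it should be root-owned and writable by nobody else. The check below is an added example and not part of the Sidius project; the script path is the one from the unit file, and trusted_uid is an assumed parameter (0 for root).

```python
"""Check that a script run by root at boot cannot be modified by other accounts.

Added example (not from the Sidius project). FIREWALL_SCRIPT is the ExecStart
path from the wiki's unit file; trusted_uid is an assumed parameter.
"""
import os
import stat

FIREWALL_SCRIPT = "/var/www/html/captiveportal/cpanel/firewall.sh"


def script_issues(path, trusted_uid=0):
    """Return reasons why `path` should not be run by root at boot (empty list = fine)."""
    issues = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    if stat.S_ISLNK(st.st_mode):
        # A symlink can be repointed by whoever controls the link's directory.
        return [f"{path} is a symlink; point ExecStart at the real file"]
    if st.st_uid != trusted_uid:
        issues.append(f"{path} is owned by uid {st.st_uid}, not {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append(f"{path} is writable by group or others (mode {oct(st.st_mode & 0o777)})")
    if not st.st_mode & stat.S_IXUSR:
        issues.append(f"{path} is not executable by its owner")
    # Walk up the directory chain: a writable parent lets the file be replaced
    # even when the file itself is locked down (sticky world-writable dirs such
    # as /tmp are tolerated because only the owner can rename or unlink there).
    parent = os.path.dirname(os.path.abspath(path))
    while True:
        pst = os.stat(parent)
        if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not pst.st_mode & stat.S_ISVTX:
            issues.append(f"directory {parent} is writable by group or others")
        if parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    return issues


if __name__ == "__main__":
    for issue in script_issues(FIREWALL_SCRIPT) or ["firewall script looks safe to run as root"]:
        print(issue)
```

If the check reports the captive portal directories as group-writable, that is the write access the setup script granted to apache2; keep firewall.sh (and the cpanel directory) owned by root with mode 0700 or 0755 so the web server account can still run the portal without being able to change what root executes at boot.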
Check that it works
Reboot your computer. After startup, run iptables -L; if the output looks like the following, the service has worked:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere #conn src/32 > 10 reject-with tcp-reset
REJECT tcp -- anywhere anywhere #conn src/32 > 10 reject-with tcp-reset
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- 10.110.0.10 anywhere tcp dpt:ssh
ACCEPT udp -- dns.google anywhere udp spt:domain
ACCEPT udp -- dns.google anywhere udp spt:domain
ACCEPT tcp -- dns.google anywhere tcp spt:domain
ACCEPT tcp -- dns.google anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:http
DROP all -- anywhere anywhere state INVALID
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere 195.76.9.247
ACCEPT tcp -- anywhere mad07s09-in-f3.1e100.net
ACCEPT tcp -- anywhere mad07s10-in-f19.1e100.net
ACCEPT tcp -- anywhere vip0x00f.map2.ssl.hwcdn.net
ACCEPT tcp -- anywhere vip0x018.map2.ssl.hwcdn.net
ACCEPT tcp -- anywhere 104.16.86.20
ACCEPT tcp -- anywhere 104.16.89.20
ACCEPT tcp -- anywhere 104.16.87.20
ACCEPT tcp -- anywhere 104.16.85.20
ACCEPT tcp -- anywhere 104.16.88.20
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:ntp
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere 10.110.0.10 tcp spt:ssh
ACCEPT udp -- anywhere dns.google udp dpt:domain
ACCEPT udp -- anywhere dns.google udp dpt:domain
ACCEPT tcp -- anywhere dns.google tcp dpt:domain
ACCEPT tcp -- anywhere dns.google tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp spt:domain
ACCEPT udp -- anywhere anywhere udp spt:bootps
ACCEPT udp -- anywhere anywhere udp spt:bootpc
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
DROP all -- anywhere anywhere state INVALID
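Eyeballing the listing after every reboot is error-prone, so here is an added example (not part of the Sidius project) that reads the text of iptables -L and checks the properties the listing above is meant to show: all three built-in chains with a DROP policy, a rule dropping INVALID state in each, and SSH accepted only from the single host given during the firewall setup. The sample listing is a constructed, trimmed copy of the wiki's output; run the script against `iptables -L` output saved to a file for a real check.

```python
"""Audit `iptables -L` output against the state the wiki expects after reboot.

Added example (not from the Sidius project). The sample below is a constructed
subset of the wiki's listing; the function names are assumptions.
"""
import re
import sys

SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere             #conn src/32 > 10 reject-with tcp-reset
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  10.110.0.10          anywhere             tcp dpt:ssh
ACCEPT     udp  --  dns.google           anywhere             udp spt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
DROP       all  --  anywhere             anywhere             state INVALID

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             10.110.0.10          tcp spt:ssh
DROP       all  --  anywhere             anywhere             state INVALID
"""


def parse_listing(text):
    """Parse `iptables -L` output into {chain: {"policy": str|None, "rules": [dict]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|[^)]*)\)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}  # None for user chains
            continue
        parts = line.split()
        if current is None or len(parts) < 5 or parts[0] == "target":
            continue  # blank line or the column header
        chains[current]["rules"].append({
            "target": parts[0], "prot": parts[1], "source": parts[3],
            "destination": parts[4], "extra": " ".join(parts[5:]),
        })
    return chains


def audit(chains, ssh_host):
    """Return problems found; an empty list means the listing matches the expected state."""
    problems = []
    for name in ("INPUT", "FORWARD", "OUTPUT"):
        chain = chains.get(name)
        if chain is None:
            problems.append(f"{name}: chain missing (was the firewall script run?)")
            continue
        if chain["policy"] != "DROP":
            problems.append(f"{name}: policy is {chain['policy']}, expected DROP")
        if not any(r["target"] == "DROP" and "state INVALID" in r["extra"] for r in chain["rules"]):
            problems.append(f"{name}: no rule dropping state INVALID")
    inp = chains.get("INPUT", {"rules": []})
    ssh_rules = [r for r in inp["rules"] if r["target"] == "ACCEPT" and "dpt:ssh" in r["extra"]]
    if ssh_host and not any(r["source"] == ssh_host for r in ssh_rules):
        problems.append(f"INPUT: no ACCEPT for ssh from {ssh_host}")
    for r in ssh_rules:
        if r["source"] != ssh_host:
            problems.append(f"INPUT: ssh accepted from {r['source']}, expected only {ssh_host or 'nobody'}")
    return problems


if __name__ == "__main__":
    # Usage: iptables -L > listing.txt; python3 audit_rules.py listing.txt 10.110.0.10
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    host = sys.argv[2] if len(sys.argv) > 2 else "10.110.0.10"
    for problem in audit(parse_listing(text), host) or ["rules look as expected"]:
        print(problem)
```

Note that plain iptables -L resolves addresses to names (which is why dns.google and the 1e100.net hosts appear in the listing) and hides interface matches, so the first "ACCEPT all" rule shows no hint that it is bound to an interface; iptables -L -n -v prints raw addresses and the in/out interfaces and is the better form to audit.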
Assuming that you have the .pem SSL certificate and key, do the following:
a2enmod ssl
a2enmod rewrite
cd /etc/apache2/sites-enabled
a2dissite 000-default.conf
cd /etc/apache2/sites-available
nano default-ssl.conf
Declare the SSL certificate and key locations and redirect the HTTP traffic to the HTTPS page:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName jgtektest.webredirect.org
DocumentRoot /var/www/html/captiveportal
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/jgtektest.webredirect.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/jgtektest.webredirect.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /var/www/html/captiveportal
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{HTTP_HOST} !jgtektest.webredirect.org [NC]
RewriteRule ^(.*)$ https://jgtektest.webredirect.org [L,R=301]
</VirtualHost>
</IfModule>
In SSLCertificateFile and SSLCertificateKeyFile, put the location of your certificate and private key.
Now enable this site as the web server's main site:
a2ensite default-ssl.conf
Restart the Apache2 service
systemctl restart apache2
Switch the MySQL root account to native password authentication so the portal's PHP code can connect (older PHP MySQL drivers cannot authenticate against MySQL 8's default caching_sha2_password); replace 'password' with the root password you chose:
mysql -u root -p
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
\q
Move the folder to the Apache2 web folder
mv Sidius-CaptivePortal /var/www/html/captiveportal
Congratulations! You are almost at the end!
From a computer with a graphical environment (it can be the server), go to your captive portal website and add /first_run.php at the end (example.org/first_run.php).
NOTE: if you have chosen the family friendly DNS, the last two options of the picture above will not show.
Finally, you have a fully operating captive portal!
For security reasons, you need to delete first_run.php:
cd /var/www/html/captiveportal
rm first_run.php
If in the future you want to reconfigure the captive portal, come back to this repository and download it again.
If a user registers with the STANDARD or PRO plan and for some reason does not complete the payment, the captive portal will warn them at their next login that they need to complete it through the "Account settings" button.
But we need to create a MySQL event to make this possible! Every 10 minutes it removes UNPAID accounts that are older than 7 days:
mysql -u root -p
CREATE EVENT DeleteUNPAID ON SCHEDULE EVERY 10 MINUTE DO DELETE FROM login WHERE creation_date < NOW() - INTERVAL 7 DAY AND payment_status = 'UNPAID';
NOTE: Replace login with your auth table name (if it is the same, leave it as is). The event only runs while MySQL's event scheduler is enabled (SET GLOBAL event_scheduler = ON; it is on by default in MySQL 8).
You can log in as admin and enter the CPANEL by clicking the button shown after logging in.
There you can manage the system status, change the concession time of the plans, remove concessions, check the logs and the database users!