Squid Proxy Splash Page
Hi All! So after my last article regarding securing a guest network web access with Squid and SquidGuard, I wanted to share how I came about creating a Splash Page for Guest users of my Free WiFi hotspot. My goal was to present new Guests with a splash page identifying certain Terms of Usage, etc. Basically we will need a HTML or PHP Splash Page, an ACL identifying the Guests by IP, an external ACL program (squid_session), and a Deny with Information (deny_info).
Some prelimary info:
Some prelimary info:
- Squid 3.1.19
- Ubuntu 12.04.2 64-bit Server Edition
- Apache2 w/PHP5 Installed
- Guest’s Subnet 192.168.1.0/24
Confirm you have the External ACL Helper Installed
Search for a program called squid_session, mine was located in /usr/lib/squid3/squid_session. If you do not have this installed, you will need to uninstall squid, and reinstall it from source with squid_session. (outside the scope of this post.)Create Session Database file
NOTICE: You have to give whatever user runs the squid process access to this file.Configure Squid
Add the following to the conf file:- external_acl_type — denotes that an external ACL helper will be used to determine validity
- acl guest_sessions external sessions — creates a new ACL called guest_sessions that will use the external ACL from above
- deny_info – location of page to be presented when user is denied. %s is a dynamic variable that contains the original URL the user tried to go to.
- http_access deny – in this statement we deny every client in the gNetwork range of 192.168.1.0/24 unless, they are part of the guest_sessions ACL.
Create Splash Page
A splash page should contain any content that you want to present to your users. In my case I create one with basic Terms of Usage, such as no illegal activity, or downloading of large files, etc. Now remember our last deny_info statment? the splash.php?url=%s This is important as this is how we will remember what URL our user tried to go to before forcing them to the splash page.HTML/PHP:01020304050607080910111213141516<html>...omitted HTML head and title...<body>...omitted Content...<!--Accept Form --><h4>By clicking accept you accept the terms of usage explained below of WiFi Usage:</h4><?phpecho'<form action="'. htmlspecialchars($_GET["url"]) . '"target="_blank"><inputtype="submit"value="Accept"></form>'?><body></html>NOTICE: I use PHP here to capture the url=value and place it in the HTML form. When a user clicks the form the action is the URL they originally tried to visit, so they will be navigated there.Restart squid3
Restart squid3 to ensure that the child process squid_session starts..Verify squid_session process:
Other Thoughts
The above example is not entirely secure in presenting the page properly to each user at a set interval. See the squid3 documentation below in the source section. For example, if a user on the gNetwork tries to navigate to a web site, they are presented with the Splash page, once the Splash page has been sent to them they are now stored in the squid_session helper, before they click accept. The concern here is liability, if you are setting this up for a massive Free WiFi network and have legitimate legal concerns, etc. You should look into the active squid_session method. From my understanding, this method allows you to set more than just a client’s IP as a valid check, you could have them enter their email address or something else identifiable. I was unable to figure out how to incorporate Squid Sessions with Active Method, but if someone has please comment! I would like to see what you did to make it work.
Sources:
