On 2012-08-06 4:01 AM, Nguyễn Hồng Quân wrote:
> Hello,
> I'm working on a captive portal based on WifiDog (under OpenWrt). My
> goal is to allow to login to captive portal using Google, Facebook
> account, via OAuth.
>
> Using OAuth requires logging in to Google, Facebook. I want users to
> have access to login form only, not the overall of Facebook, Google.
>
> As a captive portal, the traffic is controlled via iptables rules.
> However, the iptables control on IP address. If I open the IP address of
> GG, FB login form, users can access to the other part which share IP
> address with login form.
>
> I tried the method: using iptables to redirect traffic to a proxy and do
> filtering on proxy (Tinyproxy). But I was not successful because the
> OAuth login form uses HTTPS, where the URL is encrypted and proxy failed
> to parse.
>
> Do you have any solution?

There really is no good way to filter HTTPS traffic. It requires
intercepting the SSL connection and doing a man-in-the-middle attack on
it, which requires a certificate (otherwise it'll trigger nasty warnings
on the client side).

You could have automatic whitelisting for IPs based on DNS requests, but
that's complex and probably unreliable.

- Felix
_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
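
A sketch of the DNS-based whitelisting idea mentioned in the reply, added here as an example and not code from the thread, WifiDog or OpenWrt: it parses a DNS response, follows the CNAME chain of an allowlisted login hostname, and emits `ipset add` commands whose timeout follows the record TTL. The hostnames in `ALLOWED`, the set name `oauth_login`, the function names and the sample packet are assumptions; how responses are captured on the router is left out.

```python
import ipaddress
import struct

ALLOWED = {"accounts.google.com", "www.facebook.com"}  # assumed login hostnames
IPSET = "oauth_login"  # hypothetical set, created with timeout support
# Constructed response: accounts.google.com -> CNAME -> A 192.0.2.10, TTL 120 (made up).
SAMPLE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
    b"\x08accounts\x06google\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x08\x05login\xc0\x15"
    b"\xc0\x31\x00\x01\x00\x01\x00\x00\x00\x78\x00\x04\xc0\x00\x02\x0a"
)

def read_name(msg, off):  # decode a DNS name, following compression pointers
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # pointer: remember where the record continues
            end, hops = (off + 2 if end is None else end), hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
            off += 1 + n

def allowed_addresses(msg):  # [(ip, ttl)] for A records answering an allowlisted name
    _id, flags, qd, an = struct.unpack("!4H", msg[:8])
    qname, off = read_name(msg, 12) if qd == 1 else ("", 12)
    if not flags & 0x8000 or flags & 0x000F or qname not in ALLOWED:
        return []  # not a successful response for a hostname we allow
    chain, found, off = {qname}, [], off + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = off + 10, off + 10 + rdlen
        on_chain = rclass == 1 and name in chain  # IN record for the name or its CNAMEs
        if on_chain and rtype == 5:  # CNAME: its target joins the chain
            chain.add(read_name(msg, rdata)[0])
        elif on_chain and rtype == 1 and rdlen == 4:  # A record
            found.append((str(ipaddress.IPv4Address(msg[rdata:rdata + 4])), ttl))
    return found

def ipset_commands(msg):
    # ipset treats timeout 0 as permanent, so floor the TTL at 60 s (assumed policy).
    return [f"ipset add {IPSET} {ip} timeout {max(ttl, 60)} -exist"
            for ip, ttl in allowed_addresses(msg)]
```

The set only bounds which addresses are reachable: any other site served from the same address is reachable too, which is the shared-IP limit the original question already describes.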
