OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: gjherbiet on February 08, 2017, 04:12:54 pm

Title: [SOLVED] Captive portal shall return HTTP 302, not HTTP 301
Post by: gjherbiet on February 08, 2017, 04:12:54 pm
Hello,

I'm fairly new to OPNsense (actually I'm just test-driving it for the moment) and I'm facing an issue with captive portal setup.

To perform redirection to the captive portal, the underlying lighttpd server replies with an HTTP 301 "Moved permanently" status (see curl output below).

Code:
$ curl -I http://www.opnsense.org
HTTP/1.1 301 Moved Permanently
Location: http://192.168.1.1:8000/index.html?redirurl=www.opnsense.org/
Date: Wed, 08 Feb 2017 14:48:41 GMT
Server: lighttpd

$ curl -I http://www.opnsense.org
HTTP/1.1 301 Moved Permanently
Location: http://portal.test.tld:8000/index.html?redirurl=www.opnsense.org/
Date: Wed, 08 Feb 2017 14:49:03 GMT
Server: lighttpd

However, this has the downside effect that browsers will remember this redirection. Once the user has activated their Internet access, or even if you switch networks, and type the same URL that triggered the captive portal, the browser will perform the redirection by itself.

I noticed that by switching a client between a test network (behind an OPNsense RFW with captive portal enabled) and my regular network.

This was experienced with a MacBookPro7,1 running macOS Sierra 10.12.3 and impacted both Safari 10.0.3 (12602.4.8) and Google Chrome 56.0.2924.87.

The OPNsense version is as follows:
OPNsense 17.1-amd64
FreeBSD 11.0-RELEASE-p7
OpenSSL 1.0.2k 26 Jan 2017

I have already worked with captive portal setups and in all examples I have in mind redirection was performed using HTTP 302 "Found" status code to redirect to the captive portal page.

To comply with RFC 6585, the captive portal page should reply with an HTTP 511 "Network Authentication Required" status (although I think it breaks Apple iOS captive portal detection and might be reserved for "regular" browsers only).

I would be happy to be directed to the relevant lighttpd code and issue a pull request, or to have it fixed in the next release.

Regards,
Title: Re: Captive portal shall return HTTP 302, not HTTP 301
Post by: franco on February 08, 2017, 04:38:01 pm
Hi there,

Can you try this patch? https://github.com/opnsense/core/commit/714bd18c

Applies from the shell:

# opnsense-patch 714bd18c


Cheers,
Franco
Title: Re: Captive portal shall return HTTP 302, not HTTP 301
Post by: gjherbiet on February 09, 2017, 10:16:24 am
Works as intended. Thanks.
Title: Re: Captive portal shall return HTTP 302, not HTTP 301
Post by: franco on February 09, 2017, 10:59:08 am
Will be part of 17.1.2, many thanks! :)


Cheers,
Franco
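
A check for the behaviour reported in this thread, as an added example that is not part of the original posts or of OPNsense's code: it parses `curl -I` output from a portal-intercepted request and flags redirects a browser may store and replay on another network. The function names are hypothetical; the 301 sample is the response quoted in the first post, and the 302 sample is constructed.

```python
from urllib.parse import urlsplit

# 301 (RFC 7231) and 308 (RFC 7538) are cacheable by default;
# 302/303/307 are stored only when the response carries explicit freshness.
PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}

# Response quoted in the first post of this thread.
PAGE_301 = """HTTP/1.1 301 Moved Permanently
Location: http://192.168.1.1:8000/index.html?redirurl=www.opnsense.org/
Date: Wed, 08 Feb 2017 14:48:41 GMT
Server: lighttpd
"""
# Constructed sample: the same response with the status the thread asks for.
CONSTRUCTED_302 = PAGE_301.replace("301 Moved Permanently", "302 Found")


def parse_head(raw):
    """Split raw response headers into (status, {lowercased-name: value})."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_portal_redirect(raw):
    """Return (verdict, reason) for one captive-portal response."""
    status, headers = parse_head(raw)
    cache_control = headers.get("cache-control", "").lower()
    explicit = "max-age" in cache_control or "expires" in headers
    if status == 511:
        return "ok", "511 marks the reply as coming from the network, not the origin"
    if status not in PERMANENT | TEMPORARY:
        return "warn", f"{status} is not a portal redirect"
    if "no-store" in cache_control:
        return "ok", f"{status} with no-store must not be cached"
    if status in PERMANENT or explicit:
        host = urlsplit(headers.get("location", "")).netloc
        return "fail", f"{status} to {host} may be cached and replayed on other networks"
    return "ok", f"{status} without freshness headers is not cached"


if __name__ == "__main__":
    for sample in (PAGE_301, CONSTRUCTED_302):
        print(audit_portal_redirect(sample))
```
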