Captive Portal Not Working

Started by hip.dimmy, August 06, 2025, 10:00:12 AM

But lighttpd is supposed to create these sockets ;)

I'm rearranging directory handling a bit to avoid permission clobbering:

https://github.com/opnsense/core/commit/066514a7ac

And then try to reproduce. BRB.


Cheers,
Franco

Wondering whether this is a tmpfs thing?

# df -h | grep tmpfs


Cheers,
Franco

Cannot reproduce this either way, but I'll ship the improvements in 25.7.2 (tomorrow) and would ask for you to test again based on that version.


Cheers,
Franco

Unfortunately it doesn't work any better in the OPNsense 25.7.2-amd64. Same logs, and the directory looks like this:

root@OPNsense:~ # tail -10 /var/log/lighttpd/lighttpd_20250825.log
<29>1 2025-08-25T10:23:24+03:00 OPNsense.ikenet lighttpd 82174 - [meta sequenceId="1"] (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.81/src/server.c.1971) server started (lighttpd/1.4.81)
<27>1 2025-08-25T10:23:24+03:00 OPNsense.ikenet lighttpd 82174 - [meta sequenceId="2"] (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.81/src/gw_backend.c.533) connect() /var/lib/php/tmp/php-fastcgi-cp.socket-0: Permission denied
<27>1 2025-08-25T10:23:24+03:00 OPNsense.ikenet lighttpd 82174 - [meta sequenceId="3"] (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.81/src/gw_backend.c.568) bind() unix:/var/lib/php/tmp/php-fastcgi-cp.socket-0: Permission denied
<27>1 2025-08-25T10:23:24+03:00 OPNsense.ikenet lighttpd 82174 - [meta sequenceId="4"] (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.81/src/gw_backend.c.1712) [ERROR]: spawning gw failed.
<27>1 2025-08-25T10:23:24+03:00 OPNsense.ikenet lighttpd 82174 - [meta sequenceId="5"] (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.81/src/server.c.1975) Configuration of plugins failed. Going down.
root@OPNsense:~ # tail -10 /var/log/lighttpd/lighttpd_20250825.log
root@OPNsense:~ # ls -la /var/lib/php/tmp/
total 281
drwxrwxrwt  2 wwwonly wheel    960 Aug 25 10:16 .
drwxr-x---  5 root    wheel    512 Jul  6 23:35 ..
-rw-r-----  1 wwwonly wheel  34639 Aug 24 21:45 configdmodelfield.data
-rw-rw----  1 wwwonly wheel    913 Aug 24 21:45 mdl_cache_OPNsense_Cron_Cron.json
-rw-rw----  1 wwwonly wheel  12345 Aug 25 10:16 mdl_cache_OPNsense_Firewall_Alias.json
-rw-rw----  1 wwwonly wheel    229 Aug 24 21:45 mdl_cache_OPNsense_Firewall_Category.json
-rw-rw----  1 wwwonly wheel 152535 Aug 24 21:45 mdl_cache_OPNsense_HAProxy_HAProxy.json
-rw-rw----  1 wwwonly wheel   2028 Aug 24 21:45 mdl_cache_OPNsense_IPsec_IPsec.json
-rw-rw----  1 wwwonly wheel   1947 Aug 24 21:46 mdl_cache_OPNsense_TrafficShaper_TrafficShaper.json
-rw-rw----  1 wwwonly wheel   2485 Aug 24 21:45 mdl_cache_OPNsense_Wireguard_Client.json
-rw-rw----  1 wwwonly wheel    982 Aug 24 21:45 mdl_cache_OPNsense_Wireguard_Server.json
-rw-rw----  1 wwwonly wheel  22790 Aug 25 09:47 opnsense_acl_cache.json
-rw-rw----  1 wwwonly wheel  23893 Aug 25 10:23 opnsense_menu_cache.xml
srwxr-xr-x  1 root    wheel      0 Aug 24 21:46 php-fastcgi.socket-0
srwxr-xr-x  1 root    wheel      0 Aug 24 21:46 php-fastcgi.socket-1
srwxr-xr-x  1 root    wheel      0 Aug 24 21:46 php-fastcgi.socket-2
srwxr-xr-x  1 root    wheel      0 Aug 24 21:46 php-fastcgi.socket-3


Hi,

wanted to join this thread. I have the same problems. First I thought I messed up with the firewall rules, but seems something "special". Happy I found this thread and others mentioning the same issues.
Not sure I can contribute much to it. If it is not directly related to the functionality of the portal itself, it seems to run for some users, it might be related to some config or side effects from other plugins. If this would make sense, what would be the best way to share the list of installed plugins?

Best
Martin

I'm still having the same issue on 25.7.3. After booting, it looks like lighttpd is not creating these sockets:

root@opnsense:~ # sockstat | grep /var/lib/php/tmp/php-fastcgi.socket-
root     php-cgi    96915 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     php-cgi    96461 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     php-cgi    95886 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     php-cgi    95568 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     php-cgi    95045 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     php-cgi    92984 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     php-cgi    66399 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
root     php-cgi    65970 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
root     php-cgi    65465 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
root     php-cgi    64972 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
root     php-cgi    64305 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
root     php-cgi    63720 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
root     php-cgi    52184 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     php-cgi    51868 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     php-cgi    51428 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     php-cgi    51386 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     php-cgi    51195 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     php-cgi    50723 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     php-cgi    10796 0   stream /var/lib/php/tmp/php-fastcgi.socket-4
root     php-cgi    10502 0   stream /var/lib/php/tmp/php-fastcgi.socket-4
root     php-cgi    10336 0   stream /var/lib/php/tmp/php-fastcgi.socket-4
root     php-cgi     9756 0   stream /var/lib/php/tmp/php-fastcgi.socket-4
root     php-cgi     9508 0   stream /var/lib/php/tmp/php-fastcgi.socket-4
root     php-cgi     8480 0   stream /var/lib/php/tmp/php-fastcgi.socket-4

Yes, it hasn't started working for me either.

It looks like we have the exact same issue on Version 25.7.3_7.

We started with the Captive portal years ago and never changed the configuration.
I did grab the latest config template when I found out that there was a problem with the captive portal.
No change regarding the problem with an unaltered default config.

Anything we can help you with?

Let's try this again from the top:

1. These sockets with the wrong permissions are only created by the web GUI, not the captive portal. So kill all lighttpd to be able to free the sockets:

# killall lighttpd
# rm /var/lib/php/tmp/php-fastcgi.*

2. Bring back the GUI and check if the sockets have the right permission (wwwonly/wheel)

# configctl webgui restart
# ls -lah /var/lib/php/tmp/

If the permissions match do you maybe have some web GUI include file or rc.conf setup that would start this away from our code breaking the correct startup and permission sequence?


Cheers,
Franco
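
The ownership check from step 2 can be scripted, as an added example that is not part of the post above or of OPNsense's own code: it reads `ls -la` output and reports every `php-fastcgi` socket that is not owned by wwwonly/wheel. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag php-fastcgi sockets whose owner/group differ from the
# pair named in the thread (wwwonly/wheel). Input: `ls -la` output on stdin.

EXPECTED_OWNER="wwwonly"
EXPECTED_GROUP="wheel"

# Prints "<name> <owner>:<group> <mode>" for each mismatching socket.
# Exit status: 0 = all sockets match, 1 = mismatch found, 2 = no sockets seen.
check_sockets() {
    awk -v o="$EXPECTED_OWNER" -v g="$EXPECTED_GROUP" '
        # Sockets have "s" as the first mode character; the name is the last field.
        $1 ~ /^s/ && $NF ~ /^php-fastcgi/ {
            seen++
            if ($3 != o || $4 != g) {
                printf "%s %s:%s %s\n", $NF, $3, $4, $1
                bad++
            }
        }
        END {
            if (seen == 0) { print "no php-fastcgi sockets found"; exit 2 }
            exit (bad > 0)
        }
    '
}

# Constructed sample in the listing format shown in this thread:
# one socket owned by root, one owned by wwwonly.
sample_listing() {
    cat <<'EOF'
total 273
drwxrwxrwt  2 wwwonly wheel  960B Sep 30 11:55 .
-rw-rw----  1 wwwonly wheel   23K Sep 30 11:48 opnsense_menu_cache.xml
srwxr-x---  1 root    wheel    0B Sep 30 11:55 php-fastcgi.socket-0
srwxr-x---  1 wwwonly wheel    0B Sep 30 11:55 php-fastcgi.socket-1
EOF
}

# On the firewall itself: ls -la /var/lib/php/tmp/ | check_sockets
sample_listing | check_sockets || true
```
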

Hi, I did the commands above. No help. The directory looks like this:

root@OPNsense:~ # ls -lah /var/lib/php/tmp/
total 273
drwxrwxrwt  2 wwwonly wheel  960B Sep 30 11:55 .
drwxr-x---  5 root    wheel  512B Jul  6 23:35 ..
-rw-r-----  1 wwwonly wheel   34K Sep 12 17:04 configdmodelfield.data
-rw-rw----  1 wwwonly wheel  913B Sep 12 17:04 mdl_cache_OPNsense_Cron_Cron.json
-rw-rw----  1 wwwonly wheel   11K Sep 30 11:46 mdl_cache_OPNsense_Firewall_Alias.json
-rw-rw----  1 wwwonly wheel  229B Sep 12 17:04 mdl_cache_OPNsense_Firewall_Category.json
-rw-rw----  1 wwwonly wheel  147K Sep 12 17:04 mdl_cache_OPNsense_HAProxy_HAProxy.json
-rw-rw----  1 wwwonly wheel  2.0K Sep 12 17:04 mdl_cache_OPNsense_IPsec_IPsec.json
-rw-rw----  1 wwwonly wheel  1.8K Sep 12 17:04 mdl_cache_OPNsense_TrafficShaper_TrafficShaper.json
-rw-rw----  1 wwwonly wheel  2.4K Sep 12 17:04 mdl_cache_OPNsense_Wireguard_Client.json
-rw-rw----  1 wwwonly wheel  957B Sep 12 17:04 mdl_cache_OPNsense_Wireguard_Server.json
-rw-rw----  1 wwwonly wheel   22K Sep 30 11:41 opnsense_acl_cache.json
-rw-rw----  1 wwwonly wheel   23K Sep 30 11:48 opnsense_menu_cache.xml
srwxr-x---  1 root    wheel    0B Sep 30 11:55 php-fastcgi.socket-0
srwxr-x---  1 root    wheel    0B Sep 30 11:55 php-fastcgi.socket-1
srwxr-x---  1 root    wheel    0B Sep 30 11:55 php-fastcgi.socket-2
srwxr-x---  1 root    wheel    0B Sep 30 11:55 php-fastcgi.socket-3

and here is all my rc.conf, I have not manually edited it:

root@OPNsense:~ # grep . /etc/rc.conf.d/*
/etc/rc.conf.d/acme_http_challenge:acme_http_challenge_enable=YES
/etc/rc.conf.d/acme_http_challenge:acme_http_challenge_conf="/var/etc/lighttpd-acme-challenge.conf"
/etc/rc.conf.d/acme_http_challenge:acme_http_challenge_pidfile="/var/run/lighttpd-acme-challenge.pid"
/etc/rc.conf.d/acme_http_challenge:acme_http_challenge_setup="/usr/local/opnsense/scripts/OPNsense/AcmeClient/setup.sh"
/etc/rc.conf.d/captiveportal:captiveportal_defer="YES"
/etc/rc.conf.d/captiveportal:captiveportal_enable="YES"
/etc/rc.conf.d/ddclient:ddclient_enable="NO"
/etc/rc.conf.d/ddclient_opn:ddclient_opn_enable="YES"
/etc/rc.conf.d/ddclient_opn:ddclient_opn_setup="/usr/local/opnsense/scripts/ddclient/setup.sh"
/etc/rc.conf.d/dnctl:dummynet_enable="YES"
/etc/rc.conf.d/dnctl:dnctl_enable="YES"
/etc/rc.conf.d/dnctl:dnctl_rules="/usr/local/etc/dnctl.conf"
/etc/rc.conf.d/dnctl:dnctl_setup="/usr/local/opnsense/scripts/shaper/setup.sh"
/etc/rc.conf.d/dnctl:dnctl_skip="YES"
/etc/rc.conf.d/dnsmasq:dnsmasq_enable="NO"
/etc/rc.conf.d/flowd:#
/etc/rc.conf.d/flowd:# Automatic generated configuration for netflow.
/etc/rc.conf.d/flowd:# Do not edit this file manually.
/etc/rc.conf.d/flowd:#
/etc/rc.conf.d/flowd:flowd_enable="NO"
/etc/rc.conf.d/flowd_aggregate:#
/etc/rc.conf.d/flowd_aggregate:# Automatic generated configuration for netflow.
/etc/rc.conf.d/flowd_aggregate:# Do not edit this file manually.
/etc/rc.conf.d/flowd_aggregate:#
/etc/rc.conf.d/flowd_aggregate:flowd_aggregate_enable="NO"
/etc/rc.conf.d/haproxy:haproxy_enable=YES
/etc/rc.conf.d/haproxy:haproxy_setup="/usr/local/opnsense/scripts/OPNsense/HAProxy/setup.sh"
/etc/rc.conf.d/haproxy:haproxy_pidfile="/var/run/haproxy.pid"
/etc/rc.conf.d/haproxy:haproxy_config="/usr/local/etc/haproxy.conf"
/etc/rc.conf.d/haproxy:haproxy_hardstop=YES
/etc/rc.conf.d/haproxy:haproxy_softreload=NO
/etc/rc.conf.d/ipfw:firewall_enable="YES"
/etc/rc.conf.d/ipfw:firewall_script="/usr/local/etc/rc.ipfw"
/etc/rc.conf.d/ipfw:ipfw_skip="YES"
/etc/rc.conf.d/kea:kea_enable="YES"
/etc/rc.conf.d/kea:kea_setup="/usr/local/sbin/pluginctl -c kea_sync"
/etc/rc.conf.d/monit:# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
/etc/rc.conf.d/monit:monit_enable="NO"
/etc/rc.conf.d/netflow:#
/etc/rc.conf.d/netflow:# Automatic generated configuration for netflow.
/etc/rc.conf.d/netflow:# Do not edit this file manually.
/etc/rc.conf.d/netflow:#
/etc/rc.conf.d/netflow:netflow_enable="NO"
/etc/rc.conf.d/radiusd:radiusd_enable="NO"
/etc/rc.conf.d/suricata:suricata_enable="NO"
/etc/rc.conf.d/syslog_ng:syslog_ng_enable="YES"
/etc/rc.conf.d/syslog_ng:syslog_ng_oomprotect="ALL"
/etc/rc.conf.d/syslog_ng:syslog_ng_pidfile="/var/run/syslog-ng.pid"
/etc/rc.conf.d/syslog_ng:syslog_ng_skip="YES"
/etc/rc.conf.d/telegraf:telegraf_setup="/usr/local/opnsense/scripts/OPNsense/Telegraf/setup.sh"
/etc/rc.conf.d/telegraf:telegraf_enable="YES"
/etc/rc.conf.d/telegraf:telegraf_confdir="/usr/local/etc/telegraf.d"
/etc/rc.conf.d/wireguard:# disable the wireguard rc scripts when installed, bootup handled via rc.syshook
/etc/rc.conf.d/wireguard:wireguard_enable="NO"
root@OPNsense:~ # grep . /etc/rc.conf
# -- BEGIN BSD Installer automatically generated configuration  -- #
# -- Written on Wed Sep 6 16:42:32 UTC 2017-- #
keymap='fi'
# -- END of BSD Installer automatically generated configuration -- #

Just at a glance acme-client plugin could be interfering here with the lighttpd challenge -- if someone else with the problem could confirm they are using it too that would be useful.

I'll try to check later today after releasing 25.7.4.


Cheers,
Franco

acme works, so it doesn't get blocked due to it. Not to say it wouldn't interfere.

Yes, we are using acme-challenge.

We can confirm NOT using acme-client plugin and have the same captive portal problem.