OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 17.1 Legacy Series »
  • [SOLVED] Captive portal shall return HTTP 302, not HTTP 301
« previous next »
  • Print
Pages: [1]

Author Topic: [SOLVED] Captive portal shall return HTTP 302, not HTTP 301  (Read 8465 times)

gjherbiet

  • Newbie
  • *
  • Posts: 5
  • Karma: 1
    • View Profile
[SOLVED] Captive portal shall return HTTP 302, not HTTP 301
« on: February 08, 2017, 04:12:54 pm »
Hello,

I'm fairly new to OPNsense (actually I'm just test-driving it for the moment) and I'm facing an issue with captive portal setup.

To perform redirection to the captive portal, the underlying lighttpd server replies with and HTTP 301 "Moved permanently" status (see curl output below).

Code: [Select]
$ curl -I http://www.opnsense.org
HTTP/1.1 301 Moved Permanently
Location: http://192.168.1.1:8000/index.html?redirurl=www.opnsense.org/
Date: Wed, 08 Feb 2017 14:48:41 GMT
Server: lighttpd

$ curl -I http://www.opnsense.org
HTTP/1.1 301 Moved Permanently
Location: http://portal.test.tld:8000/index.html?redirurl=www.opnsense.org/
Date: Wed, 08 Feb 2017 14:49:03 GMT
Server: lighttpd

However this has the downside effect that browsers will remember this redirection. Once the user has activated its Internet access, or even if you switch network, and type the same url that triggered the captive portal, the browser will perform the redirection by himself.

I noticed that by switching a client between a test network (behind a OPNsense RFW with captive portal enabled) and my regular network.

This was experienced with a MacBookPro7,1 running macOS Sierra 10.12.3 and impacted bot Safari 10.0.3 (12602.4.8) and Google Chrome 56.0.2924.87

The OPNsense version is as follows:
OPNsense 17.1-amd64
FreeBSD 11.0-RELEASE-p7
OpenSSL 1.0.2k 26 Jan 2017

I have already worked with captive portal setups and in all examples I have in mind redirection was performed using HTTP 302 "Found" status code to redirect to the captive portal page.

To comply with RFC 6585, the captive portal page should reply an HTTP 511 "Network Authentication Required" status (although I think it breaks Apple iOS captive portal detection and might be reserved to "regular" browsers only).

I would be happy to be directed to the relevant lighttpd code and issue a pull request, or to have it fixed in next release.

Regrards,
« Last Edit: February 09, 2017, 10:59:16 am by franco »
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13902
  • Karma: 1206
    • View Profile
Re: Captive portal shall return HTTP 302, not HTTP 301
« Reply #1 on: February 08, 2017, 04:38:01 pm »
Hi there,

Can you try this patch? https://github.com/opnsense/core/commit/714bd18c

Applies from the shell:

# opnsense-patch 714bd18c


Cheers,
Franco
Logged

gjherbiet

  • Newbie
  • *
  • Posts: 5
  • Karma: 1
    • View Profile
Re: Captive portal shall return HTTP 302, not HTTP 301
« Reply #2 on: February 09, 2017, 10:16:24 am »
Works as intended. Thanks.
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13902
  • Karma: 1206
    • View Profile
Re: Captive portal shall return HTTP 302, not HTTP 301
« Reply #3 on: February 09, 2017, 10:59:08 am »
Will be part of 17.1.2, many thanks! :)


Cheers,
Franco
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 17.1 Legacy Series »
  • [SOLVED] Captive portal shall return HTTP 302, not HTTP 301
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2