# Level 0 Setup with Webserver

Links: [[Forwarding Authentication Service]]

Solution: [[#Final Setup No FAS Level 0 Setup with Rust Backend]]

## Baseline: Reachable [[PHP]] server

### Notes

- `php7-mod-openssl` package confirmed unnecessary
- `php7-mod-hash` package confirmed unnecessary
- Starting the PHP webserver requires hostname = `0.0.0.0`
    - Neither `localhost` nor `127.0.0.1` work
- Confirmed webserver is not reachable unless `fasport` is set

### Steps

```bash
# Install server prerequisites
opkg update
opkg install php7-cli php7-cgi

# Create php web root and enter it
cd /root
mkdir -p php
cd php

# Create basic file
vim scp://[email protected]//root/php/index.html
cat index.html
<html>
<head></head>
<body>
<h3>PHP webserver is working</h3>
</body>
</html>

# Configure
uci set opennds.@opennds[0].fasport='2080'
uci commit opennds
service opennds restart

# Start the PHP webserver at port 2080
php-cli -S 0.0.0.0:2080    # Neither 127... nor localhost work
# Is now accessible at 192.168.2.1:2080
```

### Undo

```bash
# Undo everything
uci delete opennds.@opennds[0].fasport
uci commit opennds
service opennds restart

# Retain original directory structure
rm -rf /root/php

# Uninstall packages
opkg remove php7-cli php7-cgi
```

## Attempt 1: Level 0 FAS with [[Rust]] Backend

### Notes

- Using [[Lightning Router Daemon]]
- Like the [[PHP]] webserver, [[warp]] needs to be served at `0.0.0.0`
    - `127.0.0.1` confirmed doesn't work
- Confirmed webserver is not reachable unless `fasport` is set

### Steps

```bash
# Deploy code to router
./scripts/deploy.sh

# Configure
uci set opennds.@opennds[0].fasport='2080'
uci commit opennds
service opennds restart

# Run the Rust daemon
./daemon
# Is now accessible at 192.168.2.1:2080
```

### Undo

```bash
# Undo everything
uci delete opennds.@opennds[0].fasport
uci commit opennds
service opennds restart

# Remove files
rm -rf /root/frontend/build
rm /root/daemon
```

## Level 0 FAS Auth Debug Notes

GitHub issue I opened: https://github.com/openNDS/openNDS/issues/210

### (Authentication broken; missing tok)

- Possible workaround: make call to `ndsctl status`
- https://github.com/openNDS/openNDS/issues/210

### Splash page needs to be served by daemon

- Since FAS is enabled, the splash page is no longer served from the [[OpenNDS]] web root. [[Lightning Router Daemon]] needs to serve it now
- [ ] Make [[OpenNDS]] redirect to the splash page
    - Can use `faspath` to specify a splash page endpoint

### FAS level 0 doesn't include `$tok` in the query string

Docs which directly contradict this: https://opennds.readthedocs.io/en/stable/fas.html#example-fas-query-strings

[[cURL]] of FAS Level 0

```bash
curl 'http://192.168.2.1:2080/?clientip=192.168.2.150&gatewayname=OpenWrt%20openNDS&redir=http%3a%2f%2f192.168.2.1%2f' \
  -H 'Connection: keep-alive' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Sec-GPC: 1' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  --compressed \
  --insecure
```

Query params

- clientip: 192.168.2.150
- gatewayname: OpenWrt openNDS
- redir: http://192.168.2.1/

### [[cURL]] of auth request when FAS is disabled

i.e. the default behavior: `fasport` is not set, [[OpenNDS]] serves splash page from [[OpenNDS]] web root. This request is the one generated when the user hits "Continue".

Notes:

- GET `/opennds_auth`
- Just includes `tok` and `redir`

[[cURL]]

```bash
curl 'http://192.168.2.1:2050/opennds_auth/?tok=3a62017e&redir=http%3A%2F%2F192.168.2.1%3A2050%2Findex.html' \
  -H 'Connection: keep-alive' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Sec-GPC: 1' \
  -H 'Referer: http://192.168.2.1:2050/splash.html?redir=http%3a%2f%2f192.168.2.1%2f' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  --compressed \
  --insecure
```

Query params

- tok: 3a62017e
- redir: http://192.168.2.1:2050/index.html

### Test: Auth via [[cURL]] with FAS Level 0 Enabled (Success)

- `$tok` is grabbed from [[ndsctl]] status
- Let's just see if it works

```bash
ndsctl deauth '38:f9:d3:84:f7:a5'
ndsctl status
# Note token (09dce6c3)

curl 'http://192.168.2.1:2050/opennds_auth/?tok=09dce6c3&redir=http%3A%2F%2F192.168.2.1%3A2050%2Findex.html' \
  -H 'Connection: keep-alive' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Sec-GPC: 1' \
  -H 'Referer: http://192.168.2.1:2050/splash.html?redir=http%3a%2f%2f192.168.2.1%2f' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  --compressed \
  --insecure
# Successfully authenticated
```

### Fix attempt: Set `login_option_enabled='1'`

- `login_option_enabled='0'` by default
- Mode 1 always serves their default click to continue page
- Mode 0 behavior redirects to the FAS if FAS is enabled. Otherwise, it defaults to the behavior of Mode 1 (default click to continue)

Attempt

```bash
uci set opennds.@opennds[0].login_option_enabled='1'
uci commit opennds
service opennds restart
```

Undo

```bash
uci set opennds.@opennds[0].login_option_enabled='0'
uci commit opennds
service opennds restart
```

Result: Their `splash.html` served over MY webroot

![[Screen Shot 2021-08-31 at 7.19.57 AM.png]]

If I change the webroot back to the default, the css is accessible again:

```bash
uci set opennds.@opennds[0].webroot='/etc/opennds/htdocs'
uci commit opennds
service opennds restart
```

Looks like this 'fix' doesn't allow me to put up my own HTML when the user is authenticated for the first time.

## FAS Disabled: Debug Notes

### Fix attempt: `users_to_router=... 'tcp port 2080'` (Success!)

Attempt

```bash
uci delete opennds.@opennds[0].fasport
uci add_list opennds.@opennds[0].users_to_router='allow tcp port 2080'
uci commit opennds
service opennds restart
```

Undo

```bash
uci set opennds.@opennds[0].fasport='2080'
uci del_list opennds.@opennds[0].users_to_router='allow tcp port 2080'
uci commit opennds
service opennds restart
```

## Final Setup: No FAS Level 0 Setup with [[Rust]] Backend

### ==Update: this applies only to [[OpenNDS]] Version 5.2.x. See [[OpenNDS Version 9 Config]] for updated config instructions.==

### Notes

- Uses [[Lightning Router Daemon]] as webserver / backend
- Like the [[PHP]] webserver, [[warp]] needs to be served at `0.0.0.0`
    - `127.0.0.1` confirmed doesn't work

### Flow

- During Preauthentication, user is directed to `192.168.2.1:2050` (note the **2050** rather than 2080), where the `splash.html` is served from the [[OpenNDS]] web root
- Since this is served at port 2050 by [[OpenNDS]], the `$authaction` and `$tok` fields are populated in `splash.html`; thus, the user is able to authenticate by sending a GET to `/opennds_auth` with `tok` in the query params

### Steps

```bash
# Deploy code to router
./scripts/deploy.sh

# Configure
uci add_list opennds.@opennds[0].users_to_router='allow tcp port 2080'
uci commit opennds
service opennds restart

# Run the Rust daemon
./daemon
# Is now accessible at 192.168.2.1:2080
```

### Undo

```bash
# Undo everything
uci del_list opennds.@opennds[0].users_to_router='allow tcp port 2080'
uci commit opennds
service opennds restart

# Remove files
rm -rf /root/frontend/build
rm /root/daemon
```
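Whichever variant is used, the Rust daemon ends up handling the two request shapes captured above: the FAS Level 0 query string openNDS sends to port 2080 (`clientip`, `gatewayname`, `redir`, no `tok`) and the `/opennds_auth/?tok=...&redir=...` request on port 2050 that actually authenticates the client. The following is an added example, not code from the Lightning Router Daemon or from openNDS, using only the Rust standard library: it parses and percent-decodes the captured query string, refuses to bounce the client to a `redir` that is not a plain http(s) URL (that value is client-supplied, so a splash page that redirects to it unchecked is an open redirect), and builds the auth URL. The gateway address, port 2050 and the token `09dce6c3` are taken from the notes; `tok` is a parameter because, as noted above, Level 0 does not deliver it and it has to be read from `ndsctl status`. `parse_fas_query`, `is_safe_redir` and the other names are mine, not an openNDS API.

```rust
// Added example (not part of the Lightning Router Daemon or openNDS code).
use std::collections::HashMap;

/// Decode one percent-encoded query-string component; `+` becomes a space.
/// Returns None on a malformed escape such as "%2" or "%zz" rather than
/// guessing, so a bad request is rejected instead of partially decoded.
pub fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'%' => {
                let hex = std::str::from_utf8(bytes.get(i + 1..i + 3)?).ok()?;
                out.push(u8::from_str_radix(hex, 16).ok()?);
                i += 3;
            }
            b'+' => { out.push(b' '); i += 1; }
            b => { out.push(b); i += 1; }
        }
    }
    String::from_utf8(out).ok()
}

/// Percent-encode a value for a query component (RFC 3986 unreserved kept).
pub fn percent_encode(s: &str) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// What openNDS passes to a FAS Level 0 endpoint in these notes: no `tok`.
#[derive(Debug, PartialEq)]
pub struct FasLevel0Query {
    pub clientip: String,
    pub gatewayname: String,
    pub redir: String,
}

/// Parse "k=v&k=v" into the three expected fields; any missing field or
/// undecodable value yields None.
pub fn parse_fas_query(query: &str) -> Option<FasLevel0Query> {
    let mut params = HashMap::new();
    for pair in query.split('&').filter(|p| !p.is_empty()) {
        let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
        params.insert(percent_decode(k)?, percent_decode(v)?);
    }
    Some(FasLevel0Query {
        clientip: params.remove("clientip")?,
        gatewayname: params.remove("gatewayname")?,
        redir: params.remove("redir")?,
    })
}

/// `redir` is chosen by the client. Only allow an absolute http(s) URL with a
/// non-empty host, no embedded credentials and no control or whitespace
/// characters, so the splash page cannot be turned into an open redirect.
pub fn is_safe_redir(redir: &str) -> bool {
    let rest = match redir.strip_prefix("http://").or_else(|| redir.strip_prefix("https://")) {
        Some(r) => r,
        None => return false,
    };
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    !authority.is_empty()
        && !authority.contains('@')
        && !redir.chars().any(|c| c.is_control() || c.is_whitespace())
}

/// Build the request that succeeded in the test above: GET /opennds_auth/ on
/// the openNDS port (2050 here) with `tok` and the encoded `redir`.
pub fn build_auth_url(gateway: &str, nds_port: u16, tok: &str, redir: &str) -> String {
    format!(
        "http://{}:{}/opennds_auth/?tok={}&redir={}",
        gateway, nds_port, percent_encode(tok), percent_encode(redir)
    )
}

fn main() {
    // Constructed from the FAS Level 0 cURL capture in the notes.
    let q = "clientip=192.168.2.150&gatewayname=OpenWrt%20openNDS&redir=http%3a%2f%2f192.168.2.1%2f";
    let parsed = parse_fas_query(q).expect("well-formed FAS query");
    println!("{:?}", parsed);
    if is_safe_redir(&parsed.redir) {
        // Token taken from the `ndsctl status` note above; real code reads it at runtime.
        println!("{}", build_auth_url("192.168.2.1", 2050, "09dce6c3", &parsed.redir));
    } else {
        println!("refusing client-supplied redir: {}", parsed.redir);
    }
}
```

`percent_decode` accepts the lowercase `%3a%2f` escapes openNDS emits as well as the uppercase `%3A%2F` the browser sends, and `build_auth_url` reproduces the exact `redir` encoding seen in the captured `/opennds_auth` request, so the two captures can be used as fixtures when the daemon's handler is tested.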