153 lines
6.2 KiB
Plaintext
153 lines
6.2 KiB
Plaintext
|
|
# The options available here are an adaptation of the settings used in nodogsplash.conf.
|
|
# See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf
|
|
|
|
config nodogsplash
|
|
# Set to 0 to disable nodogsplash
|
|
option enabled 1
|
|
|
|
# Set to 0 to disable hook that makes nodogsplash restart when the firewall restarts.
|
|
# This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries.
|
|
option fwhook_enabled '1'
|
|
|
|
# WebRoot
|
|
# Default: /etc/nodogsplash/htdocs
|
|
#
|
|
# The local path where the splash page content resides.
|
|
# ie. Serve the file splash.html from this directory
|
|
#option webroot '/etc/nodogsplash/htdocs'
|
|
|
|
# Use plain configuration file
|
|
#option config '/etc/nodogsplash/nodogsplash.conf'
|
|
|
|
# Use this option to set the device nodogsplash will bind to.
|
|
# The value may be an interface section in /etc/config/network or a device name such as br-lan.
|
|
option gatewayinterface 'br-lan'
|
|
|
|
# GatewayPort
|
|
# Default: 2050
|
|
#
|
|
# Nodogsplash's own http server uses gateway address as its IP address.
|
|
# The port it listens to at that IP can be set here; default is 2050.
|
|
#
|
|
#option gatewayport '2050'
|
|
|
|
|
|
option gatewayname 'OpenWrt Nodogsplash'
|
|
option maxclients '250'
|
|
|
|
# Enables debug output (0-3)
|
|
#option debuglevel '1'
|
|
|
|
# Client timeouts in minutes
|
|
option preauthidletimeout '30'
|
|
option authidletimeout '120'
|
|
# Session Timeout is the interval after which clients are forced out (a value of 0 means never)
|
|
option sessiontimeout '1200'
|
|
|
|
# The interval in seconds at which nodogsplash checks client timeout status
|
|
option checkinterval '600'
|
|
|
|
# Enable BinAuth Support.
|
|
# If set, a program is called with several parameters on authentication (request) and deauthentication.
|
|
# Request for authentication:
|
|
# $<BinAuth> auth_client <client_mac> '<username>' '<password>'
|
|
#
|
|
# The username and password values may be empty strings and are URL encoded.
|
|
# The program is expected to output the number of seconds the client
|
|
# is to be authenticated. Zero or negative seconds will cause the authentification request
|
|
# to be rejected. The same goes for an exit code that is not 0.
|
|
# The output may contain a user specific download and upload limit in KBit/s:
|
|
# <seconds> <upload> <download>
|
|
#
|
|
# Called on authentication or deauthentication:
|
|
# $<BinAuth> <*auth|*deauth> <incoming_bytes> <outgoing_bytes> <session_start> <session_end>
|
|
#
|
|
# "client_auth": Client authenticated via this script.
|
|
# "client_deauth": Client deauthenticated by the client via splash page.
|
|
# "idle_deauth": Client was deauthenticated because of inactivity.
|
|
# "timeout_deauth": Client was deauthenticated because the session timed out.
|
|
# "ndsctl_auth": Client was authenticated manually by the ndsctl tool.
|
|
# "ndsctl_deauth": Client was deauthenticated by the ndsctl tool.
|
|
# "shutdown_deauth": Client was deauthenticated by Nodogsplash terminating.
|
|
#
|
|
# Values session_start and session_start are in seconds since 1970 or 0 for unknown/unlimited.
|
|
#
|
|
#option binauth '/bin/myauth.sh'
|
|
# Enable PreAuth Support.
|
|
#
|
|
# A simple login script is provided in the package.
|
|
# This generates a login page asking for usename and email address.
|
|
# User logins are recorded in the log file /tmp/ndslog.log
|
|
# Details of how the script works are contained in comments in the script itself.
|
|
#
|
|
# The Preauth program will output html code that will be served to the client by NDS
|
|
# Using html GET the Preauth program may call:
|
|
# /nodogsplash_preauth/ to ask the client for more information
|
|
# or
|
|
# /nodogsplash_auth/ to authenticate the client
|
|
#
|
|
# The Preauth program should append at least the client ip to the query string
|
|
# (using html input type hidden) for all calls to /nodogsplash_preauth/
|
|
# It must also obtain the client token using ndsctl (or the original query string if fas_secure_enabled=0)
|
|
# for NDS authentication when calling /nodogsplash_auth/
|
|
#
|
|
#option preauth '/usr/lib/nodogsplash/login.sh'
|
|
|
|
# Your router may have several interfaces, and you
|
|
# probably want to keep them private from the gatewayinterface.
|
|
# If so, you should block the entire subnets on those interfaces, e.g.:
|
|
#list authenticated_users 'block to 192.168.0.0/16'
|
|
#list authenticated_users 'block to 10.0.0.0/8'
|
|
|
|
# Typical ports you will probably want to open up.
|
|
#list authenticated_users 'allow tcp port 22'
|
|
#list authenticated_users 'allow tcp port 53'
|
|
#list authenticated_users 'allow udp port 53'
|
|
#list authenticated_users 'allow tcp port 80'
|
|
#list authenticated_users 'allow tcp port 443'
|
|
# Or for happy customers allow all
|
|
list authenticated_users 'allow all'
|
|
|
|
# For preauthenticated users to resolve IP addresses in their
|
|
# initial request not using the router itself as a DNS server,
|
|
# Leave commented to help prevent DNS tunnelling
|
|
#list preauthenticated_users 'allow tcp port 53'
|
|
#list preauthenticated_users 'allow udp port 53'
|
|
|
|
# Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS
|
|
list users_to_router 'allow tcp port 22'
|
|
list users_to_router 'allow tcp port 23'
|
|
list users_to_router 'allow tcp port 53'
|
|
list users_to_router 'allow udp port 53'
|
|
list users_to_router 'allow udp port 67'
|
|
list users_to_router 'allow tcp port 80'
|
|
|
|
# MAC addresses that are / are not allowed to access the splash page
|
|
# Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
|
|
#option macmechanism 'allow'
|
|
#list allowedmac '00:00:C0:01:D0:0D'
|
|
#list allowedmac '00:00:C0:01:D0:1D'
|
|
#list blockedmac '00:00:C0:01:D0:2D'
|
|
|
|
# MAC addresses that do not need to authenticate
|
|
#list trustedmac '00:00:C0:01:D0:1D'
|
|
|
|
# Nodogsplash uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask.
|
|
# This mask can conflict with the requirements of other packages such as mwan3, sqm etc
|
|
# Any values set here are interpreted as in hex format.
|
|
#
|
|
# List: fw_mark_authenticated
|
|
# Default: 30000 (0011|0000|0000|0000|0000 binary)
|
|
#
|
|
# List: fw_mark_trusted
|
|
# Default: 20000 (0010|0000|0000|0000|0000 binary)
|
|
#
|
|
# List: fw_mark_blocked
|
|
# Default: 10000 (0001|0000|0000|0000|0000 binary)
|
|
#
|
|
#option fw_mark_authenticated '30000'
|
|
#option fw_mark_trusted '20000'
|
|
#option fw_mark_blocked '10000'
|
|
|