From aeacbe60caae6e65bd64994a4ca2eb2668cade7f Mon Sep 17 00:00:00 2001 From: Jerry Vonau Date: Tue, 3 Jul 2018 09:00:45 -0500 Subject: [PATCH 01/23] tweaking iptables for captive portal --- .../templates/gateway/iiab-gen-iptables | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/roles/network/templates/gateway/iiab-gen-iptables b/roles/network/templates/gateway/iiab-gen-iptables index 7ec8f3bf0..3b9e8959a 100755 --- a/roles/network/templates/gateway/iiab-gen-iptables +++ b/roles/network/templates/gateway/iiab-gen-iptables @@ -105,8 +105,9 @@ if [ "$gw_block_https" == "True" ]; then fi # Allow outgoing connections from the LAN side. -$IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT - +if ! [ "$captive_portal_enabled" == "True" ];then + $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT +fi # Don't forward from the outside to the inside. $IPTABLES -A FORWARD -i $wan -o $lan -j DROP $IPTABLES -A INPUT -i $wan -j DROP 
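Review bot: Withholding the blanket `-i $lan -o $wan -j ACCEPT` when captive_portal_enabled is True only keeps unauthenticated clients off the WAN if the FORWARD chain's default policy, set outside this hunk, is DROP; with a policy of ACCEPT the gate is a no-op. The hunk adds no explicit deny for the captive-portal case, so the outcome depends on rules the reader cannot see here. An `else` branch with `$IPTABLES -A FORWARD -i $lan -o $wan -j DROP` makes the gate self-contained, provided nothing appended later in the script needs LAN forwarding; the per-client grants the portal script inserts (patch 02) use `-I`, so they still land ahead of it. A comment naming who adds those grants would help, e.g. `# captive portal: per-client FORWARD ACCEPT rules are inserted at runtime by captive_portal.py`.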
@@ -116,14 +117,17 @@ if [ "$block_DNS" == "True" ];then $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 fi +#if [ "$captive_portal_enabled" == "True" ];then +# $IPTABLES -t mangle -N internet +# $IPTABLES -t mangle -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m tcp --dport 80 -j internet +# $IPTABLES -t mangle -A internet -j MARK --set-mark 99 +# $IPTABLES -t nat -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination {{ lan_ip }}: + if [ "$captive_portal_enabled" == "True" ];then - $IPTABLES -t mangle -N internet - $IPTABLES -t mangle -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m tcp --dport 80 -j internet - $IPTABLES -t mangle -A internet -j MARK --set-mark 99 - $IPTABLES -t nat -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination {{ lan_ip }} + $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:9090 elif [ "$HTTPCACHE_ON" == "True" ]; then - $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d 172.18.96.1 -j DNAT --to 172.18.96.1:3128 + $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128 fi # Enable routing. From 74fb19864f001892f2378bd12090cc7274f6316b Mon Sep 17 00:00:00 2001 
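Review bot: With captive_portal_enabled set, the `elif [ "$HTTPCACHE_ON" == "True" ]` branch is never reached, and clients the portal later authorizes skip nat PREROUTING entirely via the `-I PREROUTING 1 ... -j ACCEPT` the portal inserts (patch 02), so the transparent cache on 3128 is effectively disabled whenever the portal is on. If that trade-off is intended, say so above the `if`, e.g. `# captive portal and transparent squid are mutually exclusive: authorized clients skip nat PREROUTING`. Only plain HTTP can be intercepted this way; HTTPS from unauthenticated clients is not forwarded at all, which also deserves a one-line comment on the DNAT so it is not reported as a bug.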
From: Anish Mangal Date: Wed, 4 Jul 2018 12:42:10 +0000 Subject: [PATCH 02/23] Initial working copy of the captive portal --- roles/network/defaults/main.yml | 7 ++ roles/network/tasks/captive_portal.yml | 37 +++++++ roles/network/tasks/main.yml | 8 ++ .../captive_portal/captive_portal.py.j2 | 97 +++++++++++++++++++ .../captive_portal/captive_portal.service.j2 | 15 +++ 5 files changed, 164 insertions(+) create mode 100644 roles/network/tasks/captive_portal.yml create mode 100755 roles/network/templates/captive_portal/captive_portal.py.j2 create mode 100644 roles/network/templates/captive_portal/captive_portal.service.j2 diff --git a/roles/network/defaults/main.yml b/roles/network/defaults/main.yml index 4524918df..2fb7bc256 100644 --- a/roles/network/defaults/main.yml +++ b/roles/network/defaults/main.yml @@ -71,3 +71,10 @@ named_enabled: True dnsmasq_enabled: False dnsmasq_install: False captive_portal_enabled: False + +# for simple python captive portal +py_captive_portal_install: True +py_captive_portal_enabled: True +captive_portal_port: "9090" +captive_portal_username: "Admin" +captive_portal_password: "g0adm1n" diff --git a/roles/network/tasks/captive_portal.yml b/roles/network/tasks/captive_portal.yml new file mode 100644 index 000000000..73176709c --- /dev/null +++ b/roles/network/tasks/captive_portal.yml 
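Review bot: `captive_portal_password: "g0adm1n"` ships a fixed credential in the role defaults, and `py_captive_portal_enabled: True` turns the portal on by default, so every deployment that does not override the variable accepts the same well-known password; patch 10's defaults hunk renames the variable and changes the value to `changeme`, which has the same problem. Role defaults are the lowest-precedence layer and the easiest to leave untouched. A task that refuses to continue while the shipped value is still in place, e.g. `assert:` with `that: captive_portal_password != "g0adm1n"` and a message pointing at local_vars.yml, or a per-install secret from the `password` lookup, would close this.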
@@ -0,0 +1,37 @@ +- name: Create directory for captive portal script + file: path=/opt/iiab/captive-portal state=directory + when: py_captive_portal_install + +- name: Copy captive portal script + template: + src: roles/network/templates/captive_portal/captive_portal.py.j2 + dest: /opt/iiab/captive-portal/captive_portal.py + owner: iiab-admin + group: iiab-admin + mode: 0740 + when: py_captive_portal_install + +- name: Copy captive portal service file + template: + src: roles/network/templates/captive_portal/captive_portal.service.j2 + dest: /etc/systemd/system/captive_portal.service + owner: iiab-admin + group: iiab-admin + mode: 0644 + when: py_captive_portal_install + +- name: Enable captive_portal after copying files + service: name=captive_portal.service enabled=yes + when: py_captive_portal_install and py_captive_portal_enabled + +- name: Start captive_portal after copying files + service: name=captive_portal.service state=started + when: py_captive_portal_install and py_captive_portal_enabled + +- name: Disable captive_portal after copying files + service: name=captive_portal.service enabled=no + when: py_captive_portal_install and py_captive_portal_enabled + +- name: Stop captive_portal after copying files + service: name=captive_portal.service state=started + when: py_captive_portal_install and py_captive_portal_enabled diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml index 6e73f7d4c..959c0b368 100644 --- a/roles/network/tasks/main.yml +++ b/roles/network/tasks/main.yml @@ -74,6 +74,14 @@ include_tasks: squid.yml when: FQDN_changed and squid_install and iiab_stage|int == 9 +#- name: FOREFULLY ENABLE CAPTIVE PORTAL +# set_fact: +# py_captive_portal_install: True + +- name: (Re)Installing captive portal + include_tasks: captive_portal.yml + when: py_captive_portal_install + #### start services - include_tasks: avahi.yml tags: 
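Review bot: The last task, "Stop captive_portal after copying files", uses `state=started` instead of `state=stopped`, and both it and the "Disable" task run under the same condition as the enable/start tasks (`py_captive_portal_install and py_captive_portal_enabled`), so a run with the portal enabled ends with the unit enabled=no but running: after a reboot the portal is down while iiab-gen-iptables still DNATs port 80 to its port and LAN clients get connection refused. The two tear-down tasks should read `service: name=captive_portal.service state=stopped` and `when: py_captive_portal_install and not py_captive_portal_enabled` (the disable task likewise with `and not`). A single `service: name=captive_portal.service enabled={{ py_captive_portal_enabled }} state={{ 'started' if py_captive_portal_enabled else 'stopped' }}` would replace all four.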
diff --git a/roles/network/templates/captive_portal/captive_portal.py.j2 b/roles/network/templates/captive_portal/captive_portal.py.j2 new file mode 100755 index 000000000..c6021d87c --- /dev/null +++ b/roles/network/templates/captive_portal/captive_portal.py.j2 @@ -0,0 +1,97 @@ +#!/usr/bin/python + +# Captive portal script adapted from https://github.com/nikosft/captive-portal + +import subprocess +import BaseHTTPServer +import cgi + +# These variables are used as settings +PORT = int("{{ captive_portal_port }}") # the port in which the captive portal web server listens +IFACE = "{{ iiab_lan_iface }}" # the interface that captive portal protects +IP_ADDRESS = "172.18.96.1" # the ip address of the captive portal (it can be the IP of IFACE) + +''' +This it the http server used by the the captive portal +''' +class CaptivePortal(BaseHTTPServer.BaseHTTPRequestHandler): + #this is the index of the captive portal + #it simply redirects the user to the to login page + html_redirect = """ + + + + + + Redirecting to login page + + + """%(IP_ADDRESS, PORT) + #the login page + html_login = """ + + + Login Form +
+ Username:
+ Password:
+ +
+ + + """ + + ''' + if the user requests the login page show it, else + use the redirect page + ''' + def do_GET(self): + path = self.path + self.send_response(200) + self.send_header("Content-type", "text/html") + self.end_headers() + if path == "/login": + self.wfile.write(self.html_login) + else: + self.wfile.write(self.html_redirect) + ''' + this is called when the user submits the login form + ''' + def do_POST(self): + self.send_response(200) + self.send_header("Content-type", "text/html") + self.end_headers() + form = cgi.FieldStorage( + fp=self.rfile, + headers=self.headers, + environ={'REQUEST_METHOD':'POST', + 'CONTENT_TYPE':self.headers['Content-Type'], + }) + username = form.getvalue("username") + password = form.getvalue("password") + #dummy security check + if username == '{{ captive_portal_username }}' and password == '{{ captive_portal_password }}': + #authorized user + remote_IP = self.client_address[0] + print 'New authorization from '+ remote_IP + print 'Updating IP tables' + subprocess.call(["iptables","-t", "nat", "-I", "PREROUTING","1", "-s", remote_IP, "-j" ,"ACCEPT"]) + subprocess.call(["iptables", "-I", "FORWARD", "-s", remote_IP, "-j" ,"ACCEPT"]) + self.wfile.write("You are now authorized. Navigate to any URL") + else: + #show the login form + self.wfile.write(self.html_login) + + #the following function makes server produce no output + #comment it out if you want to print diagnostic messages + #def log_message(self, format, *args): + # return + +print "Starting captive portal web server" +httpd = BaseHTTPServer.HTTPServer(('', PORT), CaptivePortal) + +try: + httpd.serve_forever() +except KeyboardInterrupt: + pass +httpd.server_close() diff --git a/roles/network/templates/captive_portal/captive_portal.service.j2 b/roles/network/templates/captive_portal/captive_portal.service.j2 new file mode 100644 index 000000000..77a055cb4 --- /dev/null +++ b/roles/network/templates/captive_portal/captive_portal.service.j2 
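Review bot: `BaseHTTPServer.HTTPServer(('', PORT), CaptivePortal)` binds to every interface, so the process that runs iptables on behalf of whoever posts the right form is reachable from the WAN side too unless the `INPUT -i $wan -j DROP` rule in iiab-gen-iptables is in place; bind it to IP_ADDRESS, the LAN address the script already knows. The two `iptables -I` calls grant by source address alone and never expire, and IFACE is defined but unused: scoping both rules with `-i IFACE` stops the same address arriving on another interface from inheriting the grant, and a comment should record that grants persist until the chains are regenerated, so a DHCP lease reassigned to another device inherits them (TODO for an expiry or a lease-change hook). `self.headers['Content-Type']` raises KeyError on a POST that omits the header, producing a traceback per such request instead of a clean response; `if 'Content-Type' not in self.headers:` with a 400 before building the FieldStorage avoids that. The whole file is new and do_POST is entirely within the hunk.
```python
# … unchanged: do_GET, do_POST response headers, form parsing, credential check …
            remote_IP = self.client_address[0]
            print 'New authorization from '+ remote_IP
            print 'Updating IP tables'
            # grants are scoped to the protected interface so the same address
            # arriving on another interface does not inherit the authorization;
            # they persist until the chains are regenerated (no expiry yet)
            subprocess.call(["iptables", "-t", "nat", "-I", "PREROUTING", "1", "-i", IFACE, "-s", remote_IP, "-j", "ACCEPT"])
            subprocess.call(["iptables", "-I", "FORWARD", "-i", IFACE, "-s", remote_IP, "-j", "ACCEPT"])
# … unchanged: login-form fallback, log_message note …

# listen only on the LAN address the portal protects, not on every interface
httpd = BaseHTTPServer.HTTPServer((IP_ADDRESS, PORT), CaptivePortal)
```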
@@ -0,0 +1,15 @@ +[Unit] +Description=Captive portal +After=syslog.target + +[Service] +Type=simple +User=iiab-admin +Group=iiab-admin +WorkingDirectory=/opt/iiab/captive-portal +ExecStart=/opt/iiab/captive-portal/captive_portal.py +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=multi-user.target From 5674675ef9fbc5dad99f7a4abc1354015203acf6 Mon Sep 17 00:00:00 2001 From: Anish Mangal Date: Wed, 4 Jul 2018 12:56:16 +0000 Subject: [PATCH 03/23] captive_portal service must run as root --- roles/network/tasks/captive_portal.yml | 8 ++++---- .../templates/captive_portal/captive_portal.service.j2 | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/network/tasks/captive_portal.yml b/roles/network/tasks/captive_portal.yml index 73176709c..8dad37fa7 100644 --- a/roles/network/tasks/captive_portal.yml +++ b/roles/network/tasks/captive_portal.yml @@ -6,8 +6,8 @@ template: src: roles/network/templates/captive_portal/captive_portal.py.j2 dest: /opt/iiab/captive-portal/captive_portal.py - owner: iiab-admin - group: iiab-admin + owner: root + group: root mode: 0740 when: py_captive_portal_install @@ -15,8 +15,8 @@ template: src: roles/network/templates/captive_portal/captive_portal.service.j2 dest: /etc/systemd/system/captive_portal.service - owner: iiab-admin - group: iiab-admin + owner: root + group: root mode: 0644 when: py_captive_portal_install diff --git a/roles/network/templates/captive_portal/captive_portal.service.j2 b/roles/network/templates/captive_portal/captive_portal.service.j2 index 77a055cb4..03f3c33d5 100644 --- a/roles/network/templates/captive_portal/captive_portal.service.j2 +++ b/roles/network/templates/captive_portal/captive_portal.service.j2 @@ -4,8 +4,8 @@ After=syslog.target [Service] Type=simple -User=iiab-admin -Group=iiab-admin +User=root +Group=root WorkingDirectory=/opt/iiab/captive-portal ExecStart=/opt/iiab/captive-portal/captive_portal.py StandardOutput=syslog 
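Review bot: Switching the unit to `User=root` gives the whole HTTP listener, which parses untrusted POST bodies with cgi.FieldStorage, full root when the only privileged operation is the iptables call. A narrower option is to keep `User=iiab-admin` and grant the capability instead, e.g. `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW` plus `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW` (confirm on the target systemd version and that iptables needs nothing further on that distro), or route the two rule insertions through a sudoers entry limited to those exact commands; the script's owner and mode, changed to root in this patch's captive_portal.yml hunks, would then need to stay executable by that user. If root stays, `ProtectHome=yes` and `PrivateTmp=yes` at least limit what a compromised handler can reach. The Service section is entirely within the hunk.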
From 418d941833df8629335bbe79e6de1a985174f087 Mon Sep 17 00:00:00 2001 From: Jerry Vonau Date: Wed, 4 Jul 2018 08:30:53 -0500 Subject: [PATCH 04/23] whitespace --- roles/network/tasks/main.yml | 2 +- .../templates/captive_portal/captive_portal.py.j2 | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml index 959c0b368..3d2e7ec42 100644 --- a/roles/network/tasks/main.yml +++ b/roles/network/tasks/main.yml @@ -74,7 +74,7 @@ include_tasks: squid.yml when: FQDN_changed and squid_install and iiab_stage|int == 9 -#- name: FOREFULLY ENABLE CAPTIVE PORTAL +#- name: FOREFULLY ENABLE CAPTIVE PORTAL # set_fact: # py_captive_portal_install: True diff --git a/roles/network/templates/captive_portal/captive_portal.py.j2 b/roles/network/templates/captive_portal/captive_portal.py.j2 index c6021d87c..e873f28de 100755 --- a/roles/network/templates/captive_portal/captive_portal.py.j2 +++ b/roles/network/templates/captive_portal/captive_portal.py.j2 @@ -7,9 +7,9 @@ import BaseHTTPServer import cgi # These variables are used as settings -PORT = int("{{ captive_portal_port }}") # the port in which the captive portal web server listens +PORT = int("{{ captive_portal_port }}") # the port in which the captive portal web server listens IFACE = "{{ iiab_lan_iface }}" # the interface that captive portal protects -IP_ADDRESS = "172.18.96.1" # the ip address of the captive portal (it can be the IP of IFACE) +IP_ADDRESS = "172.18.96.1" # the ip address of the captive portal (it can be the IP of IFACE) ''' This it the http server used by the the captive portal @@ -40,7 +40,7 @@ class CaptivePortal(BaseHTTPServer.BaseHTTPRequestHandler): """ - + ''' if the user requests the login page show it, else use the redirect page 
@@ -62,7 +62,7 @@ class CaptivePortal(BaseHTTPServer.BaseHTTPRequestHandler): self.send_header("Content-type", "text/html") self.end_headers() form = cgi.FieldStorage( - fp=self.rfile, + fp=self.rfile, headers=self.headers, environ={'REQUEST_METHOD':'POST', 'CONTENT_TYPE':self.headers['Content-Type'], @@ -81,7 +81,7 @@ class CaptivePortal(BaseHTTPServer.BaseHTTPRequestHandler): else: #show the login form self.wfile.write(self.html_login) - + #the following function makes server produce no output #comment it out if you want to print diagnostic messages #def log_message(self, format, *args): From ef58b913aaf7be4bd17c51987294e80b14e92b94 Mon Sep 17 00:00:00 2001 From: Jerry Vonau Date: Wed, 4 Jul 2018 08:32:07 -0500 Subject: [PATCH 05/23] use lan_ip in place of hardcoding --- roles/network/templates/captive_portal/captive_portal.py.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/network/templates/captive_portal/captive_portal.py.j2 b/roles/network/templates/captive_portal/captive_portal.py.j2 index e873f28de..8e0736b07 100755 --- a/roles/network/templates/captive_portal/captive_portal.py.j2 +++ b/roles/network/templates/captive_portal/captive_portal.py.j2 @@ -9,7 +9,7 @@ import cgi # These variables are used as settings PORT = int("{{ captive_portal_port }}") # the port in which the captive portal web server listens IFACE = "{{ iiab_lan_iface }}" # the interface that captive portal protects -IP_ADDRESS = "172.18.96.1" # the ip address of the captive portal (it can be the IP of IFACE) +IP_ADDRESS = "{{ lan_ip }}" # the ip address of the captive portal (it can be the IP of IFACE) ''' This it the http server used by the the captive portal From cc09adb6778717f0409322f6c642c1ab159ed019 Mon Sep 17 00:00:00 2001 From: Jerry Vonau Date: Wed, 4 Jul 2018 09:29:05 -0500 Subject: [PATCH 06/23] replace named-iiab.conf to pickup changes in dns_jail_enabled --- roles/network/tasks/enable_services.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/network/tasks/enable_services.yml b/roles/network/tasks/enable_services.yml index 4628874af..5660691c7 100644 --- a/roles/network/tasks/enable_services.yml +++ b/roles/network/tasks/enable_services.yml @@ -27,6 +27,7 @@ group=root mode={{ item.mode }} with_items: + - { src: 'named/named-iiab.conf.j2' , dest: '/etc/named-iiab.conf' , mode: '0644' } - { src: 'named/school.local.zone.db' , dest: '/var/named-iiab/' , mode: '0644' } - { src: 'named/school.internal.zone.db' , dest: '/var/named-iiab/' , mode: '0644' } From 43b67fbc6087df405c17152e4825ba0b26eee465 Mon Sep 17 00:00:00 2001 From: Jerry Vonau Date: Wed, 4 Jul 2018 12:56:48 -0500 Subject: [PATCH 07/23] install dnsmasq by default --- vars/default_vars.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/vars/default_vars.yml b/vars/default_vars.yml index ebe72e509..d9f4753d3 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -103,9 +103,12 @@ dhcpd_enabled: False named_install: True named_enabled: True block_DNS: False +# Captive Portal highly experimental as of July 2018: https://github.com/iiab/iiab/pull/870 +py_captive_portal_install: True +py_captive_portal_enabled: False # dnsmasq -dnsmasq_install: False +dnsmasq_install: True dnsmasq_enabled: False # Captive Portal highly experimental as of June 2018: https://github.com/iiab/iiab/issues/608 From 516daefb275e763160aac1a5d4091f1c03e830ba Mon Sep 17 00:00:00 2001 From: Jerry Vonau Date: Wed, 4 Jul 2018 13:11:49 -0500 Subject: [PATCH 08/23] use dns_jail_enabled for dnsmasq blackhole --- roles/network/templates/network/dnsmasq.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/network/templates/network/dnsmasq.conf.j2 b/roles/network/templates/network/dnsmasq.conf.j2 index 282c0b222..afd148c89 100644 --- a/roles/network/templates/network/dnsmasq.conf.j2 +++ b/roles/network/templates/network/dnsmasq.conf.j2 
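Review bot: `py_captive_portal_install: True` installs the portal script and its root-running unit (patch 03) on every deployment, although the comment added just above calls the feature highly experimental; an installed-but-disabled root service is still attack surface and still gets its credentials templated onto disk. The role defaults added in patch 02 say `py_captive_portal_enabled: True` while this file says False; vars files outrank role defaults, so False should win, but the two should agree so a future precedence change does not silently enable it. Consider `py_captive_portal_install: False` here until the feature leaves experimental status.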
@@ -4,7 +4,7 @@ bogus-priv #server=/{{ iiab_domain }}/{{ iiab_hostname }} # Add local-only domains here, queries in these domains are answered from /etc/hosts or DHCP only. local=/{{ iiab_domain }}/ -{% if captive_portal_enabled == "True" %} +{% if dns_jail_enabled %} # Make all host names resolve to the Raspberry Pi's IP address address=/#/{{ lan_ip }} {% endif %} From 2f47e84696a4a5de2fdcd18e18d5a90042e25f40 Mon Sep 17 00:00:00 2001 From: Jerry Vonau Date: Thu, 5 Jul 2018 10:14:47 -0500 Subject: [PATCH 09/23] use py_captive_portal_enabled and restore captive_portal_enabled --- roles/network/templates/gateway/iiab-gen-iptables | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/roles/network/templates/gateway/iiab-gen-iptables b/roles/network/templates/gateway/iiab-gen-iptables index 3b9e8959a..f88cdae1b 100755 --- a/roles/network/templates/gateway/iiab-gen-iptables +++ b/roles/network/templates/gateway/iiab-gen-iptables @@ -60,6 +60,7 @@ kalite_server_port={{ kalite_server_port }} sugarizer_port={{ sugarizer_port }} block_DNS={{ block_DNS }} captive_portal_enabled={{ captive_portal_enabled }} +py_captive_portal_enabled={{ py_captive_portal_enabled }} echo "Lan is $lan and WAN is $wan" # @@ -105,7 +106,7 @@ if [ "$gw_block_https" == "True" ]; then fi # Allow outgoing connections from the LAN side. -if ! [ "$captive_portal_enabled" == "True" ];then +if ! [ "$py_captive_portal_enabled" == "True" ];then $IPTABLES -A FORWARD -i $lan -o $wan -j ACCEPT fi # Don't forward from the outside to the inside. 
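Review bot: `{% if dns_jail_enabled %}` is the right shape for a YAML boolean (the previous `captive_portal_enabled == "True"` would not match a real bool), but the template now depends on dns_jail_enabled being defined wherever dnsmasq.conf.j2 is rendered, and nothing visible in this series adds it to the role or vars defaults. If it is not guaranteed elsewhere, `{% if dns_jail_enabled | default(False) %}` keeps the template rendering with the blackhole off rather than failing on an undefined variable. A comment on `address=/#/{{ lan_ip }}` noting that it answers every name, not just the local domain, would make the blast radius of the flag clear.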
@@ -117,13 +118,13 @@ if [ "$block_DNS" == "True" ];then $IPTABLES -t nat -A PREROUTING -i $lan -p udp --dport 53 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:53 fi -#if [ "$captive_portal_enabled" == "True" ];then -# $IPTABLES -t mangle -N internet -# $IPTABLES -t mangle -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m tcp --dport 80 -j internet -# $IPTABLES -t mangle -A internet -j MARK --set-mark 99 -# $IPTABLES -t nat -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination {{ lan_ip }}: - if [ "$captive_portal_enabled" == "True" ];then + $IPTABLES -t mangle -N internet + $IPTABLES -t mangle -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m tcp --dport 80 -j internet + $IPTABLES -t mangle -A internet -j MARK --set-mark 99 + $IPTABLES -t nat -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination {{ lan_ip }} + +elif [ "py_$captive_portal_enabled" == "True" ];then $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:9090 elif [ "$HTTPCACHE_ON" == "True" ]; then From ca7c291ba5aef57dc4c1a996601147413d40612c Mon Sep 17 00:00:00 2001 From: Jerry Vonau Date: Thu, 5 Jul 2018 12:24:20 -0500 Subject: [PATCH 10/23] use py_ for new captive_portal variables --- roles/network/defaults/main.yml | 6 +++--- roles/network/templates/captive_portal/captive_portal.py.j2 | 4 ++-- roles/network/templates/gateway/iiab-gen-iptables | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/roles/network/defaults/main.yml b/roles/network/defaults/main.yml index 2fb7bc256..55c2ffff1 100644 --- a/roles/network/defaults/main.yml +++ b/roles/network/defaults/main.yml 
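Review bot: `elif [ "py_$captive_portal_enabled" == "True" ];then` puts the `py_` prefix outside the variable, so the test compares the literal `py_True`/`py_False` against `True` and can never succeed; the python portal's port-80 DNAT is dead code, and with the FORWARD ACCEPT withheld by this patch's first hunk a py_captive_portal_enabled deployment loses WAN access without ever seeing a login page. The line should read `elif [ "$py_captive_portal_enabled" == "True" ];then`. Patch 10's second iiab-gen-iptables hunk edits the DNAT under this branch and carries the broken test forward as context, so the fix is still outstanding at the end of the series. The closing `fi` of this if/elif chain lies outside the hunk.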
@@ -75,6 +75,6 @@ captive_portal_enabled: False # for simple python captive portal py_captive_portal_install: True py_captive_portal_enabled: True -captive_portal_port: "9090" -captive_portal_username: "Admin" -captive_portal_password: "g0adm1n" +py_captive_portal_port: "9090" +py_captive_portal_username: "Admin" +py_captive_portal_password: "changeme" diff --git a/roles/network/templates/captive_portal/captive_portal.py.j2 b/roles/network/templates/captive_portal/captive_portal.py.j2 index 8e0736b07..22ad1f009 100755 --- a/roles/network/templates/captive_portal/captive_portal.py.j2 +++ b/roles/network/templates/captive_portal/captive_portal.py.j2 @@ -7,7 +7,7 @@ import BaseHTTPServer import cgi # These variables are used as settings -PORT = int("{{ captive_portal_port }}") # the port in which the captive portal web server listens +PORT = int("{{ py_captive_portal_port }}") # the port in which the captive portal web server listens IFACE = "{{ iiab_lan_iface }}" # the interface that captive portal protects IP_ADDRESS = "{{ lan_ip }}" # the ip address of the captive portal (it can be the IP of IFACE) @@ -70,7 +70,7 @@ class CaptivePortal(BaseHTTPServer.BaseHTTPRequestHandler): username = form.getvalue("username") password = form.getvalue("password") #dummy security check - if username == '{{ captive_portal_username }}' and password == '{{ captive_portal_password }}': + if username == '{{ py_captive_portal_username }}' and password == '{{ py_captive_portal_password }}': #authorized user remote_IP = self.client_address[0] print 'New authorization from '+ remote_IP diff --git a/roles/network/templates/gateway/iiab-gen-iptables b/roles/network/templates/gateway/iiab-gen-iptables index f88cdae1b..0e456dab1 100755 --- a/roles/network/templates/gateway/iiab-gen-iptables +++ b/roles/network/templates/gateway/iiab-gen-iptables 
@@ -102,7 +102,7 @@ $IPTABLES -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACC #Block https traffic except if directed at server if [ "$gw_block_https" == "True" ]; then - $IPTABLES -A FORWARD -p tcp ! -d 172.18.96.1 --dport 443 -j DROP + $IPTABLES -A FORWARD -p tcp ! -d {{ lan_ip }} --dport 443 -j DROP fi # Allow outgoing connections from the LAN side. @@ -125,7 +125,7 @@ if [ "$captive_portal_enabled" == "True" ];then $IPTABLES -t nat -A PREROUTING -i {{ iiab_lan_iface }} -p tcp -m mark --mark 99 -m tcp --dport 80 -j DNAT --to-destination {{ lan_ip }} elif [ "py_$captive_portal_enabled" == "True" ];then - $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:9090 + $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:{{ py_captive_portal_port }} elif [ "$HTTPCACHE_ON" == "True" ]; then $IPTABLES -t nat -A PREROUTING -i $lan -p tcp --dport 80 ! -d {{ lan_ip }} -j DNAT --to {{ lan_ip }}:3128 From 5b5a57613c1af48a17454a799ef8de09961b6cdd Mon Sep 17 00:00:00 2001 From: A Holt Date: Thu, 12 Jul 2018 01:36:24 -0400 Subject: [PATCH 11/23] Update main.yml --- roles/kalite/defaults/main.yml | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/roles/kalite/defaults/main.yml b/roles/kalite/defaults/main.yml index 086f6839e..234ecd25f 100644 --- a/roles/kalite/defaults/main.yml +++ b/roles/kalite/defaults/main.yml 
@@ -1,21 +1,28 @@ ---- # The values here are defaults. -# To override them edit the main var definitions in iiab/vars -kalite_version: "0.17.4" +# To override them edit the main var definitions in /opt/iiab/iiab/vars/local_vars.yml +kalite_install: True +kalite_enabled: False + +kalite_server_port: 8008 +kalite_admin_user: Admin +kalite_admin_password: changeme + +kalite_version: "0.17.5" kalite_repo_url: "https://github.com/learningequality/ka-lite.git" +kalite_requirements: "https://raw.githubusercontent.com/learningequality/ka-lite/master/requirements.txt" + kalite_venv: "/usr/local/kalite/venv" kalite_program: "{{ kalite_venv }}/bin/kalite" -kalite_requirements: "https://raw.githubusercontent.com/learningequality/ka-lite/master/requirements.txt" kalite_root: "/library/ka-lite" + +# Unused in 2018; but remain as placeholder for Fedora 18 legacy (XO laptops) +kalite_cron_enabled: False kalite_user: kalite # obtain a password hash with - python -c 'import crypt; print crypt.crypt("", "$6$<salt>")' kalite_password_hash: $6$<salt>$KHET0XRRsgAY.wOWyTOI3W7dyDh0ESOr48uI5vtk2xdzsU7aw0TF4ZkNuM34RmHBGMJ1fTCmOyVobo0LOhBlJ/ kalite_password: kalite -kalite_admin_user: Admin -kalite_admin_password: changeme -kalite_server_name: kalite -kalite_server_port: 8008 -kalite_enabled: False -kalite_cron_enabled: False -khan_assessment_install: True -khan_assessment_url: "http://pantry.learningequality.org/downloads/ka-lite/0.16/content/khan_assessment.zip" + +# Unused in 2018 +# kalite_server_name: kalite +# khan_assessment_install: True +# khan_assessment_url: "http://pantry.learningequality.org/downloads/ka-lite/0.16/content/khan_assessment.zip" From ee985be92919a346b4fd70699cd11eb7ca34560d Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 01:36:38 -0400 Subject: [PATCH 12/23] Update default_vars.yml --- vars/default_vars.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
diff --git a/vars/default_vars.yml b/vars/default_vars.yml index ebe72e509..d372948aa 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -295,14 +295,16 @@ wordpress_enabled: False # KA Lite kalite_install: True +kalite_enabled: False +kalite_server_port: 8008 kalite_root: "/library/ka-lite" +# Unused in 2018; but remain as placeholder for Fedora 18 legacy (XO laptops) +kalite_cron_enabled: False kalite_user: kalite kalite_password_hash: $6$<salt>$KHET0XRRsgAY.wOWyTOI3W7dyDh0ESOr48uI5vtk2xdzsU7aw0TF4ZkNuM34RmHBGMJ1fTCmOyVobo0LOhBlJ/ kalite_password: kalite -kalite_server_name: kalite -kalite_server_port: 8008 -kalite_enabled: False -kalite_cron_enabled: False +# Unused in 2018 +# kalite_server_name: kalite # Kiwix kiwix_install: True From 4c8e7e3f3707c549de5444a419c2ccfaed989b8d Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 01:37:26 -0400 Subject: [PATCH 13/23] Update main.yml --- roles/kalite/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/kalite/defaults/main.yml b/roles/kalite/defaults/main.yml index 234ecd25f..287f35f0d 100644 --- a/roles/kalite/defaults/main.yml +++ b/roles/kalite/defaults/main.yml @@ -15,7 +15,7 @@ kalite_venv: "/usr/local/kalite/venv" kalite_program: "{{ kalite_venv }}/bin/kalite" kalite_root: "/library/ka-lite" -# Unused in 2018; but remain as placeholder for Fedora 18 legacy (XO laptops) +# Unused in 2018; but remain as placeholders for Fedora 18 legacy (XO laptops) kalite_cron_enabled: False kalite_user: kalite # obtain a password hash with - python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")' From 0a704f9e1444af762f373158e22a6ed5cd1210f6 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 01:37:55 -0400 Subject: [PATCH 14/23] Update default_vars.yml --- vars/default_vars.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/vars/default_vars.yml b/vars/default_vars.yml index d372948aa..b2b5452a5 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -298,7 +298,7 @@ kalite_install: True kalite_enabled: False kalite_server_port: 8008 kalite_root: "/library/ka-lite" -# Unused in 2018; but remain as placeholder for Fedora 18 legacy (XO laptops) +# Unused in 2018; but remain as placeholders for Fedora 18 legacy (XO laptops) kalite_cron_enabled: False kalite_user: kalite kalite_password_hash: $6$<salt>$KHET0XRRsgAY.wOWyTOI3W7dyDh0ESOr48uI5vtk2xdzsU7aw0TF4ZkNuM34RmHBGMJ1fTCmOyVobo0LOhBlJ/ From 78fae2d16650ba2cebdd163bcae987ca29735c46 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 01:38:23 -0400 Subject: [PATCH 15/23] Update local_vars_medium.yml --- vars/local_vars_medium.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index 8e3b2cb0f..21f7556f5 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -159,6 +159,7 @@ wordpress_enabled: True kalite_install: True kalite_enabled: True +# Unused in 2018; but remains as placeholder for Fedora 18 legacy (XO laptops) kalite_cron_enabled: True kiwix_install: True From a502c67d2c3d8ce0322219c2273c5a27cdba48b4 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 01:39:04 -0400 Subject: [PATCH 16/23] Update local_vars_medium_vpn.yml --- vars/local_vars_medium_vpn.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vars/local_vars_medium_vpn.yml b/vars/local_vars_medium_vpn.yml index bb5cfed17..70ec6105e 100644 --- a/vars/local_vars_medium_vpn.yml +++ b/vars/local_vars_medium_vpn.yml @@ -159,6 +159,7 @@ wordpress_enabled: True kalite_install: True kalite_enabled: True +# Unused in 2018; but remains as placeholder for Fedora 18 legacy (XO laptops) kalite_cron_enabled: True kiwix_install: True 
From 02c21cbf9d990453136c1a4368656a08382b41c6 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 01:39:35 -0400 Subject: [PATCH 17/23] Update local_vars_min.yml --- vars/local_vars_min.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index a29a150db..f41915947 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml @@ -159,6 +159,7 @@ wordpress_enabled: False kalite_install: True kalite_enabled: True +# Unused in 2018; but remains as placeholder for Fedora 18 legacy (XO laptops) kalite_cron_enabled: True kiwix_install: True From 9a6c4c08144a231261e8b65cb7746f4386606bc5 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 01:39:55 -0400 Subject: [PATCH 18/23] Update local_vars_min_vpn.yml --- vars/local_vars_min_vpn.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vars/local_vars_min_vpn.yml b/vars/local_vars_min_vpn.yml index 351e01b4a..f427a1888 100644 --- a/vars/local_vars_min_vpn.yml +++ b/vars/local_vars_min_vpn.yml @@ -159,6 +159,7 @@ wordpress_enabled: False kalite_install: True kalite_enabled: True +# Unused in 2018; but remains as placeholder for Fedora 18 legacy (XO laptops) kalite_cron_enabled: True kiwix_install: True From bc83745b98635216a4d6514df5b16929768596d3 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 01:40:15 -0400 Subject: [PATCH 19/23] Update local_vars_big.yml --- vars/local_vars_big.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index d89b264d5..db86484b7 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml @@ -159,6 +159,7 @@ wordpress_enabled: True kalite_install: True kalite_enabled: True +# Unused in 2018; but remains as placeholder for Fedora 18 legacy (XO laptops) kalite_cron_enabled: True kiwix_install: True 
From 9cc202587b8d0abc461a18cb407934e456d91aee Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 01:40:35 -0400 Subject: [PATCH 20/23] Update local_vars_big_vpn.yml --- vars/local_vars_big_vpn.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vars/local_vars_big_vpn.yml b/vars/local_vars_big_vpn.yml index 699ebc145..78399b980 100644 --- a/vars/local_vars_big_vpn.yml +++ b/vars/local_vars_big_vpn.yml @@ -159,6 +159,7 @@ wordpress_enabled: True kalite_install: True kalite_enabled: True +# Unused in 2018; but remains as placeholder for Fedora 18 legacy (XO laptops) kalite_cron_enabled: True kiwix_install: True From 34ce168ab08fc4b22da978d3c8b39ba01e03794e Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 01:45:46 -0400 Subject: [PATCH 21/23] Update main.yml --- roles/kalite/defaults/main.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/roles/kalite/defaults/main.yml b/roles/kalite/defaults/main.yml index 287f35f0d..e2c992e1e 100644 --- a/roles/kalite/defaults/main.yml +++ b/roles/kalite/defaults/main.yml @@ -1,12 +1,9 @@ # The values here are defaults. # To override them edit the main var definitions in /opt/iiab/iiab/vars/local_vars.yml + kalite_install: True kalite_enabled: False -kalite_server_port: 8008 -kalite_admin_user: Admin -kalite_admin_password: changeme - kalite_version: "0.17.5" kalite_repo_url: "https://github.com/learningequality/ka-lite.git" kalite_requirements: "https://raw.githubusercontent.com/learningequality/ka-lite/master/requirements.txt" @@ -15,6 +12,10 @@ kalite_venv: "/usr/local/kalite/venv" kalite_program: "{{ kalite_venv }}/bin/kalite" kalite_root: "/library/ka-lite" +kalite_server_port: 8008 +kalite_admin_user: Admin +kalite_admin_password: changeme + # Unused in 2018; but remain as placeholders for Fedora 18 legacy (XO laptops) kalite_cron_enabled: False kalite_user: kalite 
From 564c2164450620c5c414b39e6078db13dffd16b9 Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 02:39:20 -0400 Subject: [PATCH 22/23] Update main.yml --- roles/kalite/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/kalite/tasks/main.yml b/roles/kalite/tasks/main.yml index 35f1932f7..b69de706b 100644 --- a/roles/kalite/tasks/main.yml +++ b/roles/kalite/tasks/main.yml @@ -47,8 +47,6 @@ value: '"KA Lite is a server to present Khan Academy videos offline and to download them."' - option: path value: "{{ kalite_root }}" - - option: server_name - value: "{{ kalite_server_name }}" - option: port value: "{{ kalite_server_port }}" - option: enabled From 3a42e7e2db2030ddb9ff6cc2bed7e694e33ff09a Mon Sep 17 00:00:00 2001 From: A Holt <holta@users.noreply.github.com> Date: Thu, 12 Jul 2018 02:42:56 -0400 Subject: [PATCH 23/23] Update main.yml --- roles/kalite/tasks/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/kalite/tasks/main.yml b/roles/kalite/tasks/main.yml index b69de706b..84c508fe1 100644 --- a/roles/kalite/tasks/main.yml +++ b/roles/kalite/tasks/main.yml @@ -53,5 +53,3 @@ value: "{{ kalite_enabled }}" - option: cron_enabled value: "{{ kalite_cron_enabled }}" - - option: khan_assessment_install - value: "{{ khan_assessment_install }}"