上一篇分析了 接入設備 在接入路由器，并發(fā)起首次 HTTP/80 請求到路由器上時，wifidog 是如何將此 HTTP 請求重定向至 auth-server 的流程。

之后接入設備的瀏覽器接收到 wifidog 返回的 302 重定向請求后，會將頁面重定向至 auth-server 的 /login 頁面，并且在此 URL 中會攜帶一些路由器/網(wǎng)關 參數(shù)，以及接入設備的 MAC 地址和客戶端訪問的源URL（如示例中的 baidu.com）。

POST /login/?gw_address=192.168.1.1&gw_port=2060&gw_id=default&mac=44:94:fc:ef:28:40&url=http%3A//www.baidu.com/ HTTP/1.1

auth-server 收到請求后處理，并返回重定向到 wifidog 的響應（注：同時攜帶了為此接入設備的用戶分配了 token），接入設備的瀏覽器重定向至路由器上 wifidog 的 http 服務（端口 2060） /wifidog/auth 上（且攜帶了認證服務器為此接入設備分配的 token），下面介紹下 wifidog 接收到 /wifidog/auth 的訪問后的校驗流程。

在 wifidog 啟動 http 服務前，注冊了一個針對訪問路徑 /wifidog/auth 的回調(diào)，如下：

httpdAddCContent(webserver, "/wifidog", "about", 0, NULL, http_callback_about);

httpdAddCContent(webserver, "/wifidog", "status", 0, NULL, http_callback_status);

// 注冊了針對 /wifidog/auth 的訪問回調(diào) http_callback_auth

httpdAddCContent(webserver, "/wifidog", "auth", 0, NULL, http_callback_auth);

這樣對于 接入設備(or 客戶端) 重定向過來的 /wifidog/auth 就進入了 http_callback_auth 函數(shù)中，如下：

http_callback_auth(httpd *webserver, request *r)

{

t_client? ? *client;

httpVar * token;

char? ? *mac;

// 1, 獲取條件參數(shù)中的 logout 值

httpVar *logout = httpdGetVariableByName(r, "logout");

// 2, 獲取條件參數(shù)中的 token 值

if ((token = httpdGetVariableByName(r, "token"))) {

/* They supplied variable "token" */

// 3, 可以看到, 這里要求必須能夠通過 ARP 協(xié)議獲取到 接入設備 的 MAC 地址

if (!(mac = arp_get(r->clientAddr))) {

/* We could not get their MAC address */

debug(LOG_ERR, "Failed to retrieve MAC address for ip %s", r->clientAddr);

send_http_page(r, "WiFiDog Error", "Failed to retrieve your MAC address");

} else {

/* We have their MAC address */

LOCK_CLIENT_LIST();

// 4, 檢查該客戶端(接入設備)是否已經(jīng)在 wifidog 維護的接入客戶端列表中

if ((client = client_list_find(r->clientAddr, mac)) == NULL) {

debug(LOG_DEBUG, "New client for %s", r->clientAddr);

client_list_append(r->clientAddr, mac, token->value);

} else if (logout) {

// 5, 退出處理

t_authresponse? authresponse;

s_config *config = config_get_config();

unsigned long long incoming = client->counters.incoming;

unsigned long long outgoing = client->counters.outgoing;

char *ip = safe_strdup(client->ip);

char *urlFragment = NULL;

t_auth_serv *auth_server = get_auth_server();

fw_deny(client->ip, client->mac, client->fw_connection_state);

client_list_delete(client);

debug(LOG_DEBUG, "Got logout from %s", client->ip);

/* Advertise the logout if we have an auth server */

if (config->auth_servers != NULL) {

UNLOCK_CLIENT_LIST();

auth_server_request(&authresponse, REQUEST_TYPE_LOGOUT, ip, mac, token->value,

incoming, outgoing);

LOCK_CLIENT_LIST();

/* Re-direct them to auth server */

debug(LOG_INFO, "Got manual logout from client ip %s, mac %s, token %s"

"- redirecting them to logout message", client->ip, client->mac, client->token);

safe_asprintf(&urlFragment, "%smessage=%s",

auth_server->authserv_msg_script_path_fragment,

GATEWAY_MESSAGE_ACCOUNT_LOGGED_OUT

);

http_send_redirect_to_auth(r, urlFragment, "Redirect to logout message");

free(urlFragment);

}

free(ip);

}

else {

// 6, 已經(jīng)登錄校驗通過

debug(LOG_DEBUG, "Client for %s is already in the client list", client->ip);

}

UNLOCK_CLIENT_LIST();

if (!logout) {

// 7, 到 auth server 上進一步校驗 token

authenticate_client(r);

}

free(mac);

}

} else {

/* They did not supply variable "token" */

// 8, 未攜帶 token, 直接拒絕

send_http_page(r, "WiFiDog error", "Invalid token");

}

}

在該函數(shù)中主要處理了 客戶端退出，非法校驗，以及 客戶端校驗等流程，下面分別描述注釋中的各個步驟：

1，對于客戶端退出，則會攜帶 logout 參數(shù)信息，并走到第 5 步（當然，如果連 token 參數(shù)都沒有的話，會直接走到第 8 步，也就是拒絕）；

2，按照正常的認證流程，會攜帶由認證服務器分配的 token 參數(shù)；

3，正如注釋說明的，這里要求必須能夠通過 ARP 協(xié)議獲取到 接入設備 的 MAC 地址；（其實通過查看 arg_get 的實現(xiàn)，可以看到是直接解析 /proc/net/arp 文件 -- ARP cache -- 來獲取對應客戶端 IP 地址的 MAC 信息的），類似如下：

[asd@ubuntu ~]#more /proc/net/arp

IP address? ? ? HW type? ? Flags? ? ? HW address? ? ? ? ? ? Mask? ? Device

192.168.1.203? ? 0x1? ? ? ? 0x2? ? ? ? 18:03:73:d5:1b:a2? ? *? ? ? ? eth0

192.168.1.1? ? ? 0x1? ? ? ? 0x2? ? ? ? 00:21:27:63:c0:ce? ? *? ? ? ? eth0

4，在能夠獲取到該客戶端的 MAC 地址后，根據(jù)客戶端的 IP 和 MAC 地址檢查該客戶端是否已經(jīng)在 wifidog 維護的接入設備（or客戶端）列表中，如果不在，則追加到此列表中（關于此列表的數(shù)據(jù)結(jié)構(gòu)在后面再詳細描述);

5，如果該客戶端已經(jīng)存在，且本次訪問是要求 logout 退出的，則進入此退出處理的流程，該流程主要包括幾個步驟：關閉該客戶端 ip/mac 的出口（outgoing）規(guī)則 --> 從客戶端列表中刪除該客戶端記錄 --> 通知認證服務器該客戶端退出（且攜帶該客戶端的token， 上下行流量等信息） --> 返回重定向至 認證服務器 的 #define DEFAULT_AUTHSERVMSGPATHFRAGMENT "gw_message.php?" 訪問路徑（攜帶一個已退出的 message）;

6，如果該客戶端已經(jīng)登錄校驗過，且本次訪問非 logout 退出，則直接跳轉(zhuǎn)到第 7 步;

7，這一步就是 token 校驗的過程，具體實現(xiàn)在 authenticate_client 函數(shù)中：

/** Authenticates a single client against the central server and returns when done

* Alters the firewall rules depending on what the auth server says

@param r httpd request struct

*/

void

authenticate_client(request *r)

{

t_client *client;

t_authresponse auth_response;

char *mac,

*token;

char *urlFragment = NULL;

s_config *config = NULL;

t_auth_serv *auth_server = NULL;

LOCK_CLIENT_LIST();

client = client_list_find_by_ip(r->clientAddr);

if (client == NULL) {

debug(LOG_ERR, "Could not find client for %s", r->clientAddr);

UNLOCK_CLIENT_LIST();

return;

}

mac = safe_strdup(client->mac);

token = safe_strdup(client->token);

UNLOCK_CLIENT_LIST();

/*

* At this point we've released the lock while we do an HTTP request since it could

* take multiple seconds to do and the gateway would effectively be frozen if we

* kept the lock.

*/

auth_server_request(&auth_response, REQUEST_TYPE_LOGIN, r->clientAddr, mac, token, 0, 0);

LOCK_CLIENT_LIST();

/* can't trust the client to still exist after n seconds have passed */

client = client_list_find(r->clientAddr, mac);

if (client == NULL) {

debug(LOG_ERR, "Could not find client node for %s (%s)", r->clientAddr, mac);

UNLOCK_CLIENT_LIST();

free(token);

free(mac);

return;

}

free(token);

free(mac);

/* Prepare some variables we'll need below */

config = config_get_config();

auth_server = get_auth_server();

switch(auth_response.authcode) {

case AUTH_ERROR:

/* Error talking to central server */

debug(LOG_ERR, "Got %d from central server authenticating token %s from %s at %s", auth_response, client->token, client->ip, client->mac);

send_http_page(r, "Error!", "Error: We did not get a valid answer from the central server");

break;

case AUTH_DENIED:

/* Central server said invalid token */

debug(LOG_INFO, "Got DENIED from central server authenticating token %s from %s at %s - redirecting them to denied message", client->token, client->ip, client->mac);

safe_asprintf(&urlFragment, "%smessage=%s",

auth_server->authserv_msg_script_path_fragment,

GATEWAY_MESSAGE_DENIED

);

http_send_redirect_to_auth(r, urlFragment, "Redirect to denied message");

free(urlFragment);

break;

case AUTH_VALIDATION:

/* They just got validated for X minutes to check their email */

debug(LOG_INFO, "Got VALIDATION from central server authenticating token %s from %s at %s"

"- adding to firewall and redirecting them to activate message", client->token,

client->ip, client->mac);

client->fw_connection_state = FW_MARK_PROBATION;

fw_allow(client->ip, client->mac, FW_MARK_PROBATION);

safe_asprintf(&urlFragment, "%smessage=%s",

auth_server->authserv_msg_script_path_fragment,

GATEWAY_MESSAGE_ACTIVATE_ACCOUNT

);

http_send_redirect_to_auth(r, urlFragment, "Redirect to activate message");

free(urlFragment);

break;

case AUTH_ALLOWED:

/* Logged in successfully as a regular account */

debug(LOG_INFO, "Got ALLOWED from central server authenticating token %s from %s at %s - "

"adding to firewall and redirecting them to portal", client->token, client->ip, client->mac);

client->fw_connection_state = FW_MARK_KNOWN;

fw_allow(client->ip, client->mac, FW_MARK_KNOWN);

served_this_session++;

safe_asprintf(&urlFragment, "%sgw_id=%s",

auth_server->authserv_portal_script_path_fragment,

config->gw_id

);

http_send_redirect_to_auth(r, urlFragment, "Redirect to portal");

free(urlFragment);

break;

case AUTH_VALIDATION_FAILED:

/* Client had X minutes to validate account by email and didn't = too late */

debug(LOG_INFO, "Got VALIDATION_FAILED from central server authenticating token %s from %s at %s "

"- redirecting them to failed_validation message", client->token, client->ip, client->mac);

safe_asprintf(&urlFragment, "%smessage=%s",

auth_server->authserv_msg_script_path_fragment,

GATEWAY_MESSAGE_ACCOUNT_VALIDATION_FAILED

);

http_send_redirect_to_auth(r, urlFragment, "Redirect to failed validation message");

free(urlFragment);

break;

default:

debug(LOG_WARNING, "I don't know what the validation code %d means for token %s from %s at %s - sending error message", auth_response.authcode, client->token, client->ip, client->mac);

send_http_page(r, "Internal Error", "We can not validate your request at this time");

break;

}

UNLOCK_CLIENT_LIST();

return;

}

這里主要是兩大步驟：

1，通過調(diào)用 auth_server_request(&auth_response, REQUEST_TYPE_LOGIN, r->clientAddr, mac, token, 0, 0); 讓 認證服務器 對該客戶端的 token 進行校驗；

2，根據(jù)認證服務器返回的 token 校驗結(jié)果進行不同的處理（主要是對該客戶端的防火墻過濾規(guī)則進行不同的設置），這里主要以 AUTH_ALLOWED 校驗結(jié)果進行分析，這里主要是兩個動作：

2.1，通過 fw_allow 函數(shù)調(diào)用對此客戶端"放行"；

2.2，返回重定向至認證服務器的 portal 路徑訪問的響應；

這里就簡要分析一下 fw_allow 函數(shù)的實現(xiàn)，查看fw_allow的實現(xiàn)可以看到真正設置allow客戶端通過防火墻的動作是在iptables_fw_access中實現(xiàn)的，如下：

/* Set if a specific client has access through the firewall */

int iptables_fw_access(fw_access_t type, const char *ip, const char *mac, int tag)

{

int rc;

fw_quiet = 0;

switch(type) {

case FW_ACCESS_ALLOW:

iptables_do_command("-t mangle -A " TABLE_WIFIDOG_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);

rc = iptables_do_command("-t mangle -A " TABLE_WIFIDOG_INCOMING " -d %s -j ACCEPT", ip);

break;

case FW_ACCESS_DENY:

iptables_do_command("-t mangle -D " TABLE_WIFIDOG_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip, mac, tag);

rc = iptables_do_command("-t mangle -D " TABLE_WIFIDOG_INCOMING " -d %s -j ACCEPT", ip);

break;

default:

rc = -1;

break;

}

return rc;

}

同樣的，我們這里主要分析一下ALLOW時的iptables的防火墻設置規(guī)則，對執(zhí)行的兩個iptables命令展開來就是下面兩個步驟：

1) 在mangle表中追加WiFiDog_$ID$_Outgoing外出過濾鏈，該鏈的規(guī)則如下幾條：

a) IP 地址為該客戶端的IP地址；

b) MAC地址為該客戶端的MAC地址；

c) 設置MARK為FW_MARK_KNOWN；

iptables –t mangle –AWiFiDog_$ID$_Outgoing? -s 客戶端IP地址 -m mac --mac-source 客戶端MAC地址 -j MARK --set-markFW_MARK_KNOWN

2）在mangle表中追加一條[接受所有目的地址為此客戶端IP地址的] WifiDog_$ID$_Incoming輸入過濾鏈；

iptables -t mangle -AWiFiDog_$ID$_Incoming -d 客戶端IP地址 -j ACCEPT

最后，Auth server重定向客戶端瀏覽器到www.baidu.com

本文由http://www.wifidog.pro/2014/12/08/wifidog-%E6%BA%90%E7%A0%81%E5%88%86%E6%9E%90.html整理編輯，轉(zhuǎn)載請注明出處