2019-09-07 - Re: Non HTTPS sites are not working

Header Data

From: SK NZ <sa***m@gmail.com>
Message Hash: 6a78da4c40a59c6699105169966e1634ac447ec0bd8d8480fa4e11c88931e806
Message ID: <f4230472-46ce-4c5e-8458-daa4fdb21395@grasehotspot.org>
Reply To: <c54e8c4e-b206-4ba3-8774-d8919f1b161a@grasehotspot.org>
UTC Datetime: 2019-09-07 22:16:58 UTC
Raw Date: Sat, 07 Sep 2019 22:16:58 -0700

Raw message

Hello,
Yes, they could. I've run *apt-get upgrade*, no luck!

Tim has done a wonderful job so far. He really deserves that boost up from 
us. I'm going to rewrite some part of the UAM captive portal, as in I need to 
make it work with my OTP server. Has anyone implemented it for grase 
yet?

Now HTTP and HTTPS sites are working perfectly, and HTTP traffic logging is 
also working. Though nowadays almost every site has implemented HTTPS on their 
end, so this logging is a bit useless. Maybe it will log 5% of total 
traffic. So I was wondering if we can log HTTPS traffic without 
intercepting, so that the client won't need to install a certificate, and I found 
this wonderful 
article: http://blog.manty.net/2014/12/squid-proxy-being-transparent-also-for.html

I believe I'm gonna give it a try and implement this for grase, what do you 
think? I may need some help with iptables. :(

On Sunday, September 8, 2019 at 10:58:36 AM UTC+6, christopher wrote:
>
> Hello,
>
> I just had a thought.  Perhaps they have managed to fix the service file 
> in later updates to jessie.  Try doing:
>
> sudo apt-get update
> sudo apt-get upgrade
>
> That should pull in everything from the security channel as well as from 
> the repositories.
>
> There won't be any changes to the current version of grase, as Tim is in 
> the process of rewriting the code so that it works on the latest versions 
> of Ubuntu and Debian.  That is coming out sometime in the first half of 
> next year.  He is doing it in his spare time.  A group of us have decided 
> to donate money to the project so that it was not terminated.
>
> Regards,
>
> Christopher.
>
> On Sunday, 8 September 2019 06:30:56 UTC+12, SK NZ wrote:
>>
>> Hello,
>> I guess *grase-conf-squid3-3.3* needs to be updated to work with 
>> *squid3 3.4.8-6+deb8u8*. For now, I've edited the *squid.conf.grase* file.
>>
>> http_port 3128 intercept 
>>
>> *   to*
>>
>>> http_port 3128 accel vhost allow-direct
>>
>>
>> Now I can browse *both* HTTP and HTTPS sites, and the admin panel is 
>> also logging HTTP traffic. I'm facing another issue. I need to restart 
>> *dnsmasq* after every boot, otherwise, captive portal is not working. Is 
>> there any way to fix it? I tried to add *rc.local*, no luck!
>>
>>
>>
>> On Saturday, September 7, 2019 at 9:55:28 PM UTC+6, SK NZ wrote:
>>>
>>>
>>> Thanks for the help, really appreciate it.  Here is iptables -vL
>>>
>>> [image: test.PNG]
>>>
>>>
>>>
>>> On Saturday, September 7, 2019 at 9:40:01 PM UTC+6, christopher wrote:
>>>>
>>>> Hello,
>>>>
>>>> Please provide the output of iptables -vL
>>>>
>>>> This shows the full chains.  I still think it is a problem with the 
>>>> rules.  However with that output, at least Tim or someone else may see 
>>>> something I have missed.  I need sleep, but will check your results later, 
>>>> if someone does not beat me to it.
>>>>
>>>> Regards,
>>>>
>>>> Christopher.
>>>>
>>>> On Sunday, 8 September 2019 02:45:13 UTC+12, SK NZ wrote:
>>>>>
>>>>> Hello,
>>>>> I replaced *AP* with *Computer* for testing. So now Grase Hotspot 
>>>>> Server is directly wired to a Laptop. I tried to browse HTTP/HTTPS sites in 
>>>>> the Windows 8 Laptop, HTTPS sites are loading fine, even I can browse 
>>>>> IP:5500 site!  I cannot visit any HTTP site. This clearly rules out an AP 
>>>>> issue.  On the other hand, I can browse HTTP/HTTPS using LYNX in the Grase 
>>>>> Hotspot Server.
>>>>>
>>>>> This could be a SQUID issue?
>>>>>
>>>>> I have two NICs, *eth0* configured for WAN (to router LAN port) and *eth1* 
>>>>> configured for Grase Hotspot LAN (AP). 
>>>>>
>>>>> -P INPUT ACCEPT
>>>>>> -P FORWARD ACCEPT
>>>>>> -P OUTPUT ACCEPT
>>>>>> -A INPUT -i eth1 -j DROP
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p icmp -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 53 -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
>>>>>> -A INPUT -d 255.255.255.255/32 -i tun0 -p udp -m udp --dport 67:68 -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3128 -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 2812 -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 22 -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 443 -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 4990 -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -p tcp -m tcp --dport 3990 -j ACCEPT
>>>>>> -A INPUT -d 10.1.0.1/32 -i tun0 -j DROP
>>>>>> -A FORWARD -i tun0 -o eth0 -j ACCEPT
>>>>>> -A FORWARD -i tun0 ! -o eth0 -j DROP
>>>>>> -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>>>>>> -A FORWARD -o tun0 -j ACCEPT
>>>>>> -A FORWARD -i tun0 -j ACCEPT
>>>>>> -A FORWARD -o eth1 -j DROP
>>>>>> -A FORWARD -i eth1 -j DROP
>>>>>
>>>>>
>>>>> and ifconfig
>>>>>
>>>>> eth0      Link encap:Ethernet  HWaddr d8:cb:8a:53:b5:ff
>>>>>>           inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
>>>>>>           inet6 addr: fe80::dacb:8aff:fe53:b5ff/64 Scope:Link
>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>           RX packets:36385 errors:0 dropped:0 overruns:0 frame:0
>>>>>>           TX packets:21295 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>           collisions:0 txqueuelen:1000
>>>>>>           RX bytes:20320392 (19.3 MiB)  TX bytes:3860264 (3.6 MiB)
>>>>>> eth1      Link encap:Ethernet  HWaddr 00:e0:4c:53:44:58
>>>>>>           inet6 addr: fe80::2e0:4cff:fe53:4458/64 Scope:Link
>>>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>>>           RX packets:31776 errors:58 dropped:16 overruns:17 frame:87
>>>>>>           TX packets:31316 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>           collisions:0 txqueuelen:1000
>>>>>>           RX bytes:4663037 (4.4 MiB)  TX bytes:20131262 (19.1 MiB)
>>>>>> lo        Link encap:Local Loopback
>>>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>>>>           inet6 addr: ::1/128 Scope:Host
>>>>>>           UP LOOPBACK RUNNING  MTU:65536  Metric:1
>>>>>>           RX packets:759 errors:0 dropped:0 overruns:0 frame:0
>>>>>>           TX packets:759 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>           collisions:0 txqueuelen:0
>>>>>>           RX bytes:154270 (150.6 KiB)  TX bytes:154270 (150.6 KiB)
>>>>>> tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>>>>>>           inet addr:10.1.0.1  P-t-P:10.1.0.1  Mask:255.255.255.0
>>>>>>           UP POINTOPOINT RUNNING  MTU:1500  Metric:1
>>>>>>           RX packets:23123 errors:0 dropped:0 overruns:0 frame:0
>>>>>>           TX packets:29580 errors:0 dropped:0 overruns:0 carrier:0
>>>>>>           collisions:0 txqueuelen:100
>>>>>>           RX bytes:3592912 (3.4 MiB)  TX bytes:19552030 (18.6 MiB)
>>>>>
>>>>>
>>>>>
>>>>> Support Data : https://paste.grasehotspot.org/view/e56ddd33
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Saturday, September 7, 2019 at 6:23:49 PM UTC+6, christopher wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Ack, I am running out of ideas here.  
>>>>>>
>>>>>> Go back to the iptable rules and make sure that the ethernet devices 
>>>>>> match for the http and https.
>>>>>>
>>>>>> Also check in the admin panel of grase as administrator that the 
>>>>>> cards are correct.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Christopher.
>>>>>>
>>>>>> On Saturday, 7 September 2019 22:21:38 UTC+12, SK NZ wrote:
>>>>>>>
>>>>>>> In a freshly installed Grase Hotspot server, I can connect to an AP. 
>>>>>>> I can browse *https sites*... But *non-https sites* are not loading 
>>>>>>> at all. I tried from different devices and different browsers. Any 
>>>>>>> suggestions? 
>>>>>>>
>>>>>>> Support data : https://paste.grasehotspot.org/view/e56ddd33
>>>>>>>
>>>>>>
