make PortalProxy domain-independent (#7)

Co-authored-by: programminghoch10 <16062290+programminghoch10@users.noreply.github.com>

Author: binarynoise

liberator/src/main/kotlin/de/binarynoise/liberator/portals/BinarynoisePortalProxy.kt

@@ -14,7 +14,7 @@ import okhttp3.Response
 @Experimental
 object BinarynoisePortalProxy : PortalLiberator {
     override fun canSolve(response: Response): Boolean {
-        return response.requestUrl.host == "binarynoise.de" && response.requestUrl.port == 8000
+        return response.requestUrl.host == "portal.binarynoise.de" && response.requestUrl.port == 8001
     }
 
     override fun solve(client: OkHttpClient, response: Response, cookies: Set<Cookie>) {

portalProxy/README.md

@@ -0,0 +1,44 @@
+# PortalProxy
+
+A HTTP/HTTPS proxy server with captive portal functionality.
+
+## Overview
+
+PortalProxy provides:
+
+- HTTP/HTTPS proxy server with configurable port
+- Captive portal for network authentication
+- IP-based access control and allowlisting
+- CONNECT tunneling for HTTPS traffic
+- Real-time IP tracking and login/logout functionality
+
+## Environment Variables
+
+### Server Configuration
+
+| Variable      | Default | Description                                 |
+|---------------|---------|---------------------------------------------|
+| `PROXY_PORT`  | `8000`  | Port for the proxy server                   |
+| `PORTAL_PORT` | `8001`  | Port for the captive portal web interface   |
+| `PORTAL_HOST` | `null`  | Friendly hostname for the portal (optional) |
+
+### Access Control
+
+| Variable                 | Default | Description                                                  |
+|--------------------------|---------|--------------------------------------------------------------|
+| `PROXY_ALLOWLIST_DOMAIN` | `null`  | Comma-separated list of allowed domains for CONNECT requests |
+| `PROXY_ALLOWLIST_PORT`   | `null`  | Comma-separated list of allowed ports for CONNECT requests   |
+
+Providing empty values for `PROXY_ALLOWLIST_DOMAIN` or `PROXY_ALLOWLIST_PORT` disables allowlisting.
+
+## Usage
+
+### Basic Setup
+
+```bash
+./gradlew :portalProxy:run
+```
+
+### Portal Interface
+
+Access the captive portal at `http://localhost:8001/` (or your configured `PORTAL_PORT`).

portalProxy/src/main/kotlin/IpUtils.kt

@@ -0,0 +1,69 @@
+package de.binarynoise.captiveportalautologin.portalproxy.portal
+import java.net.Inet4Address
+import java.net.Inet6Address
+import java.net.InetAddress
+import java.net.UnknownHostException
+import io.vertx.core.http.HttpServerRequest
+
+fun HttpServerRequest.getRealRemoteIP(): String {
+    val ip = remoteAddress().host()
+    
+    val headers = headers()
+    if (isLanIp(ip) && "X-Real-IP" in headers) {
+        val realIp = headers["X-Real-IP"]
+        if (realIp != null) return realIp.split(",").first().trim()
+    }
+    return ip
+}
+
+fun isLanIp(ipString: String): Boolean {
+    val addr = parseIp(ipString) ?: return false
+    
+    return when (addr) {
+        is Inet4Address -> isPrivateIPv4(addr)
+        is Inet6Address -> isLocalIPv6(addr)
+        else -> false
+    }
+}
+
+fun parseIp(ipString: String): InetAddress? = try {
+    InetAddress.getByName(ipString.trim())
+} catch (_: UnknownHostException) {
+    null
+} catch (_: SecurityException) {
+    null
+}
+
+
+val loopbackV6 = ByteArray(16) { if (it == 15) 1 else 0 }
+fun isLocalIPv6(addr: Inet6Address): Boolean {
+    val bytes = addr.address
+    val b0 = bytes[0].toInt()
+    val b1 = bytes[1].toInt()
+    
+    // fc00::/7 (1111 110x)
+    val isUniqueLocal = (b0 and 0xFE) == 0xFC
+    // fe80::/10 (1111 1110 10xx xxxx)
+    val isLinkLocal = (b0 == 0xFE) && ((b1 and 0xC0) == 0x80)
+    val isLoopback = bytes.contentEquals(loopbackV6)
+    
+    return isUniqueLocal || isLinkLocal || isLoopback
+}
+
+fun isPrivateIPv4(addr: Inet4Address): Boolean {
+    val bytes = addr.address
+    val b0 = bytes[0].toInt() and 0xFF
+    val b1 = bytes[1].toInt() and 0xFF
+    
+    return when (b0) {
+        // 10.0.0.0/8
+        10 -> true
+        // 127.0.0.1/8
+        127 -> true
+        // 172.16.0.0/12
+        172 if (b1 in 16..31) -> true
+        // 192.168.0.0/16
+        192 if b1 == 168 -> true
+        else -> false
+    }
+}

portalProxy/src/main/kotlin/Main.kt

@@ -1,11 +1,12 @@
 package de.binarynoise.captiveportalautologin.portalproxy
 
-import kotlin.coroutines.EmptyCoroutineContext
+import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
-import de.binarynoise.captiveportalautologin.portalproxy.portal.portalHost
+import de.binarynoise.captiveportalautologin.portalproxy.portal.portalPort
 import de.binarynoise.captiveportalautologin.portalproxy.portal.portalRouter
 import de.binarynoise.captiveportalautologin.portalproxy.proxy.forward
 import de.binarynoise.captiveportalautologin.portalproxy.proxy.forwardConnect
+import de.binarynoise.captiveportalautologin.portalproxy.proxy.proxyPort
 import de.binarynoise.logger.Logger
 import de.binarynoise.logger.Logger.log
 import io.vertx.core.Vertx
@@ -14,26 +15,31 @@ import io.vertx.core.http.HttpServerRequest
 import io.vertx.ext.web.Router
 import io.vertx.kotlin.coroutines.CoroutineVerticle
 import io.vertx.kotlin.coroutines.coAwait
-import io.vertx.kotlin.coroutines.dispatcher
 
 class MainVerticle : CoroutineVerticle() {
     override suspend fun start() {
-        val router = Router.router(vertx)
 
         // Portal routes
-        router.route().virtualHost(portalHost).handler { ctx ->
+        val portalRouter = Router.router(vertx)
+        portalRouter.route().handler { ctx ->
             log("route portal")
             ctx.next()
         }.subRouter(portalRouter(vertx))
 
         // Proxy routes
-        router.route().handler { ctx ->
+        val proxyRouter = Router.router(vertx)
+        proxyRouter.route().handler { ctx ->
             log("route /http")
-            forward(ctx.request())
+            val request = ctx.request()
+            if (request.authority().port() == portalPort) {
+                portalRouter.handle(request)
+            } else {
+                forward(request)
+            }
         }
 
-        val requestHandler: (HttpServerRequest) -> Unit = { request ->
-            launch(vertx.dispatcher() + EmptyCoroutineContext) {
+        val proxyRequestHandler: (HttpServerRequest) -> Unit = { request ->
+            launch(Dispatchers.IO) {
                 log(buildString {
                     append("< ")
                     append(request.method())
@@ -42,9 +48,9 @@ class MainVerticle : CoroutineVerticle() {
                     append(" -> ")
                     append(request.scheme())
                     append(" ")
-                    append(request.authority().host())
+                    append(request.authority()?.host())
                     append(" : ")
-                    append(request.authority().port())
+                    append(request.authority()?.port())
                     append(" ")
                     append(request.path())
                     append(" from ")
@@ -56,7 +62,7 @@ class MainVerticle : CoroutineVerticle() {
                 if (request.method() == HttpMethod.CONNECT) {
                     forwardConnect(request, vertx)
                 } else {
-                    router.handle(request)
+                    proxyRouter.handle(request)
                 }
 
                 log(buildString {
@@ -71,26 +77,36 @@ class MainVerticle : CoroutineVerticle() {
             }
         }
 
+        val portalRequestHandler: (HttpServerRequest) -> Unit = { request ->
+            portalRouter.handle(request)
+        }
+        
         val exceptionHandler = { t: Throwable ->
             log("Unhandled exception during connection", t)
         }
-        val invalidRequestHandler = { r: HttpServerRequest ->
-            log("Invalid request: $r")
-        }
 
-        val server = vertx.createHttpServer()
-            .requestHandler(requestHandler)
+        val proxyServer = vertx.createHttpServer()
+            .requestHandler(proxyRequestHandler)
             .exceptionHandler(exceptionHandler)
-            .invalidRequestHandler(invalidRequestHandler)
-            .listen(8000, "::")
+            .listen(proxyPort, "0.0.0.0")
             .coAwait()
-        log("Started server on port " + server.actualPort())
+        log("Started proxy server on port " + proxyServer.actualPort())
+        
+        val portalServer = vertx.createHttpServer()
+            .requestHandler(portalRequestHandler)
+            .exceptionHandler(exceptionHandler)
+            .listen(portalPort, "0.0.0.0")
+            .coAwait()
+        log("Started portal server on port " + portalServer.actualPort())
     }
 }
 
 fun main() {
     Logger.Config.debugDump = true
 
+    // disable ipv6 so entries in the portal database are deterministic for dual stack clients
+    System.setProperty("java.net.preferIPv4Stack", "true")
+    
     val vertx = Vertx.builder()/*.withTracer { o -> DebugTracer() }*/.build()
     vertx.exceptionHandler { e ->
         log("Unhandled exception", e)

portalProxy/src/main/kotlin/Portal.kt

@@ -1,6 +1,6 @@
 package de.binarynoise.captiveportalautologin.portalproxy.portal
 
-import java.util.concurrent.ConcurrentHashMap
+import java.util.concurrent.*
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.html.*
 import kotlinx.html.stream.*
@@ -10,8 +10,8 @@ import io.vertx.core.http.HttpServerRequest
 import io.vertx.ext.web.Router
 import io.vertx.kotlin.coroutines.coroutineRouter
 
-const val portalHost = "binarynoise.de"
-const val portalPort = 8000
+val portalPort = System.getenv("PORTAL_PORT")?.toInt() ?: 8001
+val friendlyHost: String? = System.getenv("PORTAL_HOST")
 
 private val database = ConcurrentHashMap<String, Boolean>()
 
@@ -26,15 +26,17 @@ fun CoroutineScope.portalRouter(vertx: Vertx): Router {
 
         // Login route
         router.route("/login").handler { ctx ->
-            val ip = ctx.request().remoteAddress().host()
+            val ip = ctx.request().getRealRemoteIP()
+            
             database[ip] = false
             log("logged in $ip")
             ctx.response().putHeader("Location", "/").setStatusCode(302).end()
         }
 
         // Logout route
         router.route("/logout").handler { ctx ->
-            val ip = ctx.request().remoteAddress().host()
+            val ip = ctx.request().getRealRemoteIP()
+            
             database[ip] = true
             log("logged out $ip")
             redirect(ctx.request())
@@ -49,12 +51,17 @@ fun CoroutineScope.portalRouter(vertx: Vertx): Router {
     return router
 }
 
+fun getPortalHost(request: HttpServerRequest): String {
+    return friendlyHost ?: request.getHeader("Host")!!.substringBefore(":")
+}
+
 fun redirect(request: HttpServerRequest) {
-    request.response().putHeader("Location", "http://$portalHost:$portalPort/").setStatusCode(303).end()
+    val host = getPortalHost(request)
+    request.response().putHeader("Location", "http://$host:$portalPort/").setStatusCode(303).end()
 }
 
 fun checkCaptured(request: HttpServerRequest): Boolean {
-    val ip = request.remoteAddress().host()
+    val ip = request.getRealRemoteIP()
     return database[ip] ?: true
 }
 
@@ -89,6 +96,10 @@ private fun servePortalPage(request: HttpServerRequest) {
         body {
             h1 { +"Captive Portal" }
             p { +"You are currently ${if (captured) "captured" else "not captured"}" }
+            p {
+                +"Your IP is "
+                code { +request.getRealRemoteIP() }
+            }
 
             form("/login") {
                 p {
@@ -105,7 +116,7 @@ private fun servePortalPage(request: HttpServerRequest) {
             p {
                 +"This page can be opened again at"
                 br()
-                val href = "http://$portalHost:$portalPort/"
+                val href = "http://${getPortalHost(request)}:$portalPort/"
                 a(href = href) { +href }
             }
         }

portalProxy/src/main/kotlin/Proxy.kt

@@ -6,6 +6,7 @@ import kotlin.concurrent.atomics.AtomicBoolean
 import kotlin.concurrent.atomics.ExperimentalAtomicApi
 import kotlinx.coroutines.CancellationException
 import de.binarynoise.captiveportalautologin.portalproxy.portal.checkCaptured
+import de.binarynoise.captiveportalautologin.portalproxy.portal.friendlyHost
 import de.binarynoise.captiveportalautologin.portalproxy.portal.redirect
 import de.binarynoise.logger.Logger.log
 import io.netty.handler.codec.http.HttpResponseStatus
@@ -15,11 +16,12 @@ import io.vertx.core.http.HttpServerRequest
 import io.vertx.core.net.NetSocket
 import io.vertx.kotlin.coroutines.coAwait
 
-private val allowlistDomain = listOf("am-i-captured.binarynoise.de", "www.google.com")
-private val allowlistPort = listOf("80", "443")
+private val allowlistDomain = System.getenv("PROXY_ALLOWLIST_DOMAIN")?.split(",")?.map { it.trim() }
+private val allowlistPort = System.getenv("PROXY_ALLOWLIST_PORT")?.split(",")?.map { it.trim() }
+val proxyPort = System.getenv("PROXY_PORT")?.toInt() ?: 8000
 
 fun forward(request: HttpServerRequest) {
-    if (checkCaptured(request)) {
+    if ((friendlyHost != null && request.authority()?.host() == friendlyHost) || checkCaptured(request)) {
         redirect(request)
         return
     }
@@ -52,7 +54,7 @@ suspend fun forwardConnect(request: HttpServerRequest, vertx: Vertx) {
 
         val (host, port) = hostPort
 
-        if (host !in allowlistDomain || port !in allowlistPort) {
+        if ((allowlistDomain != null && host !in allowlistDomain) || (allowlistPort != null && port !in allowlistPort)) {
             request.response()
                 .setStatusCode(HttpResponseStatus.FORBIDDEN.code())
                 .end("Access to $host:$port is not allowed")

systemd/portal-proxy.service

@@ -8,6 +8,9 @@ User=root
 StateDirectory=captive-portal-proxy
 WorkingDirectory=/var/lib/captive-portal-proxy
 ExecStart=/usr/bin/java -jar /opt/CaptivePortalAutoLogin/portalProxy/build/libs/portalProxy-shadow.jar
+Environment=PROXY_ALLOWLIST_DOMAIN=am-i-captured.binarynoise.de,www.google.com
+Environment=PROXY_ALLOWLIST_PORT=80,443
+Environment=PORTAL_HOST=portal.binarynoise.de
 Restart=on-failure
 RestartSec=10