quinta-feira, 5 de janeiro de 2017

Mikrotik - Redirect HTTPS Hotspot Login Page Self-Signed Certificate

Video muito bom sobre como usar hotspot com certificado digital

fonte: http://agratitudesign.blogspot.com/2015/04/redirect-https-hotspot-login-page.html

Redirect HTTPS Hotspot Login Page Mikrotik Self-Signed Certificate

Redirect HTTPS Hotspot Login Page Mikrotik Self-Signed Certificate
In order to provide the best service for your client, and for those of you who just start a new business or just want to share the internet connection using mikrotik hotspot servers, you need to know the aspects of the accessing https hotspot login page. Before we go further to create the web login template/interface to the hotspot login, I think it is require to improve the understanding of the access https hotspot login page, so that can be resolve the problems that may be found in the future, this is the one of the important things that we must know in building hotspot server systems.

HTTPS is a secure HTTP connection that using SSL (Secure Socket Layer) protocol to encrypt transmissions to provide protection from eavesdroppers attacks that use port 443. In other word, HTTPS is using for the secure connection over the clients that will increase the confidence of the client to use the website page connection. Using HTTPS connections associated with SSL Certificates that contains the data files of the organization's.

To use HTTPS connections that allow the clients access Hotspot login page, we need to install SSL certificate that will initiate secure sessions to the browsers. Keep in mind Hotspot login page will act as the web server to our hotspot client that the files is located in the router. Actually when the clients want to access the login page the internet connection is already up to the clients but to use the internet they have to login through the hotspot server rules.  So the clients request to use firewall rules into hotspot login page using the account member.

Look at the picture above! This is the previous configuration of the hotspot server profile that only use HTTP CHAP. This is the standard method access the hotspot login page, HTTP CHAP is unencrypted connection for the security consideration it is not recommended, so that the client can access the login page Using HTTP Connection.
The client will be redirecting to the login page when typing such agratitudesign.blogspot.com, wiswaweb.com that only use HTTP connection, and google.com, youtube.com that uses both connection, HTTP and HTTPS.

But when the client using such a facebook.com, github.com, this is very strict just only use HTTPS connections as their trusted identity. or inadvertently entered through the complete url like this https://www.youtube.com/. Our clients will not redirecting to the login page.

What do you think if the clients meet like this, oh error, trouble, bad service. Actually the internet connection is already but where is the login page? they should use the HTTP connection to login or just typing such or hotspot dns name such hotspot.wiswaweb.com. But not any advice, the something like a boom and they have stuck and this is likely not a good service for them.

As I said before, to use redirect HTTPS hotspot login page connections, we must use SSL Certificate. For widespread use for the professional website server, the SSL certificates should be excluded from the authorities, actually we must pay for this to be signed by trusted authority. When we have decided to buy SSL certificate make sure you must have domain name to be certified. Or when you have public IP you can create a free domain for the hotspot login page.

Ok no matter whether buy or get for free of the SSL certificate, I will show Self-Signed Certificate to prove how the process redirect https login page works using openSSL. You can download openssl-0.9.8k_WIN32 and openssl-0.9.8k_WIN64 depending on your system. Extract the zip file, and just put the folder/directory OpenSSL on the desktop and rename the folder as “openssl”. On the folder openssl, go to bin folder and click on openssl.exe to run openssl command prompt.

1. Creating self –signed our own CA (Certificate Authority)

First we generate the RSA Private Key in order Create CA (Certificate Authority). Certificate is containing our identity and organization details. For more faster just paste it on openssl command prompt one by one (look at the number of this command lines!).
genrsa -des3 -out ca.key 4096
req -config C:\Users\agus\Desktop\openssl\openssl.cnf -new -x509 -days 3650 -key ca.key -out ca.crt
The final goal in this step is creating “ca.key and ca.crt”. “C:\Users\agus\Desktop\openssl\openssl.cnf” is the path where the openssl.cnf  file is located. “Common Name : hotspot.wiswaweb.com” is a dns name of the hotspot server profile that used.

2. Creating self-signed hotspot server certificate

We generate the RSA Private Key, Certificate Signing Request (CSR) and finally self-signed hotspot server certificate itself.
genrsa -des3 -out server.key 4096
req -config C:\Users\agus\Desktop\openssl\openssl.cnf -new -key server.key -out server.csr
x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

After this we can close openSSL command prompt, and now we have three hotspot server certificate files, that is server.key, server.csr, and server.crt.

3. Upload  and Import the self-signed certifate hotspot server files

Copy that tree server files and place into 1 folder, just named as key. Now we are going to upload the three files in folder key, we can also use winSCP, fireFTP, etc,  to make easier to upload and put the certificate files against another files on the router.

After upload the files we are going to import them to the router as the self-signed sertificate on the router system. Using winbox click System>Certificates. On the tab certificates, press import and and we look for the files that have been uploaded, as shown like the right picture above.  First we have to import server.crt, then server.key. In this case we just require server certificate the file that has extension .crt and the key files. We can see the information identity details of the self-signed certificate.

4. Change the configuration of the hotspot server mikrotik

After import the certificate, now we have certificate on the router system with the name cert_1. Go to the hotspot server profiles and activate HTTPS option Login by and use SSL certificate cert_1.  Don’t to activate SSL service port on the IP Service List that now using cert_1 certificate. Look at the pictures below!

Now we can see how the Self-Signed Certificate redirect https login page works on the hotspot clients. When I use 2 options login by “HTTP and HTTPS” with SSL Certificate “cert_1
The clients type : google.com, youtube.com, bloger.com, all the kind web server that use 2 type connections (HTTPS and HTTP) or the web server that just only have HTTP access, such wiswaweb.com. It’s no problem, the client could be redirected to login page https://hotspot.wiswaweb.com/login?...
The clients using the complete url : https://www.google.com/,  https:// youtube.com /,  https:// bloger.com. that means the clients use https access for the kind web server. In this case the clients will meet the security warning with add exception choice,  before could be redirected to login page https://hotspot.wiswaweb.com/login?...
The clients type : facebook.com, github.com and other web server that very strict just only use HTTPS connections. In this case the clients will meet the security warning with the notification only valid for  https://hotspot.wiswaweb.com/login?... 
But the security warning will be different on another browser, in this case I have use Mozilla Firefox. Self-signed certificate is the internal application that just signed by me or yourself, this is for our local system, but when using the internet connection, it won't recognize as trusted unless you buy the external certificate authority to remove the security warning.  But at least self-signed certificate as the prove how the process redirecting HTTPS works,  and the clients got the security warning that can add the exception and notification to access the hotspot login page.

Somebody said that this security warning can be resolve using the squid proxy on the internal network, but I still can not prove it. So the best choice to remove the security warning is the external certificate authority for your hotspot login page. Using a certificate free version still can not recognize your hotspot login page as trusted.

If you still consider that it is important and you have decided to buy an external certificate authority, you will get the certificate file and the key, and just need to  import the files as I show above on your router. But you must prepare your domain name. This is the best way for those of you who already have the website domain, and the hotspot login page is using a sub domain, such a hotspot.wiswaweb.com. There are much websites that provide SSL certificate authority services like startssl.com.
So that's all I can inform you about redirecting HTTPS hotspot login page, have a try and good luck!

outra fonte: