2015年2月

WiFidog编译成库

1.在package/ utils下创建wifidog_lib目录。在wifidog_lib目录下创建一个文件夹src和一个Makefile文件。Makefile文件编写内容如下:

include $(TOPDIR)/rules.mk

PKG_NAME:=wifidog_lib
PKG_VERSION:=20130917

PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)

include $(INCLUDE_DIR)/package.mk

define Package/wifidog_lib
  SECTION:=utils
  CATEGORY:=Utilities
  DEPENDS:=+iptables-mod-extra +iptables-mod-ipopt +iptables-mod-nat-extra +libpthread
  TITLE:=A wireless captive portal solution
endef

define Package/wifidog_lib/description
      The Wifidog project is a complete and embeddable captive
      portal solution for wireless community groups or individuals
      who wish to open a free Hotspot while still preventing abuse
      of their Internet connection.
endef

define Build/Prepare
      mkdir -p $(PKG_BUILD_DIR)
      $(CP) ./src/* $(PKG_BUILD_DIR)/
endef

define Build/Configure
endef

define Build/Compile
      $(MAKE) -C $(PKG_BUILD_DIR) \
           CC="$(TARGET_CC)" \
           CFLAGS="$(TARGET_CFLAGS) -Wall" \
           LDFLAGS="$(TARGET_LDFLAGS)"
endef

define Package/wifidog_lib/conffiles
/etc/wifidog.conf
endef

define Package/wifidog_lib/install
      $(INSTALL_DIR) $(1)/usr/bin
      $(INSTALL_BIN) $(PKG_BUILD_DIR)/test_wifidog $(1)/usr/bin/
      $(INSTALL_DIR) $(1)/usr/lib
      $(CP) $(PKG_BUILD_DIR)/libwifidog.so* $(1)/usr/lib/
      $(INSTALL_DIR) $(1)/etc
      $(INSTALL_DATA) $(PKG_BUILD_DIR)/wifidog.conf $(1)/etc/
endef

$(eval $(call BuildPackage,wifidog_lib))

2.解压wifidog包进入src目录

Tar xzvf wifidog-20130917-440445db60b0c3aff528ea703a828b0567293387.tar.gz –C src

3.在src下创建Makefile文件,内容如下:

LIB_VERMAJOR = 0
LIB_VERMINOR = 1
LIB_FILENAME = libhttpd.so

LIBWIFIDOG_FILENAME = libwifidog.so

OBJEXT = o

CFLAGS += -Os -pipe -mno-branch-likely -mips32r2 -mtune=34kc -fno-caller-saves -fhonour-copts -Wno-error=unused-but-set-variable -msoft-float

LIB_CFLAGS  = $(CFLAGS) -shared -fPIC -DPIC
LIB_LDFLAGS = $(LDFLAGS) -Wl,-soname,$(LIB_FILENAME).$(LIB_VERMAJOR).$(LIB_VERMINOR)
LIBWIFIDOG_LDFLAGS = $(LDFLAGS) -Wl,-soname,$(LIBWIFIDOG_FILENAME).$(LIB_VERMAJOR).$(LIB_VERMINOR)

wifidog_OBJECTS = src/conf.$(OBJEXT) src/commandline.$(OBJEXT)\
      src/debug.$(OBJEXT) src/fw_iptables.$(OBJEXT) src/firewall.$(OBJEXT) \
      src/gateway.$(OBJEXT) src/centralserver.$(OBJEXT) src/http.$(OBJEXT) \
      src/auth.$(OBJEXT) src/client_list.$(OBJEXT) src/util.$(OBJEXT) \
      src/wdctl_thread.$(OBJEXT) src/ping_thread.$(OBJEXT) src/safe.$(OBJEXT) \
      src/httpd_thread.$(OBJEXT) src/wifidogapi.$(OBJEXT)

wdctl_OBJECTS = src/wdctl.$(OBJEXT)

LIB_OBJ = libhttpd/protocol.o libhttpd/api.o libhttpd/version.o libhttpd/ip_acl.o

DEFS = -DHAVE_CONFIG_H
DEFAULT_INCLUDES = -I.-I..
sysconfdir = /etc
AM_CPPFLAGS += \
      -I./libhttpd/ \
      -DSYSCONFDIR='"$(sysconfdir)"'

COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
      $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
      --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
      $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
CCLD = $(CC)
LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
      $(LDFLAGS) -o $@

wifidog_LDADD = libhttpd/$(LIB_FILENAME).$(LIB_VERMAJOR).$(LIB_VERMINOR)

LIBS = -lnsl -lpthread


all: Makefile   libhttpd   libwifidog test_wifidog

test_wifidog: src/test_wifidog.o libhttpd libwifidog
      @rm -f test_wifidog
      $(LINK) src/test_wifidog.o $(LIBWIFIDOG_FILENAME).$(LIB_VERMAJOR).$(LIB_VERMINOR)  $(LIBS)

wdctl: $(wdctl_OBJECTS) libhttpd
      @rm -f wdctl
      $(LINK) $(wdctl_OBJECTS) $(wdctl_LDADD) $(LIBS)
wifidog_test: $(wifidog_OBJECTS) libhttpd
      @rm -f wifidog_test
      $(LINK) $(wifidog_OBJECTS) $(wifidog_LDADD) $(LIBS)          

libhttpd:$(LIB_OBJ) ./libhttpd/httpd_priv.h ./libhttpd/httpd.h
      $(CC) $(LIB_CFLAGS) $(LIB_LDFLAGS) $(LIB_OBJ) $(LIBS) \
           -o libhttpd/$(LIB_FILENAME).$(LIB_VERMAJOR).$(LIB_VERMINOR)

libwifidog:$(wifidog_OBJECTS) $(wdctl_OBJECTS) $(LIB_OBJ) ./libhttpd/httpd_priv.h ./libhttpd/httpd.h
      $(CC) $(LIB_CFLAGS) $(LIBWIFIDOG_LDFLAGS) $(LIB_OBJ) $(wifidog_OBJECTS) $(wdctl_OBJECTS) $(LIBS) \
           -o $(LIBWIFIDOG_FILENAME).$(LIB_VERMAJOR).$(LIB_VERMINOR)

.c.o:
    $(CC) $(DEFS) $(AM_CPPFLAGS) $(DEFAULT_INCLUDES) $(INCLUDES) $(CFLAGS) -MD -fPIC -DPIC -c -o $@ $<


clean:
      rm -f  $(LIB_FILENAME)*
  1. 修改src下对应的源代码,同时把scripts/init.d/wifidog脚本提供的功能通过lib库提供,这样 lib库需要提供int wifidogstart(),int wifidogstop(),int wifidogreload(),int wifidogrestart()。make package/wifidog_lib/compile V=s进行编译生成libwifidog.so.0.1和测试程序test_wifidog

本文章由 http://www.wifidog.pro/2015/02/03/wifidog%E7%BC%96%E8%AF%91-1.html 整理编辑,转载请注明出处

wifidog认证流程(图文版)

学习使用wifidog一段时间了,觉得这玩意真的不错,虽然有些代码写的不够严谨,运行效率不够高,但是少量人数情况下实现portal是很好的方案。
下面是我摘自一个博客的内容和apfree写的文档中的一部分发上来的,希望能对研究wifidog的新人给予帮助!

一. 用户上线

  1. 用户访问网络,通过iptables将未认证的用户dnat到wifidog进程,wifidog通过307报文将用户重定向到认证服务器
  2. 用户打开认证服务器登录页面,输入用户名密码,发送认证请求
  3. 认证成功的话服务器会发送302报文,携带token信息重定向到wifidog页面。认证失败的话会返回失败页面
  4. 用户携带token信息向wifidog发起认证请求,wifidog再向认证服务器发起请求,认证成功后授权,并将用户重定向到成功页面
    1.jpg

二. 保活和下线

  1. wifidog会定时向认证服务器发送保活消息
  2. 当用户主动请求下线后,wifidog此时并没有下线
  3. 当wifidog再次发起保活请求时,认证服务器会告诉它用户已下线,此时wifidog会将用户下线
    2.jpg

认证流程描述
i.Wifidog运行之后建立一系列的防火墙规则,主要规则起到如下作用:1.阻断所有内网到外网的访问。2.开通内网到外网的dns访问。3.开通内网到认证服务器以及域名白名单的访问。4.对内网到外网80端口的访问转向到wifidog自己的http服务(2060端口)
ii. 手机、pc连接上来后,app或者系统(安卓、ios会自己连接到各自的服务器上来验证网络的连通性)会发起对外网的访问请求,dns请求会被放过,然后对应的80端口的访问会被指向2060的http服务,其他的请求都会被拦截
iii. Wifidog的http接到web请求后,基本上都会被指向404页面,404页面会给客户端一个重定向返回(302),要求客户端重定向访问认证服务器的login页面,附加参数gw_id、gw_address、gw_port、url
iv. 手机、pc客户端加载、显示认证服务器的login页面,用户根据页面内容做相关的认证操作(qq登录、微博登录、用户名密码登录、手机短信登录等多种登录方式),原则只有一个认证不成功就仍然让用户停留在认证服务器继续认证操作,认证成功给客户端一个302重定向返回,根据login接口提交上来的参数gw_address、gw_port跳转套wifidogweb服务的/wifidog/auth页面上,附带token和url参数
v.Wifidog的web服务收到手机、pc客户端的/wifidog/auth请求后,会主动对认证服务器的auth接口发起一个验证请求,附带参数ip、mac、token、stage=login
vi. 认证服务器的auth接口收到wifidog的请求,要根据内部逻辑返回是否允许通过的应答Auth: 0拒绝Auth: 1 允许
vii. Wifidog接收到验证结果后,如果拒绝访问,就会返回302给客户端,重定向到认证服务器的gw_message接口,附带message=denied参数,客户端的上网访问仍然会回到第二步骤;如果允许访问,则改动防火墙规则,开通改客户端的上网(至此客户端已经能够正常上网),然后返回302重点向给客户端,重定向到认证服务器的portal接口,附带参数gw_id
viii. 认证服务器的的portal接口根据业务流成显示广告业或者做其他的跳转
ix. 整个认证流程完成

本文章由 http://www.wifidog.pro/2015/02/03/wifidog%E6%B5%81%E7%A8%8B-3.html 整理编辑,转载请注明出处

wifidog源码分析 - 用户连接过程(2)

用户连接启动线程(void thread_httpd(void * args))
代码片段1.3分析

此段代码表示wifidog是如何通过http 404回调函数实现客户端重定向了,实际上就是在404回调函数中封装了一个307状态的http报头,http的307状态在http协议中就是用于重定向的,封装完成后通过已经与客户端连接的socket返回给客户端。步骤流程为

  • 判断本机是否处于离线状态
  • 判断认证服务器是否在线
  • 封装http 307报文
  • 发送于目标客户端

代码片段1.3:

void
http_callback_404(httpd *webserver, request *r)
{
    char        tmp_url[MAX_BUF],
            *url;
    s_config    *config = config_get_config();
    t_auth_serv    *auth_server = get_auth_server();

    memset(tmp_url, 0, sizeof(tmp_url));

        snprintf(tmp_url, (sizeof(tmp_url) - 1), "http://%s%s%s%s",
                        r->request.host,
                        r->request.path,
                        r->request.query[0] ? "?" : "",
                        r->request.query);
    url = httpdUrlEncode(tmp_url);

    if (!is_online()) {
        /* 本机处于离线状态,此函数调用结果由认证服务器检测线程设置 */
        char * buf;
        safe_asprintf(&buf, 
            "<p>We apologize, but it seems that the internet connection that powers this hotspot is temporarily unavailable.</p>"
            "<p>If at all possible, please notify the owners of this hotspot that the internet connection is out of service.</p>"
            "<p>The maintainers of this network are aware of this disruption.  We hope that this situation will be resolved soon.</p>"
            "<p>In a while please <a href='%s'>click here</a> to try your request again.</p>", tmp_url);

                send_http_page(r, "Uh oh! Internet access unavailable!", buf);
        free(buf);
        debug(LOG_INFO, "Sent %s an apology since I am not online - no point sending them to auth server", r->clientAddr);
    }
    else if (!is_auth_online()) {
        /* 认证服务器处于离线状态 */
        char * buf;
        safe_asprintf(&buf, 
            "<p>We apologize, but it seems that we are currently unable to re-direct you to the login screen.</p>"
            "<p>The maintainers of this network are aware of this disruption.  We hope that this situation will be resolved soon.</p>"
            "<p>In a couple of minutes please <a href='%s'>click here</a> to try your request again.</p>", tmp_url);

                send_http_page(r, "Uh oh! Login screen unavailable!", buf);
        free(buf);
        debug(LOG_INFO, "Sent %s an apology since auth server not online - no point sending them to auth server", r->clientAddr);
    }
    else {
        /* 本机与认证服务器都在线,返回重定向包于客户端 */
        char *urlFragment;
        safe_asprintf(&urlFragment, "%sgw_address=%s&gw_port=%d&gw_id=%s&url=%s",
            auth_server->authserv_login_script_path_fragment,
            config->gw_address,
            config->gw_port, 
            config->gw_id,
            url);
        debug(LOG_INFO, "Captured %s requesting [%s] and re-directing them to login page", r->clientAddr, url);
        http_send_redirect_to_auth(r, urlFragment, "Redirect to login page");  /* 实际上此函数中通过socket返回一个307状态的http报头给客户端,里面包含有认证服务器地址 */
        free(urlFragment);
    }
    free(url);
}

代码片段1.4分析
此段表明当客户端已经在认证服务器确认登陆,认证服务器将客户端重新重定向回网关,并在重定向包中包含关键路径"/wifidog/auth"和token,认证服务器所执行的操作。
代码片段1.4

void 
http_callback_auth(httpd *webserver, request *r)
{
    t_client    *client;
    httpVar * token;
    char    *mac;
    /* 判断http报文是否包含登出logout */
    httpVar *logout = httpdGetVariableByName(r, "logout");
    if ((token = httpdGetVariableByName(r, "token"))) {
        /* 获取http报文中的token */
        if (!(mac = arp_get(r->clientAddr))) {
            /* 获取客户端mac地址失败 */
            debug(LOG_ERR, "Failed to retrieve MAC address for ip %s", r->clientAddr);
            send_http_page(r, "WiFiDog Error", "Failed to retrieve your MAC address");
        } else {
            LOCK_CLIENT_LIST();
            /* 判断客户端是否存在于列表中 */
            if ((client = client_list_find(r->clientAddr, mac)) == NULL) {
                debug(LOG_DEBUG, "New client for %s", r->clientAddr);
                /* 将此客户端添加到客户端列表 */
                client_list_append(r->clientAddr, mac, token->value);
            } else if (logout) {
                /* http报文为登出 */
                t_authresponse  authresponse;
                s_config *config = config_get_config();
                unsigned long long incoming = client->counters.incoming;
                unsigned long long outgoing = client->counters.outgoing;
                char *ip = safe_strdup(client->ip);
                char *urlFragment = NULL;
                t_auth_serv    *auth_server = get_auth_server();
                /* 修改iptables禁止客户端访问外网 */                
                fw_deny(client->ip, client->mac, client->fw_connection_state);
                /* 从客户端列表中删除此客户端 */
                client_list_delete(client);
                debug(LOG_DEBUG, "Got logout from %s", client->ip);

                if (config->auth_servers != NULL) {
                    UNLOCK_CLIENT_LIST();
                    /* 发送登出认证包给认证服务器 */
                    auth_server_request(&authresponse, REQUEST_TYPE_LOGOUT, ip, mac, token->value, 
                                        incoming, outgoing);
                    LOCK_CLIENT_LIST();

                    /* 将客户端重定向到认证服务器 */
                    debug(LOG_INFO, "Got manual logout from client ip %s, mac %s, token %s"
                    "- redirecting them to logout message", client->ip, client->mac, client->token);
                    safe_asprintf(&urlFragment, "%smessage=%s",
                        auth_server->authserv_msg_script_path_fragment,
                        GATEWAY_MESSAGE_ACCOUNT_LOGGED_OUT
                    );
                    http_send_redirect_to_auth(r, urlFragment, "Redirect to logout message");
                    free(urlFragment);
                }
                free(ip);
             } 
             else {
                debug(LOG_DEBUG, "Client for %s is already in the client list", client->ip);
            }
            UNLOCK_CLIENT_LIST();
            if (!logout) {
                /* 通过认证服务器认证此客户端token */
                authenticate_client(r);
            }
            free(mac);
        }
    } else {
        send_http_page(r, "WiFiDog error", "Invalid token");
    }
}

/* 此函数用于提交token到认证服务器进行认证 */
void
authenticate_client(request *r)
{
    t_client    *client;
    t_authresponse    auth_response;
    char    *mac,
        *token;
    char *urlFragment = NULL;
    s_config    *config = NULL;
    t_auth_serv    *auth_server = NULL;

    LOCK_CLIENT_LIST();

    client = client_list_find_by_ip(r->clientAddr);
    /* 判断此客户端是否在列表中 */
    if (client == NULL) {
        debug(LOG_ERR, "Could not find client for %s", r->clientAddr);
        UNLOCK_CLIENT_LIST();
        return;
    }

    mac = safe_strdup(client->mac);
    token = safe_strdup(client->token);

    UNLOCK_CLIENT_LIST();

    /* 提交token、客户端ip、客户端mac至认证服务器 */
    auth_server_request(&auth_response, REQUEST_TYPE_LOGIN, r->clientAddr, mac, token, 0, 0);

    LOCK_CLIENT_LIST();

    /*再次判断客户端是否存在于列表中,保险起见,因为有可能在于认证服务器认证过程中,客户端检测线程把此客户端下线 */
    client = client_list_find(r->clientAddr, mac);

    if (client == NULL) {
        debug(LOG_ERR, "Could not find client node for %s (%s)", r->clientAddr, mac);
        UNLOCK_CLIENT_LIST();
        free(token);
        free(mac);
        return;
    }

    free(token);
    free(mac);

    config = config_get_config();
    auth_server = get_auth_server();

        /* 判断认证服务器认证结果 */
    switch(auth_response.authcode) {

    case AUTH_ERROR:
        /* 认证错误 */
        debug(LOG_ERR, "Got %d from central server authenticating token %s from %s at %s", auth_response, client->token, client->ip, client->mac);
        send_http_page(r, "Error!", "Error: We did not get a valid answer from the central server");
        break;

    case AUTH_DENIED:
        /* 认证服务器拒绝此客户端 */
        debug(LOG_INFO, "Got DENIED from central server authenticating token %s from %s at %s - redirecting them to denied message", client->token, client->ip, client->mac);
        safe_asprintf(&urlFragment, "%smessage=%s",
            auth_server->authserv_msg_script_path_fragment,
            GATEWAY_MESSAGE_DENIED
        );
        http_send_redirect_to_auth(r, urlFragment, "Redirect to denied message");
        free(urlFragment);
        break;

    case AUTH_VALIDATION:
        /* 认证服务器处于等待此客户端电子邮件确认回执状态 */
        debug(LOG_INFO, "Got VALIDATION from central server authenticating token %s from %s at %s"
                "- adding to firewall and redirecting them to activate message", client->token,
                client->ip, client->mac);
        client->fw_connection_state = FW_MARK_PROBATION;
        fw_allow(client->ip, client->mac, FW_MARK_PROBATION);
        safe_asprintf(&urlFragment, "%smessage=%s",
            auth_server->authserv_msg_script_path_fragment,
            GATEWAY_MESSAGE_ACTIVATE_ACCOUNT
        );
        http_send_redirect_to_auth(r, urlFragment, "Redirect to activate message");
        free(urlFragment);
        break;

    case AUTH_ALLOWED:
        /* 认证通过 */
        debug(LOG_INFO, "Got ALLOWED from central server authenticating token %s from %s at %s - "
                "adding to firewall and redirecting them to portal", client->token, client->ip, client->mac);
        client->fw_connection_state = FW_MARK_KNOWN;
        fw_allow(client->ip, client->mac, FW_MARK_KNOWN);
        served_this_session++;
        safe_asprintf(&urlFragment, "%sgw_id=%s",
            auth_server->authserv_portal_script_path_fragment,
            config->gw_id
        );
        http_send_redirect_to_auth(r, urlFragment, "Redirect to portal");
        free(urlFragment);
        break;

    case AUTH_VALIDATION_FAILED:
         /* 电子邮件确认回执超时 */
        debug(LOG_INFO, "Got VALIDATION_FAILED from central server authenticating token %s from %s at %s "
                "- redirecting them to failed_validation message", client->token, client->ip, client->mac);
        safe_asprintf(&urlFragment, "%smessage=%s",
            auth_server->authserv_msg_script_path_fragment,
            GATEWAY_MESSAGE_ACCOUNT_VALIDATION_FAILED
        );
        http_send_redirect_to_auth(r, urlFragment, "Redirect to failed validation message");
        free(urlFragment);
        break;

    default:
        debug(LOG_WARNING, "I don't know what the validation code %d means for token %s from %s at %s - sending error message", auth_response.authcode, client->token, client->ip, client->mac);
        send_http_page(r, "Internal Error", "We can not validate your request at this time");
        break;

    }

    UNLOCK_CLIENT_LIST();
    return;
}

本文章由 http://www.wifidog.pro/2015/02/03/wifidog%E7%94%A8%E6%88%B7%E8%BF%9E%E6%8E%A5_2.html 整理编辑,转载请注明出处

wifidog源码分析 - 用户连接过程(1)

引言
  之前的文章已经描述wifidog大概的一个工作流程,这里我们具体说说wifidog是怎么把一个新用户重定向到认证服务器中的,它又是怎么对一个已认证的用户实行放行操作的。我们已经知道wifidog在启动时会删除iptables中mangle、nat、filter表中的所有规则,并在这三个表中添加wifidog自己的规则,其规则简单来说就是将网关80端口重定向到指定端口(默认为2060),禁止非认证用户连接外网(除认证服务器外)。当有新用户连接路由器上网时,wifidog会通过监听2060端口获取新用户的http报文,通过报文即可知道报文是否携带token进行认证,如果没有token,wifidog会返回一个重定向的http报文给新用户,用户则会跳转到认证服务器进行认证,当认证成功后,认真服务器又会对用户重定向到网关,并在重定向报文中添加关键路径"/wifidog/auth"和token,wifidog重新获取到用户的http报文,检测到包含关键路径"/wifidog/auth"后,会通过认证服务器验证token是否有效,有效则修改iptables放行此客户端。

main_loop
  此函数几乎相当于我们写程序的main函数,主要功能都是在这里面实现的,函数主要实现了主循环,并启动了三个线程,这三个线程的功能具体见wifidog源码分析 - wifidog原理,在此函数最后主循环中会等待用户连接,新用户只要通过浏览器打开非认证服务器网页时主循环就会监听到,监听到后会启动一个处理线程。其流程为

  • 设置程序启动时间
  • 获取网关信息
  • 绑定http端口(80重定向到了2060)
  • 设置关键路径和404错误的回调函数
  • 重新建立iptables规则
  • 启动客户端检测线程 (稍后文章分析)
  • 启动wdctrl交互线程 (稍后文章分析)
  • 认证服务器心跳检测线程 (稍后文章分析)
  • 循环等待用户http请求,为每个请求启动一个处理线程。(代码片段1.2 代码片段1.3 代码片段1.4)

代码片段1.1

static void
main_loop(void)
{
    int result;
    pthread_t    tid;
    s_config *config = config_get_config();
    request *r;
    void **params;

    /* 设置启动时间 */
    if (!started_time) {
        debug(LOG_INFO, "Setting started_time");
        started_time = time(NULL);
    }
    else if (started_time < MINIMUM_STARTED_TIME) {
        debug(LOG_WARNING, "Detected possible clock skew - re-setting started_time");
        started_time = time(NULL);
    }

    /* 获取网关IP,失败退出程序 */
    if (!config->gw_address) {
        debug(LOG_DEBUG, "Finding IP address of %s", config->gw_interface);
        if ((config->gw_address = get_iface_ip(config->gw_interface)) == NULL) {
            debug(LOG_ERR, "Could not get IP address information of %s, exiting...", config->gw_interface);
            exit(1);
        }
        debug(LOG_DEBUG, "%s = %s", config->gw_interface, config->gw_address);
    }

    /* 获取网关ID,失败退出程序 */
    if (!config->gw_id) {
        debug(LOG_DEBUG, "Finding MAC address of %s", config->gw_interface);
        if ((config->gw_id = get_iface_mac(config->gw_interface)) == NULL) {
            debug(LOG_ERR, "Could not get MAC address information of %s, exiting...", config->gw_interface);
            exit(1);
        }
        debug(LOG_DEBUG, "%s = %s", config->gw_interface, config->gw_id);
    }

    /* 初始化监听网关2060端口的socket */
    debug(LOG_NOTICE, "Creating web server on %s:%d", config->gw_address, config->gw_port);

    if ((webserver = httpdCreate(config->gw_address, config->gw_port)) == NULL) {
        debug(LOG_ERR, "Could not create web server: %s", strerror(errno));
        exit(1);
    }

    debug(LOG_DEBUG, "Assigning callbacks to web server");
    /* 设置关键路径及其回调函数,在代码片段1.2中会使用到 */
    httpdAddCContent(webserver, "/", "wifidog", 0, NULL, http_callback_wifidog);
    httpdAddCContent(webserver, "/wifidog", "", 0, NULL, http_callback_wifidog);
    httpdAddCContent(webserver, "/wifidog", "about", 0, NULL, http_callback_about);
    httpdAddCContent(webserver, "/wifidog", "status", 0, NULL, http_callback_status);
    httpdAddCContent(webserver, "/wifidog", "auth", 0, NULL, http_callback_auth);
    /* 设置404错误回调函数,在里面实现了重定向至认证服务器 */
    httpdAddC404Content(webserver, http_callback_404);

    /* 清除iptables规则 */
    fw_destroy();
    /* 重新设置iptables规则 */
    if (!fw_init()) {
        debug(LOG_ERR, "FATAL: Failed to initialize firewall");
        exit(1);
    }

    /* 客户端检测线程 */
    result = pthread_create(&tid_fw_counter, NULL, (void *)thread_client_timeout_check, NULL);
    if (result != 0) {
        debug(LOG_ERR, "FATAL: Failed to create a new thread (fw_counter) - exiting");
        termination_handler(0);
    }
    pthread_detach(tid_fw_counter);

    /* wdctrl交互线程 */
    result = pthread_create(&tid, NULL, (void *)thread_wdctl, (void *)safe_strdup(config->wdctl_sock));
    if (result != 0) {
        debug(LOG_ERR, "FATAL: Failed to create a new thread (wdctl) - exiting");
        termination_handler(0);
    }
    pthread_detach(tid);

    /* 认证服务器心跳检测线程 */
    result = pthread_create(&tid_ping, NULL, (void *)thread_ping, NULL);
    if (result != 0) {
        debug(LOG_ERR, "FATAL: Failed to create a new thread (ping) - exiting");
        termination_handler(0);
    }
    pthread_detach(tid_ping);

    debug(LOG_NOTICE, "Waiting for connections");
    while(1) {
        /* 监听2060端口等待用户http请求 */
        r = httpdGetConnection(webserver, NULL);

        /* 错误处理 */
        if (webserver->lastError == -1) {
            /* Interrupted system call */
            continue; /* restart loop */
        }
        else if (webserver->lastError < -1) {
            debug(LOG_ERR, "FATAL: httpdGetConnection returned unexpected value %d, exiting.", webserver->lastError);
            termination_handler(0);
        }
        else if (r != NULL) {
            /* 用户http请求接收成功 */
            debug(LOG_INFO, "Received connection from %s, spawning worker thread", r->clientAddr);
            params = safe_malloc(2 * sizeof(void *));
            *params = webserver;
            *(params + 1) = r;

            /* 开启http请求处理线程 */
            result = pthread_create(&tid, NULL, (void *)thread_httpd, (void *)params);
            if (result != 0) {
                debug(LOG_ERR, "FATAL: Failed to create a new thread (httpd) - exiting");
                termination_handler(0);
            }
            pthread_detach(tid);
        }
        else {
            ;
        }
    }

    /* never reached */
}

用户连接启动线程(void thread_httpd(void * args))
代码片段1.2分析

此段代码是当有新用户(未认证的用户 代码片段1.3,已在认证服务器上认证但没有在wifidog认证的用户 代码片段1.4)连接时创建的线程,其主要功能为

  • 获取用户浏览器发送过来的http报头
  • 分析http报头,分析是否包含关键路径
  • 不包含关键路径则调用404回调函数
  • 包含关键路径则执行关键路径回调函数(这里主要讲解"/wifidog/auth"路径)

代码片段1.2

void
thread_httpd(void *args)
{
    void    **params;
    httpd    *webserver;
    request    *r;

    params = (void **)args;
    webserver = *params;
    r = *(params + 1);
    free(params);

    /* 获取http报文 */
    if (httpdReadRequest(webserver, r) == 0) {
        debug(LOG_DEBUG, "Processing request from %s", r->clientAddr);
        debug(LOG_DEBUG, "Calling httpdProcessRequest() for %s", r->clientAddr);
        /* 分析http报文 */
        httpdProcessRequest(webserver, r);
        debug(LOG_DEBUG, "Returned from httpdProcessRequest() for %s", r->clientAddr);
    }
    else {
        debug(LOG_DEBUG, "No valid request received from %s", r->clientAddr);
    }
    debug(LOG_DEBUG, "Closing connection with %s", r->clientAddr);
    httpdEndRequest(r);
}



/* 被thread_httpd调用 */
void httpdProcessRequest(httpd *server, request *r)
{
    char    dirName[HTTP_MAX_URL],
        entryName[HTTP_MAX_URL],
        *cp;
    httpDir    *dir;
    httpContent *entry;

    r->response.responseLength = 0;
    strncpy(dirName, httpdRequestPath(r), HTTP_MAX_URL);
    dirName[HTTP_MAX_URL-1]=0;
    cp = rindex(dirName, '/');
    if (cp == NULL)
    {
        printf("Invalid request path '%s'\n",dirName);
        return;
    }
    strncpy(entryName, cp + 1, HTTP_MAX_URL);
    entryName[HTTP_MAX_URL-1]=0;
    if (cp != dirName)
        *cp = 0;
    else
        *(cp+1) = 0;

     /* 获取http报文中的关键路径,在main_loop中已经设置 */
    dir = _httpd_findContentDir(server, dirName, HTTP_FALSE);
    if (dir == NULL)
    {
        /* http报文中未包含关键路径,执行404回调函数(在404回调函数中新用户被重定向到认证服务器),见代码片段1.3 */
        _httpd_send404(server, r);
        _httpd_writeAccessLog(server, r);
        return;
    }
    /* 获取关键路径内容描述符 */
    entry = _httpd_findContentEntry(r, dir, entryName);
    if (entry == NULL)
    {
        _httpd_send404(server, r);
        _httpd_writeAccessLog(server, r);
        return;
    }
    if (entry->preload)
    {
        if ((entry->preload)(server) < 0)
        {
            _httpd_writeAccessLog(server, r);
            return;
        }
    }
    switch(entry->type)
    {
        case HTTP_C_FUNCT:
        case HTTP_C_WILDCARD:
            /* 如果是被认证服务器重定向到网关的用户,此处的关键路径为"/wifidog/auth",并执行回调函数 */
            (entry->function)(server, r);
            break;

        case HTTP_STATIC:
            _httpd_sendStatic(server, r, entry->data);
            break;

        case HTTP_FILE:
            _httpd_sendFile(server, r, entry->path);
            break;

        case HTTP_WILDCARD:
            if (_httpd_sendDirectoryEntry(server, r, entry,
                        entryName)<0)
            {
                _httpd_send404(server, r);
            }
            break;
    }
    _httpd_writeAccessLog(server, r);
}

本文章由 http://www.wifidog.pro/2015/02/03/wifidog%E7%94%A8%E6%88%B7%E8%BF%9E%E6%8E%A5%E8%BF%87%E7%A8%8B_1.html 整理编辑,转载请注明出处