
* Removing the reverse-proxy
* Forward traffic is now rejected
* HTTPS connections are now rejected

Julien VAUBOURG 10 years ago
parent
commit
0303fa99e9

+ 5 - 5
README.md

@@ -8,12 +8,14 @@ Based on [DropCenter](http://projet.idleman.fr/dropcenter/) (the project was pat
 ## Features
 
 * Open wifi Access Point (AP)
-* Once connected to the AP, you can go on *http://pirate.box*, or *http://www.madhouse.gov* or even *http://lqksjdhfkljhsdf.qsdf*
+* Once connected to the AP, you can go on *http://pirate.box*, or *http://www.google.com* or even *http://lqksjdhfkljhsdf.qsdf* (or let your captive portal detection mechanism do its job)
 * All destinations lead to the PirateBox web page
 * No authentication required for uploading, downloading or deleting (lawless zone)
 * Of course, works without internet connection
 * [Screenshot](https://raw.githubusercontent.com/jvaubourg/piratebox_ynh/master/screenshot.png)
 
+The YunoHost administration is only available through the wired connection.
+
 ## Requirements
 
 You have to install the [Wifi Hotspot app for YunoHost](https://github.com/jvaubourg/hotspot_ynh) before and disable the wifi secure access mode thanks to the friendly web interface.
@@ -26,11 +28,9 @@ Explanations:
 2. a fake DNS resolver listens on the port 4253, and systematically responds the IPv4 address of the server (a fake DNS resolver is mandatory for responding to any requests, without internet connection),
 3. a MASQUERADE rule allows the fake DNS to respond in place of the initially requested resolver,
 4. all packets to port 80 are redirected to the port 4280,
-5. a Nginx vhost listens on the port 4280, and redirect to the PirateBox web page (when the requested domain corresponds to the one used by the PirateBox, a reverse-proxy to the port 80 is used).
+5. a Nginx vhost listens on the port 4280, and redirects to the PirateBox web page.
 
 ## Limitations ##
 
-* If the user requests web sites he used to consult once connected, his browser may have a DNS cache entry for it (60s with Firefox) - but there is no problem in the other way because the fake DNS always responds with a TTL of 1s
 * IPv4-only because the NAT table is not available for IPv6 before the kernel 3.8 (not in Debian stable for now)
-* Don't redirect to the PirateBox web page with HTTPS requests (in order to avoid wrong certificates and to allow to use the YunoHost administration - even though disabling it may be a good idea in this case)
-* The PirateBox is not HTTPS compliant, but it's not a problem because there are no privacy issues with a such free app
+* Don't redirect to the PirateBox web page with explicit HTTPS requests (in order to avoid offering self-signed certificates on well-known domains)

+ 63 - 0
conf/init_ynh-piratebox

@@ -42,6 +42,14 @@ is_nat4_web_set() {
   iptables -nvt nat -L PREROUTING | grep 'tcp dpt:80' | grep -q "${ynh_wifi_device}"
 }
 
+is_filt4_nohttps_set() {
+  iptables -nv -L INPUT | grep 'tcp dpt:443 reject' | grep -q "${ynh_wifi_device}"
+}
+
+is_filt4_nofwd_set() {
+  iptables -nv -L FORWARD | grep 'reject-with' | grep -q "${ynh_wifi_device}"
+}
+
 is_fakedns_running() {
   ps aux | grep -v grep | grep -q piratebox_fakedns
 }
@@ -49,6 +57,7 @@ is_fakedns_running() {
 is_running() {
   has_hotspot_app \
   && is_nat4_dns_set && is_nat4_web_set \
+  && is_filt4_nohttps_set && is_filt4_nofwd_set \
   && is_fakedns_running
 }
 
@@ -67,6 +76,14 @@ set_nat4_web() {
   iptables -t nat -A PREROUTING -i "${ynh_wifi_device}" -p tcp --dport 80 -j REDIRECT --to-port 4280
 }
 
+set_filt4_nohttps() {
+  iptables -I INPUT 1 -i "${ynh_wifi_device}" -p tcp --dport 443 -j REJECT
+}
+
+set_filt4_nofwd() {
+  iptables -I FORWARD 1 -j REJECT -i "${ynh_wifi_device}"
+}
+
 start_fakedns() {
   /usr/local/bin/piratebox_fakedns "${ynh_ip4_nat_prefix}.1" 2>&1 > /dev/null &
 }
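Review bot: The REJECT rules added in `set_filt4_nohttps` and `set_filt4_nofwd` are installed with `iptables` only, so they never apply to IPv6 traffic arriving on `${ynh_wifi_device}`; the README's IPv4-only note concerns the nat table, but the filter table is available to `ip6tables` on the same kernels, and the new captive vhost listens on `[::]:4280`. If the hotspot hands out IPv6 addresses (not visible in this diff), a wifi client can still reach port 443 and have its traffic forwarded over IPv6, so both functions should mirror their rule with `ip6tables -I INPUT 1 -i "${ynh_wifi_device}" -p tcp --dport 443 -j REJECT` and `ip6tables -I FORWARD 1 -i "${ynh_wifi_device}" -j REJECT`, with the matching `is_filt4_*_set` and `unset_filt4_*` helpers in the other hunks extended the same way. Separately, rejecting only 443 does not by itself make administration wired-only as the README now claims: any other service listening on the box (SSH, for instance) stays reachable from the open AP unless something outside this diff filters it, so an explicit INPUT policy for the wifi interface (allow 4253/udp and 80/4280/tcp, reject the rest) would be the safer default.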
@@ -82,6 +99,14 @@ unset_nat4_web() {
   iptables -t nat -D PREROUTING -i "${ynh_wifi_device}" -p tcp --dport 80 -j REDIRECT --to-port 4280
 }
 
+unset_filt4_nohttps() {
+  iptables -D INPUT -i "${ynh_wifi_device}" -p tcp --dport 443 -j REJECT
+}
+
+unset_filt4_nofwd() {
+  iptables -D FORWARD -j REJECT -i "${ynh_wifi_device}"
+}
+
 stop_fakedns() {
   kill $(ps aux | grep piratebox_fakedns | awk '{ print $2 }' | head -n1)
 }
@@ -125,6 +150,8 @@ case "$1" in
   start)
     if is_running; then
       echo "Already started"
+    elif ! has_hotspot_app; then
+      echo "[ERR] Hotspot is not running"
     else
       echo "[piratebox] Starting..."
       touch /tmp/.ynh-piratebox-started
@@ -141,6 +168,18 @@ case "$1" in
         set_nat4_web
       fi
 
+      # Set IPv4 No-Https filter rule
+      if ! is_filt4_nohttps_set; then
+        echo "Set IPv4 No-Https filter rule"
+        set_filt4_nohttps
+      fi
+
+      # Set IPv4 No-Forwarding filter rule
+      if ! is_filt4_nofwd_set; then
+        echo "Set IPv4 No-Forwarding filter rule"
+        set_filt4_nofwd
+      fi
+
       # Run fakedns
       if ! is_fakedns_running; then
         echo "Run fakedns"
@@ -162,6 +201,16 @@ case "$1" in
       unset_nat4_web
     fi
 
+    if is_filt4_nohttps_set; then
+      echo "Unset IPv4 No-Https filter rule"
+      unset_filt4_nohttps
+    fi
+
+    if is_filt4_nofwd_set; then
+      echo "Unset IPv4 No-Forwarding filter rule"
+      unset_filt4_nofwd
+    fi
+
     if is_fakedns_running; then
       echo "Stop fakedns"
       stop_fakedns
@@ -193,6 +242,20 @@ case "$1" in
       exitcode=1
     fi
 
+    if is_filt4_nohttps_set; then
+      echo "[OK] IPv4 No-Https filter rule set"
+    else
+      echo "[ERR] No IPv4 No-Https filter rule set"
+      exitcode=1
+    fi
+
+    if is_filt4_nofwd_set; then
+      echo "[OK] IPv4 No-Forwarding filter rule set"
+    else
+      echo "[ERR] No IPv4 No-Forwarding filter rule set"
+      exitcode=1
+    fi
+
     if is_fakedns_running; then
       echo "[OK] Fakedns is running"
     else

+ 48 - 0
conf/nginx_captive-piratebox.conf

@@ -0,0 +1,48 @@
+# PirateBox app for YunoHost
+# Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
+# Contribute at https://github.com/jvaubourg/piratebox_ynh
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+server {
+  listen 4280 default_server;
+  listen [::]:4280 default_server;
+
+  if ($host != '<TPL:DOMAIN>') {
+    set $args '';
+    rewrite ^ http://<TPL:DOMAIN>;
+  }
+
+  location / {
+    alias <TPL:NGINX_REALPATH>;
+  
+    client_max_body_size 10G;
+    index index.php;
+    try_files $uri $uri/ index.php;
+  
+    location ~ [^/]\.php(/|$) {
+      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+      fastcgi_pass unix:/var/run/php5-fpm-<TPL:PHP_NAME>.sock;
+      fastcgi_index index.php;
+      include fastcgi_params;
+      fastcgi_read_timeout 600;
+      fastcgi_send_timeout 600;
+      fastcgi_param REMOTE_USER $remote_user;
+      fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+  }
+
+  access_log /var/log/nginx/piratebox-access.log;
+  error_log /var/log/nginx/piratebox-error.log;
+}
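Review bot: The nested `location ~ [^/]\.php(/|$)` inside `location /` hands every `.php` path under the alias root to php-fpm, including `/uploads/` and `/tpl/tmp/`, which the install script makes writable by the php-fpm user and which the README says accept uploads without authentication; unless the application itself renames or rejects `.php` uploads (not visible in this diff), an anonymous wifi client can upload a script and have it executed as the `piratebox` user. Add a regex location that matches first, before the fastcgi block, since nginx tests regex locations in order of appearance: `location ~ ^/(uploads|tpl/tmp)/.*\.php(/|$) { return 403; }`. The installer's `.dc/.user.dc.php` under `uploads/` is also caught by that rule, which is fine if the application only reads it from disk — confirm before relying on it.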

+ 0 - 35
conf/nginx_dropcenter.conf

@@ -1,35 +0,0 @@
-# PirateBox app for YunoHost 
-# Copyright (C) 2015 Julien Vaubourg <julien@vaubourg.com>
-# Contribute at https://github.com/jvaubourg/piratebox_ynh
-# 
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-# 
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-# 
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-location <TPL:NGINX_LOCATION> {
-  alias <TPL:NGINX_REALPATH>;
-
-  client_max_body_size 10G;
-  index index.php;
-  try_files $uri $uri/ index.php;
-
-  location ~ [^/]\.php(/|$) {
-    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
-    fastcgi_pass unix:/var/run/php5-fpm-<TPL:PHP_NAME>.sock;
-    fastcgi_index index.php;
-    include fastcgi_params;
-    fastcgi_read_timeout 600;
-    fastcgi_write_timeout 600;
-    fastcgi_param REMOTE_USER $remote_user;
-    fastcgi_param PATH_INFO $fastcgi_path_info;
-  }
-}

+ 3 - 22
conf/nginx_piratebox.conf

@@ -15,26 +15,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-server {
-  listen 4280 default_server;
-  listen [::]:4280 default_server;
-
-  if ($host != '<TPL:DOMAIN>') {
-    rewrite ^ http://<TPL:DOMAIN><TPL:URL_PATH>;
-  }
-
-  location ~ {
-    proxy_pass http://127.0.0.1:80;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_connect_timeout 90;
-    proxy_send_timeout 600;
-    proxy_read_timeout 600;
-    proxy_buffers 32 4k;
-    client_max_body_size 10G;
-  }
-
-  access_log /dev/null;
-  error_log /dev/null;
+location /piratebox {
+  set $args '';
+  rewrite ^ http://$server_name:4280;
 }
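Review bot: The three new lines carry no comment explaining why the redirect uses `$server_name` rather than `$host` or why the query string is cleared, and a maintainer tidying this later could reintroduce an open redirect by switching to `$host`. Suggest a header above the location: `# Entry point on the real domain vhost: bounce to the captive vhost on 4280.` / `# $server_name (not $host) so a forged Host header cannot steer the redirect;` / `# $args is cleared so the query string is not carried over.` The target is plain `http://` on port 4280, which is only reachable while the firewall opening made at install time stays in place (the remove script's `firewall disallow TCP 4280` shows that rule exists).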

conf/phpfpm_dropcenter.conf → conf/phpfpm_piratebox.conf


+ 2 - 10
manifest.json

@@ -20,16 +20,8 @@
             "en": "Choose a domain",
             "fr": "Choisissez un domaine"
         },
-        "example": "domain.org"
-      },
-      {
-        "name": "path",
-        "ask": {
-            "en": "Choose a path",
-            "fr": "Choissez un chemin"
-        },
-        "example": "/piratebox",
-        "default": "/piratebox"
+        "example": "pirate.box",
+        "default": "pirate.box"
       }
     ]
   }

+ 22 - 25
scripts/install

@@ -19,7 +19,7 @@
 
 # Retrieve arguments
 domain=${1}
-url_path=${2}
+url_path=/piratebox
 
 # Check domain/path availability
 sudo yunohost app checkurl ${domain}${url_path} -a piratebox
@@ -39,49 +39,46 @@ if [ $? -ne 0 ]; then
 fi
 
 # Create web user
-sudo useradd -r dropcenter
+sudo useradd -r piratebox
 
 # Copy confs
 sudo mkdir -pm 0755 /var/log/nginx/
 
-sudo install -b -o root -g root -m 0644 ../conf/nginx_piratebox.conf "/etc/nginx/conf.d/piratebox.conf"
-sudo install -b -o root -g root -m 0644 ../conf/nginx_dropcenter.conf "/etc/nginx/conf.d/${domain}.d/dropcenter.conf"
-sudo install -b -o root -g root -m 0644 ../conf/phpfpm_dropcenter.conf /etc/php5/fpm/pool.d/dropcenter.conf
+sudo install -b -o root -g root -m 0644 ../conf/nginx_captive-piratebox.conf /etc/nginx/conf.d/captive-piratebox.conf
+sudo install -b -o root -g root -m 0644 ../conf/nginx_piratebox.conf "/etc/nginx/conf.d/${domain}.d/piratebox.conf"
+sudo install -b -o root -g root -m 0644 ../conf/phpfpm_piratebox.conf /etc/php5/fpm/pool.d/piratebox.conf
 
 # Copy web sources
-sudo mkdir -pm 0755 /var/www/dropcenter/
-sudo cp -a ../sources/* /var/www/dropcenter/
-sudo mkdir /var/www/dropcenter/tpl/tmp/
+sudo mkdir -pm 0755 /var/www/piratebox/
+sudo cp -a ../sources/* /var/www/piratebox/
+sudo mkdir /var/www/piratebox/tpl/tmp/
 
-sudo chown -R root: /var/www/dropcenter/
-sudo chmod -R 0644 /var/www/dropcenter/*
-sudo find /var/www/dropcenter/ -type d -exec chmod +x {} \;
+sudo chown -R root: /var/www/piratebox/
+sudo chmod -R 0644 /var/www/piratebox/*
+sudo find /var/www/piratebox/ -type d -exec chmod +x {} \;
 
 # Fix permissions
-sudo chown -R dropcenter: /var/www/dropcenter/tpl/tmp/
-sudo chown -R dropcenter: /var/www/dropcenter/uploads/
+sudo chown -R piratebox: /var/www/piratebox/tpl/tmp/
+sudo chown -R piratebox: /var/www/piratebox/uploads/
 
 # Create fixed DC user
-sudo tee /var/www/dropcenter/uploads/.dc/.user.dc.php > /dev/null << EOF
+sudo tee /var/www/piratebox/uploads/.dc/.user.dc.php > /dev/null << EOF
 <?php /*{"login":"pirate","avatar":"","password":"","rank":"admin","mail":"","notifMail":"off","lang":"en - English"}*/ ?>
 EOF
 
-sudo touch /var/www/dropcenter/uploads/avatars/pirate.jpg
+sudo touch /var/www/piratebox/uploads/avatars/pirate.jpg
 
 # Fix confs
 ## nginx
-sudo sed "s|<TPL:URL_PATH>|${url_path}|g" -i "/etc/nginx/conf.d/piratebox.conf"
-sudo sed "s|<TPL:DOMAIN>|${domain}|g" -i "/etc/nginx/conf.d/piratebox.conf"
-
-sudo sed "s|<TPL:NGINX_LOCATION>|${url_path}|g" -i "/etc/nginx/conf.d/${domain}.d/dropcenter.conf"
-sudo sed 's|<TPL:NGINX_REALPATH>|/var/www/dropcenter/|g' -i "/etc/nginx/conf.d/${domain}.d/dropcenter.conf"
-sudo sed 's|<TPL:PHP_NAME>|dropcenter|g' -i "/etc/nginx/conf.d/${domain}.d/dropcenter.conf"
+sudo sed "s|<TPL:DOMAIN>|${domain}|g" -i /etc/nginx/conf.d/captive-piratebox.conf
+sudo sed 's|<TPL:NGINX_REALPATH>|/var/www/piratebox/|g' -i /etc/nginx/conf.d/captive-piratebox.conf
+sudo sed 's|<TPL:PHP_NAME>|piratebox|g' -i /etc/nginx/conf.d/captive-piratebox.conf
 
 ## php-fpm
-sudo sed 's|<TPL:PHP_NAME>|dropcenter|g' -i /etc/php5/fpm/pool.d/dropcenter.conf
-sudo sed 's|<TPL:PHP_USER>|dropcenter|g' -i /etc/php5/fpm/pool.d/dropcenter.conf
-sudo sed 's|<TPL:PHP_GROUP>|dropcenter|g' -i /etc/php5/fpm/pool.d/dropcenter.conf
-sudo sed 's|<TPL:NGINX_REALPATH>|/var/www/dropcenter/|g' -i /etc/php5/fpm/pool.d/dropcenter.conf
+sudo sed 's|<TPL:PHP_NAME>|piratebox|g' -i /etc/php5/fpm/pool.d/piratebox.conf
+sudo sed 's|<TPL:PHP_USER>|piratebox|g' -i /etc/php5/fpm/pool.d/piratebox.conf
+sudo sed 's|<TPL:PHP_GROUP>|piratebox|g' -i /etc/php5/fpm/pool.d/piratebox.conf
+sudo sed 's|<TPL:NGINX_REALPATH>|/var/www/piratebox/|g' -i /etc/php5/fpm/pool.d/piratebox.conf
 sudo sed 's|^;\?\s*max_execution_time.\+|max_execution_time = 600|' -i /etc/php5/fpm/php.ini
 
 # Install fakedns

+ 5 - 5
scripts/remove

@@ -31,9 +31,9 @@ sudo yunohost firewall disallow UDP 4253
 sudo yunohost firewall disallow TCP 4280
 
 # Remove confs
-sudo rm -f /etc/nginx/conf.d/piratebox.conf
-sudo rm -f /etc/nginx/conf.d/${domain}.d/dropcenter.conf
-sudo rm -f /etc/php5/fpm/pool.d/dropcenter.conf
+sudo rm -f /etc/nginx/conf.d/captive-piratebox.conf
+sudo rm -f "/etc/nginx/conf.d/${domain}.d/piratebox.conf"
+sudo rm -f /etc/php5/fpm/pool.d/piratebox.conf
 
 # Delete fakedns
 sudo rm -f /usr/local/bin/piratebox_fakedns
@@ -44,9 +44,9 @@ sudo yunohost service start php5-fpm
 sudo service nginx reload
 
 # Remove web user
-sudo userdel dropcenter
+sudo userdel piratebox
 
 # Remove sources
-sudo rm -rf /var/www/dropcenter/
+sudo rm -rf /var/www/piratebox/
 
 exit 0

+ 1 - 1
sources/php/config.php

@@ -15,7 +15,7 @@ define('AVATARFOLDER',UPLOAD_FOLDER.'avatars/'); //dossier contenant les avatars
 define('FORTUNE',false);//Affiche une citation aléatoire Chuck Norris Facts (mettre à false pour ne pas afficher)
 define('RSS_MAIL','rss@mail.com');
 define('READ_FOR_ANONYMOUS',false);// Définit si les visiteurs non authentifiés peuvent lire le contenu du dropCenter (true = lecture possible, false = lecture interdite)
-define('DC_LANG','fr - Francais');//Définit la langue par défaut
+define('DC_LANG','en - English');//Définit la langue par défaut
 define('DIR_LANG','lang/');//Dossier des fichiers de langue
 define('MAIL',false);//Autorise les notifications par e-mail
 define('DISPLAY_DOTFILES',false);//Affiche ou non les dossiers/fichiers commençant par un point