I'm managing a pfSense 1.2.3 based firewall and they asked me to enable logging on the integrated squid proxy and network activity.
I have chosen these services and installed them through pfSense's web interface (WebGui):
- bandwidthd, for generic bandwidth statistics
- lightsquid, which generates detailed navigation reports
Bandwidthd and lightsquid collect statistics and create reports about the users' navigation, and only the administrator should be able to access this data.
Despite these considerations, pfSense's default configuration doesn't restrict access to these services.
The pfSense management console (WebGui) is password protected, but the bandwidthd and lightsquid interfaces are accessible with no restriction. You can check this by installing bandwidthd and navigating to: https://yourfirewall-IP/bandwidthd
About PfSense
- pfSense is a BSD derived distribution, but its applications, config files and resources often have unusual names and locations.
- So, I suggest using find / -name 'findthis*' in order to locate stuff.
- pfSense uses PHP scripts to boot services and configure them; during the firewall reboot lots of the config files are generated from scratch.
- The service scripts (to stop or restart a service) are located in the /etc folder and are named rc.nameservice-restart (they are PHP scripts).
- pfSense runs all the web interfaces and services using the lighttpd service (pfSense 1.2.3 ships with a lighttpd 1.4.x release).
- The web configuration is stored in /var/etc/lighty-webConfigurator.conf; this file is generated at every service restart, so modifying it is useless.
The solution
We are going to configure the lighttpd server to request user authentication for the newly installed services; this solution is an adaptation of the mod_auth module's guide.
The pfSense environment is quite different and the WebConfigurator's configuration is generated at every service restart by the /etc/inc/system.inc PHP script. We need to log into the firewall shell and hack a bit... let's do:
- enable the pfSense SSH console/shell (from pfSense's WebGui)
- log into the pfSense SSH shell (Windows users can use PuTTY)
- open the file:
mcedit /etc/inc/system.inc
or nano /etc/inc/system.inc
Somewhere near row 798 (I'm sorry about code indentation, cut&paste problems):
{$network_handler}

## modules to load
server.modules = (
        {$captive_portal_module}
        "mod_access", "mod_accesslog",
        {$module}{$captiveportal},
        "mod_auth"
)
Add this block to the file, just after server.modules (this is not mandatory: I added these lines after the access log configuration, at row number 920). The backslash in \$HTTP is required because the block lives inside a PHP heredoc string in system.inc:
\$HTTP["url"] =~ "^/lightsquid/" {
        auth.backend = "plain"
        auth.backend.plain.userfile = "/var/etc/lighttpd-plain.myusers"
        auth.require = ("/lightsquid" => (
                "method" => "digest",
                "realm" => "lightsquid",
                "require" => "valid-user"
        ))
}
\$HTTP["url"] =~ "^/bandwidthd/" {
        auth.backend = "plain"
        auth.backend.plain.userfile = "/var/etc/lighttpd-plain.myusers"
        auth.require = ("/bandwidthd" => (
                "method" => "digest",
                "realm" => "bandwidthd",
                "require" => "valid-user"
        ))
}
Create user credentials
Let's create the text file /var/etc/lighttpd-plain.myusers, e.g.:
nano /var/etc/lighttpd-plain.myusers
/var/etc/lighttpd-plain.myusers should contain username:password pairs, one per line (don't forget the trailing newline!):
myusername1:passwordOfUsername1
myusername2:passwordOfUsername2
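The plain file above stores the passwords in clear text, which the final note addresses by switching auth.backend. As an added example (not from the original post), this script converts the file to lighttpd's htdigest format (auth.backend = "htdigest" and auth.backend.htdigest.userfile pointing at the new file) and shows that a digest response can be verified from the stored HA1 alone; the realms are the two from the auth.require blocks, while the sample users, the output file name and the nonce are constructed assumptions.

```python
"""Convert the plain mod_auth user file into lighttpd htdigest format.
Added example, not from the original post; assumes the user:password layout
shown above and the realms "lightsquid"/"bandwidthd" from auth.require.
htdigest lines are user:realm:HA1 with HA1 = MD5("user:realm:password")."""
import hashlib

# Constructed stand-in for /var/etc/lighttpd-plain.myusers (not real credentials).
PLAIN_USERFILE = "myusername1:passwordOfUsername1\nmyusername2:passwordOfUsername2\n"
REALMS = ("lightsquid", "bandwidthd")  # must match "realm" in auth.require

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def parse_plain_userfile(text):
    """Return [(user, password)]; reject lines that are not user:password."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, password = line.partition(":")
        if not sep or not user or not password:
            raise ValueError("line %d is not user:password" % lineno)
        entries.append((user, password))
    return entries

def ha1(user, realm, password):
    """RFC 2617 HA1: what the htdigest file stores instead of the password."""
    return md5hex("%s:%s:%s" % (user, realm, password))

def to_htdigest(text, realms=REALMS):
    """Emit one user:realm:HA1 line per user and realm."""
    return "".join("%s:%s:%s\n" % (u, r, ha1(u, r, p))
                   for u, p in parse_plain_userfile(text) for r in realms)

def digest_response(ha1_hex, method, uri, nonce):
    """Client response (RFC 2617, no qop): MD5(HA1:nonce:MD5(method:uri))."""
    return md5hex("%s:%s:%s" % (ha1_hex, nonce, md5hex("%s:%s" % (method, uri))))

def verify_digest(ha1_hex, method, uri, nonce, response):
    """Server-side check: only HA1 is needed, never the clear-text password."""
    return digest_response(ha1_hex, method, uri, nonce) == response

if __name__ == "__main__":
    # Redirect this output to e.g. /var/etc/lighttpd-htdigest.myusers (assumed name).
    print(to_htdigest(PLAIN_USERFILE), end="")
```

Because HA1 is bound to the realm, a user needs one line per realm, and renaming a realm in auth.require invalidates the corresponding lines.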
Restart WebGui
From the pfSense shell, execute the script:
/etc/rc.restart_webgui
Check: requesting https://yourfirewall-IP/bandwidthd/ without credentials should now return HTTP 401 and the browser should prompt for a username and password.
Final note
The digest authentication method prevents the password from being sent in clear text between the browser and the firewall.
Using the plain backend, the usernames and passwords are stored unencrypted in a text file; if you need password encryption, change the auth.backend option to use a different policy (not plain). Please refer to the mod_auth (1,2) documentation to adapt this solution to your needs.
Since /etc/inc/system.inc belongs to the base system, a pfSense upgrade will overwrite it and the added blocks must be re-applied.
The proposed changes don't affect the default authentication on the main pfSense WebGui; main console authentication is managed elsewhere inside the firewall, I suppose by elves and fairies.
Have fun!