marvinoliveiras
(usa Slackware)
Enviado em 12/09/2012 - 17:44h
esse aplicativo faz a função de mediar o tráfego da internet, deixando que só acessem pessoas logadas, inclusive ele possibilita o uso do squid transparente, acho que ele é usando até mesmo no Myauth.
o /usr/local/nocat/gw/nocat.conf
###### gateway.conf -- NoCatAuth Gateway Configuration.
#
# Format of this file is: <Directive> <Value>, one per
# line. Trailing and leading whitespace is ignored. Any
# line beginning with a punctuation character is assumed to
# be a comment.
###### General settings.
#
# See the bottom of this file for options for logging to syslog.
#
# Log verbosity -- 0 is (almost) no logging. 10 is log
# everything. 5 is probably a safe middle road.
#
Verbosity 10
##### Gateway application settings.
#
# GatewayName -- The name of this gateway, to be optionally displayed
# on the splash and status pages. Any short string of text will do.
#
GatewayName ServNet Camara
##
#
# GatewayMode -- Determines the mode of operation of the gateway. Possible
# values are:
#
# Captive - Allow authentication against an auth service. LEGACY.
# Passive - Like Captive, but YOU MUST USE THIS if your gateway
# is behind a NAT. Will work anyway if not. *RECOMMENDED*.
# Open - Simply require a user to view a splash page and accept
# a use agreement.
#
# If Captive or Passive Mode is set, you will need to have values set for
# AuthServiceAddr, AuthServiceURL, and LogoutURL. You will want to leave a
# short value for LoginTimeout (probably <600).
#
# If Open Mode is set, you will need to have values set for SplashForm,
# HomePage, and possibly DocumentRoot (or provide an absolute path for
# SplashForm). Also, you will want to set a large value for LoginTimeout
# (probably >3600).
#
GatewayMode Passive
##
# GatewayLog -- Optional. If unset, messages will go to STDERR.
#
GatewayLog /usr/local/nocat/gw/nocat.log
##
# LoginTimeout - Number of seconds after a client's last
# login/renewal to terminate their connection. Probably
# don't want to set this to less than 60 or a lot of
# bandwidth is likely to get consumed by the client's
# renewal attempts. Defaults to 300 seconds.
#
# For Captive Mode, you want to set this to something
# fairly short (like 10 minutes) to prevent connection
# spoofing
#
LoginTimeout 86400
# For Open Mode portals, you probably want to comment out
# the preceding and set LoginTimeout to
# something large (like 86400, for one notification
# per day).
#
# LoginTimeout 86400
###### Open Portal settings.
#
##
# HomePage -- The authservice's notion of a default
# redirect.
#
HomePage http://www.camaradebarreiras.ba.gov.br
# DocumentRoot -- Where all of the application templates (including
# SplashPage) are hiding. Can be different from Apache's DocumentRoot.
#
DocumentRoot /usr/local/nocat/gw/htdocs
# SplashForm -- Form displayed to users on capture.
#
SplashForm splash.html
# StatusForm -- Page displaying status of logged in users.
#
StatusForm status.html
###### Active/Passive Portal settings.
#
##
# TrustedGroups - A list of groups registered with the auth server
# that a user may claim membership in order to gain Member-class
# access through this portal. The default magic value "Any" indicates
# that a member of *any* group is granted member-class access from
# this gateway..
#
# TrustedGroups NoCat NYCWireless PersonalTelco
#
TrustedGroups Any
##
# Owners - Optional. List all local "owner" class users here, separated
# by spaces. Owners typically get full bandwidth, and unrestricted
# access to all network resources.
#
# Owners rob@nocat.net schuyler@nocat.net
##
# AuthServiceAddr - Required, for captive mode. Must be set to the address of
# your authentication service. You must use an IP address
# if DNS resolution isn't available at gateway startup.
#
# AuthServiceAddr 208.201.239.21
#
AuthServiceAddr 192.168.1.254
##
# AuthServiceURL - HTTPS URL to the login script at the authservice.
#
AuthServiceURL https://$AuthServiceAddr/cgi-bin/login
##
# LogoutURL - HTTP URL to redirect user after logout.
#
LogoutURL https://$AuthServiceAddr/logout.html
### Network Topology
#
# ExternalDevice - Required if and only if NoCatAuth can't figure it out
# from looking at your routing tables and picking the interface
# that carries the default route. Must be set to the interface
# connected to the Internet. Usually 'eth0' or 'eth1'
# under Linux, or maybe even 'ppp0' if you're running
# PPP or PPPoE.
#
ExternalDevice eth0
##
# InternalDevice - Required if and only if you have ethernet devices
# on your gateway besides your wireless device and your 'Net connection.
# Must be set to the interface connected to your local network, normally
# your wireless card. In Linux, some wireless devices are named 'wvlan0'
# or 'wlan0' rather than 'ethX'.
#
InternalDevice eth1
##
# LocalNetwork - Required if and only if NoCatAuth can't figure out
# the network address of your local (probably wireless) network,
# given your InternalDevice(s). Must be set to the network
# address and net mask of your internal network. You
# can use the number of bits in the netmask (e.g. /16, /24, etc.)
# or the full x.x.x.x specification.
#
# LocalNetwork 10.0.1.0/24
##
# DNSAddr - Optional. *If* you choose not to run DNS on your internal network,
# specify the address(es) of one or more domain name server on the Internet
# that wireless clients can use to get out. Should be the same DNS that your
# DHCP server hands out. If left blank, NoCatAuth will presume that you
# want to use whatever nameservers are listed in /etc/resolv.conf.
#
# DNSAddr 111.222.333.444
##
# AllowedWebHosts - Optional. List any domains that you would like to
# allow web access (TCP port 80 and 443) BEFORE logging in (this is the
# pre-'skip' stage, so be careful about what you allow.)
#
# AllowedWebHosts nocat.net
##
# RouteOnly - Required only if you DO NOT want your gateway to act as a NAT.
# Uncomment this only if you're running a strictly routed network, and
# don't need the gateway to enable NAT for you.
#
# RouteOnly 1
##
# IgnoreMAC - Set this if and only if the NoCat gateway isn't directly
# connected (or bridged at Layer 2) to your internal (usually wireless)
# network. In that event, the gateway won't be able to match clients based
# on MAC address, and will fall back to using IPs only. This is
# theoretically less secure, as IP addresses are usually easier to spoof
# than MAC addresses, so don't use this unless you know what you're doing.
#
# IgnoreMAC 1
##
# MembersOnly - Optional. Uncomment this if you want to disable public
# access (i.e. unauthenticated 'skip' button access). You'll also want to
# point AuthServiceURL somewhere that doesn't include a skip button (like
# at your own Auth server.)
#
# MembersOnly 1
##
# IncludePorts - Optional. Specify TCP ports to allow access to when
# public class users login. All others will be denied.
#
# For a list of common services and their respective port numbers, see
# your /etc/services file. Depending on your firewall, you might even
# be able to specify said services here, instead of using port numbers.
#
# IncludePorts 22 80 443
##
# ExcludePorts - Optional. Specify TCP ports to denied access to when
# public class users login. All others will be allowed.
#
# Note that you should use either IncludePorts or ExcludePorts, but not
# both. If neither is specified, access is granted to all ports to
# public class users.
#
# You should *always* exclude port 25, unless you want to run an portal
# for wanton spam sending. Users should have their own way of sending
# mail. It sucks, but that's the way it is. Comment this out *only if*
# you're using IncludePorts instead.
#
# ExcludePorts 23 25 111
#
ExcludePorts 25
####### Syslog Options -- alter these only if you want NoCat to log to the
# system log!
#
# Log Facility - syslog or internal. Internal sends log messages
# using the GatewayLog or STDERR if GatewayLog is unset. Syslog
# sends all messages to the system log.
#
# LogFacility internal
##
# SyslogSocket - inet or unix. Inet connects to an inet socket returned
# by getsrvbyname(). Unix connects to a unix domain socket returned by
# _PATH_LOG in syslog.ph (typically /dev/log). Defaults to unix.
#
# SyslogSocket unix
##
# SyslogOptions - Zero or more of the words pid, ndelay, cons, nowait
# Defaults to "cons,pid".
#
# SyslogOptions cons,pid
##
# SyslogPriority - The syslog class of message to use: In decreasing importance,
# the typical priorities are EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO,
# and DEBUG. Defaults to INFO.
#
# SyslogPriority INFO
##
# SyslogFacility - The facility used to log messages. Defaults to user.
# SyslogFacility user
##
# SyslogIdent - The ident of the program that is calling syslog. This will
# be prepended to every log entry made by NoCat. Defaults to NoCat.
#
# SyslogIdent NoCat
###### Other Common Gateway Options. (stuff you probably won't have to change)
#
# ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,
# open and close the firewall. You probably don't need to
# change these.
#
# ResetCmd initialize.fw
# PermitCmd access.fw permit $MAC $IP $Class
# DenyCmd access.fw deny $MAC $IP $Class
##
# GatewayPort - The TCP port to bind the gateway
# service to. 5280 is de-facto standard for NoCatAuth.
# Change this only if you absolutely need to.
#
GatewayPort 5280
##
# PGPKeyPath -- The directory in which PGP keys are stored.
# NoCat tries to find this in the pgp/ directory above
# the bin/ parent directory. Set this only if you put it
# somewhere that NoCat doesn't expect.
#
PGPKeyPath /usr/local/nocat/gw/pgp
##
# MessageVerify -- Shell command to verify a PGP signed
# message. The actual message is delivered to the
# command's standard input. NoCat tries to find gpg
# and gpgv in your path. Set these only if you need to find
# them elsewhere.
#
# GpgvPath /usr/bin/gpgv
#
# MessageVerify $GpgvPath --homedir=$PGPKeyPath 2>/dev/null
##
#
# IdleTimeout -- How often to check the ARP cache, in seconds,
# for expiration of idle clients.
#
# MaxMissedARP -- How many times a client can be missing from
# the ARP cache before we assume they've gone away, and log them
# out. Set to 0 to disable logout based on ARP cache expiration.
#
# MaxMissedARP 2
#
# IdleTimeout 300
### Fin!
o /usr/local/nocat/authserv/nocat.conf
###### authserv.conf -- NoCatAuth Authentication Service Configuration.
#
# Format of this file is: <Directive> <Value>, one per
# line. Trailing and leading whitespace is ignored. Any
# line beginning with a punctuation character is assumed to
# be a comment.
###### General settings.
#
# Log verbosity -- 0 is (almost) no logging. 10 is log
# everything. 5 is probably a safe middle road.
#
Verbosity 10
##
# PGPKeyPath -- The directory in which PGP keys are stored.
# NoCat tries to find this in the pgp/ directory above
# the bin/ parent directory. Set this only if you put it
# somewhere that NoCat doesn't expect.
#
PGPKeyPath /usr/local/nocat/authserv/pgp
###### Authservice-specific settings.
#
# HomePage -- The authservice's notion of a default
# redirect.
#
HomePage http://www.camaradebarreiras.ba.gov.br
# DocumentRoot -- Where all of the application templates (including
# SplashPage) are hiding. Can be different from Apache's DocumentRoot.
#
DocumentRoot /usr/local/nocat/authserv/htdocs
##### Authservice authentication source.
#
# DataSource -- specifies what to authenticate against.
# Possible values are DBI, Passwd, LDAP, RADIUS, PAM, Samba, IMAP, NIS.
#
DataSource DBI
##
# Auth service database settings.
#
# If you select DataSource DBI, then Database, DB_User, and DB_Password
# are required.
#
# Database is a DBI-style data source specification.
#
# For postgres support:
# Database dbi:Pg:dbname=nocat
#
# For mysql support:
Database dbi:mysql:database=nocat
DB_User root
DB_Passwd MINHASENHA
## LDAP support. Requires Net::LDAP & IO::Socket::SSL to be installed from the CPAN.
#
# If you select DataSource LDAP, all of the following settings are required:
#
# LDAP_Host - DNS name or IP Address of LDAP directory
# LDAP_Base - the LDAP container for searching and creating users
# LDAP_Admin_User - the fully distinguished name of the administrative user
# NOTE: this user must be able to create users in the container specified above
# LDAP_Admin_PW - the admin users password
# LDAP_Hash_Passwords - Yes or No
# - if passwords are to be MD5 hashed before being set in the directory
# LDAP_Search_as_Admin - Yes or No
# - "Yes" if all operations are to be done as the admin user, "No" if
# everything but creation should be done as anonymous
# LDAP_Filter - Attribute name containing user's ID, email address
# or username.
#
# This version of LDAP.pm has been updated and tested against a Novell eDirectory
# LDAP server. The login "unique ID" - the e-mail address - is stored as an
# attribute of the user, and the "name" provided by the user is used as the
# directory object name.
#
# Please send bug reports and patches.
#
# Still with this release, the admin tools don't fully work with LDAP support at
# the moment.
#
# LDAP_Host ldap.mydomain.com
# LDAP_Base ou=myContainer,o=universe
# LDAP_Admin_User cn=LDAPAdmin,o=universe
# LDAP_Admin_PW ldapAdminSecret
# LDAP_Hash_Passwords Yes
# LDAP_Search_as_Admin Yes
# LDAP_Filter mail
## RADIUS support. Requires Authen::Radius to be installed from the CPAN.
#
# Right now, this support is totally experimental. Please send bug reports
# and patches. The admin tools don't fully work with RADIUS support at the moment.
#
# The RADIUS_Host may by in a number of different formats and is required:
#
# RADIUS_Host radius.nocat.net
# RADIUS_Host radius1.nocat.net,radius2.nocat.net,radius3.nocat.net
# RADIUS_Host radius1.nocat.net:1645,radius2.nocat.net:1812,radius3.nocat.net
#
# The previous three examples are 1 host and multiple hosts (can be any number of
# hosts separated by a comma) and finally with ports provided after a colon. (If
# no port number is supplied, it uses the Authen::Radius default of the radius
# service in /etc/services or 1645. Mixing entries with and without ports is
# fine.) These examples require a RADIUS_Secret in the format:
#
# RADIUS_Secret sHHHH
#
# The other format is to use the RADIUS_Host with a secret after
# the hostname seperated by a * such as the examples below. This
# allows for different secrets on different hosts.
#
# RADIUS_Host radius1.nocat.net*secret1,radius2.nocat.net*secret2,radius3.nocat.net*secret3
#
# Alternatively, ports can also be used on any number of entries.
# If the secret is not present, it uses the RADIUS_Secret.
#
# RADIUS_Host radius1.nocat.net:1645*secret1,radius2.nocat.net:1812,radius3.nocat.net*secret3
#
# RADIUS_TimeOut is optional and defaults to the Authen::Radius
# default timeout.
#
# RADIUS_TimeOut 5
#
# Finally, RADIUS_Order controls the order in which RADIUS
# servers are used. The acceptable values are "Ordered"
# (the default) and Random (which will share the load
# among the servers.
#
# RADIUS_Order Random
# **** End RADIUS Configuration ****
## PAM support. Requires Authen::PAM to be installed from the CPAN.
#
# Make sure you have an /etc/pam.d/nocat or nocat line(s) in your /etc/pam.conf.
# See etc/pam.conf from this distribution for an example. The PAM_Service
# directive controls which PAM service NoCat attempts to authenticate against,
# but we don't recommend changing it unless you really know what you're doing
# with PAM. It defaults to "nocat". The admin tools don't work with PAM support
# at the moment.
#
# PAM_Service nocat
## Samba support. Requires Authen::Smb to be installed from the CPAN.
#
# Samba_PDC and Samba_Domain are required. Samba_BDC is optional.
#
# Samba_Domain MyWorkgroup
# Samba_PDC MyPrimaryDomainController
# Samba_BDC MyBackupDomainController
## IMAP support. Requires Net::IMAP::Simple to be installed from the CPAN.
#
# IMAP_Server is required. The admin tools don't work with this auth method.
#
# IMAP_Server imap.yourdomain.net
# (or more likely:)
# IMAP_Server localhost
## NIS support. Requires Net::NIS to be installed from the CPAN.
#
# The admin tools don't work with this auth source, surprise.
#
# DataSource NIS
## Alternately, you can use the Passwd data source.
#
# UserFile /usr/local/nocat/authserv/etc/passwd
# GroupUserFile /usr/local/nocat/authserv/etc/group
# GroupAdminFile /usr/local/nocat/authserv/etc/groupadm
#
# The format of these files is as follows:
#
# In UserFile, each line is of the form <username>:<password>, where the
# password is an MD5 digest of the user's actual password.
#
# In GroupUserFile and GroupAuthFile, each line is of the form
# <group>:<user1>,<user2>,<user3>,...
#
# The UserFile may be updated with the bin/admintool script included in this
# distribution.
###### Auth service user table settings.
#
# UserTable names the table containing the user ID data.
#
# UserIDField names the column containing the ID that the
# client uses to uniquely identifying themselves, i.e. their
# e-mail address or username.
#
# UserPasswdField stores the user's MD5-hashed password.
#
# UserAuthField is deprecated and will go away.
#
UserTable member
UserIDField login
UserPasswdField pass
UserAuthField status
UserStampField created
GroupTable network
GroupIDField network
GroupAdminField admin
####### Auth service web application settings.
#
# MinPasswdLength -- Enforced minimum user password length.
# Not much other checking is done on the user's p/w.
#
MinPasswdLength 6
# MessageSign -- shell command to sign an auth notification
# with. The message to be signed is written to the
# command's standard in, and the signed message is read
# from standard out.
#
# GpgPath /usr/bin/gpg
#
# MessageSign $GpgPath --clearsign --homedir=$PGPKeyPath -o-
# LocalGateway -- If you run auth service on the same subnet
# (or host) as the gateway you need to specify the hostname
# of the gateway. Otherwise omit it. (Requires Net::Netmask)
#
# LocalGateway 192.168.1.7
# Auth service template names. See the individual templates
# for details on what each one does.
#
LoginForm login.html
LoginOKForm login_ok.html
FatalForm fatal.html
ExpiredForm expired.html
RenewForm renew.html
PassiveRenewForm renew_pasv.html
RegisterForm register.html
RegisterOKForm register_ok.html
RegisterFields name url description
UpdateForm update.html
UpdateFields url description
###### Auth service user messages. Should be self-explanatory.
#
LoginGreeting Greetings! Welcome to the NoCat Network.
LoginMissing Please fill in all fields!
LoginBadUser That e-mail address is unknown. Please try again.
LoginBadPass That e-mail and password do not match. Please try again.
LoginBadStatus Sorry, you are not a registered co-op member.
RegisterGreeting Welcome! Please enter the following information to register.
RegisterMissing Name, E-mail, and password fields must be filled in.
RegisterUserExists Sorry, that e-mail address is already taken. Are you already registered?
RegisterBadUser The e-mail address provided appears to be invalid. Did you spell it correctly?
RegisterInvalidPass All passwords must be at least six characters long.
RegisterPassNoMatch The passwords you provided do not match. Please try again.
RegisterSuccess Congratulations, you have successfully registered.
UpdateGreeting Enter your E-mail and password to update your info.
UpdateBadUser That e-mail address is unknown. Please try again.
UpdateBadPass That e-mail and password do not match. Please try again.
UpdateInvalidPass New passwords must be at least six characters long.
UpdatePassNoMatch The new passwords you provided do not match. Please try again.
UpdateSuccess Congratulations, you have successfully updated your account.
###### Fin.