Providing a Whitelisted Wireless Hotspot?

Ploxis writes "I volunteer some of my day managing a small network (and a ragtag band of computers) for a local nonprofit. I have been asked to set up a second, open, independent wireless network on site that will provide cost-free broadband Internet access to patrons. The catch is that they want to provide access only to a select group of about 25 websites while disallowing everything else. No objectionable sites, no mundane but non-relevant sites such as online banking or YouTube, and no other activities such as P2P or IM. They only want HTTP and HTTPS activity from a set of whitelisted websites." For the rest of Ploxis's question and his intial thoughts on making this happen, read on below. "They'd also like any non-whitelisted URL to be redirected to a 'splash page,' which would just be some HTML providing a list of allowed sites by category. I'd host this page internally on the network. Their primary concerns are liability for access of illegal/objectionable materials and conserving their bandwidth, while still providing access to specific relevant tools online. My initial thought was simply an open wireless router, a set of remarkably restrictive firewall rules, and an in-house server as a custom DNS ... but that's pretty shaky (i.e. anyone specifying their own DNS can still get at whatever they want). I assume they'll need a router with some pretty significant traffic management capabilities as well, but that's not something I've investigated before. Anyone's experiences, recommendations, case studies, or maps of similar networks would be greatly appreciated."

Squid

[eln]

Configure a linux box as a router, put squid on it, set up your whitelist, and you're all set.

Re:Squid

[eln]

I should also add there's some iptables stuff involved too, but if you know the terms "squid" and "transparent proxy", Google will give you plenty of pages telling you how to set it up.

mod_proxy

[ak_hepcat]

mod_proxy, mod_rewrite

your friends at apache have most of the work done for you. All you have to do is slap it together and write some custom rules.

Linux as a firewall, to make sure that all http/http traffic gets redirected through the proxy

if the hostname in the url doesn't match what's in your rewrite rules (aka, to pass through) then rewrite it to your custom splash page.

no need for wacky dns tricks here.

Re:Forget it

[Qzukk]

If it's only 25 sites (and not going to turn into "hundreds") then why play whack-a-mole? Set the default to Deny, look up those 25 IP addresses, and allow only 80 and 443 to those sites. That gets you 90% of the way there (the remaining 10% being virtualhosts on the same IPs). The rest of the IPs can be rewritten to a local webserver, which either is dedicated to this purpose or uses namebased virtual hosts to have it's own website, then the "default" vhost being the message you're putting up.

Make a simple script to add and remove IPs from the list and reload the rules, write down instructions on "What to do if www.foo.com stops working" or "What to do if you want to add www.baz.com", and you're done.

There are probably dozens of ways to actually implement this. Most of them will involve either custom wireless router firmware, or the wireless router plugged into a "real" router.

tinyproxy

[argent]

Instead of squid, use tinyproxy. You're not primarily interested in caching, you're interested in access control. Tinyproxy gives you much finer control of that, and it's also ... well ... tiny.

Just set up a "no proxy" rule for the sites you want them to get to, and redirect everything else to a 404 server.

Re:tinyproxy

[oyenstikker]

As the stated goals are to provide access to a very small number of pages and limit bandwidth, caching is a great idea.