實現(xiàn)的功能
先使用nanohttpd在安卓內(nèi)實現(xiàn)http server的功能,然后在已經(jīng)移植并開啟wifidog的安卓平臺開啟熱點,當(dāng)其它的手機連接到此熱點時磨淌,手機上會彈出我們在手機上搭建的http server中運行的指定的網(wǎng)頁。如果我們的安卓平臺是有多網(wǎng)卡的話,我們也能指定手機連接到此熱點時打開外部其他網(wǎng)站的網(wǎng)頁灾馒。因為是單網(wǎng)卡的設(shè)備即時指定了外部的網(wǎng)頁,手機連接到此熱點因為未連接到互聯(lián)網(wǎng)遣总,也無法打開外部的網(wǎng)頁睬罗。
所需內(nèi)容
1.NanoHttpd是一個安卓平臺的Http Server,具體可看github上的介紹旭斥,本文主要說wifidog在安卓平臺的編譯容达,對NanoHttpd的使用不做介紹。
2.wifidog源碼垂券。
來自github的簡介:The WiFi Guard Dog project is a complete and
embeddable captive portal solution for wireless community groups
or individuals who wish to open a free hotspot while still
preventing abuse of their Internet connection.
3.移植目標的安卓平臺源碼花盐。本文針對的目標平臺是基于三星4418平臺的安卓開發(fā)板。
以上列表中所需的1菇爪,2兩項的源碼鏈接地址如下:
移植步驟
1.使用NanoHttpd在安卓平臺搭建HttpServer(編寫apk程序即可卒暂,具體步驟可見NanoHttpd 在github上的介紹)
2.在安卓平臺的源碼external目錄下新建文件夾命名為wifidog,
3.下載wifidog源碼娄帖,并將下載到的源碼放入第2步中新建的wifidog文件夾中
4.在wifidog目錄下新建config.h文件也祠,在文件中寫入以下代碼:
#define VERSION "v1.0"
#define HAVE_STDARG_H
#define __ANDROID__
5.在wifidog目錄下新建Android.mk文件,在文件中寫入以下內(nèi)容:
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := wifidog
LOCAL_C_INCLUDES=$(LOCAL_PATH)/libhttpd
LOCAL_SRC_FILES = src/gateway.c \
src/auth.c \
src/client_list.c \
src/conf.c \
src/firewall.c \
src/http.c \
src/safe.c \
src/centralserver.c \
src/commandline.c \
src/debug.c \
src/fw_iptables.c \
src/httpd_thread.c \
src/ping_thread.c \
src/util.c \
src/wdctl_thread.c \
src/simple_http.c \
src/pstring.c \
src/wd_util.c \
src/main.c \
./libhttpd/api.c \
./libhttpd/ip_acl.c \
./libhttpd/protocol.c \
./libhttpd/version.c
LOCAL_SHARED_LIBRARIES = $(SHARED_LIBRARIES)
include $(BUILD_EXECUTABLE)
以上步驟完成了對代碼的準備近速,此時進入wifidog目錄下使用mm命令已經(jīng)可以編譯通過了诈嘿,但是還沒有完成對wifidog的配置,接下來的我們需要修改配置文件和增加啟動腳本削葱。
6.在wifidog目錄下找到wifidog.conf配置文件奖亚,修改此文件內(nèi)容:
ExternalInterface lo #如果雙網(wǎng)卡設(shè)備此處可設(shè)定為開啟wifi熱點網(wǎng)卡的另外一塊網(wǎng)卡,因為我們的開發(fā)板為單網(wǎng)卡析砸,此處指定了回環(huán)
GatewayInterface wlan0 #指定我們開啟了熱點的網(wǎng)卡設(shè)備名稱
AuthServer {
Hostname 192.168.43.1 #http server 地址
HTTPPort 8080 #http server端口
SSLAvailable no #https是否可用
Path / #http頁面路徑
LoginScriptPathFragment /
PortalScriptPathFragment /
MsgScriptPathFragment /
PingScriptPathFragment /
AuthScriptPathFragment /
}
以上未注釋的配置項的意思在下發(fā)完整的配置文件中有解釋
修改完成后的配置文件內(nèi)容如下:
# $Id$
# WiFiDog Configuration file
# Parameter: GatewayID
# Default: default
# Optional
#
# Set this to the node ID on the auth server
# This is used to give a customized login page to the clients and for
# monitoring/statistics purpose. If you run multiple gateways on the same
# machine each gateway needs to have a different gateway id.
# If none is supplied, the mac address of the GatewayInterface interface will be used,
# without the : separators
# GatewayID default
# Parameter: ExternalInterface
# Default: NONE
# Optional
#
# Set this to the external interface (the one going out to the Inernet or your larger LAN).
# Typically vlan1 for OpenWrt, and eth0 or ppp0 otherwise,
# Normally autodetected
ExternalInterface lo
# Parameter: GatewayInterface
# Default: NONE
# Mandatory
#
# Set this to the internal interface (typically your wifi interface).
# Typically br-lan for Openwrt (by default the wifi interface is bridged with wired lan in openwrt)
# and eth1, wlan0, ath0, etc. otherwise
# You can get this interface with the ifconfig command and finding your wifi interface
GatewayInterface wlan0
# Parameter: GatewayAddress
# Default: Find it from GatewayInterface
# Optional
#
# Set this to the internal IP address of the gateway. Not normally required.
# GatewayAddress 192.168.43.1
# Parameter: HtmlMessageFile
# Default: wifidog-msg.html
# Optional
#
# This allows you to specify a custome HTML file which will be used for
# system errors by the gateway. Any $title, $message and $node variables
# used inside the file will be replaced.
#
# HtmlMessageFile /opt/wifidog/etc/wifidog-.html
# Parameter: AuthServer
# Default: NONE
# Mandatory, repeatable
#
# This allows you to configure your auth server(s). Each one will be tried in order, untill one responds.
# Set this to the hostname or IP of your auth server(s), the path where
# WiFiDog-auth resides in and the port it listens on.
#AuthServer {
# Hostname (Mandatory; Default: NONE)
# SSLAvailable (Optional; Default: no; Possible values: yes, no)
# SSLPort (Optional; Default: 443)
# HTTPPort (Optional; Default: 80)
# Path (Optional; Default: /wifidog/ Note: The path must be both prefixed and suffixed by /. Use a single / for server root.)
# LoginScriptPathFragment (Optional; Default: login/? Note: This is the script the user will be sent to for login.)
# PortalScriptPathFragment (Optional; Default: portal/? Note: This is the script the user will be sent to after a successfull login.)
# MsgScriptPathFragment (Optional; Default: gw_message.php? Note: This is the script the user will be sent to upon error to read a readable message.)
# PingScriptPathFragment (Optional; Default: ping/? Note: This is the wifidog-ping protocol. See http://dev.wifidog.org/wiki/doc/developer/WiFiDogProtocol_V1)
# AuthScriptPathFragment (Optional; Default: auth/? Note: This is the wifidog-auth protocol. See http://dev.wifidog.org/wiki/doc/developer/WiFiDogProtocol_V1)
#}
# If SSLAvailable is set, then the client will be redirected to the
# auth daemon on its HTTPS port. If Wifidog is compiled with SSL support,
# then Wifidog will also use HTTPS to talk to the auth server instead of
# plain HTTP.
#
AuthServer {
Hostname 192.168.43.1
HTTPPort 8080
SSLAvailable no
Path /
LoginScriptPathFragment /
PortalScriptPathFragment /
MsgScriptPathFragment /
PingScriptPathFragment /
AuthScriptPathFragment /
}
#AuthServer {
# Hostname auth2.ilesansfil.org
# SSLAvailable yes
# Path /
#}
# Parameter: DeltaTraffic
# Default: no
# Optional
#
# Set this to true if you want to reset each user's traffic (Outgoing and Incoming) value after each Auth operation.
# If this is enabled, Wifidog will add two new parameters to the AuthScriptPathFragment: Incoming_Delta, Outgoing_delta.
# DeltaTraffic no
# Parameter: Daemon
# Default: 1
# Optional
#
# Set this to true if you want to run as a daemon
# Daemon 1
# Parameter: GatewayPort
# Default: 2060
# Optional
#
# Listen on this port
# GatewayPort 2060
# Parameter: ProxyPort
# Default: 0 (disable)
# Optional
#
# Redirect http traffic of knowns & probations users
# to a local transparent proxy listening on ProxyPort port
# ProxyPort 0
# Parameter: HTTPDName
# Default: WiFiDog
# Optional
#
# Define what name the HTTPD server will respond
# HTTPDName WiFiDog
# Parameter: HTTPDMaxConn
# Default: 10
# Optional
#
# How many sockets to listen to
# HTTPDMaxConn 10
# Parameter: HTTPDRealm
# Default: WiFiDog
# Optional
#
# The name of the HTTP authentication realm. This only used when a user
# tries to access a protected WiFiDog internal page. See HTTPUserName.
# HTTPDRealm WiFiDog
# Parameter: HTTPDUserName / HTTPDPassword
# Default: unset
# Optional
#
# The gateway exposes some information such as the status page through its web
# interface. This information can be protected with a username and password,
# which can be set through the HTTPDUserName and HTTPDPassword parameters.
# HTTPDUserName admin
# HTTPDPassword secret
# Parameter: CheckInterval
# Default: 60
# Optional
#
# How many seconds should we wait between timeout checks. This is also
# how often the gateway will ping the auth server and how often it will
# update the traffic counters on the auth server. Setting this too low
# wastes bandwidth, setting this too high will cause the gateway to take
# a long time to switch to it's backup auth server(s).
# CheckInterval 60
# Parameter: ClientTimeout
# Default: 5
# Optional
#
# Set this to the desired of number of CheckInterval of inactivity before a client is logged out
# The timeout will be INTERVAL * TIMEOUT
ClientTimeout 5
# Parameter: SSLPeerVerification
# Default: yes
# Optional
#
# Enable peer certificate verification when talking to the auth
# server over SSL/TLS. Disabling this setting is mainly useful if
# you do not want to install ca-certificates.
#
# If this setting is set to yes, then the certificates in
# the directory indicated by SSLCertPath will be used to
# verify the auth server.
#
# This setting requires that WifiDog is compiled with SSL support.
# It will be ignored otherwise.
#
# To disable SSL completely for testing purposes, set SSLAvailable
# to False for the auth server in question. Note that this will disable
# HTTPS when redirecting clients to your auth server.
#
# SSLPeerVerification yes
# Parameter: SSLCertPath
# Default: /etc/ssl/certs/
# Optional
#
# Where to look for SSL certificates to verify the auth servers
# certificate. Note that these will only be used if the auth server
# in question is configured with SSLAvailable yes.
#
# The certificates in this directory must be named by their hash
# value. For OpenWRT, you need a ca-certificates package newer
# than what is shipped in Barrier Breaker (see
# https://dev.openwrt.org/ticket/16537).
#
# This setting requires that WifiDog is compiled with SSL support.
# It will be ignored otherwise.
#
# SSLCertPath /etc/ssl/certs/
# Parameter: SSLAllowedCipherList
# Default: all ciphers supported
# Optional
#
# Which cipher suite to allow. Note that CyaSSL will ignore cipher
# suites that use algorithms that aren't compiled in or cipher
# suites *WITH ERRORS IN THEIR NAMES*.
#
# Please see CyaSSL documentation for allowed values, format is a
# string where the ciphers are separated by colons (:) with no
# spaces. Ciphers are ordered from most desirable to least desirable.
#
# SSLAllowedCipherList ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:AES128-SHA:AES256-SHA
# Parameter: SSLUseSNI
# Default: no
# Optional
#
# Enable SNI (Server Name Indication) TLS extension.
# Enabling this setting is mainly useful if the auth server is hosted
# multiple secure (HTTPS) websites. The WifiDog should indicate which hostname
# it is attempting to connect to at the start of the handshaking process.
#
# This setting requires that WifiDog is compiled with SSL support.
# It will be ignored otherwise.
#
# SSLUseSNI no
# Parameter: TrustedMACList
# Default: none
# Optional
#
# Check DNS health by querying IPs of these hosts
PopularServers kernel.org,ieee.org
# Comma separated list of MAC addresses who are allowed to pass
# through without authentication.
# N.B.: weak security, since MAC addresses are easy to spoof.
#
#TrustedMACList 00:00:DE:AD:BE:AF,00:00:C0:1D:F0:0D
# Parameter: FirewallRuleSet
# Default: none
# Mandatory
#
# Groups a number of FirewallRule statements together.
# Parameter: FirewallRule
# Default: none
#
# Define one firewall rule in a rule set.
# Rule Set: global
#
# Used for rules to be applied to all other rulesets except locked.
FirewallRuleSet global {
# FirewallRule syntax:
# FirewallRule (block|drop|allow|log|ulog) [(tcp|udp|icmp) [port X or port-range X:Y]] [to IP/CIDR]
## To block SMTP out, as it's a tech support nightmare, and a legal liability
#FirewallRule block tcp port 25
## Use the following if you don't want clients to be able to access machines on
## the private LAN that gives internet access to wifidog. Note that this is not
## client isolation; The laptops will still be able to talk to one another, as
## well as to any machine bridged to the wifi of the router.
# FirewallRule block to 192.168.0.0/16
# FirewallRule block to 172.16.0.0/12
# FirewallRule block to 10.0.0.0/8
## This is an example ruleset for the Teliphone service.
#FirewallRule allow udp to 69.90.89.192/27
#FirewallRule allow udp to 69.90.85.0/27
#FirewallRule allow tcp port 80 to 69.90.89.205
## This is an example ruleset for example.com
## example.com means example.com and *.example.com
#FirewallRule allow tcp to example.com
## Use the following if you are having problems with Apple iOS 7 clients.
## See #7 and #14 at https://github.com/wifidog/wifidog-gateway/issues/
#FirewallRule allow tcp to apple.com
#FirewallRule allow tcp to icloud.com
## Use the following to log or ulog the traffic you want to allow or block.
# For OPENWRT: use of these feature requires modules ipt_LOG or ipt_ULOG present in dependencies
# iptables-mod-extra and iptables-mod-ulog (to adapt it to the linux distribution).
# Note: the log or ulog rule must be passed before, the rule you want to match.
# for openwrt: use of these feature requires modules ipt_LOG or ipt_ULOG present in dependencies
# iptables-mod-extra and iptables-mod-ulog
# For example, you want to log (ulog works the same way) the traffic allowed on port 80 to the ip 69.90.89.205:
#FirewallRule log tcp port 80 to 69.90.89.205
#FirewallRule allow tcp port 80 to 69.90.89.205
# And you want to know, who matche your block rule:
#FirewallRule log to 0.0.0.0/0
#FirewallRule block to 0.0.0.0/0
}
# Rule Set: validating-users
#
# Used for new users validating their account
FirewallRuleSet validating-users {
FirewallRule allow to 0.0.0.0/0
}
# Rule Set: known-users
#
# Used for normal validated users.
FirewallRuleSet known-users {
FirewallRule allow to 0.0.0.0/0
}
# Rule Set: auth-is-down
#
# Does nothing when not configured.
#
# Used when auth server is down
#FirewallRuleSet auth-is-down {
# FirewallRule allow to 0.0.0.0/0
#}
# Rule Set: unknown-users
#
# Used for unvalidated users, this is the ruleset that gets redirected.
#
# XXX The redirect code adds the Default DROP clause.
FirewallRuleSet unknown-users {
# Use to-ipset to block or allow externally specified hosts.
# Ipsets are created with the ipset utility. This is useful to
# block or allow hosts at runtime externally.
# For example, if your auth server requires users to log in
# via Facebook, use the ipset feature built into dnsmasq to
# to populate a list of various IPs used by the Facebook networks.
#FirewallRule allow to-ipset fb
FirewallRule allow udp port 53
FirewallRule allow tcp port 53
FirewallRule allow udp port 67
FirewallRule allow tcp port 67
}
# Rule Set: locked-users
#
# Not currently used
FirewallRuleSet locked-users {
FirewallRule block to 0.0.0.0/0
}
7.在安卓平臺源碼中增加文件拷貝項昔字,在編譯時將此配置文件復(fù)制至/system/etc目錄中。不同平臺路徑不完全一樣,此處就不寫我的路徑了作郭,具體方式可參考各平臺的說明
8.修改啟動腳本陨囊,在wifidog目錄下找到scripts目錄下的init.d文件夾,修改init.d文件夾中的wifidog文件內(nèi)容
刪除第一行的:#!/bin/sh
將以下兩行內(nèi)容修改:
IPT=/usr/sbin/iptables
WD_DIR=/usr/bin
為
IPT=/system/bin/iptables
WD_DIR=/system/bin
修改完成后的腳本內(nèi)容為:
#
# Could be better, but it's working as expected
#
#
#
# chkconfig: 345 65 35
#
# description: Startup/shutdown script for Wifidog captive portal
# processname: wifidog
# Date : 2004-08-25
# Version : 1.0
IPT=/system/bin/iptables
WD_DIR=/system/bin
OPTIONS=""
case "$1" in
start)
echo "Starting Wifidog ... "
if $WD_DIR/wdctl status 2> /dev/null
then
echo "FAILED: Wifidog already running"
else
$0 test-module
if $WD_DIR/wifidog $OPTIONS
then
echo "OK"
else
echo "FAILED: Wifidog exited with non 0 status"
fi
fi
;;
restart)
$0 stop
sleep 2
$0 start
;;
reload)
$0 stop
sleep 2
$0 start
;;
stop)
echo "Stopping Wifidog ... "
if $WD_DIR/wdctl status 2> /dev/null
then
if $WD_DIR/wdctl stop
then
echo "OK"
else
echo "FAILED: wdctl stop exited with non 0 status"
fi
else
echo "FAILED: Wifidog was not running"
fi
;;
status)
$WD_DIR/wdctl status
;;
debug|test-module)
### Test ipt_mark with iptables
test_ipt_mark () {
IPTABLES_OK=$($IPT -A FORWARD -m mark --mark 2 -j ACCEPT 2>&1 | grep "No chain.target.match")
if [ -z "$IPTABLES_OK" ]; then
$IPT -D FORWARD -m mark --mark 2 -j ACCEPT 2>&1
echo 1
else
echo 0
fi
}
### Test ipt_mac with iptables
test_ipt_mac () {
IPTABLES_OK=$($IPT -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT 2>&1 | grep "No chain.target.match")
if [ -z "$IPTABLES_OK" ]; then
$IPT -D INPUT -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT 2>&1
echo 1
else
echo 0
fi
}
### Test ipt_REDIRECT with iptables
test_ipt_REDIRECT () {
IPTABLES_OK=$($IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 2060 2>&1 | grep "No chain.target.match")
if [ -z "$IPTABLES_OK" ]; then
$IPT -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 2060 2>&1
echo 1
else
echo 0
fi
}
### Find a module on disk
module_exists () {
echo " Looking for a module on disk"
EXIST=$(find /lib/modules/`uname -r` -name $1.*o 2>/dev/null)
if [ -n "$EXIST" ]; then
echo 1
else
echo 0
fi
}
### Test if a module is in memory
module_in_memory () {
MODULE=$(lsmod | grep $1 | awk '{print $1}')
if [ "$MODULE" = "$1" ]; then
echo 1
else
echo 0
fi
}
echo "Testing for iptables modules"
echo " Testing ipt_mac"
TEST_IPT_MAC=$(test_ipt_mac)
if [ "$TEST_IPT_MAC" = "0" ]; then
echo " iptables is not working with ipt_mac"
echo " Scanning disk for ipt_mac module"
TEST_IPT_MAC_MODULE_EXISTS=$(module_exists "ipt_mac")
if [ "$TEST_IPT_MAC_MODULE_EXISTS" = "0" ]; then
echo " ipt_mac module is missing, please install it (kernel or module)"
exit
else
echo " ipt_mac module exists, trying to load"
insmod ipt_mac > /dev/null
TEST_IPT_MAC_MODULE_MEMORY=$(module_in_memory "ipt_mac")
if [ "$TEST_IPT_MAC_MODULE_MEMORY" = "0" ]; then
echo " Error: ipt_mac not loaded"
exit
else
echo " ipt_mac loaded sucessfully"
fi
fi
else
echo " ipt_mac module is working"
fi
echo " Testing ipt_mark"
TEST_IPT_MARK=$(test_ipt_mark)
if [ "$TEST_IPT_MARK" = "0" ]; then
echo " iptables is not working with ipt_mark"
echo " Scanning disk for ipt_mark module"
TEST_IPT_MARK_MODULE_EXISTS=$(module_exists "ipt_mark")
if [ "$TEST_IPT_MARK_MODULE_EXISTS" = "0" ]; then
echo " iptables ipt_mark module missing, please install it (kernel or module)"
exit
else
echo " ipt_mark module exists, trying to load"
insmod ipt_mark
TEST_IPT_MARK_MODULE_MEMORY=$(module_in_memory "ipt_mark")
if [ "$TEST_IPT_MARK_MODULE_MEMORY" = "0" ]; then
echo " Error: ipt_mark not loaded"
exit
else
echo " ipt_mark loaded sucessfully"
fi
fi
else
echo " ipt_mark module is working"
fi
##TODO: This will not test if required iptables userspace (iptables-mod-nat on Kamikaze) is installed
echo " Testing ipt_REDIRECT"
TEST_IPT_MAC=$(test_ipt_REDIRECT)
if [ "$TEST_IPT_MAC" = "0" ]; then
echo " iptables is not working with ipt_REDIRECT"
echo " Scanning disk for ipt_REDIRECT module"
TEST_IPT_MAC_MODULE_EXISTS=$(module_exists "ipt_REDIRECT")
if [ "$TEST_IPT_MAC_MODULE_EXISTS" = "0" ]; then
echo " ipt_REDIRECT module is missing, please install it (kernel or module)"
exit
else
echo " ipt_REDIRECT module exists, trying to load"
insmod ipt_REDIRECT > /dev/null
TEST_IPT_MAC_MODULE_MEMORY=$(module_in_memory "ipt_REDIRECT")
if [ "$TEST_IPT_MAC_MODULE_MEMORY" = "0" ]; then
echo " Error: ipt_REDIRECT not loaded"
exit
else
echo " ipt_REDIRECT loaded sucessfully"
fi
fi
else
echo " ipt_REDIRECT module is working"
fi
;;
*)
echo "Usage: $0 {start|stop|restart|reload|status|test-module}"
exit 1
;;
esac
9.在安卓平臺源碼中增加文件拷貝項夹攒,在編譯時將init.d目錄連同底下的wifidog啟動腳本復(fù)制至/system/etc目錄中蜘醋。不同平臺路徑不完全一樣,此處就不寫我的路徑了咏尝,具體方式可參考各平臺的說明
10.增加開機自啟動wifidog的功能压语,修改安卓平臺的init腳本
增加以下內(nèi)容
on post-fs-data節(jié)點下增加:
chmod 0777 /etc/init.d/wifidog #為了給啟動腳本增加執(zhí)行權(quán)限
增加服務(wù)啟動:
service wifiDog /system/etc/init.d/wifidog start
class late_start
user root
group root
oneshot
10.移植完成佛呻,開始愉快的編譯安卓源碼吧财著。
