Croc
just joined
Topic Author
Posts: 2
Joined: Mon Aug 06, 2018 11:22 am

HTTPS & Force to login from devices

Mon Aug 06, 2018 11:52 am

Hi there,
I'm new to the hotspot world and I have some questions.

I have set up a hotspot with an external website login page with socials (Facebook/Google), ex: company.mydomain.com
Also, I have created a wildcard certificate with Let's Encrypt and it is trusted.
My DNS name is login.mydomain.com

So everything is working great with HTTPS.

Some questions / problems
1) I use the walled garden to allow traffic to Facebook and Google so that clients are able to log in, so I have allowed
*fbcdn.*, *facebook.*, *google*, *gstatic.com (in reality I have stricter rules, using the deny rule for video/playstore/facebook content)

The problem is that sometimes, when the user visits a domain like https://ebay.com, they are not redirected to the login page (Untrusted SSL), and sometimes with other websites (https) they are redirected.
This is strange, right? On another router using only Facebook login, this (redirect to login.mydomain.com) works great on any website. Any clue?

2) At airports, when you connect to Wi-Fi, it automatically pops up the login page or a message to go to login. As far as I know, Google uses connectivitycheck.gstatic.com or clients3.google.com.
Should this be blocked or not? There is different behaviour on Android / desktop (Chrome/Firefox react differently). How have you solved this issue?

3) Can I block all traffic on 443 (excluding google/facebook/mydomain.com) and force it to be redirected to login.mydomain.com?
I think this way users will never again see untrusted SSL for websites.
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: HTTPS & Force to login from devices

Mon Aug 06, 2018 4:34 pm

Of course you should not block that page, which the devices check. How will they know that a popup must be shown? Apple also uses various domains, to see if you have internet, or if there is a login page. This is what makes the popups work, and you won't have the problems with https webpages also.

This is how it works:

1. User device, depending on brand, checks their secret webpage for special text.
2. User device finds that the secret text is not there, but there is some login form.
3. User device makes a popup and shows your login form.

This happens BEFORE the user tries to open an HTTPS webpage, so the issue doesn't even happen.
 
R1CH
Forum Guru
Posts: 1099
Joined: Sun Oct 01, 2006 11:44 pm

Re: HTTPS & Force to login from devices

Mon Aug 06, 2018 5:48 pm

Allowing *google* and gstatic.com will likely break captive portal detection on client devices.
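
An added example, not part of any post in this thread: a small audit that checks which connectivity-check hosts named above slip through a walled-garden allow list. It assumes a simplified model (first matching rule wins, `allow` passes traffic without login, `deny` requires login) and uses Python's `fnmatch` as a stand-in for the router's wildcard matching; the function names and the "fixed" rule order are hypothetical.

```python
from fnmatch import fnmatchcase

# Connectivity-check hosts named in the thread.
PROBE_HOSTS = ["connectivitycheck.gstatic.com", "clients3.google.com"]

# Allow patterns quoted in the original post.
THREAD_RULES = [("allow", p) for p in
                ["*fbcdn.*", "*facebook.*", "*google*", "*gstatic.com"]]

# Constructed alternative: probe hosts require login and are listed first,
# so the broad allows below never see them (assumed first-match-wins order).
FIXED_RULES = [("deny", h) for h in PROBE_HOSTS] + THREAD_RULES


def first_match(rules, host):
    """Return (action, pattern) of the first rule matching host, else None."""
    host = host.lower()
    for action, pattern in rules:
        if fnmatchcase(host, pattern.lower()):
            return action, pattern
    return None


def bypassed_probes(rules, probes=PROBE_HOSTS):
    """Map each probe host reachable without login to the rule allowing it.

    A probe that gets a real answer before login tells the device it is
    online, so no captive-portal popup is shown.
    """
    found = {}
    for host in probes:
        hit = first_match(rules, host)
        if hit is not None and hit[0] == "allow":
            found[host] = hit[1]
    return found


if __name__ == "__main__":
    for name, rules in (("thread rules", THREAD_RULES),
                        ("probes denied first", FIXED_RULES)):
        leaks = bypassed_probes(rules)
        print(f"{name}: {len(leaks)} probe host(s) bypass the portal")
        for host, pattern in leaks.items():
            print(f"  {host} allowed by {pattern}")
```
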
