18

It looks like in iOS 7 the URL that the device sends a request to, to check whether it has an internet connection after connecting to wifi, has changed (for the much worse!).

In iOS 6 and earlier, the request was:

GET /library/test/success.html HTTP/1.0
Host: www.apple.com
User-Agent: CaptiveNetworkSupport/1.0 wispr
Connection: close

(source)

But now in iOS 7, it can access 'up to 200' (according to Cisco).

Having tested this myself, I can confirm the requests randomly go to appleiphonecell.com, captive.apple.com, airport.us, ibook.info among others.

So my question is: Does anyone have a full list of these URLs (maybe it's just every domain Apple own)? We run a captive portal on our wifi, but just to let users know they need to connect to the VPN after connecting to wifi. Clicking 'cancel' on the captive portal login page sometimes presents the option 'use without internet' which will then allow the user to connect to the VPN, but sometimes, clicking 'cancel' doesn't give this option, and just disconnects the wifi connection straight away, which then means the user can't connect to the VPN.

Before, we could just forge a response to the specific URL (library/test/success.html) which would then leave the wifi connected. We could do this again if we had a list of the sites it can access, otherwise we might have to go back to the drawing board with our captive portal! (Or await an iOS 7 update that fixes the option to 'use without internet', which isn't appearing every time.) Think we'll look into doing it based on user agent for now if that's possible.

Edit - wee update: looks like the UA is staying consistent at least, with 'CaptiveNetworkSupport' being the common denominator, so we'll change to UA checking for the time being.

1

5 Answers

7

Interestingly enough, www.appleiphonecell.com and captive.apple.com both currently resolve to Akamai addresses.

~/ > host captive.apple.com
captive.apple.com is an alias for captive.apple.com.edgekey.net.
captive.apple.com.edgekey.net is an alias for e7279.e9.akamaiedge.net.
e7279.e9.akamaiedge.net has address 23.212.87.91

But airport.us and friends resolve directly to Apple's Class A network.

~/ > host airport.us
airport.us has address 17.149.160.87
airport.us has address 17.172.224.81

From these IP addresses you can find many more hostnames that have the same PTR record. Adding the path /library/test/success.html most often results in a direct response or a redirect to the same page on the www.apple.com hostname.

~/ > host 17.149.160.87
87.160.149.17.in-addr.arpa domain name pointer airport.us.
87.160.149.17.in-addr.arpa domain name pointer ibook.info.
87.160.149.17.in-addr.arpa domain name pointer macbookair.net.
87.160.149.17.in-addr.arpa domain name pointer macintosh.me.
87.160.149.17.in-addr.arpa domain name pointer applecare.info.
87.160.149.17.in-addr.arpa domain name pointer macintosh.info.
87.160.149.17.in-addr.arpa domain name pointer itunes.info.
87.160.149.17.in-addr.arpa domain name pointer itunes.us.
87.160.149.17.in-addr.arpa domain name pointer iphoto.us.
87.160.149.17.in-addr.arpa domain name pointer applecare.us.
87.160.149.17.in-addr.arpa domain name pointer macbook.us.
87.160.149.17.in-addr.arpa domain name pointer itunesmobile.com.
87.160.149.17.in-addr.arpa domain name pointer ipod.us.
87.160.149.17.in-addr.arpa domain name pointer itunestelevision.com.
87.160.149.17.in-addr.arpa domain name pointer macosxversions.com.
87.160.149.17.in-addr.arpa domain name pointer itunes.me.
87.160.149.17.in-addr.arpa domain name pointer itunesaircheck.com.
87.160.149.17.in-addr.arpa domain name pointer mac.us.
87.160.149.17.in-addr.arpa domain name pointer macbookair.us.
87.160.149.17.in-addr.arpa domain name pointer ipod.me.
87.160.149.17.in-addr.arpa domain name pointer applestore.info.
87.160.149.17.in-addr.arpa domain name pointer iphone.me.
87.160.149.17.in-addr.arpa domain name pointer osxlionlaunchpad.com.
87.160.149.17.in-addr.arpa domain name pointer macgestures.com.
87.160.149.17.in-addr.arpa domain name pointer macbookair.org.
87.160.149.17.in-addr.arpa domain name pointer mac.info.
87.160.149.17.in-addr.arpa domain name pointer macos.us.
87.160.149.17.in-addr.arpa domain name pointer myipod.net.
87.160.149.17.in-addr.arpa domain name pointer itunesu.net.
87.160.149.17.in-addr.arpa domain name pointer appleiphonecell.com.
87.160.149.17.in-addr.arpa domain name pointer firewire.us.
87.160.149.17.in-addr.arpa domain name pointer airport.info.
87.160.149.17.in-addr.arpa domain name pointer itunesparty.com.
87.160.149.17.in-addr.arpa domain name pointer applecomputer.info.
87.160.149.17.in-addr.arpa domain name pointer appletv.info.
87.160.149.17.in-addr.arpa domain name pointer applecomputers.us.
87.160.149.17.in-addr.arpa domain name pointer idvd.us.
87.160.149.17.in-addr.arpa domain name pointer osx.info.
87.160.149.17.in-addr.arpa domain name pointer macbookair.info.
87.160.149.17.in-addr.arpa domain name pointer itunesu.org.
87.160.149.17.in-addr.arpa domain name pointer itunesuniversity.com.
87.160.149.17.in-addr.arpa domain name pointer imovie.us.
87.160.149.17.in-addr.arpa domain name pointer theapplestore.org.
87.160.149.17.in-addr.arpa domain name pointer macbookpro.org.
87.160.149.17.in-addr.arpa domain name pointer apple.me.
87.160.149.17.in-addr.arpa domain name pointer itools.info.
87.160.149.17.in-addr.arpa domain name pointer thinkdifferent.us.
87.160.149.17.in-addr.arpa domain name pointer thinkdifferent.info.
87.160.149.17.in-addr.arpa domain name pointer macintosh.us.
87.160.149.17.in-addr.arpa domain name pointer ipod.info.
87.160.149.17.in-addr.arpa domain name pointer applescript.us.
87.160.149.17.in-addr.arpa domain name pointer quicktime.info.
87.160.149.17.in-addr.arpa domain name pointer macosxlionairdrop.com.
87.160.149.17.in-addr.arpa domain name pointer itunesshow.com.
87.160.149.17.in-addr.arpa domain name pointer airtunes.net.
87.160.149.17.in-addr.arpa domain name pointer ipod.net.
87.160.149.17.in-addr.arpa domain name pointer macos.info.
87.160.149.17.in-addr.arpa domain name pointer imac.info.
87.160.149.17.in-addr.arpa domain name pointer imac.us.
87.160.149.17.in-addr.arpa domain name pointer appleiosv.com.
87.160.149.17.in-addr.arpa domain name pointer ipodnano.me.
5

In our tests it looked like the CNA also triggers requests with not only "CaptiveNetworkSupport" but a common WebKit User-Agent identifier. Have you actually succeeded in checking only the User-Agent header for CaptiveNetworkSupport?

This is really a mess.

2
  • So far so good with just doing a UA check for 'CaptiveNetworkSupport' with requests. No complaints so far at least. I've got a few log entries I can share if it's helpful, the text won't fit in a comment box though.
    – Goat Karma
    Commented Sep 26, 2013 at 12:41
  • I've only been able to check with one device (iOS 7 iPad), but it has had a generic WebKit user agent so I don't think keying off CaptiveNetworkSupport will work, unfortunately.
    Commented Sep 27, 2013 at 5:00
5

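Check for User Agent 'CaptiveNetworkSupport'. I tested this on my nginx webserver and it works perfectly across all iOS devices.

# Place inside the server (or location) block that handles portal traffic.
# ~* is a case-insensitive regex match against the User-Agent header.
if ($http_user_agent ~* (CaptiveNetworkSupport)) {
    return 200;
}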
4
  • How did you check the UA with nginx?
    – bk138
    Commented Apr 24, 2015 at 16:56
  • 2
    User agent can be checked via $http_user_agent variable. This variable is set by nginx on every incoming request. I have edited my answer
    – dev0z
    Commented Apr 24, 2015 at 17:15
  • Awesome catch all for apple iOS
    – NULL
    Commented Mar 8, 2017 at 21:11
  • 1
    @dev0 Does the return 200 make it go to the nginx local server page? Shouldn't it be return 302 http://signin.localnet/signin.html?
    – NULL
    Commented Mar 10, 2017 at 13:41
2

Add those in
/etc/lighttpd/lighttpd.conf

# Answer Apple's connectivity probes with a local success.html.
# Dots are escaped so they match literally; "aiport" corrected to "airport".
$HTTP["host"] =~ "^(appleiphonecell\.com|captive\.apple\.com|www\.itools\.info|www\.ibook\.info|www\.airport\.us|www\.thinkdifferent\.us|www\.apple\.com)" {
    server.document-root    = "/www/library/test/"
    index-file.names        = ( "success.html" )
    dir-listing.activate    = "disable"
    # Any path that does not exist on disk still gets the success page.
    server.error-handler-404 = "/success.html"
    #accesslog.filename = "/var/log/lighttpd/apple-access.log"
    #server.errorlog = "/var/log/lighttpd/apple-error.log"
    url.rewrite = (
        "^/(.*/)" => "/success.html",
    )
}

Tested on iOS6 & iOS7

0

A workaround has been posted in the form of a configuration for the Lighttpd server:

http://forum.daviddarts.com/read.php?9,8879

That workaround is based on UA checking for CaptiveNetworkSupport - although iOS will also try to load the same long randomized URLs from the Apple website using the WebKit UA.
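
The two approaches discussed in the answers above (matching the CaptiveNetworkSupport User-Agent versus matching the probe hostnames) can be compared on sample requests. This is an added example, not code from any of the posters: the hostname set contains only names mentioned on this page, and every request except the iOS 6 one quoted in the question is constructed.

```python
import re

# Probe hostnames taken from this page; not Apple's complete list.
PROBE_HOSTS = {"www.apple.com", "captive.apple.com", "appleiphonecell.com",
               "www.appleiphonecell.com", "airport.us", "ibook.info"}
CNA_UA = re.compile(r"CaptiveNetworkSupport", re.IGNORECASE)

def parse_request(raw):
    """Split a raw HTTP request head into (method, path, lower-cased headers)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def classify(raw):
    """'ua' = caught by the User-Agent check, 'host-only' = probe hostname
    but a different User-Agent, 'none' = ordinary traffic."""
    _method, _path, headers = parse_request(raw)
    if CNA_UA.search(headers.get("user-agent", "")):
        return "ua"
    host = headers.get("host", "").lower().split(":")[0]  # drop any :port
    return "host-only" if host in PROBE_HOSTS else "none"

# Sample requests. "ios6" is the probe quoted in the question; the rest are
# constructed (paths and WebKit/browser User-Agent strings are made up).
SAMPLES = {
    "ios6": "GET /library/test/success.html HTTP/1.0\r\nHost: www.apple.com\r\n"
            "User-Agent: CaptiveNetworkSupport/1.0 wispr\r\nConnection: close\r\n\r\n",
    "ios7_cna": "GET /Zx81QpLm/k2.html HTTP/1.0\r\nHost: captive.apple.com\r\n"
                "User-Agent: CaptiveNetworkSupport/1.0 wispr\r\n\r\n",
    "ios7_webkit": "GET /Zx81QpLm/k2.html HTTP/1.1\r\nHost: ibook.info\r\n"
                   "User-Agent: Mozilla/5.0 (iPad) AppleWebKit (constructed)\r\n\r\n",
    "browser": "GET / HTTP/1.1\r\nHost: example.org\r\n"
               "User-Agent: Mozilla/5.0 (constructed)\r\n\r\n",
}

def missed_by_ua_check(samples):
    """Names of probe-host requests that a UA-only rule would not answer."""
    return sorted(n for n, raw in samples.items() if classify(raw) == "host-only")

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {classify(raw)}")
    print("missed by UA-only rule:", missed_by_ua_check(SAMPLES))
```

Running the same classification over a portal's own access log shows whether the WebKit-UA requests reported in the comments occur on that network before committing to a UA-only rule.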
