
I've installed and configured pfSense 2.2.4.

It works well and redirects unauthenticated users to the login page, as long as they use HTTP; but when I type an HTTPS link the redirection doesn't work.

After a lot of searching I found that enabling HTTPS solves the issue, but now I have an issue with certificates, and users will always get that warning saying the web page is not secure, which is unpleasant.

I found Let's Encrypt lately, which gives free certificates, but this requires me to buy a domain name, and for that I might need a public IP (if I understand correctly).

All I need is that when a user is not authenticated and types https://google.com, it redirects them to the login page.

EDIT: more details...

Without HTTPS enabled, if I try to access an HTTP website the redirection works, but if I try HTTPS it just tells me the website is inaccessible, with no redirect. But when I enable HTTPS for the login page, redirection works for both HTTP and HTTPS; however, when the user lands on the login page (say 10.10.5.1/index.php) it is in HTTPS and the user gets the warning about an unsafe website.

1 Answer


In short, this is impossible to avoid. Captive portal systems basically impersonate the real server in order to provide the redirect, and HTTPS is specifically made to prevent such impersonation.

The reason certificates are used in HTTPS is that they act as proof that the server you've connected to actually owns the domain name you entered. When you visit https://google.com the browser wants the server to prove that it is really google.com – and of course your pfSense captive portal server cannot do that, so the browser will always refuse to go any further.

It doesn't matter if you can get a certificate for your own domain and use it for the captive portal – it's still not the same domain that the browser is expecting to see. And it doesn't matter that you want to serve "only" a redirect, not a whole website – it still allows impersonating google.com, so it's still the same kind of security risk.

That said, many browsers and operating systems now perform "captive portal detection" – if they detect that all domains redirect to the same site, then instead of getting the red "bad certificate" message the user often gets a specific "this network requires a login" prompt that directly opens the captive-portal login page. So in many cases the user doesn't actually need to visit anything.

  • That's not the issue. Without HTTPS enabled, if I try to access an HTTP website the redirection works, but if I try HTTPS it just tells me the website is inaccessible, with no redirect. But when I enable HTTPS for the login page, redirection works for both HTTP and HTTPS; however, when the user lands on the login page (say 10.10.5.1/index.php) it is in HTTPS and the user gets the warning about an unsafe website. So IMHO I think a certificate would solve the issue, but again that would require a domain and a public IP....
    – Xsmael
    Commented Mar 6, 2019 at 22:39
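The check the answer describes, as an added example that is not part of the original post: a browser compares the hostname the user typed against the DNS names in the server's certificate (the RFC 6125 matching rules), so a certificate the portal operator can legitimately obtain for their own domain never satisfies a request for google.com. The SAN names below are constructed placeholders, not a real portal's certificate.

```python
# Constructed SAN list for a certificate the portal operator could obtain for
# a domain they control (placeholder names, not a real host).
PORTAL_CERT_SAN = ["portal.example.net", "*.portal.example.net"]


def hostname_matches(requested_host: str, san_dns_names: list[str]) -> bool:
    """Return True if the certificate's DNS names cover requested_host.

    Mirrors the rules browsers apply: case-insensitive exact match, or a
    wildcard that is the entire leftmost label and is followed by at least
    two more labels, so a name like "*.com" can never cover "google.com".
    """
    host_labels = requested_host.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host_labels:
            return True
        if (
            labels[0] == "*"
            and len(labels) >= 3
            and len(labels) == len(host_labels)
            and labels[1:] == host_labels[1:]
        ):
            return True
    return False


def browser_verdict(requested_host: str, san_dns_names: list[str]) -> str:
    """What the browser concludes before it will read any HTTP redirect."""
    if hostname_matches(requested_host, san_dns_names):
        return "ok"
    # Mismatch: the browser aborts the TLS handshake, so the portal's
    # 302 to the login page is never seen by the user.
    return f"hostname mismatch: certificate names {san_dns_names}, not {requested_host}"


if __name__ == "__main__":
    for host in ("google.com", "www.google.com", "portal.example.net"):
        print(host, "->", browser_verdict(host, PORTAL_CERT_SAN))
```

The only certificate that passes for google.com is one naming google.com, which a public CA issues only to whoever controls that domain; this is why a portal certificate (Let's Encrypt or otherwise) fixes the warning on the login page itself but cannot make the intercepted HTTPS request succeed.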
