
# The options available here are an adaptation of the settings used in nodogsplash.conf.
# See https://github.com/nodogsplash/nodogsplash/blob/master/resources/nodogsplash.conf

config nodogsplash
  # Set to 0 to disable nodogsplash
  option enabled 1

  # Set to 0 to disable hook that makes nodogsplash restart when the firewall restarts.
  # This hook is needed as a restart of Firewall overwrites nodogsplash iptables entries.
  option fwhook_enabled '1'

  # Nodogsplash comes preconfigured for two basic modes of operation
  # 1. A simple static splash page (splash.html) with template variables and click to continue (enabled by default)
  # 2. A simple login page requiring username and email address to be entered. (enabled by uncommenting the following line)

  #option preauth '/usr/lib/nodogsplash/login.sh'

  # Both modes may be customised or a full custom system can be developed using FAS and BinAuth
  # See documentation at: https://nodogsplashdocs.readthedocs.io/

  # WebRoot
  # Default: /etc/nodogsplash/htdocs
  #
  # The local path where the splash page content resides.
  # ie. Serve the file splash.html from this directory
  #option webroot '/etc/nodogsplash/htdocs'

  # Use plain configuration file
  #option config '/etc/nodogsplash/nodogsplash.conf'

  # Use this option to set the device nodogsplash will bind to.
  # The value may be an interface section in /etc/config/network or a device name such as br-lan.
  option gatewayinterface 'br-lan'

  # GatewayPort
  # Default: 2050
  #
  # Nodogsplash's own http server uses gateway address as its IP address.
  # The port it listens to at that IP can be set here; default is 2050.
  #
  #option gatewayport '2050'


  option gatewayname 'OpenWrt Nodogsplash'
  option maxclients '250'

  # Enables debug output (0-3)
  # Default: 1
  # 0 : Silent (only LOG_ERR and LOG_EMERG messages will be seen, otherwise there will be no logging.)
  # 1 : LOG_ERR, LOG_EMERG, LOG_WARNING and LOG_NOTICE (this is the default level).
  # 2 : debuglevel 1  + LOG_INFO
  # 3 : debuglevel 2 + LOG_DEBUG
  #option debuglevel '1'

  # Client timeouts in minutes
  option preauthidletimeout '30'
  option authidletimeout '120'
  # Session Timeout is the interval after which clients are forced out (a value of 0 means never)
  option sessiontimeout '1200'

  # The interval in seconds at which nodogsplash checks client timeout status
  option checkinterval '600'

  # Enable BinAuth Support.
  # If set, a program is called with several parameters on authentication (request) and deauthentication.
  # Request for authentication:
  # $<BinAuth> auth_client <client_mac> '<username>' '<password>'
  #
  # The username and password values may be empty strings and are URL encoded.
  # The program is expected to output the number of seconds the client
  # is to be authenticated. Zero or negative seconds will cause the authentification request
  # to be rejected. The same goes for an exit code that is not 0.
  # The output may contain a user specific download and upload limit in KBit/s:
  # <seconds> <upload> <download>
  #
  # Called on authentication or deauthentication:
  # $<BinAuth> <*auth|*deauth> <incoming_bytes> <outgoing_bytes> <session_start> <session_end>
  #
  # "client_auth": Client authenticated via this script.
  # "client_deauth": Client deauthenticated by the client via splash page.
  # "idle_deauth": Client was deauthenticated because of inactivity.
  # "timeout_deauth": Client was deauthenticated because the session timed out.
  # "ndsctl_auth": Client was authenticated manually by the ndsctl tool.
  # "ndsctl_deauth": Client was deauthenticated by the ndsctl tool.
  # "shutdown_deauth": Client was deauthenticated by Nodogsplash terminating.
  #
  # Values session_start and session_start are in seconds since 1970 or 0 for unknown/unlimited.
  #
  #option binauth '/bin/myauth.sh'

  # Enable Forwarding Authentication Service (FAS)
  # If set redirection is changed from splash.html to a FAS (provided by the system administrator)
  # The value is the IP port number of the FAS
  # Note: if FAS is running locally (ie fasremoteip is NOT set), port 80 cannot be used.
  #
  # Typical Remote Shared Hosting Example:
  #option fasport '80'
  #
  # Typical Locally Hosted example (ie fasremoteip not set):
  #option fasport '2080'

  # Option: fasremotefqdn
  # Default: Not set
  # If set, this is the remote fully qualified domain name (FQDN) of the FAS.
  # The protocol must NOT be prepended to the FQDN (ie http:// or https://)
  # To prevent CPD or browser security errors NDS prepends http:// before redirection.
  # If set, DNS MUST resolve fasremotefqdn to be the same ip address as fasremoteip.
  # Typical Remote Shared Hosting Example:
  #option fasremotefqdn 'onboard-wifi.net'

  # Option: fasremoteip
  # Default: GatewayAddress (the IP of NDS)
  # If set, this is the remote ip address of the FAS.
  #
  # Typical Remote Shared Hosting Example:
  #option fasremoteip '46.32.240.41'

  # Option: faspath
  # Default: /
  # This is the path from the FAS Web Root to the FAS login page
  # (not the file system root).
  #
  # Typical Remote Shared Hosting Example (if fasremotefqdn is not specified):
  #option faspath '/onboard-wifi.net/nodog/fas.php'
  #
  # Typical Remote Shared Hosting Example (ie BOTH fasremoteip AND fasremotefqdn set):
  #option faspath '/nodog/fas.php'
  #
  # Typical Locally Hosted Example (ie fasremoteip not set):
  #option faspath '/nodog/fas.php'

  # Option: faskey
  # Default: not set
  # A key phrase for NDS to encrypt the query string sent to FAS
  # Can be any combination of A-Z, a-z and 0-9, up to 16 characters with no white space
  #option faskey '1234567890'

  # Option: fas_secure_enabled
  # Default: 1
  #
  # ****If set to "0"****
  # the client token is sent to the FAS in clear text in the query string of the
  # redirect along with authaction and redir.
  #
  # ****If set to "1"****
  # authaction and the client token are not revealed and it is the responsibility
  # of the FAS to request the token from NDSCTL.
  #
  # *****If set to 2****
  # clientip, clientmac, gatewayname, client token, gatewayaddress, authdir and originurl
  # are encrypted using faskey and passed to FAS in the query string.
  #
  # The query string will also contain a randomly generated initialization vector to be used by the FAS for decryption.
  #
  # The "php-cli" package and the "php-openssl" module must both be installed for fas_secure level 2.
  #
  # Nodogsplash does not depend on this package and module, but will exit gracefully
  # if this package and module are not installed when this level is set.
  #
  # The FAS must use the query string passed initialisation vector and the pre shared fas_key to decrypt the query string.
  # An example FAS php script is supplied in the source code.
  #
  #option fas_secure_enabled '0'

  # Enable PreAuth Support.
  # PreAuth support allows FAS to call a local program or script with html served by NDS
  #
  # A PreAuth login script is installed by default providing
  # username/emailaddress login as an alternative to the basic splash page.
  #
  # This generates a login page asking for usename and email address.
  # User logins are recorded in the log file /tmp/ndslog.log
  # Details of how the script works are contained in comments in the script itself.
  #
  # If set, a program/script is called by the NDS FAS handler
  # All other FAS settings will be overidden.
  #
  # Initially FAS appends its query string to faspath.
  #
  # The Preauth program will output html code that will be served to the client by NDS
  # Using html GET the Preauth program may call:
  # /nodogsplash_preauth/ to ask the client for more information
  # or
  # /nodogsplash_auth/ to authenticate the client
  #
  # The Preauth program should append at least the client ip to the query string
  # (using html input type hidden) for all calls to /nodogsplash_preauth/
  # It must also obtain the client token using ndsctl
  # for NDS authentication when calling /nodogsplash_auth/
  #

  ################################################################################
  # Enable Default PreAuth login script
  ################################################################################
  # Enable by uncommenting the following line.
  #option preauth '/usr/lib/nodogsplash/login.sh'
  ################################################################################
  #
  ################################################################################

  # Your router may have several interfaces, and you
  # probably want to keep them private from the gatewayinterface.
  # If so, you should block the entire subnets on those interfaces, e.g.:
  #list authenticated_users 'block to 192.168.0.0/16'
  #list authenticated_users 'block to 10.0.0.0/8'

  # Typical ports you will probably want to open up.
  #list authenticated_users 'allow tcp port 22'
  #list authenticated_users 'allow tcp port 53'
  #list authenticated_users 'allow udp port 53'
  #list authenticated_users 'allow tcp port 80'
  #list authenticated_users 'allow tcp port 443'
  # Or for happy customers allow all
  list authenticated_users 'allow all'

  # For preauthenticated users:
  #
  # *****IMPORTANT*****
  # To help prevent DNS tunnelling and DNS Hijacking DO NOT uncomment the following two lines:
  #list preauthenticated_users 'allow tcp port 53'
  #list preauthenticated_users 'allow udp port 53'

  # Allow preauthenticated users to access an external IP address
  # This is commonly referred to as a Walled Garden.
  # Only IPv4 addresses can be used (not domain names) 
  #list preauthenticated_users 'allow tcp port 80 to 112.122.123.124'
  #list preauthenticated_users 'allow udp port 8020 to 112.122.123.124'
  #
  # Alternatively, a preconfigured ipset can be used:
  #list preauthenticated_users 'allow tcp port [port number] ipset [ipset rule name]'

  # Allow ports for SSH/Telnet/DNS/DHCP/HTTP/HTTPS
  list users_to_router 'allow tcp port 22'
  list users_to_router 'allow tcp port 23'
  list users_to_router 'allow tcp port 53'
  list users_to_router 'allow udp port 53'
  list users_to_router 'allow udp port 67'
  list users_to_router 'allow tcp port 80'
  list users_to_router 'allow tcp port 443'

  # MAC addresses that are / are not allowed to access the splash page
  # Value is either 'allow' or 'block'. The allowedmac or blockedmac list is used.
  #option macmechanism 'allow'
  #list allowedmac '00:00:C0:01:D0:0D'
  #list allowedmac '00:00:C0:01:D0:1D'
  #list blockedmac '00:00:C0:01:D0:2D'

  # MAC addresses that do not need to authenticate
  #list trustedmac '00:00:C0:01:D0:1D'

  # Nodogsplash uses specific HEXADECIMAL values to mark packets used by iptables as a bitwise mask.
  # This mask can conflict with the requirements of other packages such as mwan3, sqm etc
  # Any values set here are interpreted as in hex format.
  #
  # List: fw_mark_authenticated
  # Default: 30000 (0011|0000|0000|0000|0000 binary)
  #
  # List: fw_mark_trusted
  # Default: 20000 (0010|0000|0000|0000|0000 binary)
  #
  # List: fw_mark_blocked
  # Default: 10000 (0001|0000|0000|0000|0000 binary)
  #
  #list fw_mark_authenticated '30000'
  #list fw_mark_trusted '20000'
  #list fw_mark_blocked '10000'

