Manual:Hotspot HTTPS example: Difference between revisions

From MikroTik Wiki
(Created page with "__TOC__ ==Hotspot HTTPs redirect== ===Summary=== In this example you will see how to use SSL certificate to enable HTTPS redirect to your Hotspot login page. It is possible...")
 
No edit summary
Line 5: Line 5:
===Summary===
===Summary===


In this example you will see how to use SSL certificate to enable HTTPS redirect to your Hotspot login page.
Using Hotspot  server without enabled HTTPs login, may result in fail to redirect a client to the Hotspot authentication page if the requested page uses HTTPS protocol. To avoid such scenario, the “HTTPS login” should be enabled.
It is possible to use certification authority (CA) as well as self signed certificates.


===Self signed certificates===
'''Hotspot HTTPs login provides:'''
* Extra security using SSL key encryption.
* Ability to redirect clients from HTTPS URLs.


You can generate your own free self signed SSL certificate, and use it in your RouterOS.
This page contains information how to use SSL certificate to enable HTTPS login on Hotspot server. It is possible to use trusted certification authority (CA) signed certificate as well as no cost, self-signed certificate.
This page will show detailed steps how to generate, and import such certificates.
 
===Self-signed certificates===
 
Self-signed certificates can be made with no costs, and without public CA involvement. There are multiple free tools available for creating such certificates. The following examples will show how to use OpenSSL on linux machine, and RouterOS CLI to generate and sign your own certificates.
 
RouterOS example:
OpenSSL example:


http://wiki.mikrotik.com/wiki/Manual:Create_Certificates
http://wiki.mikrotik.com/wiki/Manual:Create_Certificates
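Review bot: the new "RouterOS example:" and "OpenSSL example:" labels at the end of this hunk are followed by a single link to Manual:Create_Certificates, so neither label leads to its own example. Give each label its own link or section anchor, or drop the labels and introduce the link with one sentence. The added summary text also mixes "HTTPs" and "HTTPS"; pick one spelling and use it throughout.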
Line 18: Line 25:


===Certificate authority===
===Certificate authority===
To use HTTPs login without displaying SSL warning on client browser, requires use of
Trusted CA signed certificate. Certificate import procedure is the same as described in previous example.


===Hotspot HTTPs login===
===Hotspot HTTPs login===

Revision as of 19:50, 28 August 2016

Hotspot HTTPs redirect

Summary

Running a Hotspot server without HTTPS login enabled may fail to redirect a client to the Hotspot authentication page when the requested page uses HTTPS. To avoid this, enable “HTTPS login”.

Hotspot HTTPs login provides:

  • Extra security using SSL key encryption.
  • Ability to redirect clients from HTTPS URLs.

This page explains how to use an SSL certificate to enable HTTPS login on a Hotspot server. You can use either a certificate signed by a trusted certification authority (CA) or a no-cost self-signed certificate.

Self-signed certificates

Self-signed certificates can be created at no cost and without involving a public CA. Several free tools are available for creating them. The following examples show how to use OpenSSL on a Linux machine, and the RouterOS CLI, to generate and sign your own certificates.

RouterOS example: OpenSSL example:

http://wiki.mikrotik.com/wiki/Manual:Create_Certificates

Note: With a self-signed certificate, SSL redirect warnings will still be present. This is inherent to the SSL protocol, because the Hotspot captive portal is seen as a man-in-the-middle by SSL.
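An added example (not from the original page or from MikroTik): generating the self-signed pair with OpenSSL on a Linux machine and checking it before it is uploaded to the router. The DNS name hotspot.example.lan, the file base name client and the helper function names are assumptions; `-addext` needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example. Assumed names: hotspot.example.lan, base name "client".

# make_selfsigned <dns-name> <basename> <days>
# Writes <basename>.key (unencrypted RSA-2048) and <basename>.crt (self-signed).
make_selfsigned() {
    (
        umask 077   # key file readable by the owner only
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -days "$3" -subj "/CN=$1" \
            -addext "subjectAltName=DNS:$1" \
            -keyout "$2.key" -out "$2.crt" 2>/dev/null
    )
}

# cert_matches_key <cert.pem> <key.pem>
# Returns 0 only if both files parse and carry the same public key.
cert_matches_key() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# cert_valid_for_days <cert.pem> <days>
# Returns 0 if the certificate is still valid <days> from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage:
#   make_selfsigned hotspot.example.lan client 365 &&
#   cert_matches_key client.crt client.key &&
#   cert_valid_for_days client.crt 30 && echo "ready to upload"
```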


Certificate authority

Using HTTPS login without an SSL warning in the client browser requires a certificate signed by a trusted CA. The certificate import procedure is the same as described in the previous example.

Hotspot HTTPs login

Once the certificate and private key have been imported on the router, first enable the SSL service (www-ssl) and set the name of the certificate in /ip service:

/ip service set www-ssl certificate=client.crt_0 disabled=no

The next step is to enable HTTPS login on your Hotspot:

/ip hotspot profile set hsprof1 login-by=https ssl-certificate=client.crt_0 


Now all HTTPs requests from unauthorised clients will be redirected to your Hotspot login page.

Note: HTTPS sites that use HSTS, such as Google and Facebook, will still show an SSL error and will completely refuse to continue. In that case the end user should try to access a different site.



Full HTTPs Hotspot example
