Final Year Project

Date post: 22-Nov-2014
Upload: rahuldevan
Page 1: Final Year Project

D-Link Wi-Fi Hotspot Management

Dissertation

Submitted in partial fulfillment of the requirements

For the degree of

B.E. (Computer Engineering)

By

Hanish Dhume (Seat No. : 0167)

Rahul Devan (Seat No. : 0166)

Reuben D’Mello (Seat No. : 0162)

Madhura Gaunekar (Seat No. : 0170)

Internal Guide: Prof. A. U. Bapat

External Guide: Mr. Dilesh Acharya

Department of Computer Engineering

Goa College of Engineering

(Government of Goa)

Goa University

(2008)

CERTIFICATE

DEPARTMENT OF COMPUTER ENGINEERING

GOA COLLEGE OF ENGINEERING

(GOA UNIVERSITY) Farmagudi, Ponda – Goa.

This is to certify that the Final Year Project titled:

D-Link Wi-Fi Hotspot Management

Has been successfully completed by:

Hanish Dhume (Seat No.: 0167)

Rahul Devan (Seat No.: 0166)

Reuben D’Mello (Seat No.: 0162)

Madhura Gaunekar (Seat No.: 0170)

B.E. (Computer Engineering) Semester –VIII

2007-2008

Under the Guidance of:

Mr. A. U. Bapat
Assistant Professor,
Department of Computer Engineering,
Goa College of Engineering.
(Internal Guide)

Mr. Dilesh Acharya
Area Manager Sales,
D-Link India Limited,
Verna – Goa.
(External Guide)

Approval Sheet

This is to certify that the following students have been admitted to the candidacy of degree (Computer Engineering) in July – 2004 and they have undertaken the thesis / dissertation entitled “Wi-Fi Hotspot Management” which is approved for the degree of B.E. (Computer Engineering) under Goa University, as it is found satisfactory.

Hanish Dhume (Seat No.: 0167)

Rahul Devan (Seat No.: 0166)

Reuben D’Mello (Seat No.: 0162)

Madhura Gaunekar (Seat No.: 0170)

Examiners

__________________ (External Examiner)

__________________ (Internal Examiner)

Guides

_____________________
Dr. J. A. Laxminarayana
Head of Department,
Department of Computer Engineering,
Goa College of Engineering,
Farmagudi – Goa.

_____________________
Mr. A. U. Bapat
(Internal Guide)

_____________________
Mr. Dilesh Acharya
(External Guide)

Date:_____________

Place:_____________

Project Completion Certificate

DEDICATION SHEET

This thesis is dedicated to our parents, guides, teachers, friends and other acquaintances, who have been there for us in the thick and thin of the implementation of this project.

ACKNOWLEDGEMENTS

We would like to express our deep gratitude to our external guide Mr. Dilesh Acharya (D-Link India Limited), Mr. Nitesh Naik and Mr. Myron Rodrigues, who spent their precious time in order to guide and support us in carrying out our project work.

We also express our sincere gratitude to Prof. A. U. Bapat, our internal guide, who rendered guidance and motivated us during the tenure. Our special thanks go to the Head of Department, Dr. J. A. Laxminarayana, for allowing us to work in the laboratories at our convenience and providing us with the necessary facilities.

A special thanks to Mr. Prasad Borkar (Zuari Industries Limited) and Mr. Stanley Thomas (Online Productivity Solutions Private Limited) for their help and ideas.

We also thank all the lecturers and lab assistants of the Department of Computer Engineering, who were always ready to help.

And finally, we would like to thank God for His blessings, and our families, teachers and friends for their constant encouragement and appreciation.

ABSTRACT

Stiff competition in global markets, the world-wide movement towards globalization and similar factors draw the attention of every core sector to change its perception of business and business strategies. This prevailing scenario forces one to concentrate on certain areas like marketing of products and giving extra benefits to clients. Effective utilization and management of technologies can be used to address these issues and accomplish the objectives of an organization.

The project consists of setting up a Wi-Fi Hotspot and developing a supporting Software Suite for the Marketing Division of D-Link India Ltd. It needs to adhere to all the objectives and constraints set by them.

Our project will be an integral part of a new advertising strategy to be implemented by D-Link India Ltd. (Goa). The marketing strategy will be used to promote D-Link Wi-Fi products. Clients will be allowed to use the free wireless Internet service, provided they read the product advertising pages first. The software suite would provide D-Link with detailed information about the usage patterns of their clients.

We have achieved and surpassed all the objectives set by D-Link through our innovative design and implementation. We have used a proxy server and the Web Proxy Auto-Discovery (WPAD) Protocol to implement the mandatory steps. We have made the entire system very easy to use, incorporated extensive monitoring and control by the administrator and kept the client-side requirements to the absolute minimum.

Contents

Title Page No.

List of Figures ix

List of Tables ix

Chapter 1 Introduction 1-2

1.1 Problem Definition 1

1.1.1 Objectives 1

1.2 About Wi-Fi 2

1.2.1 Innovativeness and Usefulness 2

Chapter 2 Analysis: Software 3-9

2.1 Apache Tomcat 3

2.2 Squid Proxy Server Configuration 5

2.2.1 Squid Configuration 5

2.2.2 Starting, Stopping and Restarting Squid 5

2.3 Java Server Pages (JSP) 6

2.4 Web Proxy Auto-Discovery (WPAD) 7

2.5 MySQL 8

2.6 Java Database Connectivity 9

Chapter 3 Analysis: Hardware 10-20

3.1 Wireless LAN Applications and Deployments 10

3.2 Wireless Distribution System 11

3.2.1 Advantages of WDS 11

3.2.2 Disadvantages of WDS 11

3.2.3 Steps in Traffic Flow in WDS 12

3.3 Wireless LAN Standards 13

3.4 DWL – 3200 Access Point 13

3.5 Power-over-Ethernet 15

3.5.1 Single-port DC Voltage Injectors 15

3.5.2 Active Ethernet Switches 15

3.6 Wireless LAN Security 16

3.6.1 Wired Equivalent Privacy (WEP) 16

3.6.2 Wi-Fi Protected Access (WPA) 16

3.7 Site Survey 16

3.7.1 Preparing for a Site Survey 16

3.7.2 Conducting a Site Survey 18

Chapter 4 Design 21-26

4.1 Our Proposal 21

4.2 Benefits of Our Design 21

4.3 Data Flow Diagram (DFD) 22

4.3.1 DFD Notations 22

4.3.2 DFD Symbols 22

4.4 Table Schema 25

4.5 Client Server Interface 26

Chapter 5 Implementation 27-33

5.1 System Configuration 27

5.2 Running the Project 27

Chapter 6 Testing 34-35

6.1 Test Case 1 34

6.2 Test Case 2 34

6.3 Test Case 3 35

6.4 Test Case 4 35

Chapter 7 Conclusion 36

Bibliography 37

Appendix A1-A19

List of Figures

Figure No. Title Page No.

2.1 Block diagram of Apache Tomcat placement 3

2.2 Directory Structure of Apache Tomcat 4

2.3 Life-cycle of a JSP 6

3.1 Wireless Distribution System 11

3.2 Steps in Traffic Flow in WDS 12

3.3 DWL-3200AP 13

3.4 Single-port DC Voltage Injectors 15

3.5 Active Ethernet Switches 15

3.6 Signal-to-noise ratio graph 20

4.1 DFD for Administrator module 23

4.2 DFD for Client module 24

4.3 Client Server Interface 26

5.1 Authentication Screen 28

5.2 Welcome page 28

5.3 D-Link Product Advertisement Pages 29

5.4 Registration Page 30

5.5 Administrator Login 31

5.6 Administrator Options 31

5.7 Network Usage Report 32

5.8 Squid Proxy Report 32

5.9 Select Records by Date 33

List of Tables

Table No. Title Page No.

2.1 Starting, Stopping and Restarting Squid 5

4.1 Database Table Schema 25

Chapter 1

Introduction

Problem Definition

About Wi-Fi

1.1 Problem Definition

To set up a Wi-Fi Hotspot Management System (from site survey to installation and administration) across the four campuses of D-Link (India) Private Limited at Verna, Goa.

Marketing Strategy – Any client with a Wi-Fi enabled laptop should be allowed to use the Internet for free, provided he/she compulsorily views the product advertising pages first.

1.1.1 Objectives

Setting up the Wi-Fi hotspot from site survey to installation and administration.

Developing a suite for managing users’ access to the Wi-Fi network with some special features like:

1. It should have mandatory steps that take users through certain D-Link product information before they can access the Internet.

2. Track the number and usage duration of users logged in to the Wi-Fi hotspot.

3. Control bandwidth available to users

4. Generate reports (preferably in MS Excel format)

1.2 About Wi-Fi

Wi-Fi® is a wireless technology brand owned by the Wi-Fi Alliance, intended to improve the interoperability of wireless local area network products based on the IEEE 802.11 standards.

A Wi-Fi enabled device such as a PC, cell phone or PDA can connect to the Internet when within range of a wireless network connected to the Internet. The area covered by one or several interconnected access points is called a hotspot. Hotspots can cover as little as a single room with wireless-opaque walls or as much as many square miles covered by overlapping access points.

Business and industrial Wi-Fi is widespread as of 2007. In business environments, increasing the number of Wi-Fi access points provides redundancy, support for fast roaming and increased overall network capacity by using more channels or creating smaller cells. Wi-Fi enables wireless voice applications (VoWLAN or WVOIP). Outdoor applications utilize true mesh topologies. As of 2007 Wi-Fi installations can provide a secure computer networking gateway, firewall, DHCP server, intrusion detection system, and other functions.

1.2.1 Innovativeness and Usefulness

Wi-Fi allows LANs to be deployed without cabling for client devices, typically reducing the costs of network deployment and expansion. Spaces where cables cannot be run, such as outdoor areas and historical buildings, can host wireless LANs.

As of 2007 wireless network adapters are built into most modern laptops. The price of chipsets for Wi-Fi continues to drop, making it an economical networking option included in ever more devices. Wi-Fi has become widespread in corporate infrastructures, which also helps with the deployment of RFID technology that can piggyback on Wi-Fi.

Different competitive brands of access points and client network interfaces are interoperable at a basic level of service. Products designated as "Wi-Fi Certified" by the Wi-Fi Alliance are backwards interoperable. Wi-Fi is a global set of standards.

Wi-Fi Protected Access (WPA) is not easily cracked if strong passwords are used, and WPA2 encryption has no known weaknesses. New protocols for Quality of Service (Wi-Fi Multimedia, i.e. WMM) make Wi-Fi more suitable for latency-sensitive applications (such as voice and video), and power saving mechanisms (WMM Power Save) improve battery operation.

Chapter 2

Analysis: Software

Apache Tomcat

Squid

Java Server Pages

WPAD

MySql

JDBC

2.1 Apache Tomcat

Apache Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and Java Server Pages technologies. Apache Tomcat is developed in an open and participatory environment.

Figure 2.1: Block diagram of Apache Tomcat placement

WEB APPLICATION:

Directory structure:

A Web Application is organized under a directory hierarchy. The root of this hierarchy defines the document root of your Web Application.

Figure 2.2: Directory Structure of Apache Tomcat

Private files are placed in the WEB-INF directory, under the root directory. All files under WEB-INF are private and are not served to a client.

DefaultWebApp/
Place your static files, such as HTML files and JSP files, in the directory that is the document root of your Web Application. In the default installation of the server, this directory is called DefaultWebApp, under user_domains/mydomain/applications.

DefaultWebApp/WEB-INF/web.xml
The Web Application deployment descriptor that configures the Web Application.

DefaultWebApp/WEB-INF/classes
Contains server-side classes such as HTTP servlets and utility classes.

DefaultWebApp/WEB-INF/lib
Contains JAR files used by the Web Application, including JSP tag libraries.

2.2 Squid Proxy Server Configuration

Squid is an Internet proxy server that can be used within a network to share one Internet connection among all the computers on that network. One central computer, connected to the Internet by any means (dial-up, cable modem, ISDN, DSL or T1), runs Squid and thus acts as the gateway and firewall to the Internet. Because it is a proxy, it can log every user action, such as the URLs visited. Squid has many configurable features.

2.2.1 Squid Configuration

Squid reads its configuration from the file squid.conf, usually located in the /etc/squid directory. Access through the proxy can be granted to individual IP addresses or to a whole subnet.

In squid.conf, find the default access control lists (acl) and add one of the following lines below them:

    acl mynetwork src 192.168.1.0/255.255.255.0      (for the whole subnet)
    acl mynetwork src 192.168.1.10/255.255.255.255   (for a single IP address)

Then add the access control list named "mynetwork" to the http_access rules with the following line:

    http_access allow mynetwork

This line must appear before the final http_access deny all rule that the default configuration ends with, because Squid evaluates http_access rules in order and the first matching rule decides.

The default port for the proxy is 3128. Uncomment the following line and replace 3128 with the desired port:

    http_port 3128

2.2.2 Starting, Stopping and Restarting Squid

    Start squid     /etc/rc.d/init.d/squid start
    Restart squid   /etc/rc.d/init.d/squid restart
    Stop squid      /etc/rc.d/init.d/squid stop

Table 2.1: Starting, stopping and restarting Squid
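The per-URL log that Squid writes is what the usage-tracking and reporting objectives of Chapter 1 rest on. The following is an added example, not code from the dissertation, that folds Squid's default ("native") access.log format into a per-client usage summary (requests, denied requests, bytes, time between first and last request, distinct hosts); the log lines are constructed, and the report layout is my own.

```python
"""Per-client usage summary from Squid's native access.log.

Added example, not part of the dissertation. Squid's native log line is:
  time.ms  elapsed  client  result/status  bytes  method  URL  ident  hierarchy/peer  type
Lines are written when a request completes, so they are not strictly ordered
by time; the code tracks min/max timestamps instead of assuming order, and
skips lines it cannot parse rather than aborting the whole report.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample log (RFC 1918 clients, documentation-range origin servers).
SAMPLE_LOG = """\
1207132800.123    245 192.168.1.10 TCP_MISS/200 5120 GET http://example.com/ads/page1.html - DIRECT/203.0.113.5 text/html
1207132830.456     90 192.168.1.10 TCP_HIT/200 20480 GET http://example.com/ads/page2.html - NONE/- text/html
1207133400.789    410 192.168.1.10 TCP_MISS/200 102400 GET http://news.example.net/index.html - DIRECT/203.0.113.9 text/html
1207132900.000      5 192.168.1.22 TCP_DENIED/403 1400 GET http://news.example.net/ - NONE/- text/html
1207132960.500    300 192.168.1.22 TCP_MISS/200 8192 GET http://example.com/ads/page1.html - DIRECT/203.0.113.5 text/html
this line is not a squid record and must be skipped
"""


@dataclass
class ClientUsage:
    first_seen: float
    last_seen: float
    requests: int = 0
    denied: int = 0
    bytes_served: int = 0
    hosts: Set[str] = field(default_factory=set)

    @property
    def online_seconds(self) -> float:
        """Time between the client's first and last request."""
        return self.last_seen - self.first_seen


def parse_line(line: str) -> Optional[Tuple[float, str, str, int, str]]:
    """Return (timestamp, client, result, bytes, url), or None for a malformed line."""
    parts = line.split()
    if len(parts) < 7:
        return None
    try:
        timestamp = float(parts[0])
        size = int(parts[4])
    except ValueError:
        return None
    return timestamp, parts[2], parts[3], size, parts[6]


def aggregate(lines: Iterable[str]) -> Dict[str, ClientUsage]:
    """Fold log lines into one ClientUsage record per client IP address."""
    usage: Dict[str, ClientUsage] = {}
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        timestamp, client, result, size, url = record
        entry = usage.get(client)
        if entry is None:
            entry = usage[client] = ClientUsage(first_seen=timestamp, last_seen=timestamp)
        entry.first_seen = min(entry.first_seen, timestamp)
        entry.last_seen = max(entry.last_seen, timestamp)
        entry.requests += 1
        entry.bytes_served += size
        if result.startswith("TCP_DENIED"):
            entry.denied += 1
        host = urlsplit(url).hostname
        if host:
            entry.hosts.add(host)
    return usage


def report_rows(usage: Dict[str, ClientUsage]) -> List[Tuple[str, int, int, int, int, int]]:
    """Rows of (client, requests, denied, bytes, online seconds, distinct hosts), heaviest first."""
    rows = [
        (client, u.requests, u.denied, u.bytes_served, round(u.online_seconds), len(u.hosts))
        for client, u in usage.items()
    ]
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    print(f"{'client':<15} {'reqs':>5} {'denied':>6} {'bytes':>8} {'online_s':>8} {'hosts':>5}")
    for row in report_rows(aggregate(SAMPLE_LOG.splitlines())):
        print(f"{row[0]:<15} {row[1]:>5} {row[2]:>6} {row[3]:>8} {row[4]:>8} {row[5]:>5}")
```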

2.3 Java Server Pages (JSP)

JSP pages are Web pages coded in an extended HTML that makes it possible to embed Java code in a Web page. JSP pages can call custom Java classes, called taglibs, using HTML-like tags. The server's JSP compiler translates JSP pages into servlets. The server automatically compiles a JSP page if its servlet class file is not present or is older than the JSP source file.

You can also precompile JSP pages and package the servlet class in the Web Archive to avoid compiling in the server. Servlets and JSP pages may depend upon additional helper classes that must also be deployed with the Web Application.

Life cycle of a JSP:

Figure 2.3: Life cycle of JSP

1) The client sends a request to the server for a JSP.

2) If the servlet corresponding to the JSP exists, it is loaded; otherwise the JSP is first parsed and compiled to generate the JSP servlet.

3) The response is generated and sent back to the client.

2.4 Web Proxy Auto-Discovery (WPAD)

To instruct all browsers in an organisation to use the same proxy policy without configuring each browser manually, one of two technologies is needed:

Proxy auto-config (PAC) standard: create and publish one central proxy configuration file.

Web Proxy Auto-Discovery Protocol (WPAD) standard: ensure that the organisation's browsers find this file without manual configuration. This is the topic of this section.

The WPAD standard defines two alternative methods by which the system administrator can publish the location of the proxy configuration file: the Dynamic Host Configuration Protocol (DHCP) or the Domain Name System (DNS).

Before fetching its first page, a web browser implementing this method sends the local DHCP server a DHCPINFORM query and uses the URL from the WPAD option in the server's reply. If the DHCP server does not provide the desired information, DNS is used.

If, for example, the network name of the user's computer is pc.department.branch.example.com, the browser will try the following URLs in turn until it finds a proxy configuration file within the domain of the client:

    http://wpad.department.branch.example.com/wpad.dat
    http://wpad.branch.example.com/wpad.dat
    http://wpad.example.com/wpad.dat
    http://wpad.com/wpad.dat   (only in incorrect implementations; see the note on organisation boundaries below)

DHCP has a higher priority than DNS: if DHCP provides the WPAD URL, no DNS lookup is performed.

The DNS lookup removes the first part of the domain name (presumably the client identifier) and replaces it with wpad. Then it "moves up" in the hierarchy by removing more parts of the domain name, until it finds a WPAD PAC file or leaves the current organisation.

The browser guesses where the organisation boundaries are. The guess is often right for domains like 'company.com' or 'university.edu', but wrong for 'company.co.uk', where the walk would go on to query wpad.co.uk, a name outside the organisation.

For DNS lookups, the path of the configuration file is always wpad.dat. For the DHCP method, any URL is usable. For traditional reasons, PAC files are often called proxy.pac (of course, files with this name will be ignored by the WPAD DNS search).

The MIME type of the configuration file must be "application/x-ns-proxy-autoconfig".
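The DNS walk described above, as an added example in Python that is not part of the dissertation: it generates the candidate wpad.dat URLs for a client host name under three stopping rules side by side, the walk of incorrect implementations that runs down to the bare top-level domain, the label-count guess the text attributes to browsers, and a stop at a known public suffix, which is what keeps every query inside the organisation for names like company.co.uk. The public-suffix set is a constructed, deliberately tiny stand-in for the real Public Suffix List.

```python
"""WPAD DNS discovery: the candidate wpad.dat URLs for a client host name.

Added example, not part of the dissertation. Three stopping rules are compared:
  "tld"   - never stop early, so the last candidate is wpad.<tld>
            (the incorrect behaviour listed above);
  "guess" - stop when two labels remain (the browser's guess at the
            organisation boundary; right for example.com, wrong for co.uk);
  "psl"   - stop as soon as the remaining suffix is a public suffix, so the
            walk never leaves the organisation.
"""
from typing import List

# Constructed, deliberately tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "edu", "in", "ac.in", "uk", "co.uk"}

# With DNS discovery the path is fixed; only the host part varies.
PAC_URL = "http://wpad.{domain}/wpad.dat"

RULES = ("tld", "guess", "psl")


def parent_labels(fqdn: str) -> List[str]:
    """Normalise the name and drop its leftmost label (the client identifier)."""
    labels = fqdn.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or "" in labels:
        raise ValueError(f"not a fully qualified host name: {fqdn!r}")
    return labels[1:]


def wpad_candidates(fqdn: str, rule: str = "psl") -> List[str]:
    """URLs a client following `rule` would try, in order."""
    if rule not in RULES:
        raise ValueError(f"unknown rule {rule!r}")
    labels = parent_labels(fqdn)
    urls: List[str] = []
    while labels:
        domain = ".".join(labels)
        if rule == "psl" and domain in PUBLIC_SUFFIXES:
            break  # the remaining suffix is a registry, not the organisation
        if rule == "guess" and len(labels) < 2:
            break  # the guess only refuses to query a bare top-level domain
        urls.append(PAC_URL.format(domain=domain))  # "tld" never breaks early
        labels = labels[1:]
    return urls


def outside_organisation(fqdn: str, rule: str) -> List[str]:
    """Candidates produced by `rule` whose name lies outside the client's own domain."""
    inside = set(wpad_candidates(fqdn, "psl"))
    return [url for url in wpad_candidates(fqdn, rule) if url not in inside]


if __name__ == "__main__":
    for host in ("pc.department.branch.example.com", "pc.company.co.uk"):
        print(host)
        leaving = set(outside_organisation(host, "guess"))
        for url in wpad_candidates(host, "guess"):
            print("  " + url + ("   <-- leaves the organisation" if url in leaving else ""))
```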

2.5 MySQL

MySQL is a multithreaded, multi-user SQL database management system (DBMS), which has, according to MySQL AB, more than 10 million installations. The basic program runs as a server providing multi-user access to a number of databases.

MySQL AB offers MySQL 5.0 in two different variants: the MySQL Community Server and the Enterprise Server. Both have a common code base and include the following features:

- A broad subset of ANSI SQL 99, as well as extensions
- Cross-platform support
- Stored procedures
- Triggers
- Cursors
- Updatable Views
- True VARCHAR support
- INFORMATION_SCHEMA
- Strict mode
- X/Open XA distributed transaction processing (DTP) support; two-phase commit as part of this, using Oracle's InnoDB engine
- Independent storage engines (MyISAM for read speed, InnoDB for transactions and referential integrity, Archive for storing historical data in little space)
- Transactions with the InnoDB, BDB and Cluster storage engines; save points with InnoDB
- SSL support
- Query caching
- Sub-SELECTs (i.e. nested SELECTs)
- Replication with one master per slave, many slaves per master, no automatic support for multiple masters per slave
- Full-text indexing and searching using the MyISAM engine
- Embedded database library
- Partial Unicode support (UTF-8 sequences longer than 3 bytes are not supported; UCS-2 encoded strings are also limited to the BMP)
- ACID compliance using the InnoDB, BDB and Cluster engines
- Shared-nothing clustering through MySQL Cluster

The MySQL Enterprise Server is released once per month and the sources can be obtained either from MySQL's customer-only Enterprise site or from MySQL's BitKeeper repository, both under the GPL license. The MySQL Community Server is published on an unspecified schedule under the GPL and contains all bug fixes that were shipped with the last MySQL Enterprise Server release. Binaries are no longer provided by MySQL for every release of the Community Server.

2.6 Java Database Connectivity (JDBC)

Java Database Connectivity, JDBC for short, is a Java API that enables Java programs to execute SQL statements. It is an application programming interface that defines how a Java programmer can access a database in tabular form from Java code, using a set of standard interfaces and classes written in the Java programming language.

The Java API provides a mechanism for dynamically loading the correct Java packages and drivers and registering them with the JDBC Driver Manager, which is used as a connection factory for creating JDBC connections. A connection supports creating and executing statements such as SQL INSERT, UPDATE and DELETE. The Driver Manager is the backbone of the JDBC architecture.

Generally all Relational Database Management Systems support SQL, and Java is platform independent, so JDBC makes it possible to write a single database application that can run on different platforms and interact with different Database Management Systems.

Java Database Connectivity is similar to Open Database Connectivity (ODBC), which is used for accessing and managing databases, but the difference is that JDBC is designed specifically for Java programs, whereas ODBC is not dependent on any language.

In short, JDBC helps programmers write Java applications that manage these three programming activities:

1. Connecting to a data source, like a database.

2. Sending queries and update statements to the database.

3. Retrieving and processing the results the database returns in answer to the query.

JDBC has four components:

1. The JDBC API: provides the facility for accessing a relational database from the Java programming language.

2. The JDBC Driver Manager: defines objects which connect Java applications to a JDBC driver.

3. The JDBC Test Suite: tests whether a JDBC driver will run the user's program or not.

4. The JDBC-ODBC Bridge: this driver translates JDBC method calls into ODBC function calls. The Bridge implements JDBC for any database for which an ODBC driver is available.

Chapter 3

Analysis: Hardware

3.1 Wireless LAN Applications & Deployments

Access Role

Wireless LANs are used as an entry point into wired networks and are mostly deployed in an access layer role. A WLAN solves the problem of the need for data cabling and offers users a fast and inexpensive way to stay connected, with the ability to roam.

Network Extension

A wireless network can serve as an extension to a wired network. A WLAN can be implemented easily to provide seamless connectivity to remote areas within a building at low cost.

Building-to-Building Connectivity

By using wireless technology, equipment can be installed quickly and easily to join two or more buildings in the same network. It can be done with the use of proper WLAN antennas, without renting an expensive leased line or digging the ground between buildings.

Small Office, Home Office (SoHo)

Instead of running cables throughout the office or home to create a wired LAN, a wireless LAN can provide a neat, simple and effective solution for small offices and homes, which are not usually fitted with Ethernet ports.

3.2 Wireless Distribution System (WDS)

Figure 3.1: Wireless Distribution System (WDS)

In IEEE 802.11, a distribution system is a system that interconnects Basic Service Sets (BSS). A BSS is the cell that one access point covers. A distribution system connects these cells together to build a larger area network that allows mobile users to roam and stay connected to network resources using their wireless equipment.

3.2.1 Advantages of WDS

Without additional cost, an existing access point with WDS function can form a WDS link simply by reconfiguring the device; there is no need to pay for an additional wireless module. Adding a wireless point is more flexible than adding a wired Ethernet point. WDS is able to create a roaming network without the hazard of installing physical cables, and is excellent for areas where cables are not accessible.

3.2.2 Disadvantages of WDS

It is not possible to use encryption with dynamically assigned rotating keys on a WDS link; only fixed, pre-assigned Wired Equivalent Privacy (WEP) keys can be used. A user who wants to secure the network with 802.1x will therefore not be able to use WDS.

3.2.3 Steps in Traffic Flow in WDS

Figure 3.2: Steps in Traffic Flow in WDS

The wireless module in the access point has a Media Access Control (MAC) address, and so does the wireless module in each wireless client. In a WDS link, four MAC addresses are involved: the sender and destination computers, and the sender and destination access points. All four MAC addresses are carried in the 802.11 frame.

Upon receiving the 802.11 frame, the wireless module in the access point converts it to an 802.3 Ethernet frame, which carries only the source and destination computers' MAC addresses. The frame is also passed to the bridge address table, which lists all wired and wireless stations connected directly or indirectly to the access point. Wired computers are listed as "port 1"; wireless computers are listed under one of the six wireless LANs associated with the access point, as ports 2 to 7.
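The four-address frame and its conversion to a two-address Ethernet frame can be seen concretely in the following added example (Python, not from the dissertation): it decodes the address fields of an 802.11 data frame header according to the To DS / From DS flags, refuses a WDS frame that is too short to carry Address 4, and returns the Ethernet (destination, source) pair the access point's bridge would write. The MAC addresses and frame bytes are constructed.

```python
"""Address fields of an 802.11 data frame header, including the WDS case.

Added example, not part of the dissertation. The header is: Frame Control (2
bytes, little-endian), Duration (2), Address 1 (6), Address 2 (6), Address 3
(6), Sequence Control (2) and, only when both To DS and From DS are set (a WDS
link between two access points), Address 4 (6). Which field is DA, SA, BSSID,
RA or TA depends on those two flags; the mapping below is the one defined by
the IEEE 802.11 standard.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TYPE_DATA = 2        # value of the frame-type field for data frames
FLAG_TO_DS = 0x01    # flag bits in the second Frame Control byte
FLAG_FROM_DS = 0x02


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


@dataclass
class DataFrameHeader:
    to_ds: bool
    from_ds: bool
    addr1: str
    addr2: str
    addr3: str
    addr4: Optional[str] = None

    def roles(self) -> Dict[str, str]:
        """Map each address field to its role for this To DS / From DS combination."""
        if self.to_ds and self.from_ds:   # WDS: AP -> AP, four addresses
            return {"RA": self.addr1, "TA": self.addr2, "DA": self.addr3, "SA": self.addr4}
        if self.to_ds:                    # station -> AP
            return {"BSSID": self.addr1, "SA": self.addr2, "DA": self.addr3}
        if self.from_ds:                  # AP -> station
            return {"DA": self.addr1, "BSSID": self.addr2, "SA": self.addr3}
        return {"DA": self.addr1, "SA": self.addr2, "BSSID": self.addr3}  # IBSS

    def ethernet_addresses(self) -> Tuple[str, str]:
        """(destination, source) that the bridge writes into the 802.3 frame."""
        roles = self.roles()
        return roles["DA"], roles["SA"]


def parse_data_frame(frame: bytes) -> DataFrameHeader:
    """Decode the header of an 802.11 data frame; ValueError on non-data or short input."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte minimum header")
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    if (frame_control >> 2) & 0x3 != TYPE_DATA:
        raise ValueError("not a data frame")
    flags = frame_control >> 8
    to_ds, from_ds = bool(flags & FLAG_TO_DS), bool(flags & FLAG_FROM_DS)
    addr4 = None
    if to_ds and from_ds:
        if len(frame) < 30:
            raise ValueError("WDS frame truncated: Address 4 missing")
        addr4 = mac_str(frame[24:30])
    return DataFrameHeader(to_ds, from_ds, mac_str(frame[4:10]),
                           mac_str(frame[10:16]), mac_str(frame[16:22]), addr4)


def build_data_frame(to_ds: bool, from_ds: bool, addr1: str, addr2: str, addr3: str,
                     addr4: Optional[str] = None) -> bytes:
    """Construct a minimal data-frame header (no body) for the given addresses."""
    flags = (FLAG_TO_DS if to_ds else 0) | (FLAG_FROM_DS if from_ds else 0)
    header = bytes([TYPE_DATA << 2, flags]) + b"\x00\x00"        # Frame Control, Duration
    header += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    header += b"\x00\x00"                                         # Sequence Control
    if to_ds and from_ds:
        if addr4 is None:
            raise ValueError("a WDS frame needs Address 4")
        header += mac_bytes(addr4)
    return header


# Constructed, locally administered addresses: two stations and two access points.
STA_A, STA_B = "02:00:00:00:00:01", "02:00:00:00:00:02"
AP_1, AP_2 = "02:00:00:00:00:aa", "02:00:00:00:00:bb"

# Frame on the WDS link from AP_1 to AP_2 carrying STA_A's traffic for STA_B.
WDS_FRAME = build_data_frame(True, True, addr1=AP_2, addr2=AP_1, addr3=STA_B, addr4=STA_A)

if __name__ == "__main__":
    header = parse_data_frame(WDS_FRAME)
    print(header.roles())
    print("802.3 destination/source:", header.ethernet_addresses())
```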

3.3 Wireless LAN Standards

a. IEEE 802.11

This is the original wireless LAN standard, with the slowest data transfer rate, in both RF and light-based transmission technologies.

b. IEEE 802.11b

This standard provides a faster data transfer rate (a maximum raw data rate of 11 Mbit/s) with a more restrictive scope of transmission technologies. It uses the 2.4 GHz frequency band. This standard is also widely promoted as Wi-Fi by the Wi-Fi Alliance. It is an amendment to the original 802.11 standard.

c. IEEE 802.11g

This is the most recent standard based on the original 802.11 standard. It offers a maximum raw data rate of 54 Mbit/s, or about 19 Mbit/s net throughput. 802.11g hardware is fully backwards compatible with 802.11b hardware.

3.4 DWL-3200AP

Versatile Access Point

The AirPremier 802.11g Managed Access Point allows network administrators to deploy a highly manageable and extremely robust wireless network. This access point has two high-gain antennas for optimal wireless coverage. Enclosed in a plenum-rated metal chassis, it adheres to strict fire codes and ensures complete safety. For advanced installations, this new high-speed Access Point has integrated 802.3af Power over Ethernet (PoE) support, allowing installation of the device in areas where power outlets are not readily available.

Figure 3.3: DWL-3200AP

Enhanced Performance

The AirPremier 802.11g Managed Access Point delivers extremely reliable wireless performance with maximum wireless signal rates of up to 54Mbps*. This, coupled with support for Wi-Fi™ Multimedia (WMM™) Quality of Service features, makes it the ideal access point for audio, video, and voice applications. Network administrators also have the option to increase the wireless signal rate up to 108Mbps* using D-Link 108G technology, all while remaining backward compatible with the IEEE 802.11b and 802.11g standards.

Security

The DWL-3200AP provides the latest wireless security technologies by supporting WPA and WPA2, in their Personal and Enterprise versions, along with 802.1x. For additional network access security, the DWL-3200AP supports VLAN tagging to provide internal and guest network access options. Other security features included are: MAC Address Filtering, Wireless LAN segmentation, Rogue AP detection, and Disable SSID Broadcast.

Multiple Operation Modes

To maximize total return on investment, the DWL-3200AP can be configured to optimize network performance in any one of its multiple operation modes: Access Point, Wireless Distribution System (WDS) with Access Point, and WDS (No AP Broadcasting). With WDS support, network administrators can also set up multiple DWL-3200APs throughout a facility and configure them to bridge with one another to deliver network traffic to and from their respective sources. In WDS mode, the DWL-3200AP features Spanning Tree Protocol, which provides path redundancy while preventing undesirable loops in the network. Additionally, support for syslog provides an industry standard for capturing log information for devices on the network.

Network Management

For advanced network management, administrators can use D-Link’s AP Manager II or the D-View SNMPv3 management module to configure and manage multiple access points from a single location. In addition to a streamlined management process, network administrators can also verify and conduct regular maintenance checks without sending personnel out to physically verify proper operation.

3.5 Power-over-Ethernet

Power-over-Ethernet (PoE) is a method of delivering DC voltage to an access point or wireless bridge over the Cat 5 Ethernet cable for the purpose of powering the unit. PoE is used when an AC power supply is not available at the location where the wireless LAN infrastructure devices are installed. The Ethernet cable carries both the power and the data to the units.

3.5.1 Single-port DC Voltage Injectors

Figure 3.4: Single-port DC Voltage Injectors

A pair of single-port DC voltage injectors is needed to connect one wireless LAN infrastructure device, such as an access point. One of the injectors is connected to the passive switch and to a power socket; its output UTP cable carries the powered Ethernet. The other injector is connected to the power and LAN inputs of the access point.

3.5.2 Active Ethernet Switches

Figure 3.5: Active Ethernet Switches

For an enterprise installation of access points, an active Ethernet switch is used. These devices incorporate DC voltage injection into the Ethernet switch itself and allow a large number of PoE devices without any additional hardware in the network.

3.6 Wireless LAN Security

3.6.1 Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP) was the only method of security during the early years of IEEE 802.11 wireless LANs. It can still serve as a barrier against some attacks, especially for otherwise unprotected networks. Most attacks require a large amount of transmitted data, and for home users the number of packets sent is relatively small; therefore WEP still provides a fairly safe option. WEP was designed with the intention of making it difficult to break in.

IEEE 802.11 (1999) defined two levels of security: open and shared key. Open security means no security. Shared key means that both ends of the wireless link must know the matching key value; the key is a shared secret between the trusted parties.

3.6.2 Wi-Fi Protected Access (WPA)

The next generation of wireless security after WEP is IEEE 802.11i. WEP does not provide any access control to the wireless network. WPA overcomes this problem by specifying mandatory protocols for a secure wireless network. The mandatory protocols are IEEE 802.1x, the Extensible Authentication Protocol (EAP) and the Remote Authentication Dial-in User Service (RADIUS).

3.7 Site Survey

A site survey is also sometimes known as facilities analysis. It is the map to a successful implementation of a wireless network. A site survey is a process with several tasks in which the surveyor finds out the RF behaviour, coverage, interference and hardware locations. Its primary objective is to ensure that the wireless LAN clients have continual strong RF signal strength even when they are mobile.

3.7.1 Preparing for a Site Survey

These are some topics that need to be touched on before performing a site survey.

a. Facilities Analysis

The coverage area, number of users, security requirements, bandwidth requirements and budget are to be determined.

b. Existing Networks

The surveyor needs to find out whether there is any existing wired or wireless network in place. The common information about the existing infrastructure includes network operating systems, number of current users, current wireless LAN protocols and security measures, location of the wired LAN connections, and the naming convention of the infrastructure devices.

c. Area Usage & Towers

The surveyor needs to know whether the wireless LAN is meant for indoor use, outdoor use or both. For an outdoor setup, it is necessary to find out whether there are frequent weather events, such as hurricanes or storms, in the area. If there are many obstacles, such as trees, that block the direct signal path of the outdoor wireless link, it may be necessary to build a tower on top of the building. Waterproof enclosures for the bridges or access points will be required, and radomes may be considered for protecting outdoor antennas.

d. Purpose & Business Requirements

The purpose of having a wireless LAN and the business requirements must first be considered before conducting a site survey. The wrong recommendation can affect the business goals of the organization.

e. Bandwidth & Roaming Requirements

The bandwidth and roaming requirements will determine what type of wireless LAN technology should be implemented. The necessary speed, range and throughput per user must be determined so that a site survey can be performed to meet the needs of the users.

f. Available Resources

The surveyor will need to find out from the network manager the project budget and the time allocated for the project. The surveyor may request a blueprint of the layout of the building or the facility schematics. The diagram will show where the walls, network closets, power outlets and other facilities are located.

g. Security Requirements

In some scenarios, data security is very important. It is necessary to explain the pros and cons of the different wireless security methods. The surveyor needs to find out what the existing security policies are and how to incorporate the wireless LAN into them without violating the rules.


3.7.2 Conducting a Site Survey

The site survey normally begins with the general task of recording non-RF related information. For indoor surveys, most of the information is located and recorded on a copy of the facility's blueprint or drawing. Things to take notice of include potential RF obstructions such as fire doors, metal blinds and metal mesh windows, and potential RF interference sources such as microwave ovens, elevator motors and 2.4 GHz cordless phones.

The link distance needs to be calculated. Weather hazards such as wind, rain, snow and lightning need to be taken into consideration.

The next task is gathering and recording data on the RF coverage patterns, coverage gaps, data rate capabilities and other RF criteria.

a. Range & Coverage Patterns

It starts by placing an access point in a logical location. The surveyor then walks slowly with a laptop, wireless module and site survey utility software running. While walking, the surveyor records data rates, signal strength, noise floor and signal-to-noise ratio (SNR) for every area in the room.

b. Data Rate Boundaries

It is necessary to record the data rate boundaries, sometimes known as concentric zones, around the access points.

c. Documentation

When the copy of the facility blueprint has been marked with circles, dead spots, data rates and signal strength measurements in key spots, another location is selected and the whole process is repeated.

d. Throughput Tests & Capacity Planning

Another measurement that can be performed by the site surveyor is to test throughput from the various points. The coverage and data rate documentation will reflect the user's experience on the wireless LAN.

e. Interference Sources

The site surveyor will need to determine any existing wireless LANs in use within or around the facility.

f. Wired Data Connectivity & AC Power Requirements

Some of the best positions are constrained by where the AC power sources and network connectivity exist. If there is a good and valid reason for the preferred access point locations, the client may consider installing new AC power sources and new network connectivity points. The client may also choose to use Power over Ethernet (PoE).


g. Outdoor Antenna Placement

It is necessary to record the outdoor antenna placement, location and availability of potential mounting and grounding points. The lightning arrestors used by outdoor antennas require proper grounding; therefore the antennas need to be mounted on special mounting materials.

h. Spot Checks

After the wireless LAN is installed, it may not work exactly as planned. Spot-checking by the site surveyor after the installation is completed helps avoid troubleshooting after the actual implementation. Items that should be checked include coverage in perimeter areas, overlapping coverage for seamless roaming, and co-channel or adjacent-channel interference in all areas.


We used NetStumbler (also known as Network Stumbler), a tool for Windows that facilitates detection of wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. It runs on Microsoft Windows operating systems from Windows 98 up to Windows Vista (under compatibility mode).

The program is commonly used for:

- Wardriving
- Verifying network configurations
- Finding locations with poor coverage in a WLAN
- Detecting causes of wireless interference
- Detecting unauthorized ("rogue") access points
- Aiming directional antennas for long-haul WLAN links

Figure 3.6: Signal-to-noise ratio graph obtained by moving with a laptop in the region covered by an access point

It measures the signal-to-noise ratio of a wireless signal. This tool is installed and run on a laptop, which is then carried around the area under survey.


Chapter 4

Design

Our Approach

Data Flow Diagram

Table Schema

Client-Server Interface

4.1 Our Proposal

- Use a proxy server to intercept all client requests and also provide authorization of users.
- Use the Web Proxy Auto Discovery Protocol (WPAD) to provide automatic proxy detection.

4.2 Benefits of our design

- Robust design and implementation: the system cannot be bypassed.
- Universally compatible: works with ANY operating system and platform.
- No special user requirements.
- Hardware independent.
- User friendly, for the client as well as the administrator.
- Easy to change and update.
- Extensive administrative capabilities and controls.


4.3 Data Flow Diagram (DFD)

A data flow diagram (DFD) illustrates how data is processed by a system in terms of inputs and outputs. A DFD, also known as a "bubble chart", has the purpose of clarifying system requirements and identifying the major transformations that will become programs in the system design. It is thus the starting point of the design phase, which functionally decomposes the requirements specification down to the lowest level of detail.

A DFD consists of a series of bubbles joined by lines. The bubbles represent data transformations and the lines represent data flows in the system.

4.3.1 DFD Notations

Process: A process transforms incoming data flow into outgoing data flow.

Datastore: Datastores are repositories of data in the system.

Dataflow: Data flows are pipelines through which packets of information flow. Labels across the arrows indicate the data that moves through them.

External Entity: External entities are objects outside the system with which the system communicates. They are the sources and destinations of the system's inputs and outputs.

4.3.2 DFD Symbols:

Square: defines a source (originator) or destination of system data.

Arrow: identifies data flow, i.e. data in motion. It is the pipeline through which data flows.

Circle/bubble: represents a process that transforms incoming data flow into outgoing flow.

Open rectangle: a data store, i.e. data at rest, or a temporary repository of data.

Thus, a DFD describes what data flows (logical) rather than how they are processed, so it does not depend on hardware, software, data structure or file organization.


DFD of Administrator Module

Figure 4.1: DFD for Administrator module


DFD for Client Module

Figure 4.2: DFD for Client module


4.4 Table Schema

Table: Customer

Data Field       Data Type
ID               Auto Number (Primary key)
*First_Name      TINYTEXT (255 characters)
*Last_Name       TINYTEXT (255 characters)
Address          TINYTEXT (255 characters)
*Email_ID        TINYTEXT (255 characters)
*Username        TINYTEXT (255 characters)
*Password        TINYTEXT (255 characters)
Date             DATE
Interested       Radio button
Phone_Number     BIGINT (unsigned range 0 to 18446744073709551615)
Mobile_Number    BIGINT (unsigned range 0 to 18446744073709551615)
Organization     TINYTEXT (255 characters)
Comment          LONGTEXT (4 GB of characters)

Table 4.1: Database Table Schema


4.5 Client Server Interface

Figure 4.3: Client Server Interface

The client web browser sends a request to the web server. The web server consists of either JSP or servlets, which provide server-side scripting. The web server includes an application server which interacts with the database. After processing, the server generates a response which is sent back to the client.


Chapter 5

Implementation

System Configuration

Running the project

5.1 System Configuration

The various components of the project, viz. DHCP, DNS and Tomcat, were configured using the configuration files given in the Appendix.

5.2 Running the Project

When a new (unauthenticated) user enters the network, he/she needs to enable "Automatically Detect Proxy Settings" in his/her browser. Once this is done, when he/she tries to load a web page using a URL, an authentication dialog box appears asking for a valid username and password. If the user keys in valid credentials, he/she is authenticated and can access the Internet. If not, the user clicks Cancel on the dialog box, which takes the user to the D-Link mandatory pages:


Authentication Screen:

Figure 5.1: Authentication Screen

New users are redirected to this page on clicking ‘Cancel’:

Figure 5.2: Welcome page


The user has to browse through the D-Link Advertisement Page:

Figure 5.3: D-Link Product Advertisement Pages


On clicking ‘NEXT’, the user goes to the Registration Page:

At the registration page the information about the user is obtained and stored in the MySQL database on the web server. Validation of each of the text boxes on the registration page is taken care of (e.g. the first name field can contain only alphabetic characters, the phone number field can contain only digits, etc.):

Figure 5.4: Registration Page

After registration the user can provide his/her username and password to obtain free Internet access.
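The validation rules described above, together with the column limits of Table 4.1, can be written as one routine that runs identically in the browser and on the server. The following is an added illustration, not the project's own servlet code; it assumes that "only characters" means ASCII letters and that the fields marked * in Table 4.1 are mandatory.

```javascript
// Field-level validation for the registration form of Section 5.2.
// Added example (not from the project). Rules follow the text ("first name:
// letters only, phone number: digits only") and the column limits of
// Table 4.1 (TINYTEXT = 255 characters, BIGINT unsigned). Treating the
// *-marked fields as required is an assumption made here.

const TINYTEXT_MAX = 255;
const BIGINT_UNSIGNED_MAX = 18446744073709551615n; // upper bound given in Table 4.1

const LETTERS_ONLY = /^[A-Za-z]+$/;               // "only characters", read as ASCII letters
const DIGITS_ONLY = /^[0-9]+$/;
const EMAIL_SHAPE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // shape check only, not deliverability
const USERNAME_CHARS = /^[A-Za-z0-9_]+$/;          // assumed policy for Username

const REQUIRED = ["First_Name", "Last_Name", "Email_ID", "Username", "Password"];
const TINYTEXT_COLUMNS = ["First_Name", "Last_Name", "Address", "Email_ID",
                          "Username", "Password", "Organization"];

// A digit string can still be too large for a BIGINT column, so compare
// numerically (as BigInt) rather than trusting the regex alone.
function checkPhone(value) {
  if (!DIGITS_ONLY.test(value)) return "digits only";
  if (BigInt(value) > BIGINT_UNSIGNED_MAX) return "exceeds BIGINT range";
  return null;
}

const RULES = {
  First_Name: (v) => (LETTERS_ONLY.test(v) ? null : "letters only"),
  Last_Name: (v) => (LETTERS_ONLY.test(v) ? null : "letters only"),
  Email_ID: (v) => (EMAIL_SHAPE.test(v) ? null : "not an e-mail address"),
  Username: (v) => (USERNAME_CHARS.test(v) ? null : "letters, digits and _ only"),
  Phone_Number: checkPhone,
  Mobile_Number: checkPhone,
};

// form: plain object keyed by the Table 4.1 column names, values as strings.
// Returns { ok, errors } where errors maps field name -> reason.
function validateRegistration(form) {
  const errors = {};
  const raw = (name) => (typeof form[name] === "string" ? form[name] : "");
  // Whitespace is trimmed everywhere except the password, which is kept verbatim.
  const get = (name) => (name === "Password" ? raw(name) : raw(name).trim());

  for (const name of REQUIRED) {
    if (get(name) === "") errors[name] = "required";
  }
  for (const [name, rule] of Object.entries(RULES)) {
    const v = get(name);
    if (v === "" || errors[name]) continue; // empty optional field, or already flagged
    const problem = rule(v);
    if (problem) errors[name] = problem;
  }
  // Every TINYTEXT column is capped at 255 characters whatever its content.
  for (const name of TINYTEXT_COLUMNS) {
    if (get(name).length > TINYTEXT_MAX && !errors[name]) {
      errors[name] = `longer than ${TINYTEXT_MAX} characters`;
    }
  }
  return { ok: Object.keys(errors).length === 0, errors };
}
```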


Network Monitoring

This is another module of the project, for which a separate web page was designed for the system administrator. Only the administrator knows the URL of this page; on entering this URL, the admin is asked for his/her username and password:

Figure 5.5: Administrator Login

Once authenticated, the administrator can get complete information about the Wi-Fi network:

Figure 5.6: Administrator Options


Network Usage Report:

Figure 5.7: Network Usage Report

The Squid Proxy Report: this report is presented to the user in HTML format, and the user has the option of downloading the same report as an Excel spreadsheet (*.xls):

Figure 5.8: Squid Proxy Report


The administrator can also view the users of the D-Link Free Internet Service along with their secondary information. Here the admin also has the choice of viewing the users who are interested in knowing more about the D-Link Wi-Fi products.

Figure 5.9: Select Records by Date


Chapter 6

Testing

6.1 Test Case 1: Performance of the system in an environment with multiple wireless networks

We tested our system in an environment in which more than one wireless network existed at the same time. This can be observed from the multiple wireless networks that get listed when the wireless adapter of a laptop computer attempts to connect to a wireless network. They are differentiated by the different SSIDs given to each by the administrator.

When we tested, there were 3 such wireless networks operational in the same area:

1. D-Link Production
2. D-Link Wi-Fi 3rd Floor
3. GEC D-Link Test Wi-Fi

Our system performed as per our expectations with no glitches. There could have been a problem with channel interference, but that was avoided by assigning non-adjacent channels.

6.2 Test Case 2: Different Internet Browsers

The system was tested for operation in various Internet browsers. The following most popular Internet browsers are supported by the system:

1. Internet Explorer
2. Mozilla Firefox
3. Opera

We are thus assured that our system does not need any specific browser to work properly. This is very useful since we cannot control which browser is used by a client.


6.3 Test Case 3: Operating Systems which are supported

We tested our system to see how it would perform with different operating systems that could possibly be running on the client's laptop.

Operating systems tested:

1. Windows XP Professional
2. Windows XP Home
3. Red Hat Linux

Again, we were happy to know that our system would work properly irrespective of the operating system running on the client's laptop.

6.4 Test Case 4: Performance of our system with a firewall running on the client's laptop

Sometimes the client could have a firewall running on his/her laptop. This could possibly pose problems with networking.

We tested our system with laptops using ZoneAlarm and Comodo Firewall Pro. These firewalls did not hamper the performance and usability of our system in any way.


Chapter 7

Conclusion

We designed a system to manage a wireless hotspot for D-Link (India) Private Limited. Through our system we ensure that any client with a Wi-Fi-enabled laptop can get free Internet access provided by D-Link, provided they compulsorily view product information pages and give their personal details. This system would be an integral part of the new marketing strategy to be implemented by D-Link.

We have learnt a lot from this project. We learnt many ways in which we could not find a solution. Apart from learning the details of existing technologies, we had to apply that knowledge to design a new solution to the specific problem. Our final solution was simple and yet powerful. It successfully passed the various test cases that we subjected it to. We can safely say that we matched and surpassed the expectations of our "client", D-Link (India) Private Limited.

Doing a project for a highly professional company like D-Link gave us useful real-life experience. We worked in a corporate environment with deadlines and the expectation of perfection. Such an environment highlighted teamwork and responsibility. The valuable experience gained will definitely help us in our careers.

The most satisfying part of this whole exercise is that our project is actually going to be implemented immediately by D-Link (India) Private Limited. All permissions for the same have already been obtained from their senior management, and the system will be operational within one month. This knowledge is incredibly encouraging and motivating.




Appendix

DNS CONFIGURATION

1) NAMED.CONF

## named.conf - configuration for bind
#
# Generated automatically by redhat-config-bind, alchemist et al.
# Any changes not supported by redhat-config-bind should be put
# in /etc/named.custom
#

# Let only the local machine control the server:
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

# Include other things into the configuration file, things that
# automatic configuration tools that modify this file might make
# a mess of: (Though, if you don't use such tools, you can do
# all the configuration within this file. Nowadays, I have it
# all in the one /etc/named.conf file.)
include "/etc/named.custom";

# Cryptographic key to allow certain things: (Refer to a file
# with the information, here, and in other configuration files,
# rather than copy the information in that file into each
# configuration file.)
include "/etc/rndc.key";

# Set up the file used for the local domain's records:
zone "hrrm.gec" {
    type master;
    file "hrrm.gec.zone";
    allow-update { key "rndckey"; };
    allow-transfer { 192.168.15/24; };
    notify yes;
};

zone "15.168.192.in-addr.arpa" {
    type master;
    file "192.168.15.zone";
    allow-update { key "rndckey"; };
    allow-transfer { 192.168.15/24; };
    notify yes;
};

2) RESOLV.CONF

nameserver 203.197.12.30
nameserver 4.2.2.2
nameserver 192.168.15.10
domain hrrm.gec
search localdomain

3) FORWARD ZONE FILE – HRRM.GEC

$ORIGIN .
$TTL 86400      ; 1 day
hrrm.gec        IN SOA  velma.hrrm.gec. foo.bar.tld. (
                        200612062  ; serial
                        7200       ; refresh (2 hours)
                        300        ; retry (5 minutes)
                        604800     ; expire (1 week)
                        60         ; minimum (1 minute)
                        )
                NS      velma.hrrm.gec.
                MX      10 mail.hrrm.gec.
$ORIGIN hrrm.gec.
daphne          A       192.168.15.5
dhcp01          A       192.168.15.100
dhcp02          A       192.168.15.101
dhcp03          A       192.168.15.102
dhcp04          A       192.168.15.103
dhcp05          A       192.168.15.104
dhcp06          A       192.168.15.200
$TTL 10800      ; 3 hours
DHUME           A       192.168.15.200
                TXT     "3167572e9e5de102bad70dc9413aca4cf6"
$TTL 86400      ; 1 day
fred            A       192.168.15.1
mail            CNAME   mysterymachine
mysterymachine  A       192.168.15.6
$TTL 10800      ; 3 hours
Reuben          A       192.168.15.200
                TXT     "315d22b1359128d7de7e461759a0b2c6b5"
$TTL 86400      ; 1 day
scooby          A       192.168.15.2
scooby-dum      A       192.168.15.4
scrappy         A       192.168.15.7
shaggy          A       192.168.15.3
velma           A       192.168.15.10
virtual         CNAME   velma
www             CNAME   velma
$ORIGIN hrrm.gec.
wpad            IN A    192.168.15.10
                IN TXT  "service: wpad:!http://wpad.hrrm.gec:80/proxy.pac"
wpad.tcp        IN SRV  0 0 80 wpad.hrrm.gec.

4) REVERSE ZONE FILE – 192.168.15

$ORIGIN .
$TTL 86400      ; 1 day
15.168.192.in-addr.arpa IN SOA velma.hrrm.gec. foo.bar.tld. (
                        200612061  ; serial
                        7200       ; refresh (2 hours)
                        300        ; retry (5 minutes)
                        604800     ; expire (1 week)
                        60         ; minimum (1 minute)
                        )
                NS      velma.hrrm.gec.
$ORIGIN 15.168.192.in-addr.arpa.
1               PTR     fred.hrrm.gec.
10              PTR     velma.hrrm.gec.
100             PTR     dhcp01.hrrm.gec.
101             PTR     dhcp02.hrrm.gec.
102             PTR     dhcp03.hrrm.gec.
103             PTR     dhcp04.hrrm.gec.
104             PTR     dhcp05.hrrm.gec.
2               PTR     scooby.hrrm.gec.
$TTL 10800      ; 3 hours
200             PTR     Reuben.hrrm.gec.
$TTL 86400      ; 1 day
3               PTR     shaggy.hrrm.gec.
4               PTR     scooby-dum.hrrm.gec.
5               PTR     daphne.hrrm.gec.
6               PTR     mysterymachine.hrrm.gec.
7               PTR     scrappy.hrrm.gec.

5) IFCFG-ETH1

# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
USERCTL=no
PEERDNS=yes
TYPE=Ethernet
DEVICE=eth1
HWADDR=00:40:05:72:e1:64
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.15.10
NETMASK=255.255.255.0
NETWORK=192.168.15.0
BROADCAST=192.168.15.255

DHCP CONFIGURATION

DHCPD.CONF

authoritative;

include "/etc/rndc.key";
# (This is the same key used by BIND and the rndc tool, it's needed to
# be able to update DNS records.)

# Server configuration:
ddns-domainname "hrrm.gec.";
ddns-rev-domainname "in-addr.arpa.";
ddns-update-style interim;
ddns-updates on;
allow client-updates;
default-lease-time 21600;   # 6 hours
max-lease-time 43200;       # 12 hours

# Client configuration:
option domain-name "hrrm.gec.";
option nntp-server news.hrrm.gec;
option pop-server pop3.hrrm.gec;
option smtp-server smtp.hrrm.gec;
option wpad-url code 252 = text;
option wpad-url "http://wpad.hrrm.gec/wpad.dat\n";
option www-server www.hrrm.gec;
option ntp-servers time.hrrm.gec;
#option time-offset 34200;  # Australian Central Standard Time
option time-offset 37800;   # Central Australia Daylight Time
option ip-forwarding off;   # tell clients not to act as gateways (?)

subnet 192.168.15.0 netmask 255.255.255.0 {
    range 192.168.15.100 192.168.15.200;    # allocate IPs within this range
    option routers 192.168.15.1;            # default gateway
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.15.255;
    option domain-name-servers 192.168.15.10;
    option netbios-name-servers 192.168.15.10;  # WINS
    option netbios-dd-server 192.168.15.10;     # SMB
    option netbios-node-type 8;
    option netbios-scope "";
    option finger-server 192.168.15.10;

    zone 15.168.192.in-addr.arpa. {
        primary 192.168.15.10;
        key rndckey;
    }
    zone hrrm.gec. {
        primary 192.168.15.10;
        key rndckey;
    }
}

TOMCAT CONFIGURATION

1) TOMCAT4.CONF

# tomcat /etc/rc.d script example configuration file
# Use with version 1.07 of the scripts or later

# Where your java installation lives
# JAVA_HOME=/usr/java/jdk
JAVA_HOME="/usr/java/j2sdk1.4.2_17"

# You can pass some parameters to java
# here if you wish to
#JAVACMD="$JAVA_HOME/bin/java -Xminf0.1 -Xmaxf0.3"

# Where your tomcat installation lives
# That change from previous RPM where TOMCAT_HOME
# used to be /var/tomcat.
# Now /var/tomcat will be the base for webapps only
CATALINA_HOME="/var/tomcat4"
JASPER_HOME="/var/tomcat4"
CATALINA_TMPDIR="/var/tomcat4/temp"

# What user should run tomcat
TOMCAT_USER="tomcat4"

# You can change your tomcat locale here
#LANG=en_US

# If you wish to further customize your tomcat environment,
# put your own definitions here
# (i.e. LD_LIBRARY_PATH for some jdbc drivers)

2) SERVER.XML

<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8085" minProcessors="5" maxProcessors="75"
               enableLookups="true" redirectPort="8543"
               acceptCount="10" debug="0" connectionTimeout="60000"/>
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector"
               port="8109" minProcessors="5" maxProcessors="75"
               acceptCount="10" debug="0"/>
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="catalina_log." suffix=".txt"
              timestamp="true"/>
      <Realm className="org.apache.catalina.realm.MemoryRealm" />
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log." suffix=".txt"
               pattern="common"/>
        <Logger className="org.apache.catalina.logger.FileLogger"
                directory="logs" prefix="localhost_log." suffix=".txt"
                timestamp="true"/>
        <Context path="/manager" docBase="manager"
                 debug="0" privileged="true"/>
        <Context path="/examples" docBase="examples" debug="0"
                 reloadable="true" crossContext="true">
          <Logger className="org.apache.catalina.logger.FileLogger"
                  prefix="localhost_examples_log." suffix=".txt"
                  timestamp="true"/>
          <Ejb name="ejb/EmplRecord" type="Entity"
               home="com.wombat.empl.EmployeeRecordHome"
               remote="com.wombat.empl.EmployeeRecord"/>
          <Environment name="maxExemptions" type="java.lang.Integer"
                       value="15"/>
          <Parameter name="context.param.name" value="context.param.value"
                     override="false"/>
          <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                    type="javax.sql.DataSource"/>
          <ResourceParams name="jdbc/EmployeeAppDb">
            <parameter><name>user</name><value>sa</value></parameter>
            <parameter><name>password</name><value></value></parameter>
            <parameter><name>driverClassName</name>
              <value>org.hsql.jdbcDriver</value></parameter>
            <parameter><name>driverName</name>
              <value>jdbc:HypersonicSQL:database</value></parameter>
          </ResourceParams>
          <Resource name="mail/Session" auth="Container"
                    type="javax.mail.Session"/>
          <ResourceParams name="mail/Session">
            <parameter>
              <name>mail.smtp.host</name>
              <value>localhost</value>
            </parameter>
          </ResourceParams>
        </Context>
      </Host>
    </Engine>
  </Service>
  <Service name="Tomcat-Apache">
    <Connector className="org.apache.catalina.connector.warp.WarpConnector"
               port="8008" minProcessors="5" maxProcessors="75"
               enableLookups="true" appBase="webapps"
               acceptCount="10" debug="0"/>
    <Engine className="org.apache.catalina.connector.warp.WarpEngine"
            name="Apache" debug="0">
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="apache_log." suffix=".txt"
              timestamp="true"/>
      <Realm className="org.apache.catalina.realm.MemoryRealm" />
    </Engine>
  </Service>
</Server>


APACHE CONFIGURATION

Listen dlinkwifi:80
<VirtualHost 192.168.15.10>
    ServerName wpad.hrrm.gec
    ServerAlias 192.168.15.10
    AddType application/x-ns-proxy-autoconfig .dat
</VirtualHost>
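The WPAD chain configured above (DHCP option 252 and the wpad DNS records pointing at the Apache virtual host) ends in the proxy auto-configuration script itself, which the appendix does not reproduce. The following is an added example of such a script, not a file from the project; it uses only addresses that appear in the configurations above (Squid on 192.168.15.10:3128, the 192.168.15.0/24 LAN, the hrrm.gec domain). The PAC helper functions are supplied by the browser; the fallbacks at the end exist only so the logic can be exercised offline.

```javascript
// Example proxy.pac / wpad.dat for the hotspot in this report.
// Added illustration (not the project's file); addresses taken from the
// appendix: Squid at 192.168.15.10:3128, LAN 192.168.15.0/24, domain hrrm.gec.
// A client that picks up the WPAD URL (DHCP option 252 or the wpad DNS
// record) downloads this script and calls FindProxyForURL for every request.
function FindProxyForURL(url, host) {
  // The hotspot's own hosts (portal pages, wpad host) are reached directly,
  // so an unauthenticated client can still load the registration pages.
  if (isPlainHostName(host) || dnsDomainIs(host, ".hrrm.gec")) {
    return "DIRECT";
  }
  // Likewise the LAN range itself and loopback.
  if (isInNet(host, "192.168.15.0", "255.255.255.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else is forced through Squid, where auth_param / http_access
  // decide whether the user has authenticated. Deliberately no "; DIRECT"
  // fallback: it would let a client bypass the portal whenever the proxy
  // is unreachable.
  return "PROXY 192.168.15.10:3128";
}

// Browsers provide isPlainHostName / dnsDomainIs / isInNet. Minimal versions
// (isInNet accepts dotted-quad hosts only, no DNS lookup) are installed here
// when absent, so the file can be run and tested outside a browser.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (h) => h.indexOf(".") === -1;
  globalThis.dnsDomainIs = (h, d) => h.length >= d.length && h.slice(-d.length) === d;
  globalThis.isInNet = (h, pattern, mask) => {
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return false;
    const toInt = (ip) => ip.split(".").reduce((a, o) => ((a << 8) | Number(o)) >>> 0, 0);
    const m = toInt(mask);
    return ((toInt(h) & m) >>> 0) === ((toInt(pattern) & m) >>> 0);
  };
}
```

The DHCP option names the script wpad.dat while the DNS TXT record names it proxy.pac; both URLs should serve this same file, and the AddType line in the Apache configuration above only covers the .dat extension.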

SQUID CONFIGURATION

SQUID.CONF

#  WELCOME TO SQUID 2
#  ------------------
#
#  This is the default Squid configuration file. You may wish
#  to look at the Squid home page (http://www.squid-cache.org/)
#  for the FAQ and other documentation.
#
#  The default Squid config file shows what the defaults for
#  various options happen to be. If you don't need to change the
#  default, you shouldn't uncomment the line. Doing so may cause
#  run-time problems. In some cases "none" refers to no default
#  setting at all, while in other cases it refers to a valid
#  option - the comments for that keyword indicate if this is the
#  case.
#

# NETWORK OPTIONS
# -----------------------------------------------------------------------------

#  TAG: http_port
#       Usage:  port
#               hostname:port
#               1.2.3.4:port
#
#       The socket addresses where Squid will listen for HTTP client
#       requests. You may specify multiple socket addresses.
#       There are three forms: port alone, hostname with port, and
#       IP address with port. If you specify a hostname or IP
#       address, then Squid binds the socket to that specific
#       address. This replaces the old 'tcp_incoming_address'
#       option. Most likely, you do not need to bind to a specific
#       address, so you can use the port number alone.
#
#       The default port number is 3128.
#
#       If you are running Squid in accelerator mode, then you
#       probably want to listen on port 80 also, or instead.
#
#       The -a command line option will override the *first* port
#       number listed here. That option will NOT override an IP
#       address, however.
#
#       You may specify multiple socket addresses on multiple lines.
#
#       If you run Squid on a dual-homed machine with an internal
#       and an external interface then we recommend you to specify the
#       internal address:port in http_port. This way Squid will only be
#       visible on the internal address.
#
#Default:
http_port 192.168.15.10:3128


#  TAG: icp_port
#       The port number where Squid sends and receives ICP queries to
#       and from neighbor caches. Default is 3130. To disable use
#       "0". May be overridden with -u on the command line.
#
#Default:
icp_port 0

#  TAG: hierarchy_stoplist
#       A list of words which, if found in a URL, cause the object to
#       be handled directly by this cache. In other words, use this
#       to not query neighbor caches for certain objects. You may
#       list this option multiple times.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

#  TAG: no_cache
#       A list of ACL elements which, if matched, cause the request to
#       not be satisfied from the cache and the reply to not be cached.
#       In other words, use this to force certain objects to never be cached.
#
#       You must use the word 'DENY' to indicate the ACL names which should
#       NOT be cached.
#
#We recommend you to use the following two lines.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# -----------------------------------------------------------------------------

#  TAG: cache_dir
#       Usage:
#
#       cache_dir Type Directory-Name Fs-specific-data [options]
#
#       cache_dir diskd Maxobjsize Directory-Name MB L1 L2 Q1 Q2
#
#       You can specify multiple cache_dir lines to spread the
#       cache among different disk partitions.
#
#       Type specifies the kind of storage system to use. Only "ufs"
#       is built by default. To enable any of the other storage systems
#       see the --enable-storeio configure option.
#
#       'Directory' is a top-level directory where cache swap
#       files will be stored. If you want to use an entire disk
#       for caching, then this can be the mount-point directory.
#       The directory must exist and be writable by the Squid
#       process. Squid will NOT create this directory for you.
#
#       The ufs store type:
#
#       "ufs" is the old well-known Squid storage format that has always
#       been there.
#
#       cache_dir ufs Directory-Name Mbytes L1 L2 [options]
#
#       'Mbytes' is the amount of disk space (MB) to use under this
#       directory. The default is 100 MB. Change this to suit your
#       configuration. Do NOT put the size of your disk drive here.
#       Instead, if you want Squid to use the entire disk drive,
#       subtract 20% and use that value.
#
#       'Level-1' is the number of first-level subdirectories which
#       will be created under the 'Directory'. The default is 16.


#

# 'Level-2' is the number of second-level subdirectories which

# will be created under each first-level directory. The default

# is 256.

#

# The aufs store type:

#

# "aufs" uses the same storage format as "ufs", utilizing

# POSIX-threads to avoid blocking the main Squid process on

# disk-I/O. This was formerly known in Squid as async-io.

#

# cache_dir aufs Directory-Name Mbytes L1 L2 [options]

#

# see argument descriptions under ufs above

#

# The diskd store type:

#

# "diskd" uses the same storage format as "ufs", utilizing a

# separate process to avoid blocking the main Squid process on

# disk-I/O.

#

# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]

#

# see argument descriptions under ufs above

#

# Q1 specifies the number of unacknowledged I/O requests when Squid

# stops opening new files. If this many messages are in the queues,

# Squid won't open new files. Default is 64

#

# Q2 specifies the number of unacknowledged messages when Squid

# starts blocking. If this many messages are in the queues,

# Squid blocks until it recevies some replies. Default is 72

#

# Common options:

#

# read-only, this cache_dir is read only.

#

# max-size=n, refers to the max object size this storedir supports.

# It is used to initially choose the storedir to dump the object.

# Note: To make optimal use of the max-size limits you should order

# the cache_dir lines with the smallest max-size value first and the

# ones with no max-size specification last.

#

#Default:

cache_dir ufs /var/spool/squid 300 16 256

# TAG: cache_access_log
# Logs the client request activity. Contains an entry for
# every HTTP and ICP query received. To disable, enter "none".
#
#Default:
cache_access_log /var/log/squid/access.log

# TAG: cache_log
# Cache logging file. This is where general information about
# your cache's behavior goes. You can increase the amount of data
# logged to this file with the "debug_options" tag below.
#
#Default:
cache_log /var/log/squid/cache.log

# TAG: cache_store_log
# Logs the activities of the storage manager. Shows which
# objects are ejected from the cache, and which objects are
# saved and for how long. To disable, enter "none". There are
# not really utilities to analyze this data, so you can safely
# disable it.
#
#Default:
cache_store_log /var/log/squid/store.log

# TAG: mime_table
# Pathname to Squid's MIME table. You shouldn't need to change
# this, but the default file contains examples and formatting
# information if you do.
#
#Default:
mime_table /etc/squid/mime.conf

# TAG: pid_filename
# A filename to write the process-id to. To disable, enter "none".
#
#Default:
pid_filename /var/run/squid.pid

# TAG: pinger_program
# Note: This option is only available if Squid is rebuilt with the
# --enable-icmp option
#
# Specify the location of the executable for the pinger process.
#
#Default:
pinger_program /usr/lib/squid/

# TAG: auth_param
# This is used to pass parameters to the various authentication
# schemes.
# format: auth_param scheme parameter [setting]
#
# auth_param basic program /usr/bin/ncsa_auth /usr/etc/passwd
# would tell the basic authentication scheme its program parameter.
#
# The order that authentication prompts are presented to the client_agent
# is dependent on the order the scheme first appears in config file.
# IE has a bug (it's not rfc 2617 compliant) in that it will use the basic
# scheme if basic is the first entry presented, even if more secure schemes
# are presented. For now use the order in the file below. If other browsers
# have difficulties (don't recognise the schemes offered even if you are using
# basic) then either put basic first, or disable the other schemes (by commenting
# out their program entry).
#
# Once an authentication scheme is fully configured, it can only be shut down
# by shutting squid down and restarting. Changes can be made on the fly and
# activated with a reconfigure. I.E. You can change to a different helper,
# but not unconfigure the helper completely.
#
# === Parameters for the basic scheme follow. ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such a
# program reads a line containing "username password" and replies
# "OK" or "ERR" in an endless loop. If you use an authenticator,
# make sure you have 1 acl of type proxy_auth. By default, the
# authenticate_program is not used.
#
# If you want to use the traditional proxy authentication,
# jump over to the ../auth_modules/NCSA directory and
# type:
# % make
# % make install
#
# Then, set this line to something like
#
# auth_param basic program /usr/bin/ncsa_auth /usr/etc/passwd
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of usercode/password verifications, slowing
# it down. When password verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
# auth_param basic children 5
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
# client for the basic proxy authentication scheme (part of
# the text the user will see when prompted for their username and
# password). There is no default.
# auth_param basic realm Squid proxy-caching web server
#
# "credentialsttl" timetolive
# Specifies how long squid assumes an externally validated
# username:password pair is valid for - in other words how
# often the helper program is called for that user. Set this
# low to force revalidation with short lived passwords. Note
# that setting this high does not impact your susceptibility
# to replay attacks unless you are using a one-time password
# system (such as SecureID). If you are using such a system,
# you will be vulnerable to replay attacks unless you also
# use the max_user_ip ACL in an http_access rule.

#
# === Parameters for the digest scheme follow ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such
# a program reads a line containing "username":"realm" and
# replies with the appropriate H(A1) value base64 encoded.
# See rfc 2616 for the definition of H(A1). If you use an
# authenticator, make sure you have 1 acl of type proxy_auth.
# By default, authentication is not used.
#
# If you want to build an authenticator,
# jump over to the ../digest_auth_modules directory and choose the
# authenticator to use. In its directory type
# % make
# % make install
#
# Then, set this line to something like
#
# auth_param digest program /usr/bin/digest_auth_pw /usr/etc/digpass
#
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of H(A1) calculations, slowing it down.
# When the H(A1) calculations are done via a (slow) network
# you are likely to need lots of authenticator processes.
# auth_param digest children 5
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
# client for the digest proxy authentication scheme (part of
# the text the user will see when prompted for their username and
# password). There is no default.
# auth_param digest realm Squid proxy-caching web server
#
# "nonce_garbage_interval" timeinterval
# Specifies the interval at which nonces that have been issued
# to client_agents are checked for validity.
#
# "nonce_max_duration" timeinterval
# Specifies the maximum length of time a given nonce will be
# valid for.
#
# "nonce_max_count" number
# Specifies the maximum number of times a given nonce can be
# used.
#
# "nonce_strictness" on|off
# Determines if squid requires increment-by-1 behaviour for
# nonce counts (on - the default), or strictly incrementing
# (off - for use when user agents generate nonce counts that
# occasionally miss 1 (ie, 1,2,4,6)).
#
# === NTLM scheme options follow ===
#
# "program" cmdline
# Specify the command for the external ntlm authenticator.
# Such a program reads a line containing the uuencoded NEGOTIATE
# and replies with the ntlm CHALLENGE, then waits for the
# response and answers with "OK" or "ERR" in an endless loop.
# If you use an ntlm authenticator, make sure you have 1 acl
# of type proxy_auth. By default, the ntlm authenticator_program
# is not used.
#
# auth_param ntlm program /usr/bin/ntlm_auth
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of credential verifications, slowing it
# down. When credential verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
# auth_param ntlm children 5
#
# "max_challenge_reuses" number
# The maximum number of times a challenge given by an ntlm
# authentication helper can be reused. Increasing this number
# increases your exposure to replay attacks on your network.
# 0 means use the challenge only once. (disable challenge
# caching) See max_ntlm_challenge_lifetime for more information.
# auth_param ntlm max_challenge_reuses 0
#
# "max_challenge_lifetime" timespan
# The maximum time period that an ntlm challenge is reused
# over. The actual period will be the minimum of this time
# AND the number of reused challenges.
# auth_param ntlm max_challenge_lifetime 2 minutes
#
#Recommended minimum configuration:
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/mysql_auth
auth_param basic children 5
auth_param basic realm Please cancel if not authenticated
auth_param basic credentialsttl 2 minutes
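The digest-scheme parameters described above have two moving parts: the helper's reply to a "username":"realm" line, which is H(A1), and the nonce bookkeeping behind nonce_max_count, nonce_max_duration, nonce_strictness and nonce_garbage_interval. The following Python is an added example, not Squid's code and not this project's; the credential table is constructed, the helper replies with H(A1) as a hex digest (the encoding is this example's assumption, since the comment above says base64), and the NonceTracker class is a model of the checks, not Squid's implementation.

```python
"""Digest scheme pieces: the helper's H(A1) reply and nonce-count checks."""
import hashlib
import re

# Constructed credential store standing in for the helper's password file.
PASSWORDS = {("alice", "Squid proxy-caching web server"): "correct horse"}


def h_a1(username, realm, password):
    """H(A1) = MD5(username ":" realm ":" password), hex encoded."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


_LINE = re.compile(r'^"([^"]*)":"([^"]*)"$')


def digest_helper_reply(line):
    """Answer one '"username":"realm"' helper request; ERR when unknown."""
    m = _LINE.match(line.strip())
    if not m:
        return "ERR"                      # malformed request line
    username, realm = m.group(1), m.group(2)
    password = PASSWORDS.get((username, realm))
    if password is None:
        return "ERR"                      # no such user in this realm
    return h_a1(username, realm, password)


class NonceTracker:
    """Tracks issued nonces and validates each request's nonce count (nc)."""

    def __init__(self, max_count=50, max_duration_s=30 * 60, strict=True):
        self.max_count = max_count            # nonce_max_count
        self.max_duration_s = max_duration_s  # nonce_max_duration
        self.strict = strict                  # nonce_strictness on/off
        self._issued = {}                     # nonce -> (issued_at, last_nc)

    def issue(self, nonce, now):
        """Record a freshly issued nonce; no request has used it yet."""
        self._issued[nonce] = (now, 0)

    def check(self, nonce, nc, now):
        """Return True if (nonce, nc) is acceptable, recording it if so."""
        entry = self._issued.get(nonce)
        if entry is None:
            return False                  # unknown or already collected nonce
        issued_at, last_nc = entry
        if now - issued_at > self.max_duration_s:
            return False                  # nonce_max_duration exceeded
        if nc > self.max_count:
            return False                  # nonce_max_count exceeded
        # on: counts must go 1,2,3,...; off: any strictly increasing count
        acceptable = (nc == last_nc + 1) if self.strict else (nc > last_nc)
        if not acceptable:
            return False                  # replayed or out-of-order count
        self._issued[nonce] = (issued_at, nc)
        return True

    def garbage_collect(self, now):
        """The nonce_garbage_interval pass: drop nonces past their duration."""
        self._issued = {n: e for n, e in self._issued.items()
                        if now - e[0] <= self.max_duration_s}
        return len(self._issued)
```

A replayed request reuses a nonce count the tracker has already seen, so it fails the strictness check whichever mode is configured; the off setting only tolerates gaps, never repeats.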

# TAG: refresh_pattern
# usage: refresh_pattern [-i] regex min percent max [options]
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# 'Min' is the time (in minutes) an object without an explicit
# expiry time should be considered fresh. The recommended
# value is 0, any higher values may cause dynamic applications
# to be erroneously cached unless the application designer
# has taken the appropriate actions.
#
# 'Percent' is a percentage of the object's age (time since last
# modification) during which an object without an explicit expiry
# time will be considered fresh.
#
# 'Max' is an upper limit on how long objects without an explicit
# expiry time will be considered fresh.
#
# options: override-expire
# override-lastmod
# reload-into-ims
# ignore-reload
#
# override-expire enforces min age even if the server
# sent an Expires: header. Doing this VIOLATES the HTTP
# standard. Enabling this feature could make you liable
# for problems which it causes.
#
# override-lastmod enforces min age even on objects
# that were modified recently.
#
# reload-into-ims changes client no-cache or ``reload''
# to If-Modified-Since requests. Doing this VIOLATES the
# HTTP standard. Enabling this feature could make you
# liable for problems which it causes.
#
# ignore-reload ignores a client no-cache or ``reload''
# header. Doing this VIOLATES the HTTP standard. Enabling
# this feature could make you liable for problems which
# it causes.
#
# Basically a cached object is:
#
# FRESH if expires < now, else STALE
# STALE if age > max
# FRESH if lm-factor < percent, else STALE
# FRESH if age < min
# else STALE
#
# The refresh_pattern lines are checked in the order listed here.
# The first entry which matches is used. If none of the entries
# match, then the default will be used.
#
# Note, you must uncomment all the default lines if you want
# to change one. The default setting is only active if none is
# used.
#
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
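The freshness rules above, worked through in Python as an added example (not Squid's code). It parses the suggested default lines, applies first-match-wins with case-sensitive regexes unless -i is given, and decides FRESH or STALE from an object's age, its Last-Modified age and its Expires. An object carrying an explicit Expires is decided by that header first (fresh while the Expires time still lies in the future); the min/percent/max heuristic applies only to objects without one. Two points are this example's assumptions: the min check is evaluated before the lm-factor check, because in the listing above the "else STALE" of the lm-factor line would otherwise leave it unreachable, and the built-in default used when no line matches is taken to be the values of the "." line.

```python
"""Freshness decision for refresh_pattern lines."""
import re

# Constructed copy of the suggested default lines above.
REFRESH_CONF = """
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
"""

# Assumed built-in fallback when no line matches (same values as ".").
DEFAULT_PATTERN = (0, 20, 4320)


def parse_refresh_patterns(text):
    """Return [(compiled_regex, min_minutes, percent, max_minutes, options)]."""
    patterns = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0] != "refresh_pattern":
            continue
        words = words[1:]
        flags = 0
        if words[0] == "-i":                      # case-insensitive regex
            flags, words = re.IGNORECASE, words[1:]
        regex, min_m = words[0], int(words[1])
        pct, max_m = int(words[2].rstrip("%")), int(words[3])
        patterns.append((re.compile(regex, flags), min_m, pct, max_m, words[4:]))
    return patterns


def _heuristic(min_m, pct, max_m, age_min, lm_age_min):
    """The min/percent/max rules for an object without an explicit expiry."""
    if age_min > max_m:
        return "STALE"                            # STALE if age > max
    if age_min < min_m:
        return "FRESH"                            # FRESH if age < min
    if lm_age_min is not None and lm_age_min > 0:
        lm_factor = 100.0 * age_min / lm_age_min  # percent of its prior age
        if lm_factor < pct:
            return "FRESH"                        # FRESH if lm-factor < percent
    return "STALE"                                # else STALE


def freshness(patterns, url, age_min, lm_age_min=None, expires_in_min=None):
    """Decide FRESH or STALE for one cached object.

    age_min        minutes since the object was stored in the cache
    lm_age_min     minutes between Last-Modified and the time it was stored
                   (None when the origin sent no Last-Modified)
    expires_in_min minutes until Expires, negative if already passed,
                   None when the origin sent no Expires
    """
    if expires_in_min is not None:
        return "FRESH" if expires_in_min > 0 else "STALE"
    for regex, min_m, pct, max_m, _options in patterns:
        if regex.search(url):                     # first matching line wins
            return _heuristic(min_m, pct, max_m, age_min, lm_age_min)
    return _heuristic(*DEFAULT_PATTERN, age_min, lm_age_min)


PATTERNS = parse_refresh_patterns(REFRESH_CONF)
```

Because the regexes are case-sensitive, an FTP URL written with an upper-case scheme falls through ^ftp: to the "." line and loses the 1440-minute minimum; that is the kind of surprise the -i option exists for.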

# ACCESS CONTROLS
# -----------------------------------------------------------------------------

# TAG: acl
# Defining an Access List
#
# acl aclname acltype string1 ...
# acl aclname acltype "file" ...
#
# when using "file", the file should contain one item per line
#
# acltype is one of the types described below
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
# acl aclname src ip-address/netmask ... (client's IP address)
# acl aclname src addr1-addr2/netmask ... (range of addresses)
# acl aclname dst ip-address/netmask ... (URL host's IP address)
# acl aclname myip ip-address/netmask ... (local socket IP address)
#
# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
# acl aclname dstdomain .foo.com ... # Destination server from URL
# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
# acl aclname dstdom_regex [-i] xxx ... # regex matching server
# # For dstdomain and dstdom_regex a reverse lookup is tried if an IP
# # based URL is used. The name "none" is used if the reverse lookup
# # fails.
#
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2
# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
# acl aclname port 80 70 21 ...
# acl aclname port 0-1024 ... # ranges allowed
# acl aclname myport 3128 ... # (local socket TCP port)
# acl aclname proto HTTP FTP ...
# acl aclname method GET POST ...
# acl aclname browser [-i] regexp ...
# # pattern match on User-Agent header
# acl aclname referer_regex [-i] regexp ...
# # pattern match on Referer header
# # Referer is highly unreliable, so use with care
# acl aclname ident username ...
# acl aclname ident_regex [-i] pattern ...
# # string match on ident output.
# # use REQUIRED to accept any non-null ident.
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache.mydomain.net deny all
#
# acl aclname proxy_auth username ...
# acl aclname proxy_auth_regex [-i] pattern ...
# # list of valid usernames
# # use REQUIRED to accept any valid username.
# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
# #
# # NOTE: proxy_auth requires an EXTERNAL authentication program
# # to check username/password combinations (see
# # authenticate_program).
# #
# # WARNING: proxy_auth can't be used in a transparent proxy. It
# # collides with any authentication done by origin servers. It may
# # seem like it works at first, but it doesn't.
#
# acl aclname snmp_community string ...
# # A community string to limit access to your SNMP Agent
# # Example:
# #
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
# # more than <number> HTTP connections established.
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
# # parameter controls the timeout on the ip entries.
# # If -s is specified then the limit is strict, denying browsing
# # from any further IP addresses until the ttl has expired. Without
# # -s Squid will just annoy the user by "randomly" denying requests.
# # (the counter is then reset each time the limit is reached and a
# # request is denied)
# # NOTE: in acceleration mode or where there is a mesh of child proxies,
# # clients may appear to come from multiple addresses if they are
# # going through proxy farms, so a limit of 1 may cause user problems.
#
# acl aclname req_mime_type mime-type1 ...
# # regex match against the mime type of the request generated
# # by the client. Can be used to detect file upload or some
# # types of HTTP tunnelling requests.
# # NOTE: This does NOT match the reply. You cannot use this
# # to match the returned file type.
#
# acl aclname rep_mime_type mime-type1 ...
# # regex match against the mime type of the reply received by
# # squid. Can be used to detect file download or some
# # types of HTTP tunnelling requests.
# # NOTE: This has no effect in http_access rules. It only has
# # effect in rules that affect the reply data stream such as
# # http_reply_access.
#
# acl acl_name external class_name [arguments...]
# # external ACL lookup via a helper class defined by the
# # external_acl_type directive.
#
#Examples:
#acl myexample dst_as 1241
acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl tomcat dst 192.168.15.10
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, then the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have a "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow tomcat
http_access allow password
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend uncommenting the following to protect innocent
# web applications running on the proxy server which think that the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
# And finally deny all other access to this proxy
http_access allow localhost
http_access deny all
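Because http_access is first-match-wins, the order of the lines above decides what each client can do, and reading the outcome off the list by eye is error-prone. The following Python evaluator is an added example (not Squid's code and not this project's): it parses the acl and http_access lines in effect above, models the acl types they use (src, dst, port, proto, method, proxy_auth) and applies the "no match means the opposite of the last line" default. The request dictionaries are constructed, and treating a proxy_auth term as a plain non-match for an unauthenticated client (real Squid sends a 407 challenge at that point) is this example's simplification. Run against the rules above it shows that "allow password" sits before "deny !Safe_ports" and "deny CONNECT !SSL_ports", so those two protections only apply to clients who have not authenticated; an authenticated user's CONNECT to a non-SSL port is allowed.

```python
"""Evaluate http_access rules against sample requests."""
import ipaddress

# Constructed copy of the acl and http_access lines in effect above.
SQUID_CONF = """
acl password proxy_auth REQUIRED
acl tomcat dst 192.168.15.10
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 488 591 777 # http-mgmt, gss-http, filemaker, multiling http
acl CONNECT method CONNECT
http_access allow tomcat
http_access allow password
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""


def parse_config(text):
    """Collect acl definitions (lines sharing a name are additive, as in
    Squid) and the http_access lines in their original order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, acltype, values = words[1], words[2], words[3:]
            entry = acls.setdefault(name, {"type": acltype, "values": []})
            if entry["type"] != acltype:
                raise ValueError(f"acl {name} redefined with type {acltype}")
            entry["values"].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def _port_in(values, port):
    for v in values:
        lo, _, hi = v.partition("-")          # "1025-65535" or a single port
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def acl_matches(acl, req):
    kind, values = acl["type"], acl["values"]
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req[kind])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        return _port_in(values, req["port"])
    if kind == "proto":
        return req["proto"].lower() in {v.lower() for v in values}
    if kind == "method":
        return req["method"].upper() in {v.upper() for v in values}
    if kind == "proxy_auth":
        # Simplification: an unauthenticated client is a non-match here,
        # where real Squid would answer with a 407 challenge.
        user = req.get("user")
        return user is not None and ("REQUIRED" in values or user in values)
    raise ValueError(f"acl type {kind} not modelled")


def http_access(acls, rules, req):
    """Return (decision, reason): the first line whose terms all match wins;
    otherwise the decision is the opposite of the last line's action."""
    for action, terms in rules:
        matched = True
        for term in terms:
            negate = term.startswith("!")
            if acl_matches(acls[term.lstrip("!")], req) == negate:
                matched = False
                break
        if matched:
            return action, f"http_access {action} {' '.join(terms)}"
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), f"no match; opposite of last line ({last})"


def request(src, dst, port, method="GET", proto="http", user=None):
    """Constructed request: client IP, destination IP, port, method, scheme,
    and the authenticated username (None before authentication)."""
    return {"src": src, "dst": dst, "port": port, "method": method,
            "proto": proto, "user": user}


ACLS, RULES = parse_config(SQUID_CONF)


def decide(req):
    return http_access(ACLS, RULES, req)[0]
```

The reason string returned alongside the decision names the line that fired, which is what you want when checking a rule set: moving "deny !Safe_ports" and "deny CONNECT !SSL_ports" above "allow password" would make the port restrictions apply to everyone.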

# TAG: http_reply_access
# Allow replies to client requests. This is complementary to http_access.
#
# http_reply_access allow|deny [!] aclname ...
#
# NOTE: if there are no access lines present, the default is to allow
# all replies
#
# If none of the access lines cause a match, then the opposite of the
# last line will apply. Thus it is good practice to end the rules
# with an "allow all" or "deny all" entry.
#
#Default:
# http_reply_access allow all
#
#Recommended minimum configuration:
#
# Insert your own rules here.
#
#
# and finally allow by default
http_reply_access allow all

# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access allow|deny [!]aclname ...
#
# See http_access for details
#
#Default:
# icp_access deny all
#
#Allow ICP queries from everyone
icp_access allow all

# TAG: deny_info
# Usage: deny_info err_page_name acl
# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
#
# This can be used to return an ERR_ page for requests which
# do not pass the 'http_access' rules. A single ACL will cause
# the http_access check to fail. If a 'deny_info' line exists
# for that ACL then Squid returns a corresponding error page.
#
# You may use ERR_ pages that come with Squid or create your own pages
# and put them into the configured errors/ directory.
#
# Alternatively you can tell Squid to reset the TCP connection
# by specifying TCP_RESET.
#
#Default:
# none
deny_info index.html password

# TAG: error_directory
# Directory where the error files are read from.
# /usr/lib/squid/errors contains sets of error files
# in different languages. The default error directory
# is /etc/squid/errors, which is a link to one of these
# error sets.
#
# If you wish to create your own versions of the error files,
# either to customize them to suit your language or company,
# copy the template English files to another
# directory and point this tag at them.
#
#error_directory /usr/share/squid/errors
#
#Default:
# error_directory /usr/share/squid/errors
error_directory /usr/custom

# TAG: coredump_dir
# By default Squid leaves core files in the directory from where
# it was started. If you set 'coredump_dir' to a directory
# that exists, Squid will chdir() to that directory at startup
# and coredump files will be left there.
#
coredump_dir /var/spool/squid

2)MYSQL_AUTH.C

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "mysql.h"

/* comment out next line if you use clear text password in MySQL DB */
//#define ENCRYPTED_PASS

/* can use NULL for localhost, current user, or no password */
#define DBHOST "localhost"
#define DBUSER "root"
#define DB "wifi"
#define DBPASSWORD NULL

/* table for the user database for the squid authentication,
column names for auth username and auth password */
#define A_TABLE "customer"
#define A_USERNAME "username"
#define A_PASSWORD "password"
#define BUFSIZE 256

int main(int argc, char *argv[])
{
    char buf[BUFSIZE];
    /* escaped copies can grow to 2*len+1 bytes; the query buffer holds
       both of them plus the fixed SQL text */
    char euser[2 * BUFSIZE + 1], epass[2 * BUFSIZE + 1], qbuf[5 * BUFSIZE];
    char *p;
    MYSQL mysql, *sock;
    MYSQL_RES *res;

    (void) argc;
    (void) argv;

    /* make standard output line buffered so Squid sees each reply at once */
    if (setvbuf(stdout, NULL, _IOLBF, 0) != 0)
        return 1;

    while (1) {
        if (fgets(buf, BUFSIZE, stdin) == NULL)
            break;
        if ((p = strchr(buf, '\n')) != NULL)
            *p = '\0'; /* strip \n */
        if ((p = strchr(buf, ' ')) == NULL) {
            (void) printf("ERR\n");
            continue;
        }
        *p++ = '\0';
        /* buf is username and p is password now */

        /* mysql_init + mysql_real_connect replace the old mysql_connect call */
        mysql_init(&mysql);
        if (!(sock = mysql_real_connect(&mysql, DBHOST, DBUSER, DBPASSWORD,
                                        NULL, 0, NULL, 0))) {
            /* couldn't connect to database server */
            (void) printf("ERR\n");
            mysql_close(&mysql);
            continue;
        }
        if (mysql_select_db(sock, DB)) {
            /* couldn't use the database */
            (void) printf("ERR\n");
            mysql_close(sock);
            continue;
        }
        /* escape both fields so a quote in the input stays data, not SQL */
        mysql_real_escape_string(sock, euser, buf, strlen(buf));
        mysql_real_escape_string(sock, epass, p, strlen(p));
        snprintf(qbuf, sizeof qbuf,
                 "select " A_USERNAME " from " A_TABLE " where "
                 A_USERNAME "='%s' and " A_PASSWORD
#ifdef ENCRYPTED_PASS
                 "=password('%s')", euser, epass);
#else
                 "='%s'", euser, epass);
#endif
        if (mysql_query(sock, qbuf) || !(res = mysql_store_result(sock))) {
            /* query failed */
            (void) printf("ERR\n");
            mysql_close(sock);
            continue;
        }
        /* a matching row means the username/password pair is valid */
        if (mysql_num_rows(res) != 0)
            (void) printf("OK\n");
        else
            (void) printf("ERR\n");
        mysql_free_result(res);
        mysql_close(sock);
    }
    return 0;
}
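The same "username password" to OK/ERR loop that mysql_auth.c implements above, written in Python as an added example (not the project's code). sqlite3 stands in for the MySQL wifi database here, the customer rows are constructed, and the lookup is a parameterized query, so a quote character in a username or password is treated as data rather than as part of the SQL statement; the C helper above achieves the same with mysql_real_escape_string.

```python
"""Squid basic-scheme helper: read 'username password', reply OK or ERR."""
import sqlite3
import sys


def open_customer_db():
    """Constructed in-memory stand-in for the customer table in the wifi DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table customer (username text, password text)")
    conn.executemany("insert into customer values (?, ?)",
                     [("alice", "wifi-pass-1"), ("o'brien", "p@ss word")])
    return conn


def check_credentials(conn, username, password):
    """True when a row exists for exactly this username/password pair.
    The placeholders keep user input out of the SQL text."""
    row = conn.execute(
        "select username from customer where username = ? and password = ?",
        (username, password)).fetchone()
    return row is not None


def helper_reply(conn, line):
    """Turn one helper request line into the reply Squid expects."""
    line = line.rstrip("\n")
    if " " not in line:
        return "ERR"                 # malformed request, as in the C helper
    # split at the first space only: the password may itself contain spaces
    username, password = line.split(" ", 1)
    return "OK" if check_credentials(conn, username, password) else "ERR"


def serve(conn, lines):
    """Process a sequence of request lines and return the replies in order."""
    return [helper_reply(conn, ln) for ln in lines]


if __name__ == "__main__":
    # Squid writes one request per line and waits for one reply per line,
    # so every reply must be flushed immediately.
    db = open_customer_db()
    for request in sys.stdin:
        print(helper_reply(db, request), flush=True)
```

Reconnecting to the database on every request, as the C helper does, is unnecessary in this form: one connection is opened when the helper starts and reused for the life of the process.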

WPAD CONFIGURATION

1)HOSTS FILE
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.15.10 wpad.hrrm.gec wpad

2)DHCPD.CONF
option wpad-url code 252 = text;
option wpad-url "http://wpad.hrrm.gec/wpad.dat\n";

3)DNS FORWARD ZONE FILE – HRRM.GEC
$ORIGIN hrrm.gec.
wpad IN A 192.168.15.10
     IN TXT "service: wpad:!http://wpad.hrrm.gec:80/proxy.pac"
wpad.tcp IN SRV 0 0 80 wpad.hrrm.gec.

4)APACHE – HTTPD.CONF
<VirtualHost 192.168.15.10>
    ServerName wpad.hrrm.gec
    ServerAlias 192.168.15.10
    AddType application/x-ns-proxy-autoconfig .dat
</VirtualHost>

5)PROXY.PAC OR WPAD.DAT
function FindProxyForURL(url, host)
{
    return "PROXY 192.168.15.10:3128; DIRECT";
}

CALAMARIS

REPORT.SH
#!/bin/sh
# This script will remove the current Squid HTML report, and will replace
# it with a fresh one. The report will include all available squid access
# log files.. Roughly 7 days worth. The report will then be dumped into
# /var/tomcat4/webapps/dlink/ to be viewed via a web browser.

# Remove the current report!
cd /var/tomcat4/webapps/dlink/
rm -f squidreport.html
echo > squidreport.html
cd /

# Create the new report and place it into the /var/tomcat4/webapps/dlink/ dir..
cd /var/log/squid/
/usr/calamaris-2.59/calamaris -a -F html < access.log > /var/tomcat4/webapps/dlink/squidreport.html

BOOTUP SCRIPT

START.SH
#!/bin/sh
service dhcpd start
service named start
service httpd start
service tomcat4 start
service squid start
service mysqld start
service iptables stop

