by Nullence 764 days ago
Howdy! Kind of forgot that I put this up. The registration URL can also take an optional pubkey parameter, so you don't have to rely on the server generating the private key for you (docs are a little lacking so I understand the confusion!)

To answer your last question, eBPF XDP, which is what I use, can only do PASS, DROP or REDIRECT. So I stick with the easiest possible outcome and do PASS/DROP, which means your connections will just stop working.

However, you can always set up the detection yourself by adding the captive portal detection pages to your wag MFA list; then the browser should do everything else for you.

Unfortunately, doing interception or acting like a proxy isn't something I'm looking to do with wag (which makes authorisation timeout/logout a bit easier to deal with).

Hope that answers things!

1 comments

The problem I've seen when I've looked at this is signalling to the user that the session has ended. Sure, your eBPF filter stops passing traffic, but the user has to know that they need to visit a page to reauthenticate.

That requires integration with a client, which is a massive pain to integrate.

It sounds like upon expiry, you could redirect all 80/443 traffic to the same node, serving an error page. In my mind, that's better than having to install a client.
Problem then is how you do TLS, i.e. do you give your service a wildcard cert to capture any 443 traffic.

Then how do you do that for things like SSH, or other non-HTTP based protocols?