How to create a fast locked down WEB KIOSK
Posted: Thu Jun 25, 2015 9:35 pm
How to create a WEB KIOSK using a linuxbbq Live Distribution
FYI: this requires a bit of Linux familiarity and is quite a bit more in-depth than my previous tutorial on creating a simple movie/video client.
This project was originally started to quickly and easily create an ISO image for some online catalog at a public library.
In order of priority, the goals were:
1) Quick install
2) Able to lock down to a website plus a handful of additional links using whitelists
3) Able to restart the web browser if it somehow gets shut down
4) Hotkeys to perform some specialized tasks
5) Quick load time
6) Remote management via ssh
7) A final image smaller than most (I got mine to about 310 meg on final implementation)
8) An image that's very flexible (in my opinion easier than the Porteus web kiosk)
On that last note, I have also used this procedure for a staff room timeclock web client.
At any point during the following instructions you can opt out of any of the lockdowns and/or customize it to your own liking. There are also a few alternative applications you can install instead of what is listed, but what I have below are usually the smallest in download size, making the resulting image probably the smallest you can make it with the features I needed. The firewall (iptables) is also tiny; many don't like working with it since it is a bit cumbersome, but I just needed it for the particular purpose of piping every web request through the proxy, which kept the size down.
Key:
$ means run the following command as the normal user; # means run it as root.
I) QUICK OVERVIEW: creating a web kiosk ISO image
These instructions were originally geared for Academy, which uses the wmii window manager. You can very easily adapt them to other distributions.
[Hint] Alt-Enter is the hotkey shortcut for an x-terminal in LinuxBBQ Academy.
Keep in mind that at any time during your endeavor into bbq you can use the following commands to see the toys included in the base install. It's not necessary to run either of them, but they give you an idea of all the tools built into bbq:
$bbq
$bbqpkg
Now is a good time to set up a password for the default user:
$passwd
Let's also set up a new password for root:
$sudo -s
#passwd
$exit
First, let's make sure we can read the terminal:
$dkeger
Choose a color theme, or press ENTER for the default high-contrast theme (alternatively, colorbar and yellowbeak are not too bad to read).
Now let's set up the timezone:
$sudo dpkg-reconfigure tzdata
If for any reason your time or date is wrong, use:
$sudo date --set YYYY-MM-DD
$sudo date --set HH:MM:SS
Now get your network up and running:
$sudo ceni
Make your manual changes to /etc/apt/sources.list.d/debian.list if you want a faster update. In my case I changed the "cn" in the list to "us" by editing the file with the following command:
$sudo nano /etc/apt/sources.list.d/debian.list
then run the Debian update:
$sudo apt-get update
Optionally install apt-spy to keep your package repository list up to date:
$sudo apt-get install apt-spy
$apt-spy update
What's needed from the repositories:
You can find any package you like using the search keyword:
$search browser
and, using the pipe | symbol and grep, limit the result:
$search browser | grep simple
I'm installing qupzilla because, for my purpose, it has most of the features I need, including proxy configuration and changing the browser identification (user agent), which a particular website I use needs.
$sudo apt-get install qupzilla
or simply:
$ins qupzilla
With tinyproxy alone you can set up a whitelist and only allow certain websites through, but by adding iptables you can force the user to only use the proxy port and prevent all other activity if a user tries to modify the browser config.
$sudo apt-get install iptables tinyproxy
I needed a hotkey application, so I decided on triggerhappy since it's tiny to install compared to something like xbindkeys in this distribution:
$sudo apt-get install triggerhappy
For a secure remote connection:
$sudo apt-get install openssh-server
Optionally, if you create scripts in Windows, you may need dos2unix to fix problems when you run Windows-created scripts in Linux:
$sudo apt-get install dos2unix
Depending on your policy you might want to capture screenshots of the pc remotely, to diagnose problems and/or keep users honest. The following installs a smaller VNC server which doesn't allow live session viewing, meaning it will only hook up to another display, but you can grab a screen capture of the kiosk display by running scrot after switching displays, then switch back to the VNC display and view the capture with feh, the image viewer:
$sudo apt-get install tightvncserver feh scrot
To set up hotkeys, add your hotkey lines to any file ending in .conf in the /etc/triggerhappy/triggers.d/ folder. For example, I want the keypad asterisk key to quickly shut down qupzilla, so I called my conf file keys.conf, like so:
$sudo nano /etc/triggerhappy/triggers.d/keys.conf
and add the following:
KEY_KPASTERISK 1 /home/user/keyasterisk
Create the script you want called on the hotkey event. I put it in the user's home dir for now, but you can change that later.
$sudo nano /home/user/keyasterisk
and add the following:
#!/bin/bash
# This will quickly close the browser, faster than sending Ctrl-Q.
# It's not pretty, so close your eyes.
killall qupzilla
# Purge session data so the browser opens cleanly again
rm -f /home/user/.config/qupzilla/profiles/default/session.*
Create a script to start the triggerhappy daemon. The daemon keeps checking every input event that fires; any event that matches the code in a .conf file will run the associated script.
$sudo nano /home/user/thd-start
and add the following:
#!/bin/bash
/usr/sbin/thd --daemon --triggers /etc/triggerhappy/triggers.d/ /dev/input/event*
Now make it executable, along with the hotkey script it calls (thd can only run that script if it is executable too):
$chmod +x /home/user/thd-start /home/user/keyasterisk
Run a test now to make sure the hotkey daemon is working properly:
$/home/user/thd-start
If your custom hotkey functions as expected then continue otherwise you'll have to deviate from this tutorial to figure it out.
Edit /etc/rc.local and add the following before exit:
killall thd
/home/user/thd-start
Let's modify .xinitrc to loop and restart qupzilla on exit.
Edit /home/user/.xinitrc and after exec x-window-manager & add:
# The custom script below loops until the internet is up (it needs root to restart networking)
sudo /usr/bin/check4net
# The custom script below makes a password required for sudo access; run it with sudo while sudo is still passwordless
sudo /usr/bin/sudolocker
while true; do
    /usr/bin/qupzilla www.nytimes.com
    # Optional: the custom script below waits for a net connection before the browser restarts
    /usr/bin/check4net
done
I am testing the home page with the New York Times newspaper for the moment. Later on you will see why (hint: how to check for more relative links).
$sudo nano /usr/bin/sudolocker
and add the following:
#!/bin/bash
# Empty the live user's sudoers drop-in so sudo asks for a password again
> /etc/sudoers.d/live
$sudo nano /usr/bin/sudounlocker
and add the following:
#!/bin/bash
# Restore passwordless sudo for the live user; sudoers drop-ins must be mode 0440
echo "user ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/live
chmod 0440 /etc/sudoers.d/live
Now make them executable, assuming you have no other file ending in locker in /usr/bin/:
$sudo chmod +x /usr/bin/*locker
$sudo nano /usr/bin/check4net
and add the following (gethostip comes from the syslinux-utils package):
#!/bin/bash
# Keep restarting networking until www.google.com resolves
hostip=""
COUNTER=0
while [ -z "$hostip" ]; do
    COUNTER=$((COUNTER + 1))
    service networking restart
    hostip="$(timeout 3s gethostip -d www.google.com)"
    echo "Counter=$COUNTER : Host (www.google.com)=$hostip"
done
Make it executable:
$sudo chmod +x /usr/bin/check4net
Now it's time to optionally set up tinyproxy if you want to use whitelists.
Edit /etc/tinyproxy.conf as root:
$sudo nano /etc/tinyproxy.conf
and add the following few lines to the end of the file:
FilterExtended On
FilterURLs On
FilterDefaultDeny Yes
Filter "/etc/filter"
User proxy
Important: go back in that same file and comment out the "User nobody" line by placing a hash in front of it. The User proxy line above replaces it, and the proxy user is what the iptables rules later match on.
Add your home page as a test site to the /etc/filter file as root:
$sudo nano /etc/filter
and add the following:
www.nytimes.com
In QupZilla, open Edit/Preferences/Browsing, Proxy Configuration tab, choose Manual Configuration and set HTTP to localhost, Port 8888.
Now if you go to any other website but your home page it should block you. :)
Now when you run it you might be wondering, "Hey, where is the full page?" Simple: some pages require other pages to load correctly. But then your next question will be how you can find out what those URLs are. Well, the good news is that I did my research on this project and put together a script called curlparse.
First install curl:
$sudo apt-get install curl
Then install ack to get the nice color passthrough:
$sudo apt-get install ack
Next create the script file:
$sudo nano /usr/bin/curlparse
Add the following lines:
#!/bin/bash
# Fetch the page and list every http:// URL it references, highlighting the
# requested domain in blue and image files in magenta
curl -sL "$1" | grep -oP '(?<=http://)(.*?)(?=")' \
  | ack --flush --passthru --color --color-match=on_blue "$1" \
  | ack --flush --passthru --color --color-match=on_magenta '\.(jpg|png|svg)'
Make it executable and run it like so:
$sudo chmod +x /usr/bin/curlparse
$curlparse nytimes.com
Notice that the majority use the nytimes.com domain (highlighted), but there is a good number of nyt.com domains that need to get through to display images. That is the magic for this sample. You will have to do your own research as far as what sites need to get through the whitelist for a page to work.
$sudo nano /etc/filter
Add nyt.com and exit. Keep in mind that with FilterURLs On each line is matched as a regex against the whole request URL, so a bare nyt.com also matches any URL that merely contains that text in its path or query; anchor the pattern (and escape the dot) if you want the whitelist to be strict.
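The whitelist discovery above, as an added example that is not the post's curlparse script: a small shell library that counts every host a page references (so you can see which domains, like nyt.com, the home page actually pulls from), turns a chosen host into an anchored /etc/filter line, and checks which URLs that line would pass. It assumes tinyproxy applies each filter line as an unanchored POSIX extended regex to the request URL (FilterURLs On, FilterExtended On) and that HTTPS CONNECT requests are matched as host:port, which is why the scheme is optional in the generated rule; the sample HTML is constructed.

```shell
#!/bin/sh
# Whitelist discovery and filter-rule generation for tinyproxy (added example).
# Assumptions: tinyproxy matches each /etc/filter line as an unanchored POSIX
# extended regex against the request URL; CONNECT requests are seen as host:port.

# hosts_from_html: HTML on stdin -> "count host" lines, most referenced first.
hosts_from_html() {
    grep -oE "https?://[^/\"' <>?#]+" \
        | sed -E 's#^https?://##; s#^[^@]*@##; s#:[0-9]+$##' \
        | tr 'A-Z' 'a-z' \
        | LC_ALL=C sort | uniq -c | LC_ALL=C sort -b -k1,1nr -k2,2 \
        | awk '{print $1, $2}'
}

# curlparse_hosts URL: the same report for a live page (needs curl and network).
curlparse_hosts() {
    curl -sL "$1" | hosts_from_html
}

# filter_rule_for_host HOST: one /etc/filter line that matches HOST and its
# subdomains only as the URL's host, never as a substring of a path or query.
filter_rule_for_host() {
    esc_host=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '^(https?://)?([^/?#]*\\.)?%s(:[0-9]+)?(/|$)\n' "$esc_host"
}

# url_allowed URL HOST...: succeeds if URL would pass a filter built from HOSTs.
url_allowed() {
    candidate_url=$1; shift
    for allowed_host in "$@"; do
        printf '%s\n' "$candidate_url" \
            | grep -Eq "$(filter_rule_for_host "$allowed_host")" && return 0
    done
    return 1
}

# Constructed sample page standing in for the home page's HTML.
SAMPLE_HTML='<html><head>
<link rel="stylesheet" href="http://www.nytimes.com/css/main.css">
<script src="https://static01.nyt.com/js/app.js"></script></head><body>
<img src="http://static01.nyt.com/img/a.png"><img src="http://graphics8.nyt.com/img/b.jpg">
<a href="http://www.nytimes.com/section/world">World</a>
<a href="http://ads.example/track?u=www.nytimes.com">ad</a></body></html>'

sample_hosts() { printf '%s\n' "$SAMPLE_HTML" | hosts_from_html; }

if [ "$#" -gt 0 ]; then
    # Usage: script URL -> host count plus a ready-made filter line for each host
    curlparse_hosts "$1" | while read -r n host; do
        printf '%s\t%s\n' "$n" "$(filter_rule_for_host "$host")"
    done
fi
```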
Now run:
$sudo service tinyproxy restart
Test it out; assuming you added the proxy to your browser, it should block other sites.
You might want to set it up to restart every so often with a crontab, because one forum post mentioned it had a memory leak.
If it's loading/blocking sites correctly, now we can lock it down to only use the proxy.
Create an iplock script to block everything else.
$sudo nano /usr/bin/iplock
Add the following:
#!/bin/bash
### SECTION 1
## First completely clear and reset the iptables. Normally I used iptables -F but that doesn't work all the time
###
echo "Starting IPv4 Fresh..."
# IPv4
##
## set default policies to let everything in
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
##
## start fresh
iptables -Z   # zero counters
iptables -F   # flush (delete) rules
iptables -X   # delete all extra chains
### END SECTION 1
###
### SECTION 2
## Build the INPUT rules, then restrict OUTPUT so only root and the proxy user reach the network directly
###
echo "Allowing previous connections ..."
# Allow previous connections through
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Allowing DHCP & DNS..."
# Allow DHCP requests through
iptables -I INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Allow DNS requests through
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
echo "Allowing icmp,lo,eth0 INPUT..."
# Allow ping requests through
iptables -A INPUT -p icmp -j ACCEPT
# Allow loopback interface through
iptables -A INPUT -i lo -j ACCEPT
# Allow eth0 interface through
iptables -A INPUT -i eth0 -j ACCEPT
echo "Allowing SSH & VNC..."
# Allow SSH through
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Allow VNC through
iptables -A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
echo "Rejecting icmp..."
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
#echo "Allowing hostlist OUTPUT(Only works on connection to inet w/correct ip)..."
#timeout 3s iplocklist
#echo "Passed timeout 3s getting host list from iplocklist. Continuing..."
echo "Allowing only root and proxy full access"
iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner proxy -j ACCEPT
echo "Dropping the rest of port 80..."
# Everything not owned by root or proxy is dropped on port 80 only; other ports (443 included) stay open
iptables -A OUTPUT -p tcp --dport 80 -j DROP
echo "New iptable settings:"
iptables -L
# Confirm IP address is set correctly
ifconfig
echo "Done setting up iptables!"
The code above does a little more than lock down: it displays the result at the end. Two things to be aware of: the iptables -A INPUT -i eth0 -j ACCEPT line accepts every inbound packet on eth0 before the SSH/VNC rules and the final REJECT are ever consulted, so remove it if only SSH and VNC should be reachable; and the OUTPUT side only drops port 80 for non-root, non-proxy users, so HTTPS (443) and anything else still bypass the proxy, and IPv6 is not touched at all.
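As an added example, not the post's iplock script: a stricter OUTPUT ruleset that confines every identity except root and the proxy user to the loopback interface, so a browser whose proxy setting was tampered with cannot reach port 443 or a raw IP either, plus a check that verifies the lockdown took effect. Assumed: tinyproxy runs as the proxy user (User proxy above), and the IPT variable switches between a dry run (IPT="echo iptables") and ip6tables for IPv6, which the original iplock leaves open.

```shell
#!/bin/sh
# Strict OUTPUT lockdown for the kiosk (added example, not the post's iplock).
# The post's iplock only DROPs tcp/80 for ordinary users, so HTTPS, direct-IP
# connections and every other port still bypass tinyproxy. These rules make
# OUTPUT deny-by-default and allow only loopback (where tinyproxy listens),
# replies to accepted connections, and traffic owned by root or the proxy user.
# Assumed: tinyproxy runs as uid "proxy" (User proxy in tinyproxy.conf), and
# IPT can be set to "echo iptables" for a dry run or to ip6tables for IPv6.
IPT=${IPT:-iptables}

kiosk_output_rules() {
    $IPT -F OUTPUT
    $IPT -P OUTPUT DROP
    # Everyone may reach services on loopback, i.e. tinyproxy on 127.0.0.1:8888
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to connections that were already accepted
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # root (ssh, apt, dhclient, check4net) and the proxy (which resolves DNS
    # and fetches whitelisted sites) are the only identities allowed out
    $IPT -A OUTPUT -m owner --uid-owner root -j ACCEPT
    $IPT -A OUTPUT -m owner --uid-owner proxy -j ACCEPT
    # Anything else is a direct connection attempt by the kiosk user: log it
    # (rate limited) so it can be spotted over ssh in syslog, then drop it
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "kiosk-direct: "
    $IPT -A OUTPUT -j DROP
}

# lockdown_effective: read rules on stdin (from `iptables -S OUTPUT` or from a
# dry run) and succeed only if the proxy user is allowed out and the chain
# ends with an unconditional DROP. Use it to verify the lockdown after boot.
lockdown_effective() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -- '--uid-owner proxy -j ACCEPT' || return 1
    printf '%s\n' "$rules" | tail -n 1 | grep -q -- 'OUTPUT -j DROP$'
}

if [ "${1:-}" = "--apply" ]; then
    kiosk_output_rules
    $IPT -S OUTPUT | lockdown_effective && echo "kiosk OUTPUT lockdown active"
fi
```

Run it as root with --apply (and again with IPT=ip6tables) from rc.local in place of iplock's OUTPUT section; the INPUT rules from iplock are unaffected.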
For sanity I wanted a quick way to completely reset the iptables to allow full access once again, and that is why I created ipreset:
$sudo nano /usr/bin/ipreset
Add the following to the file:
#!/bin/bash
# IPv6
##
## set default policies to let everything in
ip6tables --policy INPUT ACCEPT;
ip6tables --policy OUTPUT ACCEPT;
ip6tables --policy FORWARD ACCEPT;
##
## start fresh
ip6tables -Z; # zero counters
ip6tables -F; # flush (delete) rules
ip6tables -X; # delete all extra chains
# IPv4
##
## set default policies to let everything in
iptables --policy INPUT ACCEPT;
iptables --policy OUTPUT ACCEPT;
iptables --policy FORWARD ACCEPT;
##
## start fresh
iptables -Z; # zero counters
iptables -F; # flush (delete) rules
iptables -X; # delete all extra chains
echo "Checking for network..."
#sleep 2s
#service networking restart
check4net
echo "New iptable settings:"
iptables -L
echo "Confirm IP address is set correctly"
ifconfig
You can now play with the iplock file if you want to tweak it, and reset it with ipreset if you run into a problem.
To have it lock up during boot you will have to edit /etc/rc.local:
$sudo nano /etc/rc.local
Add the following under the /home/user/thd-start line we added above to start the triggerhappy hotkey daemon:
sudo -u user tightvncserver :1
/usr/bin/iplock &
exit 0
Notice I added my optional tightvncserver (in this form it is not secure, and you should consider using ssh instead). You can instead use x11vnc (with a command line like x11vnc -usepw -forever &) if you want full remote control of the active display. If you add this, you should set a password for it before you burn the ISO, so I'd do it now. The first time you run tightvncserver it will ask you to set a password; this is the password you use when connecting remotely.
$/usr/bin/tightvncserver
Optional remote screenshot capture:
$sudo nano /usr/bin/sc
Add the following:
#!/bin/bash
if [ "$DISPLAY" = ":0" ]; then
    clear
    echo
    echo "**************************************"
    echo "This must be run from a remote session"
    echo "**************************************"
    echo
else
    mkdir -p /home/user/scrots
    cd /home/user/scrots || exit 1
    # delete old .png
    rm -f *.png
    # capture the kiosk's real display (:0), not the VNC display
    DISPLAY=:0 scrot
    # view the capture back on the local VNC viewer display (:1)
    DISPLAY=:1 feh *.png
fi
Make it executable:
$sudo chmod +x /usr/bin/sc
With the above script you can type sc into a VNC viewer connected to this machine, grab a screenshot, and press a key to return to the terminal command line.
Now let's get ready for the ISO. Add the following to snapshot_exclude.list if you're going to be creating the ISO in a live session:
$sudo nano /usr/lib/bbqsnapshot/snapshot_exclude.list
Add:
- /lib/live/overlay
- /lib/live/image
- /lib/live/rootfs
- /lib/live/mount
- /run/*
This was easier than a technique I tried in this post: http://linuxbbq.org/bbs/viewtopic.php?f ... hot#p41520.
Important note: if you start making larger images you will probably have a problem where the final image is 1/10th the normal size, maybe around 30 meg. I found out that while I was using 8 Gig RAM in a live session, 32-bit versions of the OS only see 4 Gig RAM. Using the command free -m, you can divide that number by 1000 to tell how many Gig of memory you are using. You'll have to use the 64-bit versions, which are newly posted on this forum. YAY!
Ready to burn:
$sudo frenchmaid -y
$sudo bbqsnapshot
Make any optional changes and press Ctrl-X to exit each editor and Q to exit ncdu.
As you go through this snapshot procedure, I found that I personally like to change the timeout value from 00 to 25 to give it 2.5 secs to boot. I also like to change the first label, live, in that boot menu (isolinux.cfg) to something short and more descriptive about the snapshot.
That is it, and now you should have a time-stamped .ISO image in the /home/snapshot folder.
Just to clarify, this was all done in one live session, which I have normally been running with 8 Gig RAM to create the snapshot. If you'd like to then install it to a HDD, when I have time I will leave some information on how to lock down the boot process.