captive portal 2 - ideas and considerations

[ra-at-diladele-com]

What I do not like about how Captive Portal is used now with Azure AD/Entra:

• the proxy is open to everyone who can provide credentials; it means those who cannot provide creds will still be trying to connect potentially flooding the proxy with junk requests
• in order for the user to login I had to open connections to the portal as the user needs to see the portal pages to start authentication - and as the portal lives in the same app as admin ui - anyone now has access to admin ui - very bad and inconvenient
• when going to the portal the browser on the client MUST not use the proxy as then the proxy will need to connect to itself getting into a connection loop

So I do NOT recommend to use the Captive Portal facing general public. This seems to be just not a good mix for now.
I will try to make it work in the next version using;

• letting portal work on another port and be separate from the admin ui ; then access to admin ui can be protected from the open world by the firewall
• automatically letting connections to that port to be skipped from the proxy authentication/filtering (not yet sure how)

It seems the portal does not belong into the proxy package as it must be a third party - maybe it is possible to make it just azure specific and deployed separately. I will need to think.