Cake - billing for small ones.
Practically every modern company uses computers connected to the Internet in its work. Whether this company produces any products, sells them or provides services, the Internet helps people run their business. As any resource, access to the Internet needs accounting.
Accounting can be done as a post factum by analyzing various log files of proxy servers. But it does not allow to control resources in real time. To solve this problem, there are specialized software packages which are usually called billing systems. Let's define what billing is and what functions it can perform.
And so, billing is a software and hardware complex providing access, accounting and restriction of communication services consumption, as well as providing an interface for managing users, services and generating reports on service consumption.
')
This functionality can be implemented by various means. The most popular implementation of billing based on firewall counters. To do this, use scripts that read them, enter the data into the DBMS (usually MySQL), then check if the user has reached the limit, if he has reached, then create and run firewall rules that forbid him to access. DBMS is used only for reasons of convenience of working with data. The disadvantages of such a solution are in linking the user to the ip address, lack of user authorization in the system and linking the system to a specific one. The advantages of such a solution are the simplicity of the implementation and the possibility of modifying the solution for yourself.
Another popular implementation is to install a squid proxy using external_acl and a real-time analyzer that logs data to the database. It works this way: when the user sets his limit, he is removed from the access group that reads external acl. The downside of such a solution is a rather high inertia of the system, as well as not very high stability of the system and accounting for the traffic that passes through the proxy server. The advantages are in the availability of user authorization, the possibility of detailed statistics and cross-platform solutions.
As you can see, the first and second implementations are not without their minuses and advantages. Let's look at the third implementation. Its main idea is to use a VPN to provide access, accounting and limiting the consumption of communication services. For this, the pptpd connection manager is used, pppd is a daemon for working with the ppp protocol and a RADIUS server. How it all works: the client connects to pptpd, it starts pppd and transfers control to it. After that, the client sends it the authentication settings. Pppd daemon receiving them makes a request to the RADIUS server. He received the data forms a response to allow or deny the connection. It then sends it to pppd. If pppd was denied, the connection is broken. If permission was obtained, pppd opens the connection and notifies RADIUS of the start of the session. Depending on the settings of pppd, intermediate sessions of the RADIUS server can be sent to the server during the session. As soon as the user quits and disconnects, pppd sends a notification to the RADIUS server that the session has ended and the amount of resources consumed. As you can see, the solution is quite interesting. But he has his drawbacks and disadvantages. The downside is the rather high complexity of the installation of the solution, as well as the lack of detail of traffic. The advantages are in the presence of an authorization system which is quite difficult to crack, the ability to bind an ip address to a user name, as well as the possibility of specifying session limits and automatic disconnection when reaching, also using standard components, the system scales well and is stable in operation.
There are quite a few systems using this implementation. But our goal is to consider systems for small and medium-sized offices with the number of computers no more than 100-200. Among such systems of interest are FreeNIBS and Cake.
Story about Cake.
In this article we will talk about (so far) the little-known billing Cake ("cake" translated from English). This system is designed to account for and control the traffic consumed to work on the Internet. It can be successfully used both by small Internet service providers and medium-sized companies for internal accounting. Since there is no fundamental difference in what quality you use billing (as a provider or within a company), we will not focus on this.
This project is developed by enthusiasts in their free time and is completely open. Lead the project only two people. Improvement work is ongoing. Billing Cake has already been successfully implemented in several small companies that provide Internet access. As well as in several companies for maintaining internal control over the use of Internet resources by employees. The number of such companies is increasing.
There are several reasons for this:
• Billing is distributed free under the GPL v.2 license.
• Just installed. (Of course, sometimes there are difficulties, however, users' questions are dealt with quite quickly on the project support forum.)
• Billing is built on standard GNU components and, in fact, uses what is already there (or there is the possibility of easy installation) on any system.
• Low entry level. Understanding the principle of billing does not pose any difficulty.
• Ease of use - after installation, all work is done through a web interface.
• Since the project is open, it is always possible to change any part of the system to the individual wishes of the user. (For example, the interface. About this below.)
All this allows in a very short time to establish your "pie" and start accounting.
Using billing to control the company's employees is somewhat different from the work of the provider, and therefore imposes some additional requirements on the system. I will not argue with those who consider restricting users to resources more efficiently than restricting traffic. With the restriction on traffic, the voracious user will be left without access to the Internet in a couple of days and it is likely that the next time it will be much more accurate to spend their quota. Moreover, even this issue is easy to solve.
The presence of billing, taking into account only the amount of traffic does not limit the system administrator in any way and does not prevent the use of various log file analyzers, for example, a proxy server. Thus, providing the opportunity to see what resources the user spent the quota allocated to him. Billing in this case will simply help analyze the costs, indicating the total user traffic.
Of the features of billing:
Use only 253 maximum possible users. This limitation is caused by the fact that Cake does not yet have the proper functionality for working with several subnets, so the maximum of users results from the physical addressing limitations. If you have a larger network, the Cake system will not work for you.
Each user, once having established a VPN connection, receives a unique ip address of the internal space of the VPN server. From whatever address this user is connected to, his ip of the internal network will remain unchanged. This is a very useful feature for those who want to see the details on the traffic, as it allows you to configure squid with any analyzer of its log files. It remains only to bind user logins to the addresses of the VPN network and here is a ready specification of the user's adventures.
The Cake system cannot work with several external subnets, so if you want some users to issue external addresses, and some internal ones, you will be disappointed. The system can work with only one subnet.
How it works.
On the client side, a connection to the VPN network is created. When trying to connect to a pptpd (VPN) server, pppd is run to create a VPN tunnel. To allow authorization, pppd refers to radius, which in turn searches for accounts in the DBMS and generates a response. Based on the received information from radius, pppd, if the packet was allowing, sets various connection parameters (time, traffic) per user. After that, pppd sends radius to the server information about the beginning of the session. The session is terminated if the user (or for other reasons) terminates the VPN connection with the server, and also the session can terminate pppd when the limits are exceeded.
Installation
The system uses the following components for its work (some of them have already been named above):
Computer with * nix system.
FreeRADIUS version 0.9.3 and higher.
Pptpd version 1.1.3 and higher.
PPP version 2.4.2.b3 and higher.
PostgreSQL server version 7.4.x (if you have version 8.x use this Cake.opennet.ru/devel scheme and web interface).
JDK (Sun JDK, Blackdown JDK or BEA Jrockit JDK) version 1.3 and higher.
Servlet / JSP container. Tested on resin 3.0.x and tomcat 4.1.31
PostgreSQL JDBC Driver version 3x is used.
The installation can be easily divided into several stages, each of which is described in sufficient detail on the development site (http://npj.ru/Cake/).
It is necessary to clarify that the installation documentation is described for the gentoo linux system, however, if you know how to use the distribution kit that you chose (it’s true, right?), The information from the indicated links will be enough for you. Otherwise, you will have to spend some time further studying the linux distribution you have installed.
An archive of all configuration files (for Gentoo!) Is available at: Cake.opennet.ru/release/etc/etc.tar.bz2
I installed the system in one day without encountering any obstacles. The only thing I want to draw attention to is such an error when windows clients work, like 737: loopback detected. The error is extremely unpleasant, since when it occurs, this client will not be able to connect for quite a long time. This is corrected as follows: the lines “nologfd” are added to the configuration file options.pptpd, and the lines “silent” and “connect-delay” are commented on the contrary.
Using.
After the system was installed and started working, it was time to put it into operation. To do this, go to the address that you specified resin'u when setting up. As a rule, this is ip / Cake or ip : 8080 / Cake depending on the settings.
By default, login: admin, password: 1234 are displayed. After logging in, you will see the main window, which shows the most frequently requested information. Namely, the status of billing by users (in megabytes and cash equivalent), as well as in a separate table shows the users who are currently connected to your VPN server.
Figure 1. Main window.
By default, billing contains only one administrator user. Users should go to the bookmark to change its password and add ASR users. Here you can enter all the information about the user by specifying his full name, login, password, as well as such information as the tariff plan and the need to block access to the Internet with a negative balance of the user. On the same page, payments are made to the account, thus highlighting the quota for the user.
Figure 2. Managing user accounts.
If you intend to use the Cake system as a billing provider, then you will certainly be interested in the next tab “Tariffs”. On this page, a parameter such as the ratio of money to megabytes or simply the price per megabyte is set.
Figure 3. Tariffs.
By the way, if you use billing inside your company, then a good idea would be to set the price per megabyte for the one on which the provider sells traffic to you.
If for some reason this is not convenient for you, then by setting the price per megabyte equal to one ruble, you actually leave rubles when setting quotas. Thus, making a conditional “payment” on the user's page, you actually specify the number of megabytes, without breaking your head with calculations. It sounds trite, but for some reason many people miss such an obvious convenience.
The next page "Reports" will help you track the intensity of the consumption of Internet traffic. By specifying the time interval of interest, you can display both individual user statistics and the entire system.
Figure 4. Statistics.
The last tab in the administrative panel of billing is settings. The following parameters can be set here:
iddle_timeout - if the user does not show activity for a specified period of time, a shutdown occurs;
ipnetmask - your virtual subnet mask;
ipsubnet is a virtual subnet in the “H.H.H” format;
max_pool_ip - maximum ip address that a client can receive;
max_timeout - maximum session time (in seconds);
max_trafout - maximum traffic per session;
min_pool_ip - the minimum ip address that the client can receive;
taffinterval - the period of updating data on traffic consumption (in seconds).
I’ll make a reservation that if you change the max_traffout parameter (the maximum traffic that a user can consume in one session, after which pppd will shut down and the tunnel will be broken. And then re-initialize the connection) you should be careful not to add an extra bit (zero ) at the end of the number. Unfortunately, after that no one can connect to the VPN server anymore.
Figure 5. Settings.
After you have made all the necessary settings and added to the user database, the billing is ready for use.
The system Cake did not forget about ordinary users. If the user enters his login and password on the billing page, he will be able to see the balance of his account, as well as detailed statistics by day.
Figure 6. Personal user statistics.
Some changes in the interface.
At the project support forum for a long time already there were questions about outgoing traffic. The fact is that in view of the free outgoing traffic from most providers, this variable did not seem so interesting to the developers to show it in statistics. The fun of the situation is that this information is actually in the database, it simply needs to be displayed on the screen.
For this, I changed a couple of files. At npj.akeeper.ru/akeeper/Cakemodified you can find jsp files that I modified. These are stat.all.jsp and report.list.jsp Files are complete, so you only need to copy them and replace the existing ones. Compile them yourself server. Unfortunately, the amount of outgoing traffic is displayed only for on-line users. This is due to some difficulties in modifying the common user table. However, the same complete information on outgoing traffic is easily accessible on the reports page. As for a specific user, and for all in general.
In fact, as far as I know, the developers of Cake were already going to make such changes to their system themselves. So, perhaps, by the time the journal is published, you will not have the need for such changes with your own hands.
Current work and future plans of developers.
The developers of billing, as mentioned above, are not going to stop at what has been accomplished and, as far as possible (read as free time becomes available), they finalize their product. Of the recent changes include:
Changes in the structure of the database for the possibility of working with PostgreSQL versions 8.x
The database schema is in a readable form.
Made some changes to the web-interface of the system. (Now when using the web-interface, only one connection to the database is made, and not several, as before.)
Developed automatic cleaning statistics database.
Now you can work with zero tariffs.
Considering both directions of traffic (above, I described how you can see it now).
The ability to set restrictions on both incoming and outgoing traffic is added.
It is planned to write documentation in the gentoo guide xml format.
Planned distribution based on GNAP. (In a nutshell, this is the distribution system for embedded systems. For more information, see www.gentoo.org/proj/en/base/embedded/gnap-userguide.xml ). This will provide an opportunity to quickly deploy the system on the principle of "sat down and go."
At the moment, the developers are working on the revision of the billing version of the 1.x branch. When all the necessary edits to the current version have been made, work on the second version of the product will begin. All plans have not yet been disclosed, but we already know about the pricing plans for such services, such as, for example, VoIP.
In general, we can say that Cake billing is a flexible system that is easy to install and easy to use.
(c) akeeper Korshunov Alexey.
The first published in the electronic supplement to the journal "System Administrator" called OSA .
Update: Recently I was informed that the project Cake has moved.
Accounting can be done as a post factum by analyzing various log files of proxy servers. But it does not allow to control resources in real time. To solve this problem, there are specialized software packages which are usually called billing systems. Let's define what billing is and what functions it can perform.
And so, billing is a software and hardware complex providing access, accounting and restriction of communication services consumption, as well as providing an interface for managing users, services and generating reports on service consumption.
')
This functionality can be implemented by various means. The most popular implementation of billing based on firewall counters. To do this, use scripts that read them, enter the data into the DBMS (usually MySQL), then check if the user has reached the limit, if he has reached, then create and run firewall rules that forbid him to access. DBMS is used only for reasons of convenience of working with data. The disadvantages of such a solution are in linking the user to the ip address, lack of user authorization in the system and linking the system to a specific one. The advantages of such a solution are the simplicity of the implementation and the possibility of modifying the solution for yourself.
Another popular implementation is to install a squid proxy using external_acl and a real-time analyzer that logs data to the database. It works this way: when the user sets his limit, he is removed from the access group that reads external acl. The downside of such a solution is a rather high inertia of the system, as well as not very high stability of the system and accounting for the traffic that passes through the proxy server. The advantages are in the availability of user authorization, the possibility of detailed statistics and cross-platform solutions.
As you can see, the first and second implementations are not without their minuses and advantages. Let's look at the third implementation. Its main idea is to use a VPN to provide access, accounting and limiting the consumption of communication services. For this, the pptpd connection manager is used, pppd is a daemon for working with the ppp protocol and a RADIUS server. How it all works: the client connects to pptpd, it starts pppd and transfers control to it. After that, the client sends it the authentication settings. Pppd daemon receiving them makes a request to the RADIUS server. He received the data forms a response to allow or deny the connection. It then sends it to pppd. If pppd was denied, the connection is broken. If permission was obtained, pppd opens the connection and notifies RADIUS of the start of the session. Depending on the settings of pppd, intermediate sessions of the RADIUS server can be sent to the server during the session. As soon as the user quits and disconnects, pppd sends a notification to the RADIUS server that the session has ended and the amount of resources consumed. As you can see, the solution is quite interesting. But he has his drawbacks and disadvantages. The downside is the rather high complexity of the installation of the solution, as well as the lack of detail of traffic. The advantages are in the presence of an authorization system which is quite difficult to crack, the ability to bind an ip address to a user name, as well as the possibility of specifying session limits and automatic disconnection when reaching, also using standard components, the system scales well and is stable in operation.
There are quite a few systems using this implementation. But our goal is to consider systems for small and medium-sized offices with the number of computers no more than 100-200. Among such systems of interest are FreeNIBS and Cake.
Story about Cake.
In this article we will talk about (so far) the little-known billing Cake ("cake" translated from English). This system is designed to account for and control the traffic consumed to work on the Internet. It can be successfully used both by small Internet service providers and medium-sized companies for internal accounting. Since there is no fundamental difference in what quality you use billing (as a provider or within a company), we will not focus on this.
This project is developed by enthusiasts in their free time and is completely open. Lead the project only two people. Improvement work is ongoing. Billing Cake has already been successfully implemented in several small companies that provide Internet access. As well as in several companies for maintaining internal control over the use of Internet resources by employees. The number of such companies is increasing.
There are several reasons for this:
• Billing is distributed free under the GPL v.2 license.
• Just installed. (Of course, sometimes there are difficulties, however, users' questions are dealt with quite quickly on the project support forum.)
• Billing is built on standard GNU components and, in fact, uses what is already there (or there is the possibility of easy installation) on any system.
• Low entry level. Understanding the principle of billing does not pose any difficulty.
• Ease of use - after installation, all work is done through a web interface.
• Since the project is open, it is always possible to change any part of the system to the individual wishes of the user. (For example, the interface. About this below.)
All this allows in a very short time to establish your "pie" and start accounting.
Using billing to control the company's employees is somewhat different from the work of the provider, and therefore imposes some additional requirements on the system. I will not argue with those who consider restricting users to resources more efficiently than restricting traffic. With the restriction on traffic, the voracious user will be left without access to the Internet in a couple of days and it is likely that the next time it will be much more accurate to spend their quota. Moreover, even this issue is easy to solve.
The presence of billing, taking into account only the amount of traffic does not limit the system administrator in any way and does not prevent the use of various log file analyzers, for example, a proxy server. Thus, providing the opportunity to see what resources the user spent the quota allocated to him. Billing in this case will simply help analyze the costs, indicating the total user traffic.
Of the features of billing:
Use only 253 maximum possible users. This limitation is caused by the fact that Cake does not yet have the proper functionality for working with several subnets, so the maximum of users results from the physical addressing limitations. If you have a larger network, the Cake system will not work for you.
Each user, once having established a VPN connection, receives a unique ip address of the internal space of the VPN server. From whatever address this user is connected to, his ip of the internal network will remain unchanged. This is a very useful feature for those who want to see the details on the traffic, as it allows you to configure squid with any analyzer of its log files. It remains only to bind user logins to the addresses of the VPN network and here is a ready specification of the user's adventures.
The Cake system cannot work with several external subnets, so if you want some users to issue external addresses, and some internal ones, you will be disappointed. The system can work with only one subnet.
How it works.
On the client side, a connection to the VPN network is created. When trying to connect to a pptpd (VPN) server, pppd is run to create a VPN tunnel. To allow authorization, pppd refers to radius, which in turn searches for accounts in the DBMS and generates a response. Based on the received information from radius, pppd, if the packet was allowing, sets various connection parameters (time, traffic) per user. After that, pppd sends radius to the server information about the beginning of the session. The session is terminated if the user (or for other reasons) terminates the VPN connection with the server, and also the session can terminate pppd when the limits are exceeded.
Installation
The system uses the following components for its work (some of them have already been named above):
Computer with * nix system.
FreeRADIUS version 0.9.3 and higher.
Pptpd version 1.1.3 and higher.
PPP version 2.4.2.b3 and higher.
PostgreSQL server version 7.4.x (if you have version 8.x use this Cake.opennet.ru/devel scheme and web interface).
JDK (Sun JDK, Blackdown JDK or BEA Jrockit JDK) version 1.3 and higher.
Servlet / JSP container. Tested on resin 3.0.x and tomcat 4.1.31
PostgreSQL JDBC Driver version 3x is used.
The installation can be easily divided into several stages, each of which is described in sufficient detail on the development site (http://npj.ru/Cake/).
It is necessary to clarify that the installation documentation is described for the gentoo linux system, however, if you know how to use the distribution kit that you chose (it’s true, right?), The information from the indicated links will be enough for you. Otherwise, you will have to spend some time further studying the linux distribution you have installed.
An archive of all configuration files (for Gentoo!) Is available at: Cake.opennet.ru/release/etc/etc.tar.bz2
I installed the system in one day without encountering any obstacles. The only thing I want to draw attention to is such an error when windows clients work, like 737: loopback detected. The error is extremely unpleasant, since when it occurs, this client will not be able to connect for quite a long time. This is corrected as follows: the lines “nologfd” are added to the configuration file options.pptpd, and the lines “silent” and “connect-delay” are commented on the contrary.
Using.
After the system was installed and started working, it was time to put it into operation. To do this, go to the address that you specified resin'u when setting up. As a rule, this is ip / Cake or ip : 8080 / Cake depending on the settings.
By default, login: admin, password: 1234 are displayed. After logging in, you will see the main window, which shows the most frequently requested information. Namely, the status of billing by users (in megabytes and cash equivalent), as well as in a separate table shows the users who are currently connected to your VPN server.
Figure 1. Main window.
By default, billing contains only one administrator user. Users should go to the bookmark to change its password and add ASR users. Here you can enter all the information about the user by specifying his full name, login, password, as well as such information as the tariff plan and the need to block access to the Internet with a negative balance of the user. On the same page, payments are made to the account, thus highlighting the quota for the user.
Figure 2. Managing user accounts.
If you intend to use the Cake system as a billing provider, then you will certainly be interested in the next tab “Tariffs”. On this page, a parameter such as the ratio of money to megabytes or simply the price per megabyte is set.
Figure 3. Tariffs.
By the way, if you use billing inside your company, then a good idea would be to set the price per megabyte for the one on which the provider sells traffic to you.
If for some reason this is not convenient for you, then by setting the price per megabyte equal to one ruble, you actually leave rubles when setting quotas. Thus, making a conditional “payment” on the user's page, you actually specify the number of megabytes, without breaking your head with calculations. It sounds trite, but for some reason many people miss such an obvious convenience.
The next page "Reports" will help you track the intensity of the consumption of Internet traffic. By specifying the time interval of interest, you can display both individual user statistics and the entire system.
Figure 4. Statistics.
The last tab in the administrative panel of billing is settings. The following parameters can be set here:
iddle_timeout - if the user does not show activity for a specified period of time, a shutdown occurs;
ipnetmask - your virtual subnet mask;
ipsubnet is a virtual subnet in the “H.H.H” format;
max_pool_ip - maximum ip address that a client can receive;
max_timeout - maximum session time (in seconds);
max_trafout - maximum traffic per session;
min_pool_ip - the minimum ip address that the client can receive;
taffinterval - the period of updating data on traffic consumption (in seconds).
I’ll make a reservation that if you change the max_traffout parameter (the maximum traffic that a user can consume in one session, after which pppd will shut down and the tunnel will be broken. And then re-initialize the connection) you should be careful not to add an extra bit (zero ) at the end of the number. Unfortunately, after that no one can connect to the VPN server anymore.
Figure 5. Settings.
After you have made all the necessary settings and added to the user database, the billing is ready for use.
The system Cake did not forget about ordinary users. If the user enters his login and password on the billing page, he will be able to see the balance of his account, as well as detailed statistics by day.
Figure 6. Personal user statistics.
Some changes in the interface.
At the project support forum for a long time already there were questions about outgoing traffic. The fact is that in view of the free outgoing traffic from most providers, this variable did not seem so interesting to the developers to show it in statistics. The fun of the situation is that this information is actually in the database, it simply needs to be displayed on the screen.
For this, I changed a couple of files. At npj.akeeper.ru/akeeper/Cakemodified you can find jsp files that I modified. These are stat.all.jsp and report.list.jsp Files are complete, so you only need to copy them and replace the existing ones. Compile them yourself server. Unfortunately, the amount of outgoing traffic is displayed only for on-line users. This is due to some difficulties in modifying the common user table. However, the same complete information on outgoing traffic is easily accessible on the reports page. As for a specific user, and for all in general.
In fact, as far as I know, the developers of Cake were already going to make such changes to their system themselves. So, perhaps, by the time the journal is published, you will not have the need for such changes with your own hands.
Current work and future plans of developers.
The developers of billing, as mentioned above, are not going to stop at what has been accomplished and, as far as possible (read as free time becomes available), they finalize their product. Of the recent changes include:
Changes in the structure of the database for the possibility of working with PostgreSQL versions 8.x
The database schema is in a readable form.
Made some changes to the web-interface of the system. (Now when using the web-interface, only one connection to the database is made, and not several, as before.)
Developed automatic cleaning statistics database.
Now you can work with zero tariffs.
Considering both directions of traffic (above, I described how you can see it now).
The ability to set restrictions on both incoming and outgoing traffic is added.
It is planned to write documentation in the gentoo guide xml format.
Planned distribution based on GNAP. (In a nutshell, this is the distribution system for embedded systems. For more information, see www.gentoo.org/proj/en/base/embedded/gnap-userguide.xml ). This will provide an opportunity to quickly deploy the system on the principle of "sat down and go."
At the moment, the developers are working on the revision of the billing version of the 1.x branch. When all the necessary edits to the current version have been made, work on the second version of the product will begin. All plans have not yet been disclosed, but we already know about the pricing plans for such services, such as, for example, VoIP.
In general, we can say that Cake billing is a flexible system that is easy to install and easy to use.
(c) akeeper Korshunov Alexey.
The first published in the electronic supplement to the journal "System Administrator" called OSA .
Update: Recently I was informed that the project Cake has moved.
Source: https://habr.com/ru/post/5402/
All Articles