What I can se one can’t insert resources in subfolders, in file manager. Such as css and resources etc.
Is the only way in these cases to ssh into pfsense and upload files and folders manually? And if so, where and how? Maybe there is an nginx behind the scenes there!?
The options you have for custom captive portal pages inside pfSense seem pretty limited - because they are. However, you can still achieve a lot with what you have.
For example, you can always link stylesheets from other sources. They could be hosted on another server in your intranet or even online (of course making sure that the destination is reachable for clients before authentication).
Another thing you can do is put all the styles and even images inside of the HTML file. For CSS this is trivial (just put the code inside a
<style> tag), for images you can use this method.
For maximum customization, you can do this: For the “Portal page contents”, you can upload a PHP (not just HTML) file where certain placeholders are replaced with strings before execution, just like they will be replaced in the HTML file. This is pretty powerful, because you can assign them to variables. The tricky bit is to make sure that when the placeholders are replaced, you don’t end up with broken code. Normally when the replacements were user-supplied, this would be a very bad practice because a malicious user could potentially inject code. But since all the replacement values are provided by pfSense, you can be reasonably sure this is not a problem. Additionally, the example below uses the safest method for injecting foreign strings into PHP scripts I know. This gets a bit technical, but the only way to inject code into the script would be for one of the placeholders to contain the substring
EOD; on a separate line. With this method, replacement values may even contain qoutes.
$portalAction = <<<'EOD'
// repeat for other placeholders
You can now do all sorts of things in the script, for example you can redirect the user to an entirely different website using the PHP
header function or HTML
Meta-Refresh-Tag. You can pass the data to that site by containing it in the redirect url as a parameter, making sure to
url_encode any data properly. That “external” site now knows the
$PORTAL_ACTION$ value and all the other info supplied by pfSense in order to display an HTML form to the user, which, upon submission, sends the data back to pfSense.