We're building a landing page to use with Unifi (v3-beta). The landing page should show a Facebook (and later LinkedIn) button to log in.
After they log in with fb (or allow our app) they get unlimited access to the internet.
We can whitelist Facebook's IP addresses using this: https://developers.facebook.com/docs/ApplicationSecurity/#facebook_scraper
Facebook uses Akamai as CDN. And for Akamai, it's not that easy. They have a lot more IPs and have different AS numbers.
Is there a way to get a list of all IPs behind "fbstatic-a.akamaihd.net"?
```
# nslookup fbstatic-a.akamaihd.net
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
fbstatic-a.akamaihd.net canonical name = fbstatic-a.akamaihd.net.edgesuite.net.
fbstatic-a.akamaihd.net.edgesuite.net canonical name = a1168.dsw4.akamai.net.
Name: a1168.dsw4.akamai.net
Address: 195.10.11.64
Name: a1168.dsw4.akamai.net
Address: 195.10.11.43
```
Should we just whitelist ALL of Akamai's network (thousands of IPs)?
What would be the best solution for this?
Akamai does DNS-based global load balancing, so your nslookup would only give you a set of results out of many possible results. Relying on these would be too flaky because routes could change, Akamai could relocate resources, etc.
Whitelisting all of Akamai's network is one method.
The other way is to build a transparent proxy using squid and then configure an ACL based on URL (i.e. the hostname portion of the URL must be "fbstatic-a.akamaihd.net"). A transparent proxy wouldn't work well with SSL though, so you might want to advertise proxy settings via DHCP (e.g. using a PAC file).
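Added example, not part of the original answer: a PAC file of the kind mentioned above, sending only the pre-login hostnames to the proxy and matching them on label boundaries so look-alike names do not qualify. The proxy address and the `.facebook.com` entry are assumptions; only `fbstatic-a.akamaihd.net` comes from the thread.

```javascript
// PAC file for the guest network (added example, ES5 for old PAC engines).
// Assumed placeholder: the squid proxy listens at proxy.guest.example:3128.
var PROXY = "PROXY proxy.guest.example:3128";

// Entries starting with "." match the domain and all of its subdomains;
// any other entry matches that exact hostname only.
var PRELOGIN_HOSTS = [
  "fbstatic-a.akamaihd.net", // CDN hostname from the thread
  ".facebook.com"            // assumption: needed for the login dialog
];

// Compare one normalized hostname against one allowlist entry.
function hostMatches(host, entry) {
  if (entry.charAt(0) === ".") {
    var domain = entry.slice(1);
    // Suffix must start at a dot, so "evilfacebook.com" does not match.
    return host === domain || host.slice(-entry.length) === entry;
  }
  return host === entry;
}

// True if the hostname is one a guest may reach before logging in.
function isPreLoginHost(host) {
  // Normalize case and the trailing-dot FQDN form ("www.facebook.com.").
  host = String(host).toLowerCase().replace(/\.$/, "");
  for (var i = 0; i < PRELOGIN_HOSTS.length; i++) {
    if (hostMatches(host, PRELOGIN_HOSTS[i])) {
      return true;
    }
  }
  return false;
}

// Entry point the browser calls for every request.
// Allowlisted hosts go through the proxy; everything else goes direct and
// is subject to the controller's guest firewall until the user logs in.
function FindProxyForURL(url, host) {
  return isPreLoginHost(host) ? PROXY : "DIRECT";
}
```

A PAC file only steers cooperating clients, so the proxy ACL has to enforce the same hostname list (in squid, a `dstdomain` ACL).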
One option I have found useful is giving temporary access to a guest and asking him to log in for continued access.
Check my portal if you want to see the exact implementation: https://github.com/unifispot