rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: eriksson on August 05, 2007, 11:45:45 PM

Title: HFS stunnel setup
Post by: eriksson on August 05, 2007, 11:45:45 PM
I stumbled upon HFS yesterday and I'm really excited about it! Trouble is, I've read, read and read some more but still haven't got it workin' 100%. Can't seem to pin-point what's missing, documentation is fine but perhaps not my head? ;)

Running HFS by itself, without stunnel, works fine!
However, anyone out there having a hard time getting HFS + stunnel to work?

My config (using defaults from guide):

Stunnel 4.20
Code:
;https
accept  = 443
connect = 127.0.0.1:44300
Cert. made with filezilla server seems fine

HFS 2.2a
Code:
http://127.0.0.1:44300
Also tried http://192.168.1.10:44300

router
Code:
Opened port 443
Forwarding 443 to PC IP: 192.168.1.10

URL tested in browser
Code:
https://realIP e.g. https://216.239.59.104

So basically, when I for example type https://216.239.59.104, my router forwards the HTTPS traffic to my PC IP where stunnel is listening. Stunnel then passes it on to HFS at 127.0.0.1 port 44300? Sounds easy, doesn't it?

Running Win XP SP2 with latest firefox, no software firewall.
Any help much appreciated!

Best regards,
Eriksson
Title: Re: HFS stunnel setup
Post by: ~GeeS~ on August 06, 2007, 05:41:27 PM
Did you follow the instructions on http://www.rejetto.com/forum/index.php?topic=3083.45 ?
It should work, try again!
Check your Stunnel logs.
Title: Re: HFS stunnel setup
Post by: eriksson on August 06, 2007, 06:18:01 PM
Quote from: ~GeeS~ on August 06, 2007, 05:41:27 PM
Did you follow the instructions on http://www.rejetto.com/forum/index.php?topic=3083.45 ?
It should work, try again!
Check your Stunnel logs.

Hi ~GeeS~ thanks for replying!
I'll run that guide once more and get back to you.

Here is my stunnel log
Code:
2007.08.06 20:09:39 LOG5[1028:424]: stunnel 4.20 on x86-pc-mingw32-gnu with OpenSSL 0.9.8e 23 Feb 2007
2007.08.06 20:09:39 LOG5[1028:424]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2007.08.06 20:09:39 LOG5[1028:1440]: No limit detected for the number of clients
2007.08.06 20:09:39 LOG7[1028:1440]: FD 148 in non-blocking mode
2007.08.06 20:09:39 LOG7[1028:1440]: SO_REUSEADDR option set on accept socket
2007.08.06 20:09:39 LOG7[1028:1440]: ssmtp bound to 0.0.0.0:465
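
An added example, not part of the original thread: one way to act on "Check your Stunnel logs" is to list the listeners stunnel reports as bound and compare them with the port set as accept in the config (443 in the first post). The function names are hypothetical, the log text is the excerpt posted above, and an excerpt may be cut short, so a missing line here only says what this excerpt shows.

```python
import re

# Matches stunnel 4.x bind lines such as:
#   2007.08.06 20:09:39 LOG7[1028:1440]: ssmtp bound to 0.0.0.0:465
BOUND_RE = re.compile(
    r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} LOG\d\[[^\]]*\]: "
    r"(?P<service>\S+) bound to (?P<addr>\S+):(?P<port>\d+)\s*$"
)

# Log excerpt copied from the post above.
SAMPLE_LOG = """\
2007.08.06 20:09:39 LOG5[1028:424]: stunnel 4.20 on x86-pc-mingw32-gnu with OpenSSL 0.9.8e 23 Feb 2007
2007.08.06 20:09:39 LOG5[1028:424]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2007.08.06 20:09:39 LOG5[1028:1440]: No limit detected for the number of clients
2007.08.06 20:09:39 LOG7[1028:1440]: FD 148 in non-blocking mode
2007.08.06 20:09:39 LOG7[1028:1440]: SO_REUSEADDR option set on accept socket
2007.08.06 20:09:39 LOG7[1028:1440]: ssmtp bound to 0.0.0.0:465
"""


def bound_listeners(log_text):
    """Return {port: (service, address)} for every 'bound to' line."""
    listeners = {}
    for line in log_text.splitlines():
        m = BOUND_RE.match(line.strip())
        if m:
            listeners[int(m["port"])] = (m["service"], m["addr"])
    return listeners


def check_accept_port(log_text, expected_port):
    """Compare the configured accept port with what stunnel logged as bound."""
    listeners = bound_listeners(log_text)
    findings = []
    if expected_port not in listeners:
        seen = ", ".join(
            f"{svc} on {addr}:{port}"
            for port, (svc, addr) in sorted(listeners.items())
        ) or "none"
        findings.append(
            f"no listener logged on port {expected_port} (logged: {seen})"
        )
    # Any other listener is a service the config enables besides the one wanted.
    for port, (svc, addr) in sorted(listeners.items()):
        if port != expected_port:
            findings.append(f"unexpected listener: {svc} on {addr}:{port}")
    return findings


if __name__ == "__main__":
    for finding in check_accept_port(SAMPLE_LOG, 443):
        print(finding)
```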
Title: Re: HFS stunnel setup
Post by: eriksson on August 06, 2007, 06:31:15 PM
Well, instead of using filezilla server to create a cert. I used gees notes and it worked.

Thank you, this is GREAT!!!

Now I'm off to try and find out how to make this thing more secure.
username/password on shared files is good, anybody know of a more secure way?
Title: Re: HFS stunnel setup
Post by: ~GeeS~ on August 06, 2007, 07:08:39 PM
Thank you for confirming that the instructions are still valid (as long as you do exactly as described!).

A more secure way ... for what?
With Stunnel (SSL) the data transmission between your server PC and any client's PC is practically safe. No man in the middle (your ISP, your client's ISP or other possible listeners) can decrypt the transmitted data (as long as you don't compromise your private key). But Stunnel only protects the transfer.
Accessing your data on your server can be restricted by username/password (key words: strong passwords, so non-guessable), number of false log-in attempts (brute forcing) before denial (still in To-Do). Your password policy or how can you trust your clients? Would it harm you if a user posted the pw on the net?!
If you are really paranoid, you could restrict access to defined IP addresses and/or use Stunnel client-side certificates. But still the question arises: can you trust your users? What happens with the data when they are decrypted on your client's PC?
But nevertheless, with Stunnel and a strong user/pass you have the same security as with an on-line (https) bank account.
Title: Re: HFS stunnel setup
Post by: darkmatter on August 07, 2007, 12:15:27 AM
dam!... rejetto... this is a question for you!