rejetto forum

HFS including SSL tools

SilentPliz · 268 · 219969


Offline bmartino1
@ bbertrand
-- http://www.rejetto.com/forum/router-port-problems/is-there-any-way-to-protect-repeated-login-attempts/msg1059813/#msg1059813

(1) You have to pay for a service like that to have a cert signed to the WWW, i.e.: https://sslcheck.globalsign.com/en_US

Otherwise:
In the HFS SSL version you must first enable expert mode to enable the SSL tab. Stunnel creates the certificate itself within the parameters of the data you fill in within the tab.
--NOTE-----------
Stunnel handles creation of the cert; otherwise you will need IIS7 and create certs for that:
https://technet.microsoft.com/en-us/library/cc753127%28v=ws.10%29.aspx
------------
FYI - This forum is for HFS and stunnel...

(2) Second, yes, but bans aren't a part of HFS...; you will have to use your networking device (DD-WRT firewall router as explained here: http://www.rejetto.com/forum/hfs-~-http-file-server/from-russia-with-hate/msg1059214/#msg1059214) or attempt to use peerblocker.../some other form of network blocking...

(3) Yes, there are many ways to make HFS and this program run like a service... search the forum!
ie:

http://www.rejetto.com/forum/f-a-q-s/run-hfs-as-windows-service/msg1059183/#msg1059183

http://www.rejetto.com/forum/hfs-~-http-file-server/run-as-a-service-plus-see-gui-on-logon-how-to/msg1037376/#msg1037376

http://www.rejetto.com/forum/hfs-~-http-file-server/srvany-windows-7-hfs-starts-doesnt-load-template-or-file-system/msg1059429/#msg1059429

http://www.rejetto.com/forum/hfs-~-http-file-server/automatic-refresh-of-the-content-of-the-virtual-folder/msg1059069/#msg1059069

http://www.rejetto.com/forum/hfs-~-http-file-server/started-as-system/msg1058763/#msg1058763

« Last Edit: February 05, 2015, 02:59:20 AM by bmartino1 »
Files I have snagged and share can be found on my google drive:

https://drive.google.com/drive/folders/1qb4INX2pzsjmMT06YEIQk9Nv5jMu33tC?usp=sharing


Offline SilentPliz
Questions:

1) I have a non self signed digital cert - how do I use it - I don't want to create a self signed
2) If someone tries to break in, can I ban their IP and how?  Standard HTTP HFS can't - it only sees the local 127.0.0.1 IP from STUNNEL
3) Can I run this version like I do HFS as a Windows Service using SRVANY?

1) Once you have created a new SSL configuration with HFS, you edit stunnel.conf as follows :

cert = .\SslCerts\your-certificate-name.pem
key = .\SslCerts\your-private-key-name.pem


The certificate must have the extension ".pem" (x509 certificate).
If your certificate is included in a single file, you enter the same file name in the two entries:

cert = .\SslCerts\your-certificate-name.pem
key = .\SslCerts\your-certificate-name.pem


Then you put your certificate file in the SslCerts folder.

You get the same result by creating your configuration entirely with HFS, giving the certificate created the same name as your certificate.... then you replace the file created by your file(s) in the SslCerts folder.

3) Yes, you can! :)
« Last Edit: February 04, 2015, 04:50:35 PM by SilentPliz »
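An added check for the cert= / key= advice above (my own example, not part of the post or of HFS/stunnel): it reads the two entries from a stunnel.conf and verifies that the cert file really contains a PEM "CERTIFICATE" block and the key file a PEM "PRIVATE KEY" block, which catches the common case of a DER or PFX file renamed to .pem. The config text and PEM contents are constructed samples; `read_file` is a hypothetical reader so the check runs offline.

```python
import re

# Constructed stunnel.conf fragment in the shape the post describes (same file in both entries).
SAMPLE_CONF = """
[https]
accept = 443
connect = 127.0.0.1:80
cert = .\\SslCerts\\your-certificate-name.pem
key = .\\SslCerts\\your-certificate-name.pem
"""

# Constructed PEM content; a real file carries full base64 bodies between the markers.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
              "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def parse_conf(text):
    """Return {option: value} for the cert= and key= lines of a stunnel.conf."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*(cert|key)\s*=\s*(.+?)\s*$", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def pem_blocks(data):
    """Names of the PEM blocks in a file, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in BLOCK_RE.finditer(data)]


def check_ssl_files(conf_text, read_file):
    """Validate the cert=/key= entries; read_file(path) returns that file's text.
    Returns a list of problems (empty when the files look usable by stunnel)."""
    opts = parse_conf(conf_text)
    problems = [f"{o}= missing from stunnel.conf" for o in ("cert", "key") if o not in opts]
    if problems:
        return problems
    for opt, path in opts.items():
        if not path.lower().endswith(".pem"):
            problems.append(f"{opt}= must point at a .pem file, got {path}")
    cert_blocks = pem_blocks(read_file(opts["cert"]))
    key_blocks = pem_blocks(read_file(opts["key"]))
    if "CERTIFICATE" not in cert_blocks:
        problems.append("cert= file has no CERTIFICATE block (DER/PFX? convert to PEM)")
    # RSA PRIVATE KEY, EC PRIVATE KEY and PKCS#8 PRIVATE KEY all end the same way
    if not any(name.endswith("PRIVATE KEY") for name in key_blocks):
        problems.append("key= file has no PRIVATE KEY block")
    return problems
```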


Offline bbertrand
bmartino1 - I'm simply confused regarding this software's relationship to HFS. 

I currently run HFS with STUNNEL using my real certificate, and using SRVANY running HFS as a Windows Service.  I don't need any help with this.

What I wanted to know is how to:

1) Use my cert with this version of HFS (what is this version of HFS called - "HFS with Integrated STUNNEL"?)
2) So this version of HFS can be run using SRVANY just like the vanilla version of HFS?
3) If I used IP banning code provided by REJETTO? - to ban too many failed logon attempts from an IP Address, this worked until I added STUNNEL - then HFS only saw 127.0.0.1 - which IP Address does this version of HFS see?

As HFS can't stop someone from repeatedly trying password after password, I have recently shut it down from the Internet as it is not safe.  Since it is ridiculous to daily review logs to see who broke in last night, then add their IP to a network block list, because my time is better spent thinking than being a monkey and I don't work for my computer, and I don't accept fixing a problem AFTER it has already occurred, anyone who runs HFS out on the Internet is wide open to brute force attacks until (preferably) HFS userid logon lockout can be implemented, and I suggest it be the highest priority for new HFS features.  HFS is great, but it can't be safely used on the Internet until an automatic userid suspension (time limited a la Windows preferably) is implemented.

So I was just unclear as to the relationship of "this HFS" versus the non SSL HFS.


Offline bmartino1
Ok, this is the best I can do to help:

1) To help clarify things to the best of my ability, review how to combine stunnel with HFS (as standalone pieces...)

http://www.rejetto.com/wiki/index.php?title=HFS:_Secure_your_server
http://www.rejetto.com/forum/hfs-~-http-file-server/stunnel-and-hfs-(securing-your-hfs)/msg1058480/#msg1058480

OK, as explained by SilentPliz:

Quote:
****************
----------------
Once you have created a new SSL configuration with HFS, you edit stunnel.conf as follows :

cert = .\SslCerts\your-certificate-name.pem
key = .\SslCerts\your-private-key-name.pem

The certificate must have the extension ".pem" (x509 certificate).
If your certificate is included in a single file, you enter the same file name in the two entries:

cert = .\SslCerts\your-certificate-name.pem
key = .\SslCerts\your-certificate-name.pem

Then you put your certificate file in the SslCerts folder.
---------------------
********************
Stunnel will only accept a certificate in this form:
The certificate must have the extension ".pem" (x509 certificate).

Since you have a pre-created certificate, you will need to manually open and edit the stunnel config and change the line to point to your certificate...

Answer to 1 - conclusion -- Edit Stunnel Config!

2) yes, "servany"  https://support.microsoft.com/KB/137890?wa=wsignin1.0

*NOTE (I'm not familiar with "servany" [might have been called that... there are many other Windows programs to make a service...] but I have successfully made this version of HFS, which goes by its "own build name", run as a service before in the past)

So, I can confidently say that servany (with tweaking) will allow you to run this like a service...
As an example of some tweaks: in the stunnel tab make sure you check the box that makes stunnel start with HFS and close with HFS....

Answer to 2 -- conclusion: review https://support.microsoft.com/KB/137890?wa=wsignin1.0 and test it!

3) Sorry, but nope!... Again, as you have stated, the unfortunate side effect of using stunnel is that HFS will no longer see the public IP coming in!
HFS now shows that the IP that is connecting is your localhost -- 127.0.0.1, or your network IP address 192.168.x.x...)

So the HFS built-in banning will not work... Sorry, you're on your own....

http://www.rejetto.com/wiki/index.php?title=HFS:_IP_masks
http://www.rejetto.com/forum/hfs-~-http-file-server/automatictemporary-ban/

I'm not 100% sure (as I went over some of this in other areas...)
SilentPliz has created a combined way of using HFS and its banning tools when you make the stunnel log appear in the HFS window, using a setting in the stunnel tab...

BUT!!! HFS still sees 127.0.0.1 connecting to HFS... so with that option enabled it shows HFS 127.0.0.1 and then the stunnel connection, thereby showing the public IP in HFS..., but it is unknown if the ban will still work, as 127.0.0.1 is the actual IP connecting to HFS....

Answer to 3 -- conclusion: you're on your own for banning!... Banning IPs will now be a stunnel problem...
http://comments.gmane.org/gmane.network.stunnel.user/473
« Last Edit: February 05, 2015, 03:01:55 AM by bmartino1 »
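On the banning point in the post above: because HFS behind stunnel only ever sees 127.0.0.1, the real source address has to come from stunnel's own log. This is an added example (mine, not from the post, HFS or stunnel) that reads the "accepted connection from" lines stunnel writes at log level 5 and flags sources that open many connections within a short window, so an operator has something to feed a router or firewall block list. The log lines are constructed; since stunnel never sees HTTP login results, this counts connections, not failed logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of stunnel 5 level-5 log output
# ("Service [name] accepted connection from IP:port"); times and IPs are made up.
SAMPLE_LOG = """\
2015.02.05 01:00:01 LOG5[12]: Service [https] accepted connection from 198.51.100.7:50211
2015.02.05 01:00:02 LOG5[13]: Service [https] accepted connection from 198.51.100.7:50212
2015.02.05 01:00:03 LOG5[14]: Service [https] accepted connection from 198.51.100.7:50213
2015.02.05 01:00:04 LOG5[15]: Service [https] accepted connection from 198.51.100.7:50214
2015.02.05 01:00:05 LOG5[16]: Service [https] accepted connection from 198.51.100.7:50215
2015.02.05 01:00:09 LOG5[17]: Service [https] accepted connection from 203.0.113.20:41000
2015.02.05 01:05:00 LOG5[18]: Service [https] accepted connection from 198.51.100.7:50300
"""

LINE_RE = re.compile(
    r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) LOG\d\[\d+\]: Service \[[^\]]+\] "
    r"accepted connection from (\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def parse_accepts(log_text):
    """Yield (timestamp, source_ip) for every accepted-connection line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S"), m.group(2)


def burst_sources(log_text, limit=5, window=timedelta(seconds=60)):
    """Return {ip: time_first_flagged} for sources that opened at least `limit`
    connections inside any sliding window of length `window`."""
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    flagged = {}
    for ts, ip in parse_accepts(log_text):
        bucket = recent[ip]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # expire old entries
            bucket.pop(0)
        if len(bucket) >= limit and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

The flagged addresses are what you would then push to the router rule or block list the post refers to, since HFS's own ban list never sees them.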


Offline silvanet
Thanks. Very nice. The only problem I have run into is that regardless of selecting English as the language, if a remote user logs in through their browser the entire interface is in French.


Offline SilentPliz
Hi!

Choose a template in English:

HTML Templates  >  Templates included in HFS  > ...

The templates are independent of the translation of the HFS interface.


Offline SilentPliz
18-02-2015     HFS 2.3d SSL 292d is online.

News:
- Stable release
- Stunnel 5.11 beta 2
- bug in self test corrected

For users of a previous BUILD, update Stunnel with the "S" button

HFS 2.3d SSL #292d  :
http://silentpliz.perso.sfr.fr/hfs/hfs.292d.exe

Sources :
http://silentpliz.perso.sfr.fr/hfs/Sources_hfs/HFS_2.3d_SSL_292d-src.zip
« Last Edit: February 18, 2015, 03:34:55 PM by SilentPliz »


Offline silvanet
I just downloaded and ran this and the self-test button is grayed out.

That was going to be my next question.

I have gotten it to connect nicely and check it from other computers on my LAN.

I am forwarding SSL port.

If I want to limit connections to a single port instead of accepting on any port, does that make a difference in whether the remote users will be logged in under SSL?

So far I have not been able to have a friend connect from outside my network from the Internet.

I found my external IP address and used that when setting up the port forwarding for hfs SSL.

I was hoping to do a self-test to figure out my necessary settings, but that doesn't work yet for me.

Any advice?


Offline bmartino1
I would have you review these links to better help you out:
http://www.rejetto.com/forum/router-port-problems/some-router-info-for-newbies-or-not-so-newbies/msg1059916/?topicseen#msg1059916

http://www.rejetto.com/wiki/index.php?title=HFS:_Secure_your_server

http://www.rejetto.com/forum/hfs-~-http-file-server/stunnel-and-hfs-(securing-your-hfs)/msg1058480/#msg1058480


Under: HFS location..\stunnel\
there is a file called
stunnel.conf

which holds all the settings that make stunnel work (most of which are edited/configured via the SSL HFS program windows themselves).
To answer your question: yes, by default stunnel is set to accept 0.0.0.0 (meaning any/all IPs).

But in actuality, your public IP on the router is receiving the IP traffic and NAT-ing it down to your stunnel via the static IP.

Network connection:
client (not at home) web browser (connects to your public IP/DNS name on port 443) > Cloud/ISP > Your ISP modem public IP > Your router (at home) > HFS IP

If you have the network set up properly, the 0.0.0.0 can be the static IP of your HFS machine.

----------------------------
As for the self test, due to TTL values it is not a guaranteed test that it is working...., and since it is being transcoded through stunnel, I think SilentPliz disabled it... (not sure...)


Offline silvanet
Thanks,
I don't know if this was the answer in your links, I'll read them. I kept working and sort of figured it out on my own. I tested both the nonSSL and the SSL builds of hfs. I first found that I had set up my router not to accept external Internet pinging to my WAN IP. Then I set up two port forwarding rules: one for the nonSSL on port 8080 and a separate one for the SSL build using port 443.
I found that I could not have them both enabled at the same time. It appeared that I could be using either the SSL or the nonSSL version, but not both at the same time. Still, the SSL version would not connect on my WAN IP until I also created a virtual server directing all external traffic on port 8080 to my private port 443. Once I did that the SSL version worked beautifully and I was able to check with remote users across the Internet and not just my LAN computers. Sometimes when you keep trying you just get stuff to work; but thanks.


Offline SilentPliz
Quote:

I just downloaded and ran this and the self-test button is grayed out.

That was going to be my next question.

I have gotten it to connect nicely and check it from other computers on my LAN.

I am forwarding SSL port.

If I want to limit connections to a single port instead of accepting on any port, does that make a difference in whether the remote users will be logged in under SSL?

So far I have not been able to have a friend connect from outside my network from the Internet.

I found my external IP address and used that when setting up the port forwarding for hfs SSL.

I was hoping to do a self-test to figure out my necessary settings, but that doesn't work yet for me.

Any advice?

Hi!

I'm not sure I understand everything, but I'll try to answer you.

- It is normal that the self-test button is grayed; this function does not work in https (SSL), so I deactivate it when SSL is active.

A possible workaround is to test the port in http mode, and then simply switch to SSL mode.

- HFS always operates on a single port per instance; the ones you can see in the logs are the local ports.

- My advice to configure HFS in your case:
Save the configurations of the HFS instances that you use in .ini files, and especially not in the registry:

Save options > To file (hfs.ini)

- In the SSL tab, click on the field "Local =" parameter of Stunnel SSL

- For the "Add invert ban" option, you can use wildcards "*" for your local network.
e.g.  \127.0.0.1;192.168.1.*

I hope this helped you.

See you soon!
« Last Edit: February 21, 2015, 03:57:33 PM by SilentPliz »


Offline silvanet
Thanks.
I'm glad you've done all this work to provide a small, (relatively) easy to use, encrypted SSL server.


Offline darksize
Offline SilentPliz
Hi!

Yes, you can... if you translate it yourself, or if you find a translator.
Italian is not yet available.
I prepared two files for Italian. You must be able to translate, either from the French or from English.
Just translate the target language of defaut.po or of 1default.po
« Last Edit: March 02, 2015, 05:51:01 PM by SilentPliz »