maverick, deisler, Rejetto and anybody who is interested:Protecting root is not an option for me. I did some search in the forum for the history of the ~login command.
Guest wrote on Sun Dec 07, 2003 9:24 am Post subject: root login
... I like the added function of only allowing users to see the folders they have access to but to have that work, you have to protect the root.
If the root is not protected, they get only the list of unprotected folders.
Is there a way to have this work without protecting the root ex. adding a login to the roots page? ...
Mr. Anon Posted: Wed Jan 14, 2004 11:00 pm Post subject:
... @Rafi, the login button is for "Users Login". When you setup a user account in HFS, you could protect items so that those items are shown/accessed only when those users are logged in.
rejetto Posted: Thu Jan 15, 2004 2:26 pm Post subject:
... "login" button is to authenticate the user without need to click on a protected resource. purpose can be any, Anon just described one ...
This, and some more related discussions in the old threads, and the Stunnel logs make perfectly clear what's going on:
STunnel serves the cached version of root to the browser. Strange enough, all tested browsers (IE, FF, O) try to fall back to the non-secure page (Opera even without complaining).
How to fix the problem without loosing the feature to use the login button, without protecting root and so keeping at least one public welcome page?My suggestion is to call a protected welcomepage (accessible for all possible users) from the unprotected root with the login button. This welcome page has some instructions (like "click here to go back and press refresh if correct page is not displayed" ... and more if you like) and a link back to root. Similar to the login to this messageboard! Implementation would be easy: in the template replace href="/~login" by href="protected_welcome.html" or accordingly.
(Would href="https://%host%/...." do the job to switch from http to https, at least with default port 80?
%host% delivers url or 0.0.0.0 with port 80, but url:xxx or 0.0.0.0:xxx with any other port. Still needs a try yet.)Any other suggestions/comments/critics are welcome!
BTW. i tried to tune the stunnel.conf wrt. caching (session= , options= ), but without success on my precompiled version.
Finally, here's a brief description how to setup STunnel for HFS and for creating your own privatekey/certificate:EDIT:
Some information given in this description is obsolete. For an update see further down in this thread!1. Go to
http://stunnel.mirt.net (the official STunnel homepage) and download from a mirror of your choice:
...stunnel-4.15-installer.exe.
(This is precompiled binary for windows with a default (non-secure) privatkey/certificate pem-file).
2. In order to produce an unique (secure) private key/certificate pem-file, download
.../openssl/binary-0.9.7i-zdll/openssl.exe from the same location.
Read also the licences and disclaimers at www.stunnel.org and www.openssl.org! 3. Run
stunnel-4.15-installer.exe (a selfextracting archive, no registry changes & no admin rights required as long as you don't use stunnel as windows service):
Read and accept the license agreement, select all components, choose a destination folder or accept the default (recommended). After the installation is completed you may want to see the installation details. Exit Stunnel.
4. Choose
START ->
PROGRAMS ->
stunnel ->
Edit stunnel.conf and change only the following entries in stunnel.conf to:
; Some debugging stuff useful for troubleshooting (optional)
debug = 7
output = stunnel.log
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
[https]
accept = 443
connect = 80
TIMEOUTclose = 0
and save the stunnel.conf .
5. Choose
START ->PROGRAMS -> stunnel -> Run stunnelRight click the stunnel icon in your taskbar and activate the log window:
2006.04.24 21:40:23 LOG7[4076:2632]: RAND_status claims sufficient entropy for the PRNG
2006.04.24 21:40:23 LOG6[4076:2632]: PRNG seeded successfully
2006.04.24 21:40:23 LOG7[4076:2632]: Certificate: stunnel.pem
2006.04.24 21:40:23 LOG7[4076:2632]: Key file: stunnel.pem
2006.04.24 21:40:23 LOG7[4076:2632]: SSL context initialized for service https
2006.04.24 21:40:23 LOG5[4076:2632]: stunnel 4.15 on x86-pc-mingw32-gnu with OpenSSL 0.9.7i 14
Oct 2005
2006.04.24 21:40:23 LOG5[4076:2632]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2006.04.24 21:40:23 LOG5[4076:3988]: No limit detected for the number of clients
2006.04.24 21:40:23 LOG7[4076:3988]: FD 204 in non-blocking mode
2006.04.24 21:40:23 LOG7[4076:3988]: SO_REUSEADDR option set on accept socket
2006.04.24 21:40:23 LOG7[4076:3988]: https bound to 0.0.0.0:443
6. Start hfs listening on
port 80 and browse http
s://127.0.0.1 and a warning from your browser will pop-up:
- certificate is not recognized
- the certificate has expired
- the website doesn't fit the certificatebecause we are still using the default stunnel.pem certificate this is the expected behavior.
Press "
YES" to proceed and check again your stunnel logs.
It is a bad idea to use the stunnel.pem file shipped with stunnel except for testing. 7. In order to build your very own secure privatekey/certificate pem-file,
delete the default stunnel.pem in the stunnel folder (C:\stunnel\ by default).
8. Create an ASCII textfile in the stunnelfolder and copy/paste the following entries:
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = XX
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
0.commonName = Common Name (FQDN of your server)
[ cert_type ]
nsCertType = server
9. Save this textfile as stunnel.cnf (
not stunnel.conf! ) in the stunnelfolder
(With WIN the cnf-extension might not be displayed and a shortcut icon is displayed instead:
Don't panic!)
10. Copy the downloaded
openssl.exe to your stunnel folder, run openssl.exe and enter after the commandprompt:
openssl> req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
You might want to increase the -days value from 365 to 3650 or more.
This command will ask you the following questions, enter whatever you like:
Question: Example Answers
Country name: PL, UK, US, CA
State or Province name: Illinois, Ontario
Locality: Chicago, Toronto
Organization Name: Bill's Meats, Acme Anvils
Organizational Unit Name: Ecommerce Division
Common Name (FQDN): www.example.com
Note:
The Common Name (FQDN) should be the hostname of the machine running stunnel. If you can access the machine by more than one hostname some SSL clients will warn you that the certificate is being used on the wrong host, so it's best to have this match the hostname users will be accessing. A new, unique random privatekey/certificate file stunnel.pem will be created.
It is extremely important, to keep this stunnel.pem file secret! It contains your private key for the encrypted traffic! Congratulations, you're done! Run Stunnel, start HFS, have fun and enjoy your reowned privacy with care!Disclaimer: This brief :roll: instructions are based on my todays best knowledge and reflect only a small part of the plenty more options of openssl.exe. Feel free to consult www.stunnel.org and www.openssl.org for more detailed information. No guarantees or whatsoever.~GeeS~
The web was made for sharing ... the more you give, the more you get!
