rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: Anonymous on April 03, 2006, 10:52:59 PM

Title: How about SSL support
Post by: Anonymous on April 03, 2006, 10:52:59 PM
Great little program..just wondering if you could make it a little more secure by adding an option for HTTPS?  

Thanks!
Title: SSL
Post by: blueeagle69 on April 18, 2006, 11:46:50 AM
Hi.

You can use STunnel.

It works great.

Just Google for "STunnel"

Hope this helps.
Title: Re: SSL
Post by: Azag on April 21, 2006, 10:13:58 AM
Quote from: "blueeagle69"
Hi.

You can use STunnel.

It works great.

Just Google for "STunnel"

Hope this helps.

blueeagle69, could you show me some proof that you got this to work (HFS using STunnel)? It would save me time in setting it up and finding out that it isn't working if I try again. :P  :roll:  A screen shot or link of a site running with this would be nice. Maybe you could write a little tutorial on how to do it successfully, that is, if you have tried this. Still, though, without some proof I have a hard time believing this would work, no offense. ;)
Even if it could, to me it seems hardly worth the trouble unless maybe you run an e-commerce type site or want more privacy or added security.  I have tried experimenting with this in the past with HFS, STunnel, OpenSSL and made a working certificate (.pem file) and had no success even with STunnel tutorials I found.  :?  

Peace,

Azag
Title: SSL
Post by: blueeagle69 on April 21, 2006, 02:43:11 PM
Hi

I originally used STunnel with Abyss webserver.

Go to http://www.stunnel.org/pem/ and create a free SSL Certificate. Copy this to the STunnel main folder, This certificate should be called STunnel.pem.

Then edit the STunnel config, and find these lines. If they are not there, then simply create this section. If they are there, they may be remarked out by default, so remove the remarks. It should read exactly as below

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

Change the connect line to match your server port, and change the accept port to whatever port your URL connects to. It is best to leave it at the default though.
Next, I recommend loading HFS first, then STunnel last.

Then either connect to your PC, by using your IP with :443 on the end, or do as I did, and create a DynDNS account.
If you are not aware, you can create a normal Dynamic domain, and have this re-direct to another DynDNS webhop.

I would send you a screen grab, but my mate who normally connects to my server is on his hols. And I can't because I am behind a Router Firewall. So all I get is my Router logon.

Anyway, here is my address. See if you can connect to it.
It will be password protected, but at least you can see the server login, with a bit of luck.
Hope this helps you. http://blueeagle.webhop.org
Title: How about SSL support
Post by: Anonymous on April 21, 2006, 04:33:54 PM
At your login page it is shown as http://blueeagle.webhop.org not https://blueeagle.webhop.org
Title: Hi
Post by: blueeagle69 on April 21, 2006, 05:03:12 PM
Yes, that's correct.

The first URL re-directs you to the secure URL.
Your attempt was picked up both by STunnel and HFS!
Title: Re: Hi
Post by: blueeagle69 on April 21, 2006, 05:05:01 PM
Quote from: "blueeagle69"
Yes, that's correct.

The first URL re-directs you to the secure URL.
Your attempt was picked up both by STunnel and HFS!

It re-directs you to https://blueeagle69.dyndns.org, which is the secure one.

Look on the bottom left of the browser window, in Explorer's case, and you will see the address you are re-directed to.
Title: How about SSL support
Post by: ~GeeS~ on April 21, 2006, 07:23:02 PM
:D  :^^:
Blueeagle69!!! You made my day!!!  :happy:

Stunnel works perfectly on my machine now. edit: And no admin rights required & no messing around with the registry  :twisted:

2006.04.21 20:31:19 LOG7[3432:556]: https connecting 127.0.0.1:80
2006.04.21 20:31:19 LOG7[3432:556]: connect_wait: waiting 10 seconds
2006.04.21 20:31:19 LOG7[3432:556]: connect_wait: connected
2006.04.21 20:31:19 LOG7[3432:556]: Remote FD=280 initialized
2006.04.21 20:31:19 LOG7[3432:556]: TCP_NODELAY option set on remote socket
2006.04.21 20:31:59 LOG7[3432:2696]: https accepted FD=304 from 10.0.0.150:1207
2006.04.21 20:31:59 LOG7[3432:2696]: Creating a new thread
2006.04.21 20:31:59 LOG7[3432:2696]: New thread created
2006.04.21 20:31:59 LOG7[3432:2276]: https started
2006.04.21 20:31:59 LOG7[3432:2276]: FD 304 in non-blocking mode
2006.04.21 20:31:59 LOG7[3432:2276]: TCP_NODELAY option set on local socket
2006.04.21 20:31:59 LOG5[3432:2276]: https connected from 10.0.0.150:1207
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): before/accept initialization
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 read client hello A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 write server hello A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 write change cipher spec A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 write finished A
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 flush data
2006.04.21 20:31:59 LOG7[3432:2276]: SSL state (accept): SSLv3 read finished A
2006.04.21 20:31:59 LOG7[3432:2276]:    1 items in the session cache
2006.04.21 20:31:59 LOG7[3432:2276]:    0 client connects (SSL_connect())
2006.04.21 20:31:59 LOG7[3432:2276]:    0 client connects that finished
2006.04.21 20:31:59 LOG7[3432:2276]:    0 client renegotiations requested
2006.04.21 20:31:59 LOG7[3432:2276]:    7 server connects (SSL_accept())
2006.04.21 20:31:59 LOG7[3432:2276]:    7 server connects that finished


Thank you for pointing me to stunnel (had tried it years ago, but never thought about using it for extending HFS with https/ssl).

This combination now makes HFS a real killer!
As soon as I've tested it completely, I will provide a non-tech manual in the wiki.
Edit: If you are behind a router, don't forget to forward port 443!

Rejetto: Does it make sense to lower the priority for SSL-support for HFS in your To-Do list? BTW stunnel is open source & GNU
Title: How about SSL support
Post by: rejetto on April 21, 2006, 07:24:23 PM
i never meant to work on it soon, so... :)
Title: SSL
Post by: blueeagle69 on April 21, 2006, 07:35:30 PM
You are very welcome.

Glad I could help!
Title: How about SSL support
Post by: deisler on April 25, 2006, 12:57:39 PM
Hi, i've got mine working too. except i can't seem to login successfully. main page works and public folders work under https and it'll always auto direct to https, but if to login it'll go back to http! how do i direct this to https? sorry if i'm not clear on my question really don't know how to put it into words.
Title: How about SSL support
Post by: maverick on April 25, 2006, 04:43:00 PM
deisler

Does your login IP address start with http or https?  (it should start with https).

You could also create a normal DynDNS account and have that account re-direct to another DynDNS account which would be setup as the secure one.
Title: How about SSL support
Post by: ~GeeS~ on April 25, 2006, 05:45:59 PM
Quote
main page works and public folders work under https and it'll always auto direct to https, but if to login it'll go back to http
Same problem here! Didn't have the time to do some testing on stunnel in combination with HFS.
Did already as Maverick suggested and more ... still the same result:
https://10.0.0.150/~login either from browser command line or template either href="/~login" or href="https://10.0.0.150/~login" didn't work:
The authorization dialog appears and you are kicked back to http://...
But, then enter https://10.0.0.150/doesnotexist/ the error page appears, press "home" and you are. Or enter https://exist/ idem.
Maybe a caching problem?
Maverick, deisler which versions of stunnel and openssl dll's are you using.
I tried & errored the last few days to create my own private key/certificate pem-file and used different compilations instead of the default ones, successfully  :D
Thought that all problems were solved and just started to write a short manual.
Oh, btw testing on intel, xp SP2, IE, no admin :roll:
precompiled stunnel 4.15, openssl probably 0.9.7i (0.9.8a crashes stunnel 4.15 .exe)

Strange logs in HFS

Code:
2006-04-25 19:53:16 Guest@127.0.0.1:1798 Sent 2038 bytes
2006-04-25 19:53:16 Guest@127.0.0.1:1798 Served 1.79 KB
2006-04-25 19:53:16 127.0.0.1:1797 Got 509 bytes
2006-04-25 19:53:16 127.0.0.1:1797 Requested GET /~img10
2006-04-25 19:53:16 127.0.0.1:1797 Request dump
> GET /~img10 HTTP/1.1
> Accept: */*
> Referer: https://10.0.0.150/Project%20SSL/teststunnel/
> Accept-Language: nl
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
> Host: 10.0.0.150
> Connection: Keep-Alive

Guest@ dropped?!

In the next hours i'm online edit:[removed] port 80(http) and 443(https)

btw the files you find are just for testing, you may download at your own risk; pem's and private keys are just defaults
Title: How about SSL support
Post by: ~GeeS~ on April 25, 2006, 08:21:06 PM
After testing HFS with stunnel i come to the following conclusion:

1. HFS with stunnel works perfectly  :D as long as the ~login command is not used. In order to enter a protected resource, the user:password dialog pops up and after entering the right credentials, (https) access is granted. This is the expected behaviour, nothing wrong!

2. Use of https://site/~login after entering the user:password replies with http://site without recognising the user. I guess this login command is implemented differently than the "normal" user:pass dialog.

3. If yes, and if it can't be fixed, it would not be a disaster, because working according to 1. would do the job perfectly.

4. But ... I tried to adapt my filesystem to 1. and found that after being logged in as user A for resource A a protected folder for B was not visible anymore. Unfortunately, the option in the menu "Visible only for anonymous users" wouldn't do the job. Shouldn't it be "visible for all users"? Now I understand the many questions of users asking for logout.
If it was visible for all users you could just log in with the other account.

Maybe I missed something... did too much testing on stunnel last days.
Title: How about SSL support
Post by: maverick on April 25, 2006, 10:10:44 PM
deisler and ~GeeS~

Don't know why you are having login problems.  I'm not doing anything different now than I did with just HFS running and everything appears to be working just fine.  I don't, however, and never did, use http://site/~login or https://site/~login for logging in.  Just http://site with just HFS running and https://site with HFS and STunnel running.

I don't have any problems moving from folder to folder, uploading or downloading - https is always active as it should be.

I'm running STunnel v4.15 and openSSL v0.9.7i with HFS v2.0 Final.  Operating System XP SP2.

The machine I'm running HFS and STunnel on isn't behind a router.

Check your template.  Maybe you have something in there calling a http://server-related-link which would likely cause a switch from https to http because they would both be valid addresses from your server.  But in this situation you would probably have to login again to access the http IP address.

Here are a few examples confirming that HFS & STunnel work together in all major browsers..... :)

Opera...
(http://img296.imageshack.us/img296/4504/hfsstunnel80if.th.jpg) (http://img296.imageshack.us/my.php?image=hfsstunnel80if.jpg)

Netscape...
(http://img82.imageshack.us/img82/695/hfsstunnel70br.th.jpg) (http://img82.imageshack.us/my.php?image=hfsstunnel70br.jpg)

FireFox...
(http://img250.imageshack.us/img250/8371/hfsstunnel69dk.th.jpg) (http://img250.imageshack.us/my.php?image=hfsstunnel69dk.jpg)

Internet Explorer...
(http://img188.imageshack.us/img188/2863/hfsstunnel21pr.th.jpg) (http://img188.imageshack.us/my.php?image=hfsstunnel21pr.jpg)
Title: How about SSL support
Post by: deisler on April 26, 2006, 12:39:35 AM
Hi maverick & GeeS, thank you so much for your very detailed explanation appreciate it. i'll be looking into my template & router forwarding which possibly is causing this when i get back home. by the way i'm using the same  setup as you : WinXP SP2 | STunnel v4.15 | openSSL v0.9.7i | HFS v2.0 Final | Linksys WRT*** Router. will put up screenies after testing! :)

Also, mind me asking another question. Is there really any difference, or is it safer, to use ports other than 80 / 8080? Not regarding SSL.

Code:
Time to register my username! heh!
Title: How about SSL support
Post by: deisler on April 26, 2006, 12:53:54 AM
GeeS you notice this? apologies for the double post. funny thing is that when i refresh / reload after the failed login it works and is logged in under https! hmmpt :|
Title: How about SSL support
Post by: gees on April 26, 2006, 01:23:59 PM
I tried to locate the problem with a newly started browser (IE), STunnel 4.15 with openSSL 0.9.7i and HFS 2.0:

Opened https://127.0.0.1 -> https://127.0.0.1 (not loggedin) is served OK!

Entered https://127.0.0.1/~login -> login screen popped up, entered user and pass: browser (IE) warned that you will leave a secure connection:

on "NO" https://127.0.0.1 (not-loggedin) reappeared (from STunnel cache ?,  on "REFRESH" https://127.0.0.1 (loggedin) was displayed. So HFS had received and recognized the posted login. But STunnel finally delivered the cached version of 127.0.0.1.  

on "YES" http://127.0.0.1 (not loggedin) appeared, on "REFRESH" http://127.0.0.1 (not-loggedin) reappeared (I requested http not https with the refresh!, so it's OK!)

Entering a protected resource like https://127.0.0.1/protected/ from https://127.0.0.1 (not-loggedin) gave the correct page https://127.0.0.1/protected (loggedin) instantly after correct login, because the page didn't reside in cache already.

Conclusion:
It's most probably a caching problem in the chain:
 
Client(IE,FF,O):443(https) <--> (https):443 Proxy (STunnel):80(http) <--> (http):80 Server (HFS)

I assume that the described responses are the normal behaviour in this configuration.

Questions:

Could you confirm the results, possibly also with big O and/or FF (weren't "available" on my testing box)? Any expert explanations?

I will adapt my pages/template to avoid the ~login command and will enter protected resources as usual. Or any other ideas?
Title: How about SSL support
Post by: ~GeeS~ on April 26, 2006, 08:16:10 PM
Just tested with FF and Opera: same behaviour as IE.

deisler wrote:
Quote
is there really any difference or safer to use ports other then 80 / 8080?

Technically no, 80 is the http default, saves entering :80 at the end of the ip-address, some people think they can hide their servers ... hmm :roll:
Title: How about SSL support
Post by: maverick on April 26, 2006, 09:35:13 PM
Quote from: "~GeeS~"
Just tested with FF and Opera: same behaviour as IE.
If you have HFS restrict access on the root ( / ) set to NONE - set it to ALL.  Give that a try and see if that works better for you.
Title: How about SSL support
Post by: ~GeeS~ on April 27, 2006, 08:00:11 PM
maverick, deisler, Rejetto and anybody who is interested:

Protecting root is not an option for me. I did some search in the forum for the history of the ~login command.
Quote
Guest wrote on Sun Dec 07, 2003 9:24 am    Post subject: root login
... I like the added function of only allowing users to see the folders they have access to but to have that work, you have to protect the root.
If the root is not protected, they get only the list of unprotected folders.
Is there a way to have this work without protecting the root ex. adding a login to the roots page? ...

Mr. Anon Posted: Wed Jan 14, 2004 11:00 pm    Post subject:   
... @Rafi, the login button is for "Users Login". When you setup a user account in HFS, you could protect items so that those items are shown/accessed only when those users are logged in.

rejetto Posted: Thu Jan 15, 2004 2:26 pm    Post subject:   
... "login" button is to authenticate the user without need to click on a protected resource. purpose can be any, Anon just described one ...

This, and some more related discussions in the old threads, and the Stunnel logs make perfectly clear what's going on:
STunnel serves the cached version of root to the browser. Strangely enough, all tested browsers (IE, FF, O) try to fall back to the non-secure page (Opera even without complaining).
How to fix the problem without losing the feature to use the login button, without protecting root and so keeping at least one public welcome page?
My suggestion is to call a protected welcome page (accessible for all possible users) from the unprotected root with the login button. This welcome page has some instructions (like "click here to go back and press refresh if correct page is not displayed" ... and more if you like) and a link back to root. Similar to the login to this messageboard! Implementation would be easy: in the template replace href="/~login" by href="protected_welcome.html" or accordingly.
(Would href="https://%host%/...." do the job to switch from http to https, at least with default port 80?
%host% delivers url or 0.0.0.0 with port 80, but url:xxx or 0.0.0.0:xxx with any other port. Still needs a try yet.)


Any other suggestions/comments/critics are welcome!
BTW. i tried to tune the stunnel.conf wrt. caching (session= , options= ), but without success on my precompiled version.

Finally, here's a brief description of how to set up STunnel for HFS and how to create your own private key/certificate:
EDIT:
Some information given in this description is obsolete. For an update see further down in this thread!


1. Go to http://stunnel.mirt.net (the official STunnel homepage) and download from a mirror of your choice:
...stunnel-4.15-installer.exe.
(This is a precompiled binary for Windows with a default (non-secure) private key/certificate pem-file.)

2. In order to produce a unique (secure) private key/certificate pem-file, download
.../openssl/binary-0.9.7i-zdll/openssl.exe from the same location.
Read also the licences and disclaimers at www.stunnel.org and www.openssl.org!
 
3. Run stunnel-4.15-installer.exe (a self-extracting archive, no registry changes & no admin rights required as long as you don't use stunnel as a Windows service):
Read and accept the license agreement, select all components, choose a destination folder or accept the default (recommended). After the installation is completed you may want to see the installation details. Exit Stunnel.

4. Choose START ->PROGRAMS -> stunnel -> Edit stunnel.conf and change only the following entries in stunnel.conf to:
Code:
; Some debugging stuff useful for troubleshooting (optional)
debug = 7
output = stunnel.log

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

;[ssmtp]
;accept  = 465
;connect = 25

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

and save the stunnel.conf .

5. Choose START ->PROGRAMS -> stunnel -> Run stunnel
Right click the stunnel icon in your taskbar and activate the log window:
Quote
2006.04.24 21:40:23 LOG7[4076:2632]: RAND_status claims sufficient entropy for the PRNG
2006.04.24 21:40:23 LOG6[4076:2632]: PRNG seeded successfully
2006.04.24 21:40:23 LOG7[4076:2632]: Certificate: stunnel.pem
2006.04.24 21:40:23 LOG7[4076:2632]: Key file: stunnel.pem
2006.04.24 21:40:23 LOG7[4076:2632]: SSL context initialized for service https
2006.04.24 21:40:23 LOG5[4076:2632]: stunnel 4.15 on x86-pc-mingw32-gnu with OpenSSL 0.9.7i 14 Oct 2005
2006.04.24 21:40:23 LOG5[4076:2632]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2006.04.24 21:40:23 LOG5[4076:3988]: No limit detected for the number of clients
2006.04.24 21:40:23 LOG7[4076:3988]: FD 204 in non-blocking mode
2006.04.24 21:40:23 LOG7[4076:3988]: SO_REUSEADDR option set on accept socket
2006.04.24 21:40:23 LOG7[4076:3988]: https bound to 0.0.0.0:443
6. Start hfs listening on port 80 and browse https://127.0.0.1  and a warning from your browser will pop-up:
   - certificate is not recognized
   - the certificate has expired
   - the website doesn't fit the certificate

because we are still using the default stunnel.pem certificate this is the expected behavior.
Press "YES" to proceed and check again your stunnel logs.

It is a bad idea to use the stunnel.pem file shipped with stunnel except for testing.
 
7. In order to build your very own secure privatekey/certificate pem-file, delete the default stunnel.pem in the stunnel folder (C:\stunnel\ by default).

8. Create an ASCII text file in the stunnel folder and copy/paste the following entries:
Code:
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default             = XX
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
organizationalUnitName          = Organizational Unit Name (eg, section)
0.commonName                    = Common Name (FQDN of your server)

[ cert_type ]
nsCertType = server

9. Save this text file as stunnel.cnf (not stunnel.conf!) in the stunnel folder
(With WIN the cnf-extension might not be displayed and a shortcut icon is displayed instead: Don't panic!)

10. Copy the downloaded openssl.exe to your stunnel folder, run openssl.exe and enter after the command prompt:
Quote
openssl> req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

You might want to increase the -days value from 365 to 3650 or more.

This command will ask you the following questions, enter whatever you like:
Quote
Question:      Example Answers
Country name:     PL, UK, US, CA
State or Province name:  Illinois, Ontario
Locality:        Chicago, Toronto
Organization Name:     Bill's Meats, Acme Anvils
Organizational Unit Name:  Ecommerce Division
Common Name (FQDN):  www.example.com
Note: The Common Name (FQDN) should be the hostname of the machine running stunnel. If you can access the machine by more than one hostname some SSL clients will warn you that the certificate is being used on the wrong host, so it's best to have this match the hostname users will be accessing.
A new, unique random privatekey/certificate file stunnel.pem will be created.

It is extremely important to keep this stunnel.pem file secret! It contains your private key for the encrypted traffic!

Congratulations, you're done! Run Stunnel, start HFS, have fun and enjoy your reowned privacy with care!

Disclaimer: These brief  :roll: instructions are based on my today's best knowledge and reflect only a small part of the many more options of openssl.exe. Feel free to consult www.stunnel.org and www.openssl.org for more detailed information. No guarantees whatsoever.

~GeeS~

The web was made for sharing ... the more you give, the more you get!
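Maverick's advice earlier in the thread (check the template for absolute http:// links that pull the browser back to plain HTTP) and GeeS's proposal above (replace href="/~login" with a link to a protected welcome page) can both be turned into a quick check of a template before it goes live. The scanner below is an added example, not code from HFS, stunnel or anyone in this thread; the template fragment is a constructed sample and 10.0.0.150 is used only as the sample server address.

```python
"""Scan an HFS template fragment for links that break an stunnel-fronted
HTTPS setup: absolute http:// links to the server itself (the browser is
handed back to plain HTTP), plain-HTTP third-party resources (mixed
content), and /~login hrefs (which, as observed in this thread, come back
from the cache as the non-secure page when proxied through stunnel).
Added example; the template and host below are constructed sample data."""
import re
from html.parser import HTMLParser

# Constructed sample template fragment (not HFS's real default template).
SAMPLE_TEMPLATE = """
<html><head><title>%folder%</title></head><body>
<a href="/~login">Login</a>
<a href="http://10.0.0.150/Project%20SSL/">my share</a>
<img src="/~img10">
<a href="https://%host%/protected_welcome.html">Welcome</a>
<a href="http://www.rejetto.com/">rejetto</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect href/src/action attribute values together with their tag."""

    def __init__(self):
        super().__init__()
        self.links = []  # list of (tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append((tag, name, value))


def scan_template(html, own_hosts):
    """Return findings as (severity, link, reason) in document order.

    own_hosts: the hostnames/IPs under which this HFS server is reached.
    An absolute http:// link to one of them downgrades the whole session;
    a plain-HTTP link elsewhere only produces mixed content.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for _tag, _attr, value in collector.links:
        # Strip scheme and host so relative and absolute forms compare alike.
        path = re.sub(r"^https?://[^/]*", "", value)
        if path.startswith("/~login"):
            findings.append(("warn", value,
                             "~login is served from cache through stunnel; "
                             "link a protected welcome page instead"))
        m = re.match(r"http://([^/:]+)", value)
        if m:
            if m.group(1) in own_hosts:
                findings.append(("error", value,
                                 "absolute http:// link to this server drops "
                                 "the browser back to plain HTTP"))
            else:
                findings.append(("warn", value,
                                 "plain-HTTP resource on an HTTPS page "
                                 "(mixed content)"))
    return findings


if __name__ == "__main__":
    for severity, link, reason in scan_template(SAMPLE_TEMPLATE, {"10.0.0.150"}):
        print(f"{severity:5} {link}: {reason}")
```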
Title: How about SSL support
Post by: maverick on April 27, 2006, 11:08:50 PM
~GeeS~

After reading the first part of your response above I'm not too sure if you have solved your login problem or not, but I think you now know what is causing it.   You do mention using a public welcome page which suggests to me that you are running a public server.  (or at least some parts of your site are in the public domain, otherwise why a public welcome page).   Mine, on the other hand, is a totally private site from which I can also include a custom welcome page if I choose to do so.  As my site is totally private, our server setups will probably differ.  I know with the way I have mine set up I don't have any login problems.
Title: How about SSL support
Post by: rejetto on April 28, 2006, 12:36:31 AM
i'm not sure i got what you need, but: what's wrong in putting all the thing you have to protect in a protected folder, and leave the root public for your welcome page?
Title: How about SSL support
Post by: gees on April 28, 2006, 09:13:56 AM
maverick wrote:
Quote
After reading the first part of your response above I'm not too sure if you have solved your login problem or not, but I think you now know what is causing it.
You do mention using a public welcome page which suggests to me that you are running a public server.
rejetto wrote:
Quote
i'm not sure i got what you need, but: what's wrong in putting all the thing you have to protect in a protected folder, and leave the root public for your welcome page?
Maybe i should try to clarify to avoid confusion:

I'm running (still under construction) a private server from my home.

When a visitor/searchbot/everybody and their grandmas come to my site, the first thing (s)he should see is a welcome/home page, not a login dialog or the filesystem.
This is what I call the public part, like public domain, because it contains public information (like credits for HFS, disclaimers, legal, instructions, privacy policy, contact etc).

From this initial welcome/home page, the visitor can then link to other webpages or to the filesystem. All or some parts of these webpages or folders of the filesystem are password-protected for different users.
This is what I refer to as the private sections of my site. Private as in private home or private property. Access to these private sections is granted with my permission only and was managed with ~login (http://www.rejetto.com/forum/viewtopic.php?t=2690 see sections [login] and [logged-in]), which unfortunately isn't compatible with STunnel due to caching.

Indeed, I've already decided to do as rejetto suggested, there is absolutely nothing wrong with it, it does what I need and besides, it's compatible with Stunnel for enhanced privacy. I do not need the ~login command to achieve this.

Hope i could clarify things, consider the "problem" solved and focus on HFS 2.1beta . Thx rejetto!

~GeeS~
Title: How about SSL support
Post by: rejetto on April 29, 2006, 01:36:28 AM
happy to know your problem is solved.
that's why i often ask you to think twice on your feature requests, folks.
a program with many features is a program hard to use.
when a thing is easily solvable with available features, we should not add a new one.
Title: How about SSL support
Post by: ~GeeS~ on April 29, 2006, 07:25:11 PM
rejetto wrote:
Quote
that's why i often ask you to think twice on your feature requests, folks.
a program with many features is a program hard to use.
when a thing is easily solvable with available features, we should not add a new one.
:^^: This is exactly my concern for some time. HFS should be an easy to use and secure file- and webserver, not an HTML editor.

 :?: Do you agree to refer to STunnel/OpenSSL for "SSL extended HFS"  in the WIKI?
I think both programs add value to HFS and because they are non-commercial, opensource and licensed under GPL, they deserve to be "advertised" and described briefly in the HFS WIKI.
___
~GeeS~
Title: How about SSL support
Post by: rejetto on April 29, 2006, 07:39:27 PM
yes an SSL tutorial would be great :)
Title: Turn-OFF HTTP access and only allow HTTPS
Post by: maverick on April 29, 2006, 08:54:44 PM
I have been experimenting with different configurations.

My question is this...

If the administrator decides to only have HTTPS (SSL) available for his users to connect to, is there a way to turn-off HTTP access so a http://my-site IP address won't work but a https://my-site IP address will?
Title: Re: Turn-OFF HTTP access and only allow HTTPS
Post by: rejetto on April 30, 2006, 03:13:48 AM
Quote from: "maverick"
If the administrator decides to only have HTTPS (SSL) available for his users to connect to, is there a way to turn-off HTTP access so a http://my-site IP address won't work but a https://my-site IP address will?
i'm unsure on how Stunnel works, but if i guess correctly, you can deny access for HFS to the internet, but grant access to STunnel. This way people are forced to https.
Title: How about SSL support
Post by: ~GeeS~ on April 30, 2006, 09:07:29 AM
maverick wrote:
Quote
If the administrator decides to only have HTTPS (SSL) available for his users to connect to, is there a way to turn-off HTTP access so a http://my-site IP address won't work but a https://my-site IP address will?
My solution would be:
Use a router and only forward port 443 (https) and not port 80 (http).
You could also have port 80 forwarded and run two instances of HFS:
one on http (80) to redirect to https (443) and the other instance on port 443 with your full content.
Without a router it's more complicated, because HFS always listens on http. You could obfuscate the http port from 80 to somewhere else or force HFS to accept connections only from 127.0.0.1 (STunnel).
Didn't test it, but should work.
____
~GeeS~
Title: How about SSL support
Post by: ~GeeS~ on April 30, 2006, 09:20:45 AM
maverick wrote:
Quote
Tested in Opera, Firefox, Netscape and Internet Explorer -> results are the same. -> Damn ...
All your described issues can be expected. Takes too long to explain in detail now. But remember: Stunnel behaves like a proxy server, HFS accepts connections from clients (browser) and STunnel (client), Stunnel caches and your browsers cache, too. Do the same tests, but let HFS listen on a port different than 80 (and configure STunnel accordingly). Then the browsers can't fall back to their default port 80. Your test results will be different! The issue is that with STunnel you have a second server on your IP besides HFS. In one situation (https) HFS behaves like an application which is feeding STunnel, in the other (http) HFS is behaving as server.
Wrt. the logs: If you are serving thru STunnel, HFS has only one client. Didn't test fully the transparency of the Stunnel proxying, but on first sight everything seemed to be Ok.
Try to run two different servers: http(80)-HFS1 and https(443)-STunnel ->HFS2(bound to local host on port f.e. 80xx).

Browser caching can be inhibited with this command:
Code:
<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</HEAD>
____
GeeS
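The stunnel.conf edits in GeeS's step 4 and the two-server layout suggested just above (HFS bound to localhost on a port other than 80, stunnel's connect line adjusted to match) can be checked mechanically before stunnel is started. The parser and checker below are an added example, not part of stunnel or HFS; the configuration text is constructed from the entries quoted in the thread, and the rule that a bare connect port means localhost is taken from the stunnel manual.

```python
"""Parse an stunnel.conf of the shape used in this thread and check the
HFS-fronting [https] service: accept on 443, connect target on the loopback
interface (a bare port means localhost for 'connect'), connect port equal
to the port HFS really listens on, and debug logging switched on so the
log window is useful.  Added example; SAMPLE_CONF is constructed from the
settings quoted in the thread."""
import configparser
import ipaddress

SAMPLE_CONF = """\
; Some debugging stuff useful for troubleshooting (optional)
debug = 7
output = stunnel.log

;[pop3s]
;accept  = 995
;connect = 110

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0
"""

GLOBAL = "__global__"  # synthetic section for options before the first [service]


def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}) from stunnel.conf text.

    The file is INI-like with ';' comments; configparser cannot hold options
    outside a section, so a synthetic global section is prepended.
    """
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"),
                                   delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep option case, e.g. TIMEOUTclose
    cp.read_string(f"[{GLOBAL}]\n" + text)
    services = {s: dict(cp.items(s)) for s in cp.sections() if s != GLOBAL}
    return dict(cp.items(GLOBAL)), services


def split_endpoint(value):
    """'accept'/'connect' take [host:]port; return (host or None, port)."""
    host, sep, port = value.strip().rpartition(":")
    return (host.strip("[]") if sep else None), int(port)


def is_loopback(host):
    """True for a bare port (stunnel default: localhost), 'localhost' or 127.x/::1."""
    if host is None or host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_https_service(text, hfs_port=80):
    """Check the [https] service against this thread's setup; return (level, message) list."""
    global_opts, services = parse_stunnel_conf(text)
    svc = services.get("https")
    if svc is None:
        return [("error", "no [https] service section; stunnel will not front HFS")]
    findings = []
    a_host, a_port = split_endpoint(svc.get("accept", "0"))
    c_host, c_port = split_endpoint(svc.get("connect", "0"))
    if a_port != 443:
        findings.append(("warn", f"accept port is {a_port}; browsers use 443 for https://host"))
    if not is_loopback(c_host):
        # The hop from stunnel to HFS is plaintext; it must stay on this machine.
        findings.append(("error", f"connect target {c_host}:{c_port} is not loopback; "
                                  "decrypted traffic would leave this host"))
    if c_port != hfs_port:
        findings.append(("error", f"connect port {c_port} does not match the HFS port {hfs_port}"))
    if c_port == a_port:
        findings.append(("error", "accept and connect ports are identical; stunnel would connect to itself"))
    if global_opts.get("debug") != "7" or "output" not in global_opts:
        findings.append(("info", "debug = 7 / output = stunnel.log not set; the log is the main troubleshooting aid"))
    return findings


if __name__ == "__main__":
    print(check_https_service(SAMPLE_CONF) or "SAMPLE_CONF: no findings")
    # Two-server layout from the thread: HFS bound to localhost on 80xx behind stunnel.
    print(check_https_service(SAMPLE_CONF.replace("connect = 80", "connect = 127.0.0.1:8080"),
                              hfs_port=8080) or "two-server layout: no findings")
```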
Title: How about SSL support
Post by: maverick on April 30, 2006, 12:08:38 PM
Quote from: "rejetto"
i'm unsure on how Stunnel works, but if i guess correctly, you can deny access for HFS to the internet, but gran acccess to STunnel. This way people are forced to https.
Thanks for the suggestion rejetto.  Didn't think of doing that.  I'll try it and see how it works.
Title: How about SSL support
Post by: deisler on April 30, 2006, 10:29:34 PM
Thank you Gees, maverick and rejetto for answering all questions i had in mind. apologies for not contributing in this cause :) maverick, you've simplified all scenario fixes for me. really appreciate it! please do update us on your latest venture with rejetto's suggestion, looks promising ;)
Title: How about SSL support
Post by: rejetto on May 01, 2006, 07:48:06 AM
http://www.rejetto.com/wiki/index.php/HFS:_Secure_your_server#HTTPS_and_SSL
;)
Title: Re: SSL
Post by: Azag on May 09, 2006, 05:20:06 AM
Quote from: "blueeagle69"
Hi

I originally used STunnel with Abyss webserver.

Go to http://www.stunnel.org/pem/ and create a free SSL Certificate. Copy this to the STunnel main folder, This certificate should be called STunnel.pem.

Then edit the STunnel config, and find these lines. If they are not there, then simply create this section. If they are there, they may be remarked out by default, so remove the remarks. It should read exactly as below

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

Change the connect line to match your server port, and change the accept port to whatever port your URL connects to. It is best to leave it at the default though.
Next, I recommend loading HFS first, then STunnel last.

Then either connect to your PC, by using your IP with :443 on the end, or do as I did, and create a DynDNS account.
If you are not aware, you can create a normal Dynamic domain, and have this re-direct to another DynDNS webhop.

I would send you a screen grab, but my mate who normally connects to my server is on his hols. And I can't because I am behind a Router Firewall. So all I get is my Router logon.

Anyway, here is my address. See if you can connect to it.
It will be password protected, but at least you can see the server login, with a bit of luck.
Hope this helps you. http://blueeagle.webhop.org

Nice job, thanks for showing me the way. And proving me wrong, as I was a bit skeptical at first. I don't truly need this as a "feature" right now but glad to know it works when/if I need it in future. ;) Besides, at this point I dare say that HFS v2.0 Final is finally working flawlessly for me now that I switched to Win Server 2003 Enterprise.  :D  Thanks for your explanation and work, and to all others who tested and showed this to work as well.

Off-Topic:
Any past problems I had that I may have posted before had nothing to do with HFS, and sorry for stressing you out. :lol: Using the Wiki was a great idea by rejetto and all those who contributed to documenting this. Very helpful!

Possible Bug:
The only bug I have noticed (for me anyhow), though not a problem for me since I store backups: if I click cancel while HFS is starting up it wipes out the currently loading .vfs file, the tree is empty and the file is lost (actually overwritten in the HFS root folder... weird). All the other .vfs files that were from different older sessions with different names remain untouched.
But I always make backups and store them elsewhere just in case. Hey, things can go wrong sometimes, even the remote possibility of a corrupt VFS file, which I haven't had, but maybe it could happen during a power outage or brownout. So always back up your files. ;)

Sorry for cramming off-topic things on this post I am in a big rush but thought I might share that info too. Thanks again rejetto and all testers. :happy2:  Peace......
Title: How about SSL support
Post by: ANTS on May 09, 2006, 08:05:11 AM
Now that SSL can (sort of) be used with HFS, will there be any future additions of SSL inbuilt into HFS?
Title: Login problem
Post by: heffae on May 09, 2006, 06:44:52 PM
It looks like when you have the root of HFS public and protected folders under this, then when you click the login button HFS redirects you to HTTP:// not HTTPS://. This doesn't look like a problem if the first page is HTTPS://
Title: Re: Login problem
Post by: maverick on May 09, 2006, 10:26:37 PM
Quote from: "heffae"
It looks like when you have the root of HFS public and protected folders under this, then when you click the login button HFS redirects you to HTTP:// not HTTPS://. This doesn't look like a problem if the first page is HTTPS://
Already discussed in this thread.
Title: How about SSL support
Post by: Daoloth on May 11, 2006, 07:08:49 AM
Quote from: "ANTS"
Now that SSL can (sort of) be used with HFS, will there be any future additions of SSL inbuilt into HFS?

Personally I think if it works I see no need for this feature to be added to make HFS more complex, since I doubt the average user is really going to use or need such a feature. But the addition is in the end up to the majority and really in the end up to rejetto. ;) Besides, I would have to guess that even though it is in the "To Do" list, it would be a complex job to code, and debugging and perfecting this add-on could be a headache imho.  Also most ppl with an understanding of SSL would be familiar with using, or at least knowledgeable enough to figure out, STunnel or OpenSSL and similar apps. Don't get me wrong, I am not against the addition, but why give rejetto more work. :lol: He has certainly given us a lot more of his time and patience than one could ever ask for, and for free at that. ;)

Unrelated Side note:
I haven't even tried the newest beta yet but I will.  But 2.0 final is working flawlessly for me as I had mentioned. Right now I am testing my overall stability after my OS change and trying to see how much uptime I can get. ;) So far I have served 12.5GB (4391 downloads and 4 uploads) in 5 days with up to 8 downloads at once and about 165 visitors a day according to one counter. Still early into the test yet but so far so good.
Even added a Google sitemap in XML. It does need updating again and removal of scattered dupe links, but it works perfectly for me and it's W3C compliant for Google sitemaps specifically, as far as online tests have shown me. :D No link on the main page yet but gonna add it after minor link fixes/changes. Google sees it and visits a lot, with no errors so far. :D Not trying to brag about this, just very happy things are working so well.  Feel free to check out my sitemap if you wish but be warned it's 533KB.  
http://vxchaos.cjb.net/sitemap.xml

Has anyone else tried this yet on HFS? Just wondering.  Since I found nothing in the forum search I figured it was worth mentioning. Criticism is welcome. Thanks in advance. ;) Peace all.
Title: stunnel configuration
Post by: Https help configuration on August 22, 2006, 05:28:37 AM
http://10.10.14.2:443  connects
https://10.10.14.2:443 error

Help

OpenSSL command

2006.08.22 02:15:00 LOG5[464:3504]: stunnel 4.15 on x86-pc-mingw32-gnu with OpenSSL 0.9.7i 14 Oct 2005
2006.08.22 02:15:00 LOG5[464:3504]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2006.08.22 02:15:00 LOG5[464:3492]: No limit detected for the number of clients
2006.08.22 02:21:20 LOG5[464:2988]: https connected from 10.10.14.1:54032
2006.08.22 02:21:20 LOG5[464:3264]: https connected from 10.10.14.1:34300
2006.08.22 02:21:20 LOG3[464:2988]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:2988]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:20 LOG3[464:3264]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:3264]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:20 LOG5[464:2984]: https connected from 10.10.14.1:55070
2006.08.22 02:21:20 LOG3[464:2984]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:2984]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:20 LOG5[464:1992]: https connected from 10.10.14.1:55480
2006.08.22 02:21:20 LOG3[464:1992]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:1992]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:20 LOG5[464:3200]: https connected from 10.10.14.1:41328
2006.08.22 02:21:20 LOG3[464:3200]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:3200]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:20 LOG5[464:3408]: https connected from 10.10.14.1:60292
2006.08.22 02:21:20 LOG3[464:3408]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:20 LOG5[464:3408]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:22 LOG5[464:2088]: https connected from 10.10.14.1:42477
2006.08.22 02:21:22 LOG3[464:2088]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:22 LOG5[464:2088]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:22 LOG5[464:3036]: https connected from 10.10.14.1:55688
2006.08.22 02:21:22 LOG3[464:3036]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:22 LOG5[464:3036]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:22 LOG5[464:3320]: https connected from 10.10.14.1:39588
2006.08.22 02:21:22 LOG3[464:3320]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:22 LOG5[464:3320]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.08.22 02:21:26 LOG5[464:2060]: https connected from 10.10.14.1:56992
2006.08.22 02:21:26 LOG3[464:2060]: SSL_connect: Peer suddenly disconnected
2006.08.22 02:21:26 LOG5[464:2060]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration

; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = stunnel.pem
key = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[pop3s]
accept  = 995
connect = 110

[imaps]
accept  = 993
connect = 143

[ssmtp]
accept  = 465
connect = 25

[https]
accept = 10.10.14.2:443
connect = 10.10.14.2:80
TIMEOUTclose = 0

; vim:ft=dosini
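An added checker (not posted in the thread) that lints a stunnel.conf against the layout this thread recommends for HFS: stunnel in server mode (the `client = yes` left in the file above makes stunnel call SSL_connect towards HFS, which is exactly what the log shows failing), accept on port 443, connect to HFS on 127.0.0.1, and SSLv2 disabled. Both embedded configurations are constructed from the postings in this thread.

```python
"""Lint a stunnel.conf against the HFS-behind-stunnel layout recommended in this thread:
stunnel in server mode on 443, HFS reached on the loopback interface, SSLv2 disabled."""
import re

# Constructed sample: the configuration posted above, reduced to the lines that matter.
POSTED_CONF = """\
; Sample stunnel configuration file
cert = stunnel.pem
key = stunnel.pem
; Use it for client mode
client = yes

[https]
accept = 10.10.14.2:443
connect = 10.10.14.2:80
TIMEOUTclose = 0
"""

# Constructed sample: the layout recommended later in the thread (stunnel 443 -> HFS 44300).
RECOMMENDED_CONF = """\
cert = stunnel.pem
key = stunnel.pem
options = ALL
options = NO_SSLv2

[https]
accept  = 0.0.0.0:443
connect = 127.0.0.1:44300
TIMEOUTclose = 0
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")


def parse_stunnel_conf(text):
    """Return (globals, services). Both map lower-cased key -> list of values, because
    stunnel allows a key (e.g. 'options', 'socket') to repeat. ';' starts a comment."""
    globals_, services = {}, {}
    current = globals_
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return globals_, services


def split_endpoint(value):
    """'host:port' or bare 'port' -> (host or None, port as int)."""
    host, _, port = value.rpartition(":")
    return (host or None, int(port))


def lint_https_service(text):
    """Return a list of findings; an empty list means the file matches the recommended layout."""
    glob, services = parse_stunnel_conf(text)
    findings = []
    for key in ("cert", "key"):
        if key not in glob:
            findings.append(f"missing global '{key}': server mode needs the stunnel.pem certificate/key")
    if glob.get("client", ["no"])[-1].lower() == "yes":
        # In client mode stunnel treats the browser's TLS handshake as plaintext and itself
        # calls SSL_connect towards HFS, which only speaks HTTP, so every connection fails.
        findings.append("'client = yes' is set: stunnel must run in server mode to wrap HFS in HTTPS")
    if "NO_SSLV2" not in {v.upper() for v in glob.get("options", [])}:
        findings.append("no 'options = NO_SSLv2': SSLv2 should be disabled")
    https = services.get("https")
    if https is None or "accept" not in https or "connect" not in https:
        findings.append("no complete [https] section with 'accept' and 'connect'")
        return findings
    acc_host, acc_port = split_endpoint(https["accept"][-1])
    con_host, con_port = split_endpoint(https["connect"][-1])
    if acc_port != 443:
        findings.append(f"accept port {acc_port}: clients must add ':{acc_port}' to the URL unless 443 is used")
    if con_host not in (None, "127.0.0.1", "localhost"):
        findings.append(f"connect goes to {con_host}:{con_port}: point it at 127.0.0.1 so HFS can be "
                        "banned for everyone except Stunnel")
    if (acc_host, acc_port) == (con_host, con_port):
        findings.append("accept and connect are the same endpoint: stunnel would forward to itself")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("recommended", RECOMMENDED_CONF)):
        print(f"{name}: {lint_https_service(conf) or ['OK']}")
```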
Title: How about SSL support
Post by: maverick on August 22, 2006, 06:21:50 AM
Should be:

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0
Title: How about SSL support
Post by: gees on August 22, 2006, 06:24:34 AM
Quote
[https]
accept = 10.10.14.2:443
connect = 10.10.14.2:80
TIMEOUTclose = 0


Please do exactly as described in this thread:

accept = 443
connect = 80


Only port numbers are valid; Stunnel listens to localhost.
_________
~GeeS~
Title: Re: How about SSL support
Post by: ~GeeS~ on September 08, 2006, 05:36:03 PM
Vulnerability in openssl, please update:

http://www.openssl.org/news/secadv_20060905.txt
Title: Re: How about SSL support
Post by: ~GeeS~ on September 18, 2006, 08:30:07 PM
 :)
~login issue solved:
http://www.rejetto.com/forum/index.php?topic=3691.0
Title: Re: How about SSL support
Post by: tenacious_b on March 27, 2007, 04:43:36 PM
Maybe I am just stupid but it's not working.

I installed it, created a certificate, put it in the proper place (I think), but whenever I go to http://localhost:*accept port* I get a page cannot be displayed. I am positive this isn't enough info for anyone to help but I don't know where to start :/ Help would be greatly appreciated.
Title: Re: How about SSL support
Post by: GeeS on March 28, 2007, 06:52:29 AM
... I am positive this isn't enough info for anyone to help ...
Indeed not much info, but did you try to connect to https://localhost:your_port_stunnel_listens_to ?

Title: Re: How about SSL support
Post by: tenacious_b on March 28, 2007, 08:47:51 PM
Yes I did try that and to no avail; it says nothing is on that page, like nothing is listening there.
Title: Re: How about SSL support
Post by: ~GeeS~ on March 30, 2007, 05:05:47 PM
Yes I did try that and to no avail; it says nothing is on that page, like nothing is listening there.
I just followed my procedure as described earlier in this thread ( and updated to stunnel 4.20).
Everything works fine! Even download speed with stunnel is still high enough (tested on localhost) : 3500kB/s.
Try again!
Title: Re: How about SSL support
Post by: GrapeApe on April 02, 2007, 03:09:05 PM
I have followed your very simple procedure several times and I can't get this to work. I am using win xp sp2. I am putting the https in the url; my port is 8245 but I have put that in the .config.
https://grapeape.myftp.org
I put the stunnel.pem in the stunnel folder
When I open the stunnel log this is all I get

2007.04.02 09:51:15 LOG5[3004:2676]: stunnel 4.20 on x86-pc-mingw32-gnu with OpenSSL 0.9.8d 28 Sep 2006
2007.04.02 09:51:15 LOG5[3004:2676]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2007.04.02 09:51:15 LOG5[3004:3576]: No limit detected for the number of clients

I'm not a total idiot but I am at a loss here
Title: Re: How about SSL support
Post by: ~GeeS~ on April 02, 2007, 07:57:45 PM
Please change debug to debug = 7 in your stunnel.conf and publish it again.

Did I understand well, and does your stunnel.conf have the entry

[https]
accept = 8245
connect = same portnumber as HFS???

If that is true, then your URL should be https://grapeape.myftp.org:8245 because you have to add the port number if you use a non-default port for https.
Or did you forward port 8245 or block it with your firewall?
Try port 443 (https default) for stunnel to accept, connect to 44300, do not block these ports and forward 443 only. HFS listens to 44300.

Before I read your post I just finished an update on HFS with Stunnel. Will publish within some days. No time yet. Good luck.
If it still does not work, please publish your logs and portnumbers for debugging.
Title: Re: How about SSL support
Post by: GrapeApe on April 02, 2007, 09:43:18 PM
I connect via a proxy and evidently that's where my problem is. I hope I don't confuse you here, but my internet explorer is set to connect directly and my Firefox is through a proxy; I was testing on both of them with nothing working. Now when I change the Firefox setting to connect directly both the internet explorer and my Firefox connect (why one is affecting the other I don't know). So stunnel works great without a proxy for me, which is fine unless you have a suggestion for that, but what I would really like to fix is I can't connect via my noip address. I have to put in my ip plus the :443 port number for it to connect.
I've tried https://grapeape.myftp.org:443 and it doesn't work.
This is what I have in the .conf and the port setting on hfs is 8245

[https]
accept  = 443
connect = 8245
TIMEOUTclose = 0

By the way thx for the response
Title: Re: How about SSL support
Post by: GrapeApe on April 02, 2007, 11:15:11 PM
I got it all sorted out now thx for thread  and the response.
Title: Re: How about SSL support
Post by: GeeS on April 03, 2007, 06:25:48 AM
I connect via a proxy and evidently that's where my problem is. ... So stunnel works great without a proxy for me, which is fine unless you have a suggestion for that, ...
Many (free) proxies will not handle https and/or other ports than 80 (http default) or 443 (https default) and just drop the connection without warning when your browser tries to.
My suggestion is to use the default ports 80 for http and 443 for https.
Title: Re: How about SSL support
Post by: ~GeeS~ on April 03, 2007, 06:48:20 PM
I've reviewed the earlier description of HFS with Stunnel, applied some changes for convenience and added some more thoughts. Here we go:

Easy & secure data sharing on Windoze with HFS & Stunnel for free ... an essay

The opportunity:
Today’s widespread cable- and ADSL internet access offers a permanent connection to the worldwide web for home users. External hosting to serve private web pages or to share files is not necessary anymore.   
HFS is a free, open-source HTTP file/web server for the win32 platform (windoze); it's very easy to use and runs "right out of the box" for down- and uploading files as well as for serving web pages directly from a PC at home. It can even travel on a disk or pendrive to serve from any PC at hand, addressable from the Net (keyword: port forwarding) or within a network.

The risk:
All web servers (not only HFS), which use HTTP, have a common weakness:
HTTP-traffic is transmitted in plain text and every bit of data travelling between a web server and a client (browser) can be intercepted and read by everyone who is in the chain passing data to the final destination. Even encoded usernames and passwords, which should protect web servers against unauthorized access, are easy to reveal. Only encrypted traffic (HTTPS) between server and client can protect precious private data against sniffing.
By encrypting the traffic between a server and its clients, a sniffer is still able to see which client IP is exchanging data with a certain web server at a certain time, but it is practically impossible (as long as the sniffer does not have the randomly generated private key) to decrypt the transmitted data.
While most modern browsers can handle encrypted traffic, the HFS server only supports insecure HTTP.

The solution:
Stunnel, a free, open-source, multiplatform SSL tunneling proxy program, "is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. Stunnel uses OpenSSL or SSLeay libraries for cryptography ..."
This just means that Stunnel will be used to accept the client requests and establish an encrypted (HTTPS) connection, while Stunnel and the HFS server are exchanging non-encrypted data (HTTP).
A typical configuration of a PC with an https-enabled HFS server:
- Stunnel accepts requests from any IP on port 443, the HTTPS default port.
- Stunnel connects to HFS on an arbitrarily chosen free port (e.g. 44300).
- HFS accepts requests on the chosen port, in this example 44300.
- Direct requests from clients to HFS on port 44300 have been blocked, except from 127.0.0.1 (localhost), where Stunnel resides.
- The PC and drives where HFS, Stunnel and the data reside are secured against unauthorized access.

How to set up Stunnel for an SSL-secured HFS server and create a private key and self-signed server certificate:

1. Stunnel is available from http://stunnel.mirt.net as a precompiled binary for windoze: “stunnel-4.20-installer.exe” at the time of writing. Install it and you will end up with:
- stunnel.exe  (= the Stunnel program)
- stunnel.html (= the Stunnel manual)
- stunnel.conf (= the Stunnel configuration file)
- zlib1.dll, libssl32.dll and libeay32.dll (= openssl library files)
- stunnel.pem (= the default private key/certificate file)

Note: to get rid of the registry entries made by the installer, save the above files and deinstall Stunnel.

2. Run “stunnel.exe” and open the log. Find the version of openssl used to compile stunnel: “0.9.8d” at the time of writing.
Extract this version of “openssl.exe” from “openssl.zip” or download it directly to your Stunnel directory from http://www.openssl.org or http://stunnel.mirt.net (.../openssl/binary-0.9.8d-zdll/openssl.exe).

3. Open a text editor (e.g. notepad) and copy/paste the following entries:
Quote
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type

[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default  = XX
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
0.commonName = Common Name (FQDN of your server)

[ cert_type ]
nsCertType = server
Save this file as “pem.conf” in the stunnel directory.

4. Delete the “stunnel.pem”, which contains a default server certificate and private key.
It is a bad idea to use the stunnel.pem file shipped with stunnel except for testing!
In order to produce a pem file with a unique, secure private key / server certificate, open a text editor (e.g. notepad) and copy/paste the following entry:
Quote
openssl.exe req -new -x509 -days 3650 -nodes -config pem.conf -out stunnel.pem -keyout stunnel.pem
Save this file as “create_pem.bat” in the stunnel directory. Run “create_pem.bat”, answer the questions in the dialog and enter whatever you like.

Note: The Common Name (FQDN) is required and should be the hostname of the machine running stunnel e.g. www.myhomeserver.net.
If you can access the machine by more than one hostname some SSL clients will warn you that the certificate is being used on the wrong host, so it's best to have this match the hostname users will be accessing.


Each time you run “create_pem.bat”, a new “stunnel.pem” file with a unique random private key and a self-signed server certificate with 10 years' validity will be created.
It is extremely important to keep this stunnel.pem file secret! It contains your private key for the encrypted traffic! Do not back-up, but create a new one if necessary.

5. Edit “stunnel.conf” with a text editor to obtain the following content:
Quote
; Lines preceded with a “;” are comments
; Empty lines are ignored
; For more options and details: see the manual (stunnel.html)
 
; File with certificate and private key
cert = stunnel.pem
key = stunnel.pem

; Log level (1 = minimal, 5 = recommended, 7 = all) and log file
; Precede with a “;” to disable logging
debug = 5
output = stunnel.log

; Some performance tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Data compression algorithm: zlib or rle
compression = zlib

; SSL bug options / no SSLv2 (SSLv3 and TLSv1 are enabled)
options = ALL
options = NO_SSLv2

; Service-level configuration
; Stunnel listens to port 443 (HTTPS) to any IP
; and connects to port 44300 (HFS) on localhost
[https]
accept  = 0.0.0.0:443
connect = 127.0.0.1:44300
TIMEOUTclose = 0
Save the edited “stunnel.conf”.

6. Stunnel is now configured to accept HTTPS requests from any IP on port 443 of your PC and connects with HTTP to port 44300 on the same PC (127.0.0.1).
Do not forget: Port 443 and 44300 on this PC have to be opened in a firewall and routers have to forward port 443 to your PC. Do not forward port 44300 on your router.

7. Start HFS (2.1d at the time of writing) to listen on port 44300.
In Menu/Limits/Bans…, enter “\127.0.0.1” without the quotation marks and check “Disconnect with no reply” in order to ban every IP except 127.0.0.1; direct HTTP access to HFS is then blocked with a “Host not found” message.
Within a “friendly” network you could consider adding e.g. “\192.168.*” to allow direct HTTP access to HFS from all machines in your network.

8. Test your configuration carefully. You might want to change the debug mode to debug = 7 in the stunnel.conf file for more log details.

9. Additionally, you might also want to have an HTTP welcome page, which links to your HTTPS-enabled pages and contains instructions for your visitors on how to handle a self-signed server certificate and the related error messages of some browsers: run a second, independent instance of HFS on port 80, modify the template and link from there to your secure Stunnel-HFS server.
 
10. Optionally, you can put your data, Stunnel and HFS on a pendrive with e.g. ./Myserver/Stunnel/stunnel.exe…, ./Myserver/HFS443/hfs443.exe…, ./Myserver/HFS44300/hfs44300.exe…, ./Myserver/Filesystem/… (the two “hfs.exe” renamed for convenience).
Configure HFS to save to file and the registry will be kept clean. No admin rights are required. Run stunnel.exe, hfs443.exe and hfs44300.exe on any PC in a network for secure data exchange from PC to PC.
Note: Works fine, even in “hostile” networks. You could even rename the executables to some “innocent” names like “excel.exe”, “powerpnt.exe” or “winword.exe” to obfuscate the running processes. Windoze will not complain about running different processes with the same name. Use your imagination and be aware of the risks!

11. Visit also http://stunnel.mirt.net, http://www.stunnel.org , http://www.openssl.org and http://www.rejetto.com for further readings.
 
Some important notes:

Because Stunnel connects from 127.0.0.1 (localhost) to HFS, functions of HFS which deal with IP numbers will be influenced.

# Logs will only show one client: 127.0.0.1 (Stunnel on localhost). Use the Stunnel logs additionally to find out the requesting IP addresses.

# Limits (bans, speed, number of simultaneous downloads …) will have influence on one IP only: 127.0.0.1 (Stunnel on localhost). Keep that in mind!

# The ~progress window will show the actual total transfers of all clients (again: 127.0.0.1). Nice new feature, but also a privacy risk: the filenames of your data will be revealed. Either disable the progress template (any decent browser already has a comparable window) or protect the server with a password to inhibit the use of the ~progress command for unauthorized clients.

# Do not link parts of your pages to external, insecure (HTTP) servers. It is annoying and makes your site less trustworthy.

# Data transfer will be somewhat slower, due to the de- and encryption of the data, but evidently the bandwidth of the connection will in most cases be the limiting factor.

# Finally, never ever share your Stunnel or HFS directories and take special care to protect them against unauthorized access … and keep your private key private.

So, enjoy secure serving and exchanging data. The more you give, the more you get.

~GeeS~ Copyleft 4/2007 Share if you like.

Some small print:
Unfortunately in some countries encryption or the discussion of encryption is still considered illegal.
In some countries the free exchange of data is still considered illegal under certain conditions.
I’m not a lawyer; in case of doubt get professional advice.
This publication is based on my best knowledge today and reflects only a small part of the many more options of Openssl, Stunnel and HFS. No guarantees whatsoever.
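As an added example (not part of GeeS's essay), a small Python script that recovers from the Stunnel log what HFS can no longer show once every request arrives from 127.0.0.1: the real client IP per connection, handshake failures and bytes moved, correlated by the [pid:tid] field of each line. The log lines it parses are constructed in the format of the stunnel 4.20 and 4.15 logs posted in this thread; the addresses, thread ids and byte counts are made up.

```python
"""Recover per-client statistics from a stunnel log. HFS behind stunnel only ever sees
127.0.0.1, so the stunnel log is the only place the real client addresses appear."""
import re
from collections import defaultdict

# Constructed sample in the stunnel 4.20 log format shown in this thread (addresses,
# thread ids and byte counts are made up).
SAMPLE_LOG = """\
2007.05.21 10:05:09 LOG5[3680:3044]: stunnel 4.20 on x86-pc-mingw32-gnu with OpenSSL 0.9.8d 28 Sep 2006
2007.05.21 10:05:47 LOG5[3680:2936]: https accepted connection from 192.168.1.1:1492
2007.05.21 10:05:47 LOG6[3680:2936]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2007.05.21 10:05:47 LOG5[3680:2936]: https connected remote server from 127.0.0.1:1645
2007.05.21 10:05:48 LOG5[3680:2936]: Connection closed: 40960 bytes sent to SSL, 512 bytes sent to socket
2007.05.21 10:06:01 LOG5[3680:2940]: https accepted connection from 203.0.113.7:50211
2007.05.21 10:06:01 LOG6[3680:2940]: Negotiated ciphers: AES256-SHA TLSv1 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2007.05.21 10:06:01 LOG5[3680:2940]: https connected remote server from 127.0.0.1:1646
2007.05.21 10:06:09 LOG5[3680:2940]: Connection closed: 1048576 bytes sent to SSL, 640 bytes sent to socket
2007.05.21 10:06:20 LOG5[3680:2952]: https accepted connection from 203.0.113.7:50212
2007.05.21 10:06:20 LOG3[3680:2952]: SSL_accept: Peer suddenly disconnected
2007.05.21 10:06:20 LOG5[3680:2952]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""

# Generic stunnel line: timestamp, LOG<level>[pid:tid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) LOG(?P<level>\d)"
    r"\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
# Client side of a new session: "accepted connection from" (4.20) or "connected from" (4.15).
# The backend line "connected remote server from 127.0.0.1:..." deliberately does not match.
ACCEPT_RE = re.compile(
    r"^(?P<svc>\S+) (?:accepted connection|connected) from (?P<ip>[\d.]+):(?P<port>\d+)$")
CLOSE_RE = re.compile(
    r"^Connection (?:closed|reset): (?P<to_ssl>\d+) bytes sent to SSL, (?P<to_sock>\d+) bytes sent to socket$")
CIPHER_RE = re.compile(r"^Negotiated ciphers: (?P<cipher>\S+) (?P<proto>\S+)")


def summarize_stunnel_log(text):
    """Correlate lines by (pid, tid) and aggregate per client IP. 'bytes_to_client' is what
    stunnel wrote into the TLS session (downloads), 'bytes_to_hfs' what it forwarded to HFS."""
    sessions = {}  # (pid, tid) -> client ip of the session currently running on that thread
    stats = defaultdict(lambda: {"connections": 0, "handshake_failures": 0,
                                 "bytes_to_client": 0, "bytes_to_hfs": 0, "ciphers": set()})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        key, msg = (m["pid"], m["tid"]), m["msg"]
        a = ACCEPT_RE.match(msg)
        if a:
            sessions[key] = a["ip"]
            stats[a["ip"]]["connections"] += 1
            continue
        ip = sessions.get(key)
        if ip is None:
            continue  # start-up lines and the listener thread carry no client
        c = CIPHER_RE.match(msg)
        if c:
            stats[ip]["ciphers"].add(f"{c['cipher']}/{c['proto']}")
        elif "Peer suddenly disconnected" in msg:
            stats[ip]["handshake_failures"] += 1
        else:
            e = CLOSE_RE.match(msg)
            if e:
                stats[ip]["bytes_to_client"] += int(e["to_ssl"])
                stats[ip]["bytes_to_hfs"] += int(e["to_sock"])
                del sessions[key]  # thread ids get reused; forget the finished session
    return dict(stats)


def format_report(stats):
    """One line per client, heaviest downloader first: the view HFS itself cannot give."""
    lines = []
    for ip, s in sorted(stats.items(), key=lambda kv: kv[1]["bytes_to_client"], reverse=True):
        lines.append(f"{ip:<15} conns={s['connections']} failed={s['handshake_failures']} "
                     f"to_client={s['bytes_to_client']} to_hfs={s['bytes_to_hfs']} "
                     f"ciphers={','.join(sorted(s['ciphers'])) or '-'}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(summarize_stunnel_log(SAMPLE_LOG))))
```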



Title: Re: How about SSL support
Post by: rejetto on April 03, 2007, 07:27:53 PM
why don't you publish this thing also on the wiki?
on the forum it may get lost in the future.
Title: Re: How about SSL support
Post by: maverick on April 03, 2007, 07:58:13 PM
Good job ~GeeS~

The only thing I would add is that the latest version of openSSL is 0.9.8e (dated Feb 23, 2007).  I installed it yesterday.  ( http://www.openssl.org/ )

In the config you show:
; SSL bug options / NO SSL:v2 (SSLv3 and TLSv1 is enabled)
options = ALL
options = NO_SSLv2
I don't have this entry.  Is it necessary?

Also, I don't use compression.  Maybe I should.  Does it speed things up a bit?
Title: Re: How about SSL support
Post by: ~GeeS~ on April 03, 2007, 08:45:10 PM
why don't you publish this thing also on the wiki?
on the forum it may get lost in the future.
I tried, but formatting the code and lay-out is horrifying. Tools? Help?

The only thing I would add is that the latest version of openSSL is 0.9.8e (dated Feb 23, 2007).  I installed it yesterday.  ( http://www.openssl.org/ )
The Stunnel 4.20 binaries were compiled with the older version of openssl. Did not want to take any risk with openssl.exe from a newer version.
In the config you show:
; SSL bug options / NO SSL:v2 (SSLv3 and TLSv1 is enabled)
options = ALL
options = NO_SSLv2
I don't have this entry.  Is it necessary?
Got these entries from the openssl manual http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html# and discussions on the stunnel mail archive:
options = all is a collection of workarounds for bugs in several older browsers.
NO_SSLv2 disables SSL version 2; options are: ALL|NO_SSLv2|NO_SSLv3|TLSv1
Also, I don't use compression.  Maybe I should.  Does it speed things up a bit?
It should; I measured DL of 3500KB/s on localhost on xp sp2 centrino 1.6Mhz. Seems enough.
It's very difficult to find good info about all the options, but it works flawlessly.  :)

Title: Re: How about SSL support
Post by: maverick on April 03, 2007, 09:12:53 PM
The only thing I would add is that the latest version of openSSL is 0.9.8e (dated Feb 23, 2007).  I installed it yesterday.  ( http://www.openssl.org/ )
The Stunnel 4.20 binaries were compiled with the older version of openssl. Did not want to take any risk with openssl.exe from a newer version.

Yes, I noticed that too when I first installed stunnel v4.20.  No problem upgrading openSSL.  The newest version includes important bugfixes.    Works perfectly here.

I'll also include the SSL Bug options and turn on compression in the config.

Thanks

Title: Re: How about SSL support
Post by: ~GeeS~ on April 03, 2007, 09:25:50 PM
I'll also include the SSL Bug options and turn on compression in the config.
As I said: No guarantees whatsoever!  ;)
Title: Re: How about SSL support
Post by: maverick on April 03, 2007, 09:28:13 PM
As I said: No guarantees whatsoever!  ;)

I know.  I'll monitor.  So far I don't see anything out of the ordinary.
Title: Re: How about SSL support
Post by: ~GeeS~ on April 04, 2007, 05:46:06 PM
why don't you publish this thing also on the wiki?
on the forum it may get lost in the future.
I tried, but formatting the code and lay-out is horrifying. Tools? Help?
Has already been done. HTML!
Title: Re: How about SSL support
Post by: T1m on April 08, 2007, 12:45:19 AM
An SSH server and PuTTY is a great combo for secure access. It's not as convenient as an HFS that supports HTTPS, but it will give you a secure connection over the internet. I use it all the time for secure access to my home network including a windows HFS server, a Squid Proxy Server, and a couple of VNC sessions. I use OpenSSH and Cygwin on XP and BearDrop on Ubuntu as my SSH servers, and PuTTY is available on Windows, Linux, and probably OS10.x Macs.
Title: Re: How about SSL support
Post by: GapeApe on April 12, 2007, 11:34:12 PM
Everything is running fine but I noticed my lock icon (Firefox) has a slash through it. It says warning: contains unauthenticated content. When I double click on it I get the page info and all the links are https. That was the only step I could think of on my own. I remember seeing a post on this (possibly in this thread) but I haven't been able to find it.
Thx
Title: Re: How about SSL support
Post by: Todd on May 21, 2007, 03:13:58 PM
First off, let me say thanks for this great forum!  I have done a lot of reading and searching for answers to using HFS, and have been trying for a couple of weeks now attempting to get STunnel to work with HFS. I have followed to the letter the instructions by GeeS, and am having fits trying to get it to work.  When I attempt to connect to my server via port 443, I get the page with the server certificate, and after I click on that, I get an IE 'Page cannot be displayed'.

Here is a log of Stunnel when doing this...

2007.05.21 10:05:09 LOG6[3680:3044]: Compression enabled using zlib method
2007.05.21 10:05:09 LOG7[3680:3044]: Snagged 64 random bytes from C:/.rnd
2007.05.21 10:05:09 LOG7[3680:3044]: Wrote 1024 new random bytes to C:/.rnd
2007.05.21 10:05:09 LOG7[3680:3044]: RAND_status claims sufficient entropy for the PRNG
2007.05.21 10:05:09 LOG7[3680:3044]: PRNG seeded successfully
2007.05.21 10:05:09 LOG7[3680:3044]: Configuration SSL options: 0x01000FFF
2007.05.21 10:05:09 LOG7[3680:3044]: SSL options set: 0x01000FFF
2007.05.21 10:05:09 LOG7[3680:3044]: Certificate: stunnel.pem
2007.05.21 10:05:09 LOG7[3680:3044]: Certificate loaded
2007.05.21 10:05:09 LOG7[3680:3044]: Key file: stunnel.pem
2007.05.21 10:05:09 LOG7[3680:3044]: Private key loaded
2007.05.21 10:05:09 LOG7[3680:3044]: SSL context initialized for service https
2007.05.21 10:05:09 LOG5[3680:3044]: stunnel 4.20 on x86-pc-mingw32-gnu with OpenSSL 0.9.8d 28 Sep 2006
2007.05.21 10:05:09 LOG5[3680:3044]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2007.05.21 10:05:09 LOG5[3680:3980]: No limit detected for the number of clients
2007.05.21 10:05:09 LOG7[3680:3980]: FD 188 in non-blocking mode
2007.05.21 10:05:09 LOG7[3680:3980]: SO_REUSEADDR option set on accept socket
2007.05.21 10:05:09 LOG7[3680:3980]: https bound to 0.0.0.0:443
2007.05.21 10:05:47 LOG7[3680:3980]: https accepted FD=232 from 192.168.1.1:1492
2007.05.21 10:05:47 LOG7[3680:3980]: Creating a new thread
2007.05.21 10:05:47 LOG7[3680:3980]: New thread created
2007.05.21 10:05:47 LOG7[3680:2936]: https started
2007.05.21 10:05:47 LOG7[3680:2936]: FD 232 in non-blocking mode
2007.05.21 10:05:47 LOG7[3680:2936]: TCP_NODELAY option set on local socket
2007.05.21 10:05:47 LOG5[3680:2936]: https accepted connection from 192.168.1.1:1492
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): before/accept initialization
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 read client hello A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write server hello A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write certificate A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write server done A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 read client key exchange A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 read finished A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write change cipher spec A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 write finished A
2007.05.21 10:05:47 LOG7[3680:2936]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:47 LOG7[3680:2936]:    1 items in the session cache
2007.05.21 10:05:47 LOG7[3680:2936]:    0 client connects (SSL_connect())
2007.05.21 10:05:47 LOG7[3680:2936]:    0 client connects that finished
2007.05.21 10:05:47 LOG7[3680:2936]:    0 client renegotiations requested
2007.05.21 10:05:47 LOG7[3680:2936]:    1 server connects (SSL_accept())
2007.05.21 10:05:47 LOG7[3680:2936]:    1 server connects that finished
2007.05.21 10:05:47 LOG7[3680:2936]:    0 server renegotiations requested
2007.05.21 10:05:47 LOG7[3680:2936]:    0 session cache hits
2007.05.21 10:05:47 LOG7[3680:2936]:    0 session cache misses
2007.05.21 10:05:47 LOG7[3680:2936]:    0 session cache timeouts
2007.05.21 10:05:47 LOG6[3680:2936]: SSL accepted: new session negotiated
2007.05.21 10:05:47 LOG6[3680:2936]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2007.05.21 10:05:47 LOG7[3680:2936]: FD 260 in non-blocking mode
2007.05.21 10:05:47 LOG7[3680:2936]: https connecting 127.0.0.1:44300
2007.05.21 10:05:47 LOG7[3680:2936]: connect_wait: waiting 10 seconds
2007.05.21 10:05:47 LOG7[3680:2936]: connect_wait: connected
2007.05.21 10:05:47 LOG5[3680:2936]: https connected remote server from 127.0.0.1:1645
2007.05.21 10:05:47 LOG7[3680:2936]: Remote FD=260 initialized
2007.05.21 10:05:47 LOG7[3680:2936]: TCP_NODELAY option set on remote socket
2007.05.21 10:05:47 LOG7[3680:2936]: Socket closed on read
2007.05.21 10:05:47 LOG7[3680:2936]: SSL write shutdown
2007.05.21 10:05:47 LOG7[3680:2936]: SSL alert (write): warning: close notify
2007.05.21 10:05:47 LOG6[3680:2936]: SSL socket closed on SSL_shutdown
2007.05.21 10:05:47 LOG7[3680:2936]: Socket write shutdown
2007.05.21 10:05:47 LOG5[3680:2936]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2007.05.21 10:05:47 LOG7[3680:2936]: https finished (0 left)
2007.05.21 10:05:50 LOG7[3680:3980]: https accepted FD=208 from 192.168.1.1:1493
2007.05.21 10:05:50 LOG7[3680:3980]: Creating a new thread
2007.05.21 10:05:50 LOG7[3680:3980]: New thread created
2007.05.21 10:05:50 LOG7[3680:2996]: https started
2007.05.21 10:05:50 LOG7[3680:2996]: FD 208 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:2996]: TCP_NODELAY option set on local socket
2007.05.21 10:05:50 LOG5[3680:2996]: https accepted connection from 192.168.1.1:1493
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): before/accept initialization
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 read client hello A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 write server hello A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 write change cipher spec A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 write finished A
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:50 LOG7[3680:2996]: SSL state (accept): SSLv3 read finished A
2007.05.21 10:05:50 LOG7[3680:2996]:    1 items in the session cache
2007.05.21 10:05:50 LOG7[3680:2996]:    0 client connects (SSL_connect())
2007.05.21 10:05:50 LOG7[3680:2996]:    0 client connects that finished
2007.05.21 10:05:50 LOG7[3680:2996]:    0 client renegotiations requested
2007.05.21 10:05:50 LOG7[3680:3980]: https accepted FD=260 from 192.168.1.1:1494
2007.05.21 10:05:50 LOG7[3680:2996]:    2 server connects (SSL_accept())
2007.05.21 10:05:50 LOG7[3680:3980]: Creating a new thread
2007.05.21 10:05:50 LOG7[3680:2996]:    2 server connects that finished
2007.05.21 10:05:50 LOG7[3680:3980]: New thread created
2007.05.21 10:05:50 LOG7[3680:2996]:    0 server renegotiations requested
2007.05.21 10:05:50 LOG7[3680:2996]:    1 session cache hits
2007.05.21 10:05:50 LOG7[3680:2996]:    0 session cache misses
2007.05.21 10:05:50 LOG7[3680:2996]:    0 session cache timeouts
2007.05.21 10:05:50 LOG6[3680:2996]: SSL accepted: previous session reused
2007.05.21 10:05:50 LOG7[3680:2996]: FD 288 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:2996]: https connecting 127.0.0.1:44300
2007.05.21 10:05:50 LOG7[3680:2996]: connect_wait: waiting 10 seconds
2007.05.21 10:05:50 LOG7[3680:2996]: connect_wait: connected
2007.05.21 10:05:50 LOG7[3680:4008]: https started
2007.05.21 10:05:50 LOG5[3680:2996]: https connected remote server from 127.0.0.1:1646
2007.05.21 10:05:50 LOG7[3680:2996]: Remote FD=288 initialized
2007.05.21 10:05:50 LOG7[3680:2996]: TCP_NODELAY option set on remote socket
2007.05.21 10:05:50 LOG7[3680:2996]: Socket closed on read
2007.05.21 10:05:50 LOG7[3680:2996]: SSL socket closed on SSL_read
2007.05.21 10:05:50 LOG7[3680:2996]: Socket write shutdown
2007.05.21 10:05:50 LOG5[3680:2996]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
2007.05.21 10:05:50 LOG7[3680:2996]: https finished (1 left)
2007.05.21 10:05:50 LOG7[3680:4008]: FD 260 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:4008]: TCP_NODELAY option set on local socket
2007.05.21 10:05:50 LOG5[3680:4008]: https accepted connection from 192.168.1.1:1494
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): before/accept initialization
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 read client hello A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 write server hello A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 write change cipher spec A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 write finished A
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 flush data
2007.05.21 10:05:50 LOG7[3680:4008]: SSL state (accept): SSLv3 read finished A
2007.05.21 10:05:50 LOG7[3680:4008]:    1 items in the session cache
2007.05.21 10:05:50 LOG7[3680:4008]:    0 client connects (SSL_connect())
2007.05.21 10:05:50 LOG7[3680:4008]:    0 client connects that finished
2007.05.21 10:05:50 LOG7[3680:4008]:    0 client renegotiations requested
2007.05.21 10:05:50 LOG7[3680:4008]:    3 server connects (SSL_accept())
2007.05.21 10:05:50 LOG7[3680:4008]:    3 server connects that finished
2007.05.21 10:05:50 LOG7[3680:4008]:    0 server renegotiations requested
2007.05.21 10:05:50 LOG7[3680:4008]:    2 session cache hits
2007.05.21 10:05:50 LOG7[3680:4008]:    0 session cache misses
2007.05.21 10:05:50 LOG7[3680:4008]:    0 session cache timeouts
2007.05.21 10:05:50 LOG6[3680:4008]: SSL accepted: previous session reused
2007.05.21 10:05:50 LOG7[3680:4008]: FD 216 in non-blocking mode
2007.05.21 10:05:50 LOG7[3680:4008]: https connecting 127.0.0.1:44300
2007.05.21 10:05:50 LOG7[3680:4008]: connect_wait: waiting 10 seconds
2007.05.21 10:05:50 LOG7[3680:4008]: connect_wait: connected
2007.05.21 10:05:50 LOG5[3680:4008]: https connected remote server from 127.0.0.1:1647
2007.05.21 10:05:50 LOG7[3680:4008]: Remote FD=216 initialized
2007.05.21 10:05:50 LOG7[3680:4008]: TCP_NODELAY option set on remote socket
2007.05.21 10:05:50 LOG7[3680:4008]: Socket closed on read
2007.05.21 10:05:50 LOG7[3680:4008]: SSL write shutdown
2007.05.21 10:05:50 LOG7[3680:4008]: SSL alert (write): warning: close notify
2007.05.21 10:05:50 LOG6[3680:4008]: SSL socket closed on SSL_shutdown
2007.05.21 10:05:50 LOG7[3680:4008]: Socket write shutdown
2007.05.21 10:05:50 LOG5[3680:4008]: Connection closed: 0 bytes sent to SSL, 540 bytes sent to socket
2007.05.21 10:05:50 LOG7[3680:4008]: https finished (0 left)

I have HFS set up to listen on port 44300, and have everything set up EXACTLY as described in this forum by GeeS (his update), and I cannot get it to allow me to reach the server after activating STunnel.  I can access it all day long without STunnel via port 81 (ISP blocks 80), but when I go through the steps to set up STunnel, I cannot access it via HTTPS, though I can via HTTP.

Does anyone have any thoughts on why this wouldn't be working in my case?

Thanks, in advance, for any help!
Title: Re: SSL
Post by: Todd on May 21, 2007, 05:58:36 PM
I am able to get this way to work, but not using the method in my previous post.  What would keep the other way from working, but this method works?   ???

Hi

I originally used STunnel with Abyss webserver.

Go to http://www.stunnel.org/pem/ and create a free SSL Certificate. Copy this to the STunnel main folder. This certificate should be called STunnel.pem.

Then edit the STunnel config, and find these lines. If they are not there, then simply create this section. If they are there, they may be remarked out by default, so remove the remarks. It should read exactly as below

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

Change the connect line to match your server port, and change the accept port to whatever port your URL connects to. It is best to leave it at the default though.
Next, I recommend loading HFS first, then STunnel last.

Then either connect to your PC, by using your IP with :443 on the end, or do as I did, and create a DynDNS account.
If you are not aware, you can create a normal Dynamic domain, and have this re-direct to another DynDNS webhop.

I would send you a screen grab, but my mate who normally connects to my server is on his hols. And I can't because I am behind a Router Firewall. So all I get is my Router logon.

Anyway, here is my address. See if you can connect to it.
It will be password protected, but at least you can see the server login, with a bit of luck.
Hope this helps you. http://blueeagle.webhop.org
Title: Re: How about SSL support
Post by: Todd on May 22, 2007, 12:42:24 AM
In messing around with this more, I am able to connect using the GeeS method upon removing the \127.0.0.1 entry from the Ban list.  I can connect to the server via HTTPS, and only HTTPS, when \127.0.0.1 is not in the Ban list.

Did I do something wrong?  I put it in the list without the quotes, and everything locks me out.  Upon removing it, it works fine.   ???

I will leave it like this as it works fine without it, but not sure why circumventing it works...
Title: Re: How about SSL support
Post by: traxxus on May 22, 2007, 06:51:16 AM
Yes, REMOVE 127.0.0.1 (it's the localhost) from the ban list.
It's not possible to connect via SSL if localhost is banned:

Reason:
In the HFS log is an entry like this, if you log in via HTTPS (Stunnel):
username@127.0.0.1:4181 Served 2.18 KB

Title: Re: How about SSL support
Post by: Todd on May 22, 2007, 11:31:43 AM
Yes, REMOVE 127.0.0.1 (it's the localhost) from the ban list.
It's not possible to connect via SSL if localhost is banned:

Reason:
In the HFS log is an entry like this, if you log in via HTTPS (Stunnel):
username@127.0.0.1:4181 Served 2.18 KB



Agreed. 

However, the '\' in front of the address is supposed to block everything except 127.0.0.1 per the HFS guide, as well as the "How Do I Invert Logic" (or words to that effect) button in the Limits/Ban screen.

Quote

7. Start HFS (2.1d at the time of writing) to listen on port 44300.
In Menu/Limits/Bans…, enter “\127.0.0.1” without the quotation marks and check “Disconnect with no reply” in order to ban every IP except 127.0.0.1, to block direct http access to HFS with a “Host not found” message.
Within a “friendly” network you could consider adding e.g. “\192.168.*” to allow direct HTTP access to HFS from all machines in your network.


This is what's throwing me off in trying to get the specific instructions by GeeS to work where the instructions state to use the "\127.0.0.1" sans quotations and check the "Disconnect with no reply" box to get it to work.
Title: Re: How about SSL support
Post by: Todd on May 24, 2007, 11:09:21 AM
I finally figured it out.  I was putting the \192.168.* on a separate line from the \127.0.0.1.  After combining them on one line (\127.0.0.1;192.168.*), all works fine now.
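Todd's two configurations (two inverted lines vs. one inverted line with both masks) behave the way he describes if every Bans line is its own rule and a leading backslash makes that line ban every address matching none of its masks. The Python below is an added model of that behaviour, not HFS's own code; its mask syntax (';' between masks, '*' as wildcard) is an assumption and HFS's real matcher may differ in details.

```python
"""Model of the HFS Bans-list behaviour described in this thread.

Added illustration, not HFS's own code. Assumptions: each line of the list is
one rule; masks in a rule are separated by ';'; '*' matches any tail; a leading
backslash inverts the rule so it bans every address matching NONE of its masks;
a client is banned as soon as any rule bans it.
"""
from fnmatch import fnmatchcase

# Todd's first attempt: two inverted rules on separate lines.
TWO_LINES = ["\\127.0.0.1", "\\192.168.*"]
# Todd's working configuration: one inverted rule carrying both masks.
ONE_LINE = ["\\127.0.0.1;192.168.*"]


def parse_rule(line):
    """Return (inverted, masks) for one Bans line."""
    line = line.strip()
    inverted = line.startswith("\\")
    if inverted:
        line = line[1:]
    masks = [m.strip() for m in line.split(";") if m.strip()]
    return inverted, masks


def rule_bans(line, ip):
    """Does this single rule ban the client address?"""
    inverted, masks = parse_rule(line)
    matched = any(fnmatchcase(ip, mask) for mask in masks)
    # An inverted rule is an allow-list: everything outside it is banned.
    return (not matched) if inverted else matched


def is_banned(ban_list, ip):
    """Rules are independent, so bans from different lines add up."""
    return any(rule_bans(line, ip) for line in ban_list if line.strip())


def allowed_clients(ban_list, candidates):
    """Which of the candidate addresses can still reach HFS directly."""
    return [ip for ip in candidates if not is_banned(ban_list, ip)]


if __name__ == "__main__":
    clients = ["127.0.0.1", "192.168.1.5", "8.8.8.8"]
    # Two lines: rule 1 bans the LAN, rule 2 bans loopback -> nobody gets in,
    # which is exactly the lock-out Todd described.
    print("two lines:", allowed_clients(TWO_LINES, clients))  # []
    # One line: only stunnel (loopback) and the LAN reach HFS directly;
    # everyone else is dropped and has to come in through HTTPS.
    print("one line :", allowed_clients(ONE_LINE, clients))   # ['127.0.0.1', '192.168.1.5']
```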
Title: Re: How about SSL support
Post by: ersecchio on April 09, 2008, 08:55:42 PM
Hello, since I haven't quite understood this post on how to set up STUNNEL with HFS,
could someone tell me (in Italian) what to change in the stunnel .conf file on my server so that whoever downloads material from my HFS server is protected (i.e. over https)?
Also, does the client only need to accept the certificate?
Many thanks
Fabrizio
Title: Re: How about SSL support
Post by: rejetto on April 11, 2008, 05:51:59 PM
I searched the Italian forum for "stunnel" for you and this thread came up
www.rejetto.com/forum/?topic=5031
I have never used stunnel, so I can't help you otherwise
Title: Re: How about SSL support
Post by: Fysack on April 15, 2008, 12:03:32 PM
OpenSSL for 64 bit Windows here:

http://www.deanlee.cn/programming/openssl-for-windows/

Tested on Windows Vista Ultimate 64 bit. WORKS!  :-*
Title: Re: How about SSL support
Post by: chrZ on May 23, 2008, 12:12:03 PM
the only thing i miss is ssl ... then hfs would be perfect in my eyes ... don`t want to use stunnel or anything else ... ssl should work simply in hfs

greetz
chrZ
Title: Re: How about SSL support
Post by: ElDiablo1985 on November 20, 2008, 12:16:25 AM
Could someone please explain in German how to do this with Stunnel?

I have installed the software and also pasted the generated code into Stunnel.pem.

In stunnel.conf I entered under accept the port that I always use.
What I have to enter under connect I don't know at the moment.

When I now open the normal link, nothing changes; it doesn't seem to be using any encryption either. With https I get page not found.

First I started the server and then the Stunnel program.

Regards
Title: Re: SSL
Post by: zekexz on January 07, 2009, 07:49:45 PM
Hi

I originally used STunnel with Abyss webserver.

Go to http://www.stunnel.org/pem/ and create a free SSL Certificate. Copy this to the STunnel main folder. This certificate should be called STunnel.pem.

Then edit the STunnel config, and find these lines. If they are not there, then simply create this section. If they are there, they may be remarked out by default, so remove the remarks. It should read exactly as below

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

Change the connect line to match your server port, and change the accept port to whatever port your URL connects to. It is best to leave it at the default though.
Next, I recommend loading HFS first, then STunnel last.

Then either connect to your PC, by using your IP with :443 on the end, or do as I did, and create a DynDNS account.
If you are not aware, you can create a normal Dynamic domain, and have this re-direct to another DynDNS webhop.

I would send you a screen grab, but my mate who normally connects to my server is on his hols. And I can't because I am behind a Router Firewall. So all I get is my Router logon.

Anyway, here is my address. See if you can connect to it.
It will be password protected, but at least you can see the server login, with a bit of luck.
Hope this helps you. http://blueeagle.webhop.org

Are there any ports that need to be forwarded?
Should I add 443 incoming to 1245 in my port forwarding?   (1245 is my hfs listening port)
I've done everything he's done, except it's not working for me.
When I go to https://havokxz.podzone.net  I get my router... lol.
Title: Re: How about SSL support
Post by: securityguard123 on January 12, 2009, 03:31:53 PM
I also like this small tool!

if this will be incorporated it will be a good thing. :)
Title: Re: How about SSL support
Post by: phoque on February 10, 2009, 09:56:33 AM
To improve support for HTTPS with Stunnel it would be nice to have a limit "max downloads per user" and to add a "add custom ip"-feature that can contain the protocol (to create something like "https://my.hostname.com/").

Apart from that: awesome work! I am really enjoying HFS and enjoying it even more with Stunnel :-)
Title: Re: How about SSL support
Post by: rejetto on February 11, 2009, 04:18:50 PM
both are possible in version 2.3 beta
Title: Re: How about SSL support
Post by: SilentPliz on February 12, 2009, 09:41:06 AM
Display of the Stunnel log in HFS. (v2.3 since build #239)

Ref: http://www.rejetto.com/forum/index.php?topic=6651.msg1040731#msg1040731

1)

- Paste the following section into a file named hfs.events, placed in the folder of hfs.exe:


Script edited 01-18-2010

[connected]
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}.}
{.set|#stunnel.last|{.filesize|stunnel.log.}.}
{.if|{.^#log.}|{:
{.add to log|.
Stunnel log :
{.^#log.}|Clblue.}
:}.}

[+start]
{.set|#stunnel.last|{.filesize|stunnel.log.}.}


2)

- In the stunnel.conf file in the folder of stunnel.exe, specify the path of the HFS folder where the file stunnel.log will be created.
(debug = 6 gives a correct result)

; Some debugging stuff useful for troubleshooting
debug = 6
output = C:\path\of\hfs folder\stunnel.log


3)

- Enjoy HFS and Stunnel !  :)

----------------------------------------------------------------------------
Independently, you can add the internal IP of your PC to the [https] section of stunnel.conf:

[https]
accept  = 0.0.0.0:443
connect = 127.0.0.1:44300

local = 192.168.1.6 *
TIMEOUTclose = 0

* IP example

Then you add in HFS:

Menu > Limits > Bans

\127.0.0.1;192.168.1.6

Then in Adress2name:

Name       IP Mask
Local      127.0.0.1
Stunnel    192.168.1.6

This will differentiate in the log between local connections (http) and remote connections arriving through Stunnel (https).
Title: Re: How about SSL support
Post by: Dev on February 18, 2009, 02:48:19 AM
I hate to ask this question since I am not very knowledgeable with HTTP. I have HFS working without stunnel; I downloaded and set up stunnel following these directions http://www.rejetto.com/wiki/index.php/HFS:_Secure_your_server . I can connect through HFS by clicking the "open in browser" button, but whenever I try to test it, it fails. I put 44300 in the port field and tried to connect by putting https://myipaddress:44300, and I get an error in Firefox saying the site may be valid but it can't establish a connection. It may be my certificate? I'm not sure what the hostname should be; what would the address look like that would go into the browser? HFS worked great using HTTP, but the address was my ip:port# that I had forwarded in the router; now that obviously won't work using HTTPS. I have port 443 currently forwarded. I am hoping I might just not be understanding something simple. Here is the stunnel log file:

2009.02.17 20:06:04 LOG6[3556:2668]: Compression enabled using zlib method
2009.02.17 20:06:04 LOG7[3556:2668]: Snagged 64 random bytes from C:/.rnd
2009.02.17 20:06:04 LOG7[3556:2668]: Wrote 1024 new random bytes to C:/.rnd
2009.02.17 20:06:04 LOG7[3556:2668]: RAND_status claims sufficient entropy for the PRNG
2009.02.17 20:06:04 LOG7[3556:2668]: PRNG seeded successfully
2009.02.17 20:06:04 LOG7[3556:2668]: Configuration SSL options: 0x01000FFF
2009.02.17 20:06:04 LOG7[3556:2668]: SSL options set: 0x01000FFF
2009.02.17 20:06:04 LOG7[3556:2668]: Certificate: stunnel.pem
2009.02.17 20:06:04 LOG7[3556:2668]: Certificate loaded
2009.02.17 20:06:04 LOG7[3556:2668]: Key file: stunnel.pem
2009.02.17 20:06:04 LOG7[3556:2668]: Private key loaded
2009.02.17 20:06:04 LOG7[3556:2668]: SSL context initialized for service https
2009.02.17 20:06:04 LOG5[3556:2668]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008
2009.02.17 20:06:04 LOG5[3556:2668]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2009.02.17 20:06:04 LOG5[3556:1516]: No limit detected for the number of clients
2009.02.17 20:06:04 LOG7[3556:1516]: FD 184 in non-blocking mode
2009.02.17 20:06:04 LOG7[3556:1516]: SO_REUSEADDR option set on accept socket
2009.02.17 20:06:04 LOG7[3556:1516]: https bound to 0.0.0.0:443

Thanks a lot for any help,
Dev
Title: Re: How about SSL support
Post by: SilentPliz on February 18, 2009, 04:14:21 AM
Your configuration of Stunnel seems correct.
The SSL connections (https) are connection requests arriving from outside on port 443 (Stunnel); these connections are then redirected to the local port HFS listens on (44300).
The responses from HFS follow the same path back.

So this address will be used only for connections from the outside:

https://myexternalipaddress:443/

If you cannot test from outside your server, test it with the following link, for example (see enclosed picture):

http://www.internetvista.com/fr/tester-serveur-web.htm

You enter your link:

https://myexternalipaddress:443/

If you see something appear in the log of HFS ... YOU WON !

-------------------------------------------------------------------------------------------------------------
REMINDER

To connect locally (http) (e.g. via the browse button of HFS):

Set HFS (permanent settings):

Port 44300

Menu> Limits> bans:
\127.0.0.1

Menu > IP Address> 127.0.0.1
Menu > Accept connections on > 127.0.0.1

The correct address to connect locally on HFS will be:

http://127.0.0.1:44300/
Title: Re: How about SSL support
Post by: Dev on February 18, 2009, 01:05:38 PM
That did it. Thanks a bunch, SilentPliz. After reading the security issues I really wanted to have stunnel running.
Title: Re: How about SSL support
Post by: Ranger on February 18, 2009, 03:19:08 PM
I got this all set up and it now works. However my hosted images won't work anymore on websites (even when changing the link to HTTPS). Any way around this or will this not work using HTTPS?
Title: Re: How about SSL support
Post by: SilentPliz on February 18, 2009, 06:23:29 PM
@Dev
Cool! I'm glad that everything works for you.  ;)

@DNic41
Excuse me, but I do not understand your worries... Are the pictures on your HFS no longer accessible?

Visitors can not access them?

Try to explain exactly what you have done and what does not work... I am a little stupid sometimes.  :-\
Title: Re: How about SSL support
Post by: Ranger on February 18, 2009, 07:28:25 PM
@DNic41
Excuse me, but I do not understand your worries... Are the pictures on your HFS no longer accessible?

Visitors can not access them?

Try to explain exactly what you have done and what does not work... I am a little stupid sometimes.  :-\

I host images on my HFS just like you would with imageshack, photobucket,etc. When I use SSL the images won't come up on other websites anymore (of course I changed the URL to HTTPS:// from HTTP://)
Title: Re: How about SSL support
Post by: SilentPliz on February 18, 2009, 10:24:17 PM
Arrrgh ! Sorry, I have been slow to understand.  :-[

You should not have problems with your pictures... if the correct links are in https.

If possible, post a link here... it may be possible to see what is wrong.

A problem with Stunnel can occur with automatic operations ... Yes! We need someone at the other end to accept the SSL certificate.  :D

PS: you can also work with a second hfs.exe in http.
Title: Re: How about SSL support
Post by: Ranger on February 18, 2009, 10:32:57 PM
Arrrgh ! Sorry, I have been slow to understand.  :-[

You should not have problems with your pictures... if the correct links are in https.

The only problems that may arise with Stunnel occur with automatic operations ... Oh yes! We need someone at the other end to accept the SSL certificate.  :D

PS: you can also work with a second hfs.exe in http.

Yea, I might do the second HFS in plain HTTP for images, but I'm not sure yet how to link the 2 together.
Title: Re: How about SSL support
Post by: Ranger on February 19, 2009, 02:46:42 AM
Ok, I was able to create a second instance of HFS (HTTP) for just my image hosting. Now how, or what is the best way, to get it to point to the HFS (HTTPS) server?

I'd like to link it up as smoothly as possible, but not sure how to go about this.
Title: Re: How about SSL support
Post by: SilentPliz on February 19, 2009, 08:09:14 AM

For the HTTP server (eg: port 80)


You put hfs.exe in an independent directory.
You keep the setup you had before, in HTTP.
You authorize HFS to work with multiple instances open.
You put in your VFS all the resources that will be allowed in HTTP.
--------------------------------------------------

For the HTTPS server (eg: port 44300)

I think you now know how to set it up.  ;)

You put in your VFS all the resources that will be allowed in HTTPS.

Both servers can contain the same accounts.
Both VFS are independent
--------------------------------------------------

To link the two servers HTTP > HTTPS

Several solutions are possible; I'll give you two very simple ones:

1)

You create new links in the directories of the users of the HTTP server that can access the HTTPS server

VFS > right click > New link

https://yourdomain:443/

2)

You create a menu in the template of the HTTP server

Eg with the default template:

{.if| {.get|can upload.}  | <li><a href="~upload"><center><img src="/~img32"> {.!Upload.}</center></a></li> .}
{.if| {.and | {.get|can archive.} | {.not|{.?search.}.} .}
    | <li><a href="~folder.tar?recursive"><center>{.!Folder archive.}</center></a></li>
   <li><a href="https://yourdomain:443/"><center>HFS SSL</center></a></li>
.}


You can combine this line with macros to put conditions on the display of the menu.

Of course other ways to do this are possible:
eg: Using a home page, all settings included  in the same template, make a button ... etc ...

Title: Re: How about SSL support
Post by: Ranger on February 19, 2009, 02:37:01 PM
Thanks! I just added a link on the HTTP to the HTTPS.

Also I tried to add the log, the first 2 steps, but all I get in my HTTPS HFS folder is a stunnel.last file with a number 0 in it.
Title: Re: How about SSL support
Post by: SilentPliz on February 19, 2009, 03:28:26 PM
If everything is configured properly, you will see the Stunnel log when a user logs on to your server.
The .Last file is a good sign.  ;)

To be continued...
Title: Re: How about SSL support
Post by: SilentPliz on February 19, 2009, 03:51:57 PM
 ???
You do not have a file stunnel.log in your HFS folder ?
Title: Re: How about SSL support
Post by: Ranger on February 19, 2009, 08:32:16 PM
No just a stunnel.last file that appeared.
Title: Re: How about SSL support
Post by: SilentPliz on February 19, 2009, 08:50:17 PM
- In file stunnel.conf of the folder of stunnel.exe , specify the path of HFS where the file stunnel.log will be created.
(Debug = 6 gives a correct result)

; Some debugging stuff useful for troubleshooting
debug = 6
output = C:\path\of\hfs folder\stunnel.log
Title: Re: How about SSL support
Post by: Ranger on February 19, 2009, 10:31:04 PM
- In file stunnel.conf of the folder of stunnel.exe , specify the path of HFS where the file stunnel.log will be created.
(Debug = 6 gives a correct result)

; Some debugging stuff useful for troubleshooting
debug = 6
output = C:\path\of\hfs folder\stunnel.log


Yup added exactly that.

Code:
; Some debugging stuff useful for troubleshooting
debug = 6
output = C:\Program Files\HFS\stunnel.log
Title: Re: How about SSL support
Post by: SilentPliz on February 21, 2009, 04:54:57 AM
Test to see if the stunnel.log is really created in the stunnel folder, or elsewhere on your hard drive.
Title: Re: How about SSL support
Post by: Ranger on February 23, 2009, 03:06:08 PM
Test to see if the stunnel.log is really created in the stunnel folder, or elsewhere on your hard drive.

Yea, stunnel.log exists in the Stunnel folder.
Title: Re: How about SSL support
Post by: SilentPliz on February 23, 2009, 03:31:56 PM
So something is misconfigured in your stunnel.conf.

The file Stunnel.log should be created in the folder of hfs.exe

stunnel.conf eg:

cert = stunnel.pem
key = stunnel.pem

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

compression = zlib

options = ALL
options = NO_SSLv2

debug = 6
output = C:\HFS\stunnel.log

[https]
accept = 0.0.0.0:58620
connect = 127.0.0.1:44300
local = 192.168.1.3
TIMEOUTclose = 0
Title: Re: How about SSL support
Post by: Ranger on February 23, 2009, 04:00:22 PM
Ah got it now, I put a ; in front of the original debug but not the old path. I just overwrote it with the new path.

Thanks for all the help.
Title: Re: How about SSL support
Post by: SilentPliz on February 23, 2009, 04:03:42 PM
 ;D

You're welcome !
Title: Re: How about SSL support
Post by: Mars on February 23, 2009, 09:40:51 PM
;D

You're welcome !

You are finally going to be able to sleep at night  :D
Title: Re: How about SSL support
Post by: SilentPliz on February 23, 2009, 09:44:34 PM
I'm going right now. zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
Title: Re: How about SSL support
Post by: jaron840 on March 15, 2009, 09:18:30 AM
Hello, I need major help.. I hate asking, so I spent 2 days to no avail lol.. router port https: 443.. HFS domain name and have it looking for port 80.. I read everything I could about this :(.. the other guy had proxy issues, I don't.. Firefox and IE = no proxy.. I have to put "client = yes" in my conf file or it will bring up an error on SSL accept.. HFS Ban List = \127.0.0.1;192.168.2.*.. here it is.. oh, and everything works without stunnel until I changed the ports for stunnel.

2009.03.15 04:07:02 LOG6[3316:4076]: Compression enabled using zlib method
2009.03.15 04:07:02 LOG7[3316:4076]: RAND_status claims sufficient entropy for the PRNG
2009.03.15 04:07:02 LOG7[3316:4076]: PRNG seeded successfully
2009.03.15 04:07:02 LOG7[3316:4076]: Configuration SSL options: 0x01000FFF
2009.03.15 04:07:02 LOG7[3316:4076]: SSL options set: 0x01000FFF
2009.03.15 04:07:02 LOG7[3316:4076]: Certificate: stunnel.pem
2009.03.15 04:07:02 LOG7[3316:4076]: Certificate loaded
2009.03.15 04:07:02 LOG7[3316:4076]: Key file: stunnel.pem
2009.03.15 04:07:02 LOG7[3316:4076]: Private key loaded
2009.03.15 04:07:02 LOG7[3316:4076]: SSL context initialized for service https
2009.03.15 04:07:02 LOG5[3316:4076]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008
2009.03.15 04:07:02 LOG5[3316:4076]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2009.03.15 04:07:02 LOG5[3316:4092]: No limit detected for the number of clients
2009.03.15 04:07:02 LOG7[3316:4092]: FD 204 in non-blocking mode
2009.03.15 04:07:02 LOG7[3316:4092]: SO_REUSEADDR option set on accept socket
2009.03.15 04:07:02 LOG7[3316:4092]: https bound to 0.0.0.0:443
2009.03.15 04:08:12 LOG7[3316:4092]: https accepted FD=236 from 74.196.173.16:4757
2009.03.15 04:08:12 LOG7[3316:4092]: Creating a new thread
2009.03.15 04:08:12 LOG7[3316:4092]: New thread created
2009.03.15 04:08:12 LOG7[3316:3748]: https started
2009.03.15 04:08:12 LOG7[3316:3748]: FD 236 in non-blocking mode
2009.03.15 04:08:12 LOG7[3316:3748]: TCP_NODELAY option set on local socket
2009.03.15 04:08:12 LOG5[3316:3748]: https accepted connection from 74.196.173.16:4757
2009.03.15 04:08:12 LOG7[3316:3748]: FD 268 in non-blocking mode
2009.03.15 04:08:12 LOG7[3316:3748]: https connecting 127.0.0.1:80
2009.03.15 04:08:12 LOG7[3316:3748]: connect_wait: waiting 10 seconds
2009.03.15 04:08:12 LOG7[3316:3748]: connect_wait: connected
2009.03.15 04:08:12 LOG5[3316:3748]: https connected remote server from 192.168.2.76:4758
2009.03.15 04:08:12 LOG7[3316:3748]: Remote FD=268 initialized
2009.03.15 04:08:12 LOG7[3316:3748]: TCP_NODELAY option set on remote socket
2009.03.15 04:08:12 LOG7[3316:3748]: SSL state (connect): before/connect initialization
2009.03.15 04:08:12 LOG7[3316:3748]: SSL state (connect): SSLv3 write client hello A
2009.03.15 04:08:12 LOG3[3316:3748]: SSL_connect: Peer suddenly disconnected
2009.03.15 04:08:12 LOG5[3316:3748]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2009.03.15 04:08:12 LOG7[3316:3748]: https finished (0 left)

-----------------------------------------------------------------------------------------------------------

cert = stunnel.pem
key = stunnel.pem

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

compression = zlib

options = ALL
options = NO_SSLv2

debug = 7
output = stunnel.log

client = yes

[https]
accept = 0.0.0.0:443
connect = 127.0.0.1:80
local = 192.168.2.76
TIMEOUTclose = 0
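The config and the log above come from the same post and explain each other: the global `client = yes` makes stunnel the TLS client toward its `connect` target, so after accepting the browser on 443 it sends a ClientHello to HFS on 127.0.0.1:80, which speaks plaintext HTTP and closes the socket. That is the "SSL state (connect): SSLv3 write client hello A" followed by "SSL_connect: Peer suddenly disconnected" in the log, and the browser sees a dropped connection. The following checker is an added example, not code from the thread or from the stunnel project. It parses stunnel.conf the way stunnel reads it (options before the first section are inherited by every service, which may override them; lines starting with `;` or `#` are comments) and flags that setting. The embedded configs are the posted one and the same file with that one line removed; the function names and messages are this example's own.

```python
"""Lint an stunnel.conf for the client-mode mistake shown in the post above.

Added example, not code from the thread or from the stunnel project.
Assumed stunnel semantics (from its documentation): options written before
the first [service] section are global and inherited by every service, a
service may override them, and "client = yes" makes stunnel the TLS client
toward its connect= target instead of terminating TLS for the peer that hit
accept=.  Lines starting with ';' or '#' are comments.
"""
from typing import Dict, List, Tuple

Section = Dict[str, str]

# The configuration exactly as posted above (embedded here as sample input).
POSTED_CONF = """\
cert = stunnel.pem
key = stunnel.pem

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

compression = zlib

options = ALL
options = NO_SSLv2

debug = 7
output = stunnel.log

client = yes

[https]
accept = 0.0.0.0:443
connect = 127.0.0.1:80
local = 192.168.2.76
TIMEOUTclose = 0
"""

# Same file with the one offending line removed: stunnel now terminates TLS
# on 443 for the browser and speaks plaintext HTTP to HFS on 127.0.0.1:80.
FIXED_CONF = POSTED_CONF.replace("client = yes\n", "")


def parse_stunnel_conf(text: str) -> Tuple[Section, Dict[str, Section]]:
    """Return (global options, {service name: options}).

    Keys are lower-cased; a key repeated in one scope (e.g. two 'options ='
    lines) keeps every value, joined with ';', so nothing is silently dropped.
    """
    globals_: Section = {}
    services: Dict[str, Section] = {}
    current = globals_
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            continue                      # not a key = value line; ignore
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        current[key] = value if key not in current else current[key] + ";" + value
    return globals_, services


def effective_options(globals_: Section, service: Section) -> Section:
    """Service-level settings override inherited global ones."""
    merged = dict(globals_)
    merged.update(service)
    return merged


def lint(text: str) -> List[str]:
    """Report per-service settings that break an HTTPS front for a plaintext server."""
    globals_, services = parse_stunnel_conf(text)
    findings: List[str] = []
    for name, service in services.items():
        opts = effective_options(globals_, service)
        if opts.get("client", "no").lower() == "yes":
            findings.append(
                f"[{name}] client mode: stunnel accepts plaintext on {opts.get('accept')} "
                f"and starts a TLS handshake toward {opts.get('connect')}; a plaintext "
                "backend closes it (log: 'SSL_connect: Peer suddenly disconnected'). "
                "Drop 'client = yes' so stunnel terminates TLS for the browser.")
        elif "cert" not in opts:
            findings.append(f"[{name}] server mode without 'cert': stunnel cannot present a certificate.")
    return findings


if __name__ == "__main__":
    for conf_name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(conf_name, "->", lint(conf) or ["no findings"])
```

Run it against a real stunnel.conf by reading the file into `lint()`; a clean result means every service either terminates TLS with a certificate or is deliberately in client mode.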
Title: Re: How about SSL support
Post by: jaron840 on March 16, 2009, 11:13:13 PM
Also, when I try to access stunnel in IE it doesn't register... just says page can't be displayed... and in Firefox it reaches stunnel and HFS receives the connection for like a split second... can see it on the HFS server... but then it disconnects... anyone have any idea?
Title: Re: How about SSL support
Post by: jaron840 on March 18, 2009, 02:34:20 AM
Woot, got it working! If anyone else has this problem... it is because the server you created doesn't have an authorized SSL certificate... and you have to pay big bucks for them... Firefox wasn't even giving me info that said it was because of this... I finally went crazy in the Firefox config options... Firefox -> Tools -> Options -> Advanced -> Server... add your site to Firefox... downside: you have to do this on most of the computers you access the server from... some older browsers might ask you to confirm but I didn't want an older browser.
Title: Re: How about SSL support
Post by: rejetto on March 18, 2009, 12:34:51 PM
thanks for sharing jaron :)
Title: Re: How about SSL support
Post by: Teekay on April 27, 2009, 08:23:14 PM
Hiho!

I have used HFS for about 1 year without bigger problems! I read a lot in this forum and found a lot of answers.
But now I need an advice.

A few days ago I installed stunnel. I used the explanation of Gees and the wiki, everything worked out well!
...except the forwarding from hfs:80 to hfs:443 (stunnel).

To use hfs:80 for linking to hfs:443 I need to open 2 different instances of hfs, as I've learned.
So I've unchecked menu>start/exit>'Only 1 instance' and then tried two different ways for opening a second instance:
- just opened the same hfs.exe once again
- made a copy of the hfs-folder: C:\Programme\hfs\... and C:\Programme\copy of hfs\...

Even with the second way I ended with the same problem:
If I change something in one of the VFS, it changes in the other instance as well. Same for the template...

Both instances are obviously not independent.
But isn't that necessary if I want to have two different HFS contents (hfs:80 -> only a link to https; hfs:443 -> my files)?
What is my error in reasoning?
Can someone give me some advice on that?
Thank you!  ;)
Title: Re: How about SSL support
Post by: rejetto on April 27, 2009, 08:54:41 PM
I think there's something strange in what you are asking.
I don't see why :80 should "link" :443.
If you need to have 2 different contents, and having 2 folders is not feasible, then you need 2 instances, yes.
Although, you may be wrong about it not being feasible ;)
Title: Re: How about SSL support
Post by: Teekay on April 27, 2009, 09:09:35 PM
Well I just wanted to have http://myserver:80/ as a "start page" without any content but a link to my https://myserver:443/

Am I wrong with my question?
Title: Re: How about SSL support
Post by: rejetto on April 28, 2009, 01:37:36 AM
does the available guide cover this?
As far as I remember, most people using stunnel are just not accepting connections on 80.

what you want is possible, but maybe just not explained anywhere.
not very easy, to be honest.

So you should have something like this in the diff template (requires HFS 2.3 #236):

{.if|{.%ip% != 127.0.0.1.}|{:{.add header|Location: https://youraddress:443.}:}|{:{.section||back=1.}:}/if.}


not tested!
Title: Re: How about SSL support
Post by: Teekay on April 28, 2009, 01:51:12 PM
I haven’t found any explanations for this but I thought it would be such a simple question no one else has needed to ask for ;)

Surely I’m not the expert to solve this ‘problem’ if it’s necessary to create new code or stuff like that.
Maybe there will be a solution in the near future. I'll keep it in mind.

Thank u for your attention so far :D
Title: Re: How about SSL support
Post by: rejetto on April 28, 2009, 06:00:46 PM
err... i just told you the solution, and made the code for you :)
Title: Re: How about SSL support
Post by: Teekay on April 28, 2009, 07:05:08 PM
 ;D Hrhrhrrhr! OK, I've understood I would require hfs2.3 #236...

I've read your text again but still don't see what to do.

What does the code mean? (okok not urgently needed to know - if it works, hrhrhr)
Where do I have to put the code? In the template of the hfs:443, because it has something to do with the header of stunnel/HFS?
And when I've added the code at the right place I can run two different HFS instances (in separate folders) with two different VFS... that's it?

Still full of questions...I fear it will take us some time  ;)
Title: Re: How about SSL support
Post by: rejetto on April 29, 2009, 03:28:25 PM
run hfs
right click on home/root
properties
diff template
paste the code there

Quote
And when I've added the code at the right place I can run two different hfs instaces (in seperated folders) with two different VFS ...that's it?

No. That's not what you asked. You said you want to use stunnel. It's stunnel on 443, and there's only 1 HFS, on port 80.
stunnel is a bridge that will tunnel the connection between 443 and 80.
Title: Re: How about SSL support
Post by: Teekay on April 29, 2009, 05:21:59 PM
I think we talk at cross-purposes. Maybe I have not made clear what I have already got and what's my problem. Sorry.

What I have got:
- a running stunnel connection
- a running hfs instance on port 44300 reached by https://mydynIP/

What I want to have:
- an additional instance of HFS which listens on port 80 and can be reached by http://mydynIP. This additional hfs:80 should only act as a start page with a link to my https://mydynIP/ for those people who forget to type the extra s in https. No other content should be accessible. Actually a simple HTML page would be enough.

My problem when I run two instances of HFS:
- if I change the VFS in one instance, it automatically changes the VFS of the other instance
- the same with the template. I can't run two different templates on the two HFS instances

I hope I could make it clear now.
Title: Re: How about SSL support
Post by: maverick on April 29, 2009, 05:53:03 PM
Maybe put HFS, the VFS, and the template you want to use in 2 different folders. Then run them both from two different locations on your hard drive. All files should then stay separate. Might work.
Title: Re: How about SSL support
Post by: Teekay on April 29, 2009, 06:48:24 PM
I had one hfs (+ SavedOptions.vfs + template_xyz.tpl + hfs.ini) in
C:\Programme\hfs_443\hfs443.exe

and the other (w/o other files) in
C:\Programme\hfs_80\hfs80.exe

(Did not work)

I can try with additional files in the second folder. But w/o the hfs.ini, right?
Or do I have to modify the .ini manually?
Title: Re: How about SSL support
Post by: Teekay on April 29, 2009, 09:30:25 PM
I modified hfs.ini in the hfs_80 folder.
Works for the moment...still testing.  :)
Title: Re: How about SSL support
Post by: maverick on April 29, 2009, 11:26:37 PM
Good to hear it's working.  Yes you would need the hfs.ini in there too and configured correctly for the folder.  HFS has to be able to find the files it uses.
Title: Re: How about SSL support
Post by: rejetto on April 30, 2009, 09:39:19 AM
What I want to have:
- an additional instance of hfs which listens to port 80 and can be reached by http://mydynIP. This additional hfs:80 should only act as a start page with a link to my https://mydynIP/ for those people who forget to type the extra s in https. No other content should be accessible. Actual a simple html-page would be enough.

you DON'T need to have 2 hfs to do this.
to apply my solution you only need first to change HFS to port 80, configure your router to forward port 80, change stunnel configuration from port 44300 to 80.
after this, you can apply my solution with 1 HFS.
Title: Re: How about SSL support
Post by: raffdich on May 09, 2009, 03:14:27 PM
To run HFS on ports 80 and 443 with stunnel I have these settings.

hfs run on port 8082

stunnel forward port 80 to 8082
stunnel forward port 443 to 8082

your router forward 80 to 80
your router forward 443 to 443
Title: Re: Display of Log Stunnel in HFS
Post by: SilentPliz on June 12, 2009, 10:11:53 AM
About...   Display of Log Stunnel in HFS...

http://www.rejetto.com/forum/index.php?topic=3083.msg1040736#msg1040736

I updated this message with the new syntax recommended.


Namely:

Script edited 01-18-2010

[connected]
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}.}
{.set|#stunnel.last|{.filesize|stunnel.log.}.}
{.if|{.^#log.}|{:
{.add to log|.
Stunnel log :
{.^#log.}|Clblue.}
:}.}

[+start]
{.set|#stunnel.last|{.filesize|stunnel.log.}.}



Edit:  January 07, 2010

Reminder:


- In the stunnel.conf file in the folder of stunnel.exe, specify the path of the HFS folder where the stunnel.log file will be created.
(debug = 6 gives a correct result)

; Some debugging stuff useful for troubleshooting
debug = 6
output = C:\path\of hfs folder\stunnel.log

Title: Re: Display of Log Stunnel in HFS
Post by: r][m on January 07, 2010, 06:09:10 PM
About...   Display of Log Stunnel in HFS...

http://www.rejetto.com/forum/index.php?topic=3083.msg1040736#msg1040736

I updated this message with the new syntax recommended.

Namely:

[connected]
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}{.set|#stunnel.last|{.filesize|stunnel.log.}.}.}
{.if|{.^#log.}|{:
{.add to log|.
Stunnel log :
{.^#log.}|Clblue.}
:}.}

[+start]
{.set|#stunnel.last|{.filesize|stunnel.log.}.}



I can't get this to work as posted, in HFS 248?
Is there some change needed? Wouldn't the stunnel.log file location on the hard disk
need to be part of the script?
Title: Re: How about SSL support
Post by: SilentPliz on January 07, 2010, 06:45:32 PM
Hi!

No, there is no change in the script.
Since I posted it always works for me.

Perhaps you have sections in your hfs.events which are interfering (logical order or other)?

Or maybe you just have not modified the output path for your stunnel.log file in the stunnel.conf file of the stunnel folder.

stunnel.log must be created in the hfs.exe folder for this script to work.
Title: Re: How about SSL support
Post by: r][m on January 08, 2010, 06:48:45 AM
stunnel.log must be created in the hfs.exe folder for this script to work.

That was the problem :)  I had it in a folder in the HFS.exe directory. When I moved it
out, now it works. Many thanks for your reply.
I have SSL up and running, but still got a lot more to do.
Title: Re: How about SSL support
Post by: r][m on January 11, 2010, 05:47:20 PM
Stunnel log generates a large amount of info very quickly, but most of it
doesn't appear to be of any real value to audit server traffic.
Even though I just got it added to HFS log,  I've turned it off.

Stunnel works well, but I see Stunnel at best as only a "workaround".
It appears bans no longer work on addresses as https:// ??
I think a workaround may be possible though.
I've had to remove the events macros that use ip address.
Looks like I'll lose a lot of the Limits settings as well, since HFS
will only see one ip for everyone now?
Think I see now why there have been questions about running two instances of HFS,
but I really don't see that as good solution.

Has anyone found a way to ban, etc., by user?

Someone please enlighten me if I'm wrong about all this?

I think the # 1 most desirable feature HFS could have would be SSL (encryption),
possibly, with dual hosting.
Title: Re: How about SSL support
Post by: SilentPliz on January 12, 2010, 02:56:43 PM
Hi r][m  ;)

Stunnel log generates a large amount of info very quickly, but most of it
doesn't appear to be of any real value to audit server traffic.
Even though I just got it added to HFS log,  I've turned it off.

The Stunnel log displayed in HFS is not essential.
It was possible to do it with a script ... so it was interesting to do it.

Otherwise, you can try this value: debug = 5. It displays less "useless" information.

sample: blue and black are the Stunnel log, green is the HFS log (both displayed simultaneously in HFS):)

Quote
> Stunnel log :
> 2010.01.12 16:32:22 LOG5[3008:2976]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:980]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:2976]: https connected remote server from 192.168.1.3:2248
> 2010.01.12 16:32:22 LOG5[3008:980]: https accepted connection from 88.199.13.181:32993
> 2010.01.12 16:32:22 LOG5[3008:2364]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:2364]: https connected remote server from 192.168.1.3:2378

12/01/2010 16:32:22 192.168.1.3:2372 {Stunnel} Connected
12/01/2010 16:32:22 192.168.1.3:2370 {Stunnel} 381 bytes received
12/01/2010 16:32:22 toto@192.168.1.3:2366 {Stunnel} 226 bytes sent
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} 783 bytes received
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} Request GET /~img92
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} Request served

so we have ip address and user : toto / 88.199.13.181


Quote
Stunnel works well, but I see Stunnel at best as only a "workaround".
It appears bans no longer work on addresses as https:// ??
I think a workaround may be possible though.
I've had to remove the events macros that use ip address.
Looks like I'll lose a lot of the Limits settings as well, since HFS

Indeed, it is a "workaround", but until HFS supports SSL, Stunnel is the only lightweight and robust solution for whoever needs to use HFS over "https".

The limitations that you listed are real. It's up to everyone to determine the value of using Stunnel against the requirements of their "server configuration", or to find a balance.
(It is possible to add "IP Mask" in stunnel.conf)

For my part, these limitations are not a problem: I only serve users with accounts, and therefore identified ones.

Quote
will only see one ip for everyone now?

If you use the stunnel log in HFS... you will see all the IPs of your users in HFS
+
two with HFS if you add your internal IP   :D

stunnel.conf eg:

[https]
accept  = 0.0.0.0:443
connect = 127.0.0.1:44300

local = 192.168.1.6 *
TIMEOUTclose = 0

* IP example

Then you add in HFS:

Menu > Limits > Bans

\127.0.0.1;192.168.1.6

Then in Adress2name:

Name      IP Mask
Local     127.0.0.1
Stunnel   192.168.1.6

This will differentiate in the log, the local connections (http), and the distant connections from Stunnel (https).

Quote
Has anyone found a way to ban, etc., by user?

Not me! :D

Quote
I think the # 1 most desirable feature HFS could have would be SSL (encryption),
possibly, with dual hosting.

Yes, the integration of SSL in a "multiport/multiprotocol" HFS will be welcome.


Title: Re: How about SSL support
Post by: r][m on January 14, 2010, 06:43:40 PM
SilentPliz
Many thanks for the help and encouragement  :)


sample: blue and black are the Stunnel log, green is the HFS log (both displayed simultaneously in HFS):)

I'm getting much more than that with debug=5. For every 20 hfs lines I get at least 20 stunnel lines.
debug = 0 stops stunnel log. ; debug = 5 doesn't turn it off here.
Nothing below 5 works here.

(It is possible to add "IP Mask" in stunnel.conf) This might help?

local = 192.168.1.6 doesn't work here. I get a stunnel error and it will not work until I remove
local = my LAN address.
Using stunnel 4.29
I am working on a "work around" for some of this, and it works on LAN, but testing from WAN
so far, hasn't. Slow going. If it tests out I'll post the concept here.

Title: Re: How about SSL support
Post by: rejetto on January 18, 2010, 07:52:39 PM
1. Just for readability, I would change this
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}{.set|#stunnel.last|{.filesize|stunnel.log.}.}.}

in this
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}.}
{.set|#stunnel.last|{.filesize|stunnel.log.}.}


2. we don't have banning "by user", but you can disable an account.
or even you can put an event like
[+connected]
{.if user is john then disconnect.}
(just a mock)

3. I guess you can filter the stunnel log by using some smart {.commands.}, since the content is put in a variable before it's put in the log.
I know it's not straightforward.

4. I'm having an idea that may be very good if it works.
I have a way to make a {.command.} set a different address that HFS should consider for the current connection.
So, if YOU can extract this address from the log, we may get all the usual stuff (like per-address limits) to work with stunnel!
Hey, this requires a very smart guy :P
The main problem is to pair HFS connections with stunnel ones.
It's useless to have 3 addresses from stunnel but not knowing which local connections are paired in HFS.
You can distinguish local connections by port numbers.

Title: Re: How about SSL support
Post by: r][m on January 19, 2010, 06:20:51 PM
4. i'm having an idea that may be very good if it works.
I'm using an unsecured index.html page which has a http://my address:port1 with a link to https://my address:port2.
In this way the user's address is logged and IP bans will work. Of course, most limits are still local host - not useful.
I use a modified breadcrumbs to send the user back to http://index.html:port1 as "Home".
Remote tests indicate this workaround works.
I'm going to try a trick in my router when I get time that may help.
Title: Re: How about SSL support
Post by: rejetto on January 19, 2010, 07:51:17 PM
the ports i'm talking about are not the ones HFS and stunnel are configured for accepting connections.

sample: blue and black are the Stunnel log, green is the HFS log (both displayed simultaneously in HFS):)
...
so we have ip address and user : toto / 88.199.13.181

You say that by the sequence of events: https accepted connection, and then the request to HFS.
But what if you get 2 connections on stunnel, and then 2 requests on HFS?
What is what, which is which. How can you pair correctly?
If we solve this dilemma, maybe we can work it out.
You get toto@192.168.1.3:2361 in the HFS log.
So there's a connection between HFS and stunnel, and the connection is identified by that "2361".
If you find the same number in the stunnel log, then it's done. Can you?
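The pairing rejetto asks about is possible with the log formats already quoted in this thread: stunnel writes "https accepted connection from <client>:<port>" and then "https connected remote server from <local>:<port>" on the same per-connection thread (the `[pid:tid]` field), and that <local>:<port> is exactly the peer address HFS logs as `[user@]ip:port`. The script below is an added example, not code from the thread or from the HFS project; it joins the two logs on that key. The log lines embedded in it are constructed in the formats shown above (HFS messages translated to English), and the function names are this example's own. One caveat a practitioner should keep: ephemeral ports and Windows thread ids are reused, so the logs must be walked in order and a pairing only holds until the same local port shows up again.

```python
"""Pair HFS log lines with the real client address recorded by stunnel.

Added example (not code from the HFS project or this thread). It assumes
the log formats visible in the posts above: stunnel logs, on one thread per
connection, "https accepted connection from <client>:<port>" followed by
"https connected remote server from <local>:<port>", and HFS logs the peer
as "[user@]<ip>:<port>". The <local>:<port> stunnel used to reach HFS is the
<ip>:<port> HFS sees, so it is the join key.
"""
import re
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]

# Constructed sample in the format of the stunnel output quoted in the thread.
# Two clients arrive at once, so their lines interleave; the thread id ties
# each 'accepted' line to its 'connected remote server' line.
STUNNEL_LOG = """\
2010.01.12 16:32:22 LOG5[3008:980]: https accepted connection from 88.199.13.181:32993
2010.01.12 16:32:22 LOG5[3008:2976]: https accepted connection from 203.0.113.7:51000
2010.01.12 16:32:22 LOG5[3008:980]: connect_blocking: connected 127.0.0.1:44300
2010.01.12 16:32:22 LOG5[3008:2976]: connect_blocking: connected 127.0.0.1:44300
2010.01.12 16:32:22 LOG5[3008:2976]: https connected remote server from 192.168.1.3:2372
2010.01.12 16:32:22 LOG5[3008:980]: https connected remote server from 192.168.1.3:2361
"""

# Constructed sample in the format of the HFS log quoted in the thread
# (message text in English). The last line is a direct plaintext client.
HFS_LOG = """\
12/01/2010 16:32:22 192.168.1.3:2372 {Stunnel} Connected
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} Request GET /~img92
12/01/2010 16:32:30 192.168.1.5:3001 Connected
"""

STUNNEL_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG\d\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"accepted connection from (\S+):(\d+)$")
CONNECTED_RE = re.compile(r"connected remote server from (\S+):(\d+)$")
HFS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?:(?P<user>[^@\s]+)@)?(?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+) (?P<msg>.*)$")


def stunnel_peer_map(stunnel_log: str) -> Dict[Addr, Addr]:
    """Map the (ip, port) stunnel used toward HFS to the real client (ip, port).

    Lines are processed in order: a later connection reusing the same thread
    id or the same local port overwrites the earlier pairing.
    """
    pending: Dict[str, Addr] = {}      # thread id -> client address awaiting its backend port
    peers: Dict[Addr, Addr] = {}
    for line in stunnel_log.splitlines():
        m = STUNNEL_RE.match(line)
        if not m:
            continue
        tid, msg = m.group("tid"), m.group("msg")
        a = ACCEPTED_RE.search(msg)
        if a:
            pending[tid] = (a.group(1), int(a.group(2)))
            continue
        c = CONNECTED_RE.search(msg)
        if c and tid in pending:
            peers[(c.group(1), int(c.group(2)))] = pending.pop(tid)
    return peers


def pair_logs(stunnel_log: str, hfs_log: str) -> List[dict]:
    """Annotate each HFS log line with the real client IP when it came through stunnel."""
    peers = stunnel_peer_map(stunnel_log)
    rows: List[dict] = []
    for line in hfs_log.splitlines():
        m = HFS_RE.match(line)
        if not m:
            continue
        hfs_addr: Addr = (m.group("ip"), int(m.group("port")))
        real: Optional[Addr] = peers.get(hfs_addr)
        rows.append({
            "user": m.group("user"),
            "hfs_addr": "%s:%d" % hfs_addr,
            "real_ip": real[0] if real else hfs_addr[0],  # direct http: HFS already sees it
            "via_stunnel": real is not None,
            "msg": m.group("msg"),
        })
    return rows


if __name__ == "__main__":
    for row in pair_logs(STUNNEL_LOG, HFS_LOG):
        print(row)
```

With real files, feed the tail of stunnel.log and the HFS log since the last offset (the same incremental idea SilentPliz's event script uses) so the port-reuse window stays small.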
Title: Re: How about SSL support
Post by: r][m on January 20, 2010, 03:14:47 PM
2. we don't have banning "by user", but you can disable an account.
or even you can put an event like
[+connected]
{.if user is john then disconnect.}
(just a mock)
Are you saying this is possible? or yet to be added?  I don't see %user% working in events here.
Title: Re: How about SSL support
Post by: Mars on January 20, 2010, 10:04:25 PM
to verify if %user% works ..

[+connected]
{.add to log| user %user% is connected.}

Having verified, it is confirmed that it does not work.

Nevertheless the solution is simple: one more line of code is enough, with a new event ...

Quote
 if urlCmd = '~login' then
    if conn.request.user = '' then
      begin // issue a login dialog
      getPage('unauthorized', data);
      if loginRealm > '' then conn.reply.realm:=loginRealm;
      exit;
      end
    else
      begin
      runEventScript('logged');   //mars 2010
      conn.reply.mode:=HRM_REDIRECT;
      conn.reply.url:=first(getAccountRedirect(), url);
      exit;
      end;

used as follows:
Quote
[+logged]
{.add to log| user %user% is %event%.}
{.if|{.=|%user%|rejetto.}|{:{.disconnect.}:}.}

When using the URL http://......./~login, the user can log in, but he is immediately disconnected and has to change browser to reconnect, because the name and the password are stored by the browser and reused for the login page. ;D
Title: Re: How about SSL support
Post by: Mars on January 21, 2010, 02:23:01 PM
After a good night of rest and more thorough tries, it is possible with the current versions to simply add one line in the event to obtain the action proposed by rejetto

Quote
[+request]
{.add to log| user %user% is request.}
{.if|{.=|%user%|rejetto.}|{:{.disconnect.}:}.}





Title: Re: How about SSL support
Post by: rejetto on January 21, 2010, 03:15:15 PM
Are you saying this is possible? or yet to be added?  I don't see %user% working in events here.

Oh, you are right. The user is provided with the request, so HFS doesn't know the user at connection time.
That will be [+request] instead of [+connected].

The event script suggested by Mars should be OK.
Having several usernames would be easy by using {.switch.} instead of {.=.}
Title: Re: How about SSL support
Post by: r][m on January 22, 2010, 07:20:23 AM
[+request]
{.add to log| user %user% is request.}
{.if|{.=|%user%|rejetto.}|{:{.disconnect.}:}.}

Thanks Mars, and Rejetto.

I'll give it a try.