rejetto forum

Routing system, or several roots for several websites ?

Rom_1983 · 30 · 26248

0 Members and 1 Guest are viewing this topic.

Offline NaitLee

  • Tireless poster
  • ****
    • Posts: 203
  • Computer-brain boy
    • View Profile
Right, one can make several domain names point to the same address but just differ the port.

The drawbacks are a) need to share the port along with address, b) maybe extra work to manage HFS instances & all VFS files

btw HFS url config make no use at how the server works -- it is used only for URL building :)
"Computation is not forbidden magic."
Takeback Template | PHFS


Offline Rom_1983

  • Occasional poster
  • *
    • Posts: 28
    • View Profile
About @Naitlee's Python script

- I've had a long discussion with him, because I've been the target of distant hacking attempts everyday since the use of the script a few days ago. Attacks by injection ike : "192.241.214.230 - - [25/Apr/2022 12:02:33] "GET /actuator/health HTTP/1.1" 404 - or "205.210.31.151 - - [29/Apr/2022 14:33:41] code 400, message Bad request version ('À(À$À\x14À')
↨♣>3¢Æ'M←·1♥¸♥»ù~ Úr–£:ë„>♠  h̶Ì‼À/À+À0À,À◄ÀÀ'À#À‼À    À(À$À¶À" 400 -"

- I don't know if these are worldwide bots or a solo hacker, and I don't know if the requests are made by using my IP with the standard 80 port, or my DYNDNS addresses.
- Naitlee helped to improve the script, but it still isn't enough because I'm constantly hearing Windows10 ERROR sounds (several times per day), and those attackers even managed to trigger my antivirus by trying to use a EK-Mozi threat and 127.0.0.1:8000 hacks. See :


- They also try to make my PC to connect to distant servers like "CONNECT google.com:443 HTTP/1.1" 501"

I want to say that to my eyes, the script isn't safe WHATEVER Naitlee will say. He seems too confident and overestimating his capabilities to understand that Python is a dynamic language with a potential impact on the filesystem and operating system, as PHP or any other dynamic language, wich is very suspicious to me. Saying me that "Python is compiled and can't be modified at runtime" and that "I don't understand that all the attack are benign and Python is bullet-proof", is to me the last thing that made me to decide to write this comment. Python is used for many things including writing files, connecting to websites, etc, so any injection and abuse can make a language unstable and propitious to being diverted. I'm not a Python user, but it seems very unrealistic to say that the core-language could never be reached by any breach opened from the original script, and that all methods from the languages aren't accessible just because of "the compilation process".

(...part removed by rejetto...)

I considere that the escalation of attempts, especially the EK-Mozi threat, give me the right to do such a temporary conclusion.
Consequently, I prefer to wait for an official solution by rejetto for now.

Officiel HFS solution

Speaking of wich :

what if i told you i just finished a 15-lines plugin that gives you this.

...HFS 3 of course

@rejetto : very happy to see that you finally did it !
The script developped by Naitlee routes incomming requests by specifiying the IP and port we want. And I'm not sure your plugin allows such a precision.
Moreover, I'm not sure that your plugin allow to use several "hosts", you only give a single example.
But I'll try HFS 3 asap to be sure. THANKS A LOT <3 !

About security

I'm asking right now, due to my experience with the routing of Naitlee's script, some fure improvment(s) that seem to me necessary to avoid bad surprises :

- A way to whitelist URLs incomming in HFS. If a distant user try to reach a URL that isn't corresponding to any URLs parent node, thus he'll been blocked.
- Adding all URL of all nodes corresponding to the tree of folders in HFS being tedious, of course the feature must be friendly and allow to accept any sub-url typed (ex : by using a metacharacter like /stuffs/thing/*).

If you feel I'm not very accurate in my suggestion, please understand that I'm not an advance programmer. I just use my basics to communicate here to help to improve things intelligently (as by "trapping" any malicious user when he types unexpected URLs, without being forcefully exhaustive and bullet-proof ; but we rather do something simple for now than do nothing, and we can count on hackers being stupid by trying to type injection right on the root of URLs we publicly share).
« Last Edit: April 30, 2022, 09:46:02 AM by rejetto »


Offline LeoNeeson

  • Tireless poster
  • ****
    • Posts: 859
  • Status: On hiatus       (sporadically here)
    • View Profile
    • twitter.com/LeoNeeson
I'm not defending Naitlee, but I bet this was caused by using Python as 'middleware' server, since you can't trust ANY modern platform nowadays (like Python, Nodejs, React, etc). I'm almost sure Python 'phones-home' your server's IP, and then you get all those unknown attacks (from hackers or some intelligence companies that try to break in your PC). This is a new normal behavior of many modern software (just because most people don't know or care about privacy anymore). The same goes with Windows 10 (which is a BIG security risk, unless you disable all the privacy vulnerabilities that come enabled by default).

Offtopic: On my personal side (not related to this issue), since I'm tired of all those crazy things, I prefer to use old software with old hardware, than using anything modern (for example: an old device with a hardware firewall, along with an old operating system which has a firewall software, adding another layer of security). I haven't tested, but Naitlee's Python script looks clean (at least after doing a fast review), but Python could be the security risk by itself. You can never be paranoid enough in this world...

Marvin was right: "How many times have I told you? They switch the flip and you're done". ;D

» See here: https://youtu.be/6HXgPGZcXe4?t=120

@NaitLee: I've read your comment on the other thread, and please don't feel offended (do what you want, but don't leave the forum just for this). Since you are young, you should know that those situations happens from time to time. Some years ago, a user named 'Danny', freaked out because something similar happened to him, but then he find out that he was mistaken, and everything was solved. Running an internet server is not for everyone (it's not a easy task as it seems), at least unless you know the inherited risks of having a PC open to the internet. Peace to everyone... :)

Cheers,
Leo.-
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 get his stable version.


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
hi guys,
I don't like to be the moderator here, but I'll take some precautions to lessen unnecessary sufferings.
My personal opinion here is that both Rom and NaitLee are in good faith.

All the reports Rom is making are extremely common given the circumstances, it's just what happens if you open a web server on the internet, and using ports on common numbers makes it just much worse/frequent.
It's just like diving into the open sea and getting wet: it can be unpleasant especially if you weren't ready for that, but it's not really harmful per-se, nonetheless there are real threats out there and you should keep all precautions.
It's like emails and spam/phishing, a never-ending fight where software can't easily tell goods from bads.
As a side comments, it's basically why HFS 3 is by default having different logs for errors, to not be overwhelmed in the main log with the huge number of bad requests you normally get. But I hope to be able to do more than that. I hope we'll have a way to filter out most "spam", maybe a plugin, maybe someone else will help and take care of that.

I've read Rom's message, I think he is not a bad person and he acted in good faith.
And yet, some of his comments are not welcome here, so I'll remove few lines.
I don't enjoy doing that and I don't want to force him to think differently, but I don't want to give space to such generalizations and personal attacks.
To be honest, I hate to be the judge here, I'm probably not good at that and I'd rather focus on programming, but I don't feel ok with doing nothing either.

I don't know NaitLee personally, but after the years I've made my opinion of the soul, based on posts and acts, and it's of the kind type.
« Last Edit: April 30, 2022, 10:48:39 AM by rejetto »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
Regarding the statements about python, javascript, etc, my 2 cents are: I'm not expert in the security field, yet my profession requires me to know more than the average person. I consider true the statement that some languages/technologies pay their flexibility with some extra risks. And yet, these risks heavily depend on what the programmer does. There are organizations "risking" millions of dollars on stuff built with such technologies. Everybody decides his own level of paranoia, but remember there's a price to pay for paranoia too.
Attacks and remote executions have always existed with and without newer technologies.
Also, remember that python, node, etc, are open source and watched closely by the whole world. You decide.

I've asked a friend who's in IT security to give me a hand ensuring HFS 3 is good enough. It's not an easy task, and it's even harder doing it in my time off, after I'm tired because of my job. But, hey, it's open source, everyone who can contribute to make it more secure is welcome to give a hand.
« Last Edit: April 30, 2022, 09:54:31 AM by rejetto »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
Moreover, I'm not sure that your plugin allow to use several "hosts", you only give a single example.

I was in a hurry and didn't communicate it in the best of ways, but that's what the "+" button in the picture is for, to add more.

Quote
- A way to whitelist URLs incomming in HFS. If a distant user try to reach a URL that isn't corresponding to any URLs parent node, thus he'll been blocked.

I'm not totally sure what you meant by that, but it's giving me a huge hint on how to tell unwanted traffic. Surely a lot of people have come to this eons ago, but me? just now.
I've been paying little attention to the "domain" thing at this stage of the project, for good reasons, but most of the unwanted traffic will come to you just with your IP, randomly.
Rejecting all traffic not using the domain is a piece of cake. I could easily make a feature for that. I'm not sure if as a plugin. I'm trying to make plugins to both show people what they can do, and also to let people customize them to better suite their needs, possibly by making a new plugin out of them.

Problem is: a lot of people don't have a domain, and I'm not sure I want to force them, limiting possible usages of the server. Also because it would rely on external services, I'm trying to not bind the project to external services.


Offline Rom_1983

  • Occasional poster
  • *
    • Posts: 28
    • View Profile
Quote
but I'll take some precautions to lessen unnecessary sufferings.

By reacting like that, you're doing the exact opposite. Just IMAGINE that the botnet would have passed my antivirus protection, and my PC was infected to a point I could not talk here anymore. Just imagine the big "THANK YOU" echoing in my head, and how I would feel about your moral. Attack are real, and botnet are a real shit. You don't protect people by avoiding them to show the facts.

Politeness should never overpass common sense. I see that positive racism still reshape the politically correct everyday, even with all the precautions (I specifically said "don't take this as racism" and "this is not a definitive accusation"). I find dangerous to not be authorized to say that a [put a nation here] botnet attacked me (and no, that's not "normal") neither that a [put the same nation here] user, acting like a pro, try to underestimate the constant threat of the attacks, or that the origin of both the user and the bot converge and is a sign. Especially if the attacks are made on one of my DYNDNS addresses and not the basic :80 port, suggesting that this is not a hasardous coincidence.

Moreover, I find very worrying to see an admin keeping the same speech than the aforementioned user, maybe based on a "de-escalation" psychological effect, and saying me that those error messages are "normal" and "benign". Sorry, but constant injections are dangerous, Python in HTTP-serving context is dangerous, windows error SOUNDS are not a good sign, and antivirus triggered and now alerting from a botnet activity on my computer is definitively a new step indicating that all the previous ones has paid off.

Don't considere that just because a forum user "has a nice avatar", "acts nicely", and "have a lot of message", that would never be a foreign hacker hooked on a technology and having a main interest to wait and see victims coming in his "generous" hands. Scams, since the begining of humanity, always proceed on the basis of empathy. And if you add geopolitical knowledge to that (a country that I won't name, given that violence has such power that we are muted by hypocrisy), well you have an idea of what CAN be (not what IS forcefully). If we can't talk and share our clues anymore, that's more than ever dangerous. Paranoia has nothing to do with it (botnet + antivirus triggered).

If error messages + sounds + antivirus reaction + general escalation of alerts was normal, I think simply launching  servers like CADDY or HFS would lead to such common patterns. However, I never experienced such things before. Finally, I considere that if the author of a script doesn't react normally and doesn't keep adding security (I asked him to add URL filters, as I suggested you to implement it in HFS v3), I find this very suspicious.

About HFS v3 and VHOST

The vHost works like a charm. It's set on port 80 by default, so it's perfect for my use because I don't want additional port used in URLs.

Suggestions

- We cannot move entries (up, down) with the mouse. It would have been cool, to sort things. For now if we're not satisfied after a few moment of what we have done, we have to delete the entries and recreate them.

- There's not EXE staying in the systray, like the V2. Now we launch a CLI, and that populates our taskbar, and I don't want that. I'm sure there's a workaround with softwares allowing to minimize any window in the systray, but the ideal would be to have a native solution.

- Popups hovering when we finished an action don't disappear by themselves. We have to click in the void around, and that may disturb people not used to.

- Network drives aren't detected if we don't launch HFS v3 in admin mode. That's normal with most of softwares, and know this since a long time ^^,  but I suggest to put a line in the UI to inform users.

_______________

Now I want to say congratulations for this new version of HFS. The UI is amazing, there's many options. That's a damn good HTTP solution. The upgrade since v2 is stunning. Keep the good work !
« Last Edit: April 30, 2022, 12:05:27 PM by Rom_1983 »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
i quickly considered the evidence you brought, and i determined that it was not enough for the statements you made against NaitLee. You may disagree, and I may be wrong, but that's the best i can do for the moment.
I'm not asking you to trust the guy. Don't, if you feel like it. I don't say he cannot be evil, I said you went a bit too far with words for this place.

I didn't say "benign" to any attack. I can't say if you had any damage or if you had any real threat on you.
I know most web attacks are automatic (= cheap), hoping to find something very specific behind the "door", but without really knowing, and thus most of them are ineffective.

I don't want to prevent your "free speech" in general, just here. In a way I'm responsible for this forum, but I don't have time and will to investigate this further, and I have to make a few decisions anyway.  I'm not here to lecture people how to live.
 
Answering the rest in a following post.


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
- We cannot move entries (up, down) with the mouse. It would have been cool, to sort things. For now if we're not satisfied after a few moment of what we have done, we have to delete the entries and recreate them.

i will likely add the up/down at some point because that "editor" is meant to be generic, and other plugins may be sensible to the order of data.
Anyway, this is not true for vhosting plugin, the way it is right now at least. So you should be ok without the order, but if you really really want to change the order you can still open config.yaml file with notepad and you may find it's easy to make it.

Quote
- There's not EXE staying in the systray, like the V2. Now we launch a CLI, and that populates our taskbar, and I don't want that. I'm sure there's a workaround with softwares allowing to minimize any window in the systray, but the ideal would be to have a native solution.

i hope at some point we'll have hfs install as a service, and be controlled with a tray application like you say.
It's not high priority for me, and it would be cool if someone else would work on it, as the tray icon would probably be a separate program.
I added it to the to-do list.

Quote
- Popups hovering when we finished an action don't disappear by themselves. We have to click in the void around, and that may disturb people not used to.

in some cases this is good, because i need to know the user acknowledge to the content of the popup.
I'm sure some cases would be better with the behaviour you just suggested. Feel free to point at some of them you care about, and I'll consider which ones to transform.

Quote
- Network drives aren't detected if we don't launch HFS v3 in admin mode. That's normal with most of softwares, and know this since a long time ^^,  but I suggest to put a line in the UI to inform users.

thanks for the suggestion, but I'm not able to confirm it yet: i have a couple of networked drive here and HFS sees'em even if I don't get the "User Access Control" warning of windows when i launch it. When you say "admin mode" are you referring to the UAC ?


Quote
Now I want to say congratulations for this new version of HFS. The UI is amazing, there's many options. That's a damn good HTTP solution. The upgrade since v2 is stunning. Keep the good work !

thanks, it was not an easy decision because making it will take about 1 year of my time just for the first version. It's not easy to start a project this big. That's why I delayed it for 8 years.


Offline LeoNeeson

  • Tireless poster
  • ****
    • Posts: 859
  • Status: On hiatus       (sporadically here)
    • View Profile
    • twitter.com/LeoNeeson
I don't like to sound like a 'bootlicker' of Rejetto, but I congratulate him, for his decision to keep the peace in this forum (not only this time, but over many years), and this time, for setting-aside (removing) discriminatory comments. This is what sets this forum apart of the rest: tolerance and respect for others.

» About my personal life (you don't need to read this, if you don't care): I'm Argentine, and for many years in many English-speaking forums I was discriminated for the simple fact of being Argentine (and for living in a country of the so-called 'third world'). That, added other bad experiences, like having suffered bullying at school when I was a kid, and then having several unrequited love for some women, led me to have (throughout all my life) a marked personality with a notorious inferiority complex and low self-esteem, from which I'm always trying to recover (and believe it or not, I'm not fat, neither bad looking). That's why I know firsthand how ugly it feels to be discriminated, for whatever reason. I always wanted to tell you this, but I never found the opportunity (sorry for being offtopic).

Back to this thread, I'm not defending anyone, but just saying that discrimination harms people (it hurts), and should always be avoided at all costs (and the best is to keep a conversation as technical as possible, when for example someone reports that some code or script is not working as expected or has some unwanted effect).

Have a nice Sunday people, enjoy the weekend. :)
Leo.-
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 get his stable version.


Offline Rom_1983

  • Occasional poster
  • *
    • Posts: 28
    • View Profile
Let's move on to HFS ;)

I have a major problem : it's been a few time that when relaunching HFS v3, it ends being amnesic and all my settings are gone (folders shared, etc).

I spent a few hours yesterday setting it, and I'm desperate. Can you help me ? I won't retry anything before a solution.

One thing that bother me and maybe related to that amnesia : to close HFS, there's no "close" button or feature. So I close the CLI (I even try CTRL+C sometimes in it, to cleanly close the program). Is it the way to close it ? How do it save things ? I always push "SAVE" putton in the admin panels.

Quote
i need to know the user acknowledge to the content of the popup
Solution : add a button with "OK" text.

Quote
When you say "admin mode" are you referring to the UAC ?
No : I refer to right-click -> launch as administrator (or make a shortcut, go in its properties, advanced, and check the bock "always launch as admin").
Without that, it doesn't detects my network drives.
Btw I have disabled UAC competly (this is a nightmare and I'm not the only one th think it).
« Last Edit: May 01, 2022, 12:06:27 PM by Rom_1983 »


Offline Rom_1983

  • Occasional poster
  • *
    • Posts: 28
    • View Profile
Oh, woops, that's really really weird : I've relaunched HFS with the same shortcut, and now it remember things (in the meantime, I've gone in the folder of HFS to check any config file and I gound the "config.yaml" and saw my settings in it). I'm gonna reboot to see if it's related to the short period of time after a reboot where all the environment isn't fully loaded. I'll edit this post to give the answer.

Edit : yeah, it seems that placing a shortcut of HFS in my "Startup" folder leads to HFS running erratically and not launching properly. After two reboots, it launched access.log and error.log but HFS.exe is not found in procresses list (last time when I post my previous message, it has launched but with amnesia). If I launch it manually with the aforementioned shortcut, it launches correctly.

Similar problems :
https://stackoverflow.com/questions/52561921/batch-file-not-working-correctly-at-startup
https://www.tenforums.com/tutorials/57690-create-elevated-shortcut-without-uac-prompt-windows-10-a.html

Edit : this is an issue related to Windows operating system. Feel free to ignore it  ;)
« Last Edit: May 01, 2022, 12:59:50 PM by Rom_1983 »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
Quote
One thing that bother me and maybe related to that amnesia : to close HFS, there's no "close" button or feature. So I close the CLI (I even try CTRL+C sometimes in it, to cleanly close the program). Is it the way to close it ?

this isn't a part where i put much attention yet, but apparently the good way of closing it is CTRL+C. This isn't ideal of course, on Windows at least.
I say rare because most stuff is done within 1-2 seconds, so that's for sure not the cause of your problems.
Next version will detect also closing of the window, to ensure final procedures are done

Quote
How do it save things ? I always push "SAVE" putton in the admin panels.

and that's enough

Quote
Solution : add a button with "OK" text.

will do, but i already opted for "auto-dismissing" notification on a couple of cases. In vext version.

Quote
No : I refer to right-click -> launch as administrator (or make a shortcut, go in its properties, advanced, and check the bock "always launch as admin").

i guess it's basically the same thing, presented differently.
I don't run it that way, and still I get the net-drives.
Some programs, when not run "as admin", will present a dialog for admin permissions, you surely know, and that's basically UAC.
I also get no UAC dialog.

Quote
Btw I have disabled UAC competly (this is a nightmare and I'm not the only one th think it).

i'm no expert with this kind of stuff in Windows, but since win10 i didn't have to disable anything, and the annoying UAC interactions introduced with Vista (i think) are simply not there.
Since my account is part of "adminitrators" I'm not sure what triggers the UAC dialog for some softwares, if it's just bumping into a priviledged instruction or an explicit declaration of the exe file at its start. Fact is, some programs present this dialog "later", but I cannot exclude it's because they are launching another program, behind the scenes.

I'm happy to see you managed to solve your problem.
Anyway, I think it has something to do with the "working directory". When you create a shortcut you have a "start in" field, that's basically it. HFS will save files there. You can confirm where it is working when the CLI opens, there's a line starting with "cwd".
« Last Edit: May 01, 2022, 02:27:16 PM by rejetto »


Offline Rom_1983

  • Occasional poster
  • *
    • Posts: 28
    • View Profile
👍 Thumbs up for such a patient and devoted programmer ! The vHost plugin is an awesome feature.


Offline vladimirov70

  • Occasional poster
  • *
    • Posts: 29
    • View Profile
    • Honest news about a special military operation in Ukraine.
Right, one can make several domain names point to the same address but just differ the port.

The drawbacks are a) need to share the port along with address, b) maybe extra work to manage HFS instances & all VFS files

btw HFS url config make no use at how the server works -- it is used only for URL building :)
Right. And also the provider's restrictions matter. My provider has a limited number of open user ports.
Ukraine has been killing thousands civilians in Donbass for eight years. Ukraine killed 152 children and wounded 146. Russia does not start wars - it ends them.http://www.picshare.ru/uploads/220501/9d838wOcqM.jpg