rejetto forum

version 2.4


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
i've found some time and am experimenting with nginx.
I'm already connecting to HFS through https.
Now i just need to find how to enable the IP forwarding.


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
https://drive.google.com/file/d/1n2Th-Os_CYNhL7p-JCWQCkFEliJd_VqE/view?usp=sharing

unzip and use "run.bat"

this nginx is configured to give you HTTPS without losing the original address.
It is configured to connect to HFS on port 80.
A certificate is provided, of course it's not a valid one, but the user can decide to accept it anyway.

(optional) You can generate your own certificate at https://www.selfsignedcertificate.com/

we should investigate this now
https://certbot.eff.org/lets-encrypt/windows-nginx
« Last Edit: June 09, 2020, 10:20:00 PM by rejetto »
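The packaged nginx above is not reproduced in the thread, so here is an added example of the kind of nginx.conf that does what the post describes: terminate HTTPS and proxy to HFS on port 80 while passing the client's real address along. This is not rejetto's file; the host name, certificate paths and the 127.0.0.1 binding are assumptions, and how HFS itself is told to read the forwarded header is not documented in this thread.

```nginx
# Added example (not the config shipped in the zip above).
# nginx terminates TLS on 443 and forwards to HFS listening on 127.0.0.1:80.
events {}

http {
    server {
        listen 443 ssl;
        server_name hfs.example.com;                  # placeholder host name

        # Self-signed pair as made with openssl, or the certbot-issued files;
        # these paths are assumptions.
        ssl_certificate     C:/nginx/conf/cert.crt;
        ssl_certificate_key C:/nginx/conf/cert.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            proxy_pass http://127.0.0.1:80;           # HFS, as in the post

            # Keep the original Host so HFS builds correct links.
            proxy_set_header Host              $host;
            # $remote_addr is the TCP peer nginx actually saw: a client cannot forge it.
            proxy_set_header X-Real-IP         $remote_addr;
            # Appends $remote_addr to any X-Forwarded-For the client sent.
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    # Optional: send plain-HTTP visitors to HTTPS instead of serving them.
    server {
        listen 80;
        server_name hfs.example.com;
        return 301 https://$host$request_uri;
    }
}
```

The forwarded address is only trustworthy if HFS can be reached through nginx alone: bind HFS to 127.0.0.1 (or firewall port 80 from outside), otherwise anyone connecting to HFS directly can put any address in X-Forwarded-For. Because $proxy_add_x_forwarded_for appends rather than replaces, the header may carry several addresses; X-Real-IP always holds the one nginx observed.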


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
i successfully used certbot and just had to edit nginx.conf to point to the new certificate files.
now my home HFS is perfectly working with https and i see real IPs. Happy :)


Offline MarkV

  • Tireless poster
  • ****
    • Posts: 764
    • View Profile
It seems to work fine. I just changed the ports (my HFS runs on 8080) and used my own self-signed cert (Let's Encrypt only works for Internet-accessible servers, due to the verification process).

I'm using OpenSSL to create my certs, though, so I don't have to rely on a random server in the Internet.

Code:
openssl.exe req -new -config openssl.cfg -outform PEM -newkey rsa:2048 -x509 -sha384 -days 730 -nodes -verbose -out "cert.crt" -keyout "cert.key"

-new - create new cert
-config openssl.cfg - name of the OpenSSL config file (you can have many)
-outform PEM - output format PEM
-newkey rsa:2048 - RSA key with 2048 bits strength
-x509 - don't do a certificate request (for CA)
-sha384 - hash used for cert
-days 730 - validity period
-out "cert.crt" -keyout "cert.key" - names of the created cert and key.

Get OpenSSL for Win here: https://slproweb.com/products/Win32OpenSSL.html
http://worldipv6launch.org - The world is different now.


Offline LeoNeeson

  • Tireless poster
  • ****
    • Posts: 859
  • Status: On hiatus       (sporadically here)
    • View Profile
    • twitter.com/LeoNeeson
Quote
as i just said, if we find that's necessary to have an option we'll have an option.

OK, I already knew you would not like my suggestion... :-[ ::) But hey, you did a great job with Nginx! :) (you can be happy about it). Rejetto: from now on, you can breathe relieved when you see a message from me, since I will not be reporting any more new things about v2.4.x, because I don't want to be the guy who always 'breaks the balls' with small details (I don't want to be the one who always 'breaks the balls' with small details :D). I officially leave the "reporting things" task for the rest of you (besides that, my free time is much more limited now).

@MarkV: thanks for the command line explanation of generating a cert with OpenSSL. It's always nice not having to rely on some external service. I will try it as soon as I have some free time. (It's nice to have you on-board :))

Cheers,
Leo.-
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 get his stable version.


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
OK, I already knew you will not like my suggestion... :-[ ::)

:) actually the rule i learnt in time is that you should not put an option (on the screen) until it is necessary.
This IF you can make an automatic behavior that's always good. And sometimes even beyond that.
It's a general rule that I want to apply.

Quote
since I will not be reporting new more things about v2.4.x, because I don't want to be the guy who always 'break the balls' with small details

i don't understand why you say that, but you are very wrong. Reporting problems is very important.
Don't do it if you don't want, but don't see it as breaking balls.
« Last Edit: June 10, 2020, 08:39:37 AM by rejetto »


Offline MarkV

  • Tireless poster
  • ****
    • Posts: 764
    • View Profile
When I find some time, I'll also document my changes in openssl.cfg, which will greatly ease the creation process, and will allow "Subject Alternate Names (SANs)".
« Last Edit: June 10, 2020, 05:42:57 PM by MarkV »


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2063
    • View Profile
Me not happy, rejetto forget sugar in coffee  :'(

Missing macro 'sha256' in rc2

Waiting quickly rc3
« Last Edit: June 10, 2020, 05:21:28 PM by SilentPliz »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile

Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2063
    • View Profile

could you add this macro in scriptlib.pas during the new release of hfs
it is to allow an interaction with the function sha256(s) that you placed in the template

sure, next release

because,
first: you promised
secondly: failing to be able to use rsa client-server encryption, this is useful for validating an exchange of encrypted passwords

I thought of inserting the data to be transmitted in a zip protected by a sha256 based on the connection pass, but it requires too many resources to add in javascript and in hfs


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
first: you promised

calm down mars, i asked what, not why :D
if you look on github you'll see the command is ready. I'll publish asap.


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2063
    • View Profile
 ;D ;D

here is what to test its use in the password change by "form"

[screenshot: a form with "old password", "new password" and "confirm password" fields; positioning the mouse over the eye icon displays the passwords in clear]

the old password is not sent in clear but its sha256 is combined with the new and sha256 of the confirmation to check the validity at the server level by macros

everything takes place in the template and only requires the existence of the macro sha256

it's not the best we can do, but it's better than a clear password, and it allows accidental password change if we don't know the old one, the rest will come later when RSA becomes available jointly using the certificate for HTTPS
« Last Edit: June 10, 2020, 10:05:37 PM by Mars »
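To make the scheme in the post above concrete, here is an added example (not Mars's template or any HFS macro) of the same idea in Python: the browser sends sha256 of the old, new and confirmation passwords instead of clear text, and the server checks the old hash against what it stores and that new equals confirm. That the server stores the sha256 of the current password, and that "combined" means the three hashes travel together in one request, are my reading of the post, not something it states.

```python
import hashlib
import hmac


def sha256_hex(s: str) -> str:
    """Hex digest of a string, the client-side equivalent of the template's sha256(s)."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def build_change_request(old_pw: str, new_pw: str, confirm_pw: str) -> dict:
    """What the form would submit: only hashes leave the browser, never the clear text.
    (Assumed wire format; the real template's field names are not given in the thread.)"""
    return {
        "old": sha256_hex(old_pw),
        "new": sha256_hex(new_pw),
        "confirm": sha256_hex(confirm_pw),
    }


def apply_change(user: str, request: dict, store: dict) -> str:
    """Server-side check, as the macros would do it.

    store maps user -> sha256 hex of the current password (assumed storage format).
    Returns a short status string; "ok" means the stored hash was replaced.
    """
    current = store.get(user)
    if current is None:
        return "unknown user"
    # compare_digest avoids leaking the position of the first mismatching byte
    # through timing; the plain == the template would use is the weaker form.
    if not hmac.compare_digest(current, request["old"]):
        return "old password does not match"
    # A typo in either field is caught before anything is changed.
    if not hmac.compare_digest(request["new"], request["confirm"]):
        return "new and confirm differ"
    store[user] = request["new"]
    return "ok"


if __name__ == "__main__":
    # Constructed sample data: one account whose current password is "old-secret".
    accounts = {"mars": sha256_hex("old-secret")}
    print(apply_change("mars", build_change_request("wrong", "x", "x"), accounts))
    print(apply_change("mars", build_change_request("old-secret", "a", "b"), accounts))
    print(apply_change("mars", build_change_request("old-secret", "new-secret", "new-secret"), accounts))
```

What this does and does not buy is exactly what the post says: a bystander reading the request sees hashes rather than the password, but on plain HTTP the hash of the old password is itself enough to replay the request, so it is a step up from clear text, not a replacement for HTTPS.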


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13523
    • View Profile
it's nice and it's worth making a plugin out of it.
for the default tpl i'll wait to have encryption.
i understand that the https certificate would be ok to be used, if available, but i guess that it would be nice to have a solution that works even if you are not using https and probably have no cert.


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2063
    • View Profile
in the version of silentpliz using stunnel, he introduced a tab on the main page to manage the creation of such a certificate,

one solution would be to integrate it as a tab in the options or as an additional module, so we could easily create our own certificate, and use it either to configure stunnel.conf or nginx.conf without using an external program.

for the transmission of change password you should consider a solution like my encryption in the absence of a certificate, and abandon sending it by your old method

I think that with the help of silentpliz we could manage to offer you a module that would be easily integrated into hfs
« Last Edit: June 10, 2020, 11:42:30 PM by Mars »


Offline LeoNeeson

  • Tireless poster
  • ****
    • Posts: 859
  • Status: On hiatus       (sporadically here)
    • View Profile
    • twitter.com/LeoNeeson
I think that with the help of silentpliz we could manage to offer you a module that would be easily integrated into hfs
I vote to have this by default (even if we don't have HTTPS yet). It's better to have some security than no security at all. I like the work Mars has done. :)