rejetto forum

version 2.4

rejetto · 474 · 309970


Offline danny

  • Tireless poster
  • ****
    • Posts: 281
    • View Profile
...
...auto-ban not achievable, so Security Feature Request:  Need a menu/limits  option to limit bad login flooding/attack/volume to 5 per hour (or "x" number per hour).
this request is in to-do since forever and will likely be addressed soon. Anyway i don't see why you say "not achievable".
New for 2.4: auto-ban not achievable in a template, because any page anywhere can post a form. 
It doesn't have to be a template--you can make a different page or script to post a form.
So, the best place to prevent/interrupt a form input, is the .exe
« Last Edit: June 14, 2020, 08:07:56 PM by danny »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13510
    • View Profile
yes, and that's why i told you that you need to use the [unauthorized] event, that's in "events", not in the tpl.
If i find the time i will do it for you.


Offline danny

yes, and that's why i told you that you need to use the [unauthorized] event, that's in "events", not in the tpl.
If i find the time i will do it for you.
I found some posts about it:  https://rejetto.com/forum/index.php?topic=6757.msg1043503;topicseen#msg1043503
But, I couldn't get [+unauthorized] to work in the events file. 


Offline rejetto

sorry, i've just found that the new login system is not using the 'unauthorized'.
I'll see to have this fixed for next release.


Offline danny

Without functional [unauthorized], users/clients can be lost on a mostly white page that says bad password.  Sometimes (not often).

Another form-related hijink is:
menu > other options > user accounts
After login redirect to: 
doesn't work like 2.3

In both cases, redirection to usable content, is missing (doesn't deliver).

The white page problem is rare; but, there is errata, sometimes.
« Last Edit: June 16, 2020, 07:06:27 AM by danny »


Offline rejetto

In both cases, redirection to usable content, is missing (doesn't deliver).

i don't understand what you mean by usable content. Please tell me what you do, what's the expected behavior, and what happens instead.
I'm working to make a script to limit login failures in time. It's good because I find other bugs and fix them.


Offline danny

i don't understand what you mean by usable content.
A list of files to download. 
Please tell me what you do, what's the expected behavior, and what happens instead.  I'm working to make a script to limit login failures in time. It's good because I find other bugs and fix them.
I log in, and it usually works.  What was expected was one of these:  [unauth], or [unauthorized], or successful login, or 'after login redirect' as specified in the Users menu.  There is a little more variety than just those.

Sometimes there's a white screen message or didn't end up at the right folder.  I thought to fix the landing spot by using HFS menu > Users > 'after login redirect' But that doesn't do it. 
« Last Edit: June 16, 2020, 05:25:47 PM by danny »


Offline rejetto

A list of files to download. 

...a folder? you are saying that you specify the path to a folder in the 'after login redirect' account field and you are not taken there?
you give too few details. You don't specify the path you entered, you talk about a "white screen message" but don't report what it says.
I tested this right now. I started hfs, clean, no options, no tpl. Add a folder "upload". Create an account. Set the redirect for it to "/upload". I access the home with the browser, log in, and i'm taken to the upload folder.
I try again and set a path to a file that's inside the folder, a txt. Logout, login again, i'm taken to the file and see the file content.
Let me know if you have clear directions on how i should change what i just did to run into the same problem as you, otherwise it's hard for me to help.


Offline rejetto

if you get a different behavior you want to show me sharing your screen on google hangout if you want


Offline danny

if you get a different behavior you want to show me sharing your screen on google hangout if you want
I tested again.  The first time, I got a white screen that said ok.  But, the next time I tested, it went to /upload perfectly fine. 
And, I tested several more times.  It worked fine all of those times as well. 


Offline rejetto

https://github.com/rejetto/hfs2/releases/tag/v2.4-rc05

guys, with this release we switch to the 'public' flag in place of the 'private'.
Please update your tpl.


Offline danny

There were some missing parts until I cleared the browser's cache.  After that it worked nicely. 

P.S. Post#1 link (this same thread) links to RC4.
« Last Edit: June 19, 2020, 06:20:29 AM by danny »


Offline danny

I'm working to make a script to limit login failures in time.

However, on the phone browser, there could be a white screen with ok (too small to read--it just looks blank) or white screen with bad password or white screen that said something about username (too small to read but I think it meant the username was typed wrong). 

The 'lost on a white screen' problem is a little more frequent for the phone than the PC.
The user may be confused or believe the server is broken/offline.

Feature request:
I'd like a 1 second (maybe 1.5s) redirect on those 3 white screens, such as:
if ok, wait 1s then redirect to ../ (if accidentally at server response screen)
if bad password, wait 1s then redirect to /~login (if password typo)
if bad username, wait 1s then redirect to /~unauth (if can't type own name)

The suggestion is a 'fallback' just to let the users escape from the white screens.  I think that problem is raw server-response screens (like white underwear), not developed web pages.  But actually redirecting to any page with links is fine--Just really anything other than the mostly blank white screens. 

P.S.  I did not test with the inbuilt template.  This is a basic usability difference between 2.3 vs 2.4:  While 2.3 would always reach a web page with clickable links or [section], 2.4 sometimes doesn't.  That needs some server-side validation redirect-to-section added.

P.P.S.  For me, this is the only impasse between rc versus production release--it is why I can't use 2.4 on my own home server.
« Last Edit: June 19, 2020, 07:20:05 AM by danny »


Offline rejetto

i don't know how to reproduce your problem, i get no white screen. I tested with default tpl.
This is the wrong place to discuss this, as there is a dedicated topic for that script.


Offline MarkV

  • Tireless poster
  • ****
    • Posts: 764
    • View Profile
I did experiment a bit with nginx, as there were a few quirks (such as DualStack not working).

Found out the fix is actually simple: Change the line

listen 443 ssl;

to

listen [::]:443 ssl;


Done, works for me.

_____

One question: The reverse proxy usage of course cloaks the true identities of the connecting machines. Can HFS be configured to show the IP from the X-Forwarded-For (or X-Real-IP) headers, if they exist?
http://worldipv6launch.org - The world is different now.
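
Added example, not part of the thread and not HFS code: the thread's two security points combined, a "5 failed logins per hour" limit keyed on the real client address when the server sits behind a reverse proxy. The names `TRUSTED_PROXIES`, `client_ip` and `LoginLimiter` are hypothetical, and the proxy is assumed to run on the same host and to append the connecting address to X-Forwarded-For.

```python
import ipaddress
from collections import defaultdict, deque

# Assumption: the reverse proxy runs on the same machine as the file server.
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
MAX_FAILURES = 5        # "5 per hour" from the feature request
WINDOW_SECONDS = 3600


def client_ip(peer, headers):
    """Address to attribute a request to.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    from any other peer the header is client-controlled and is ignored.
    """
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Walk right to left: the rightmost entry was appended by our own proxy,
    # anything further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip          # malformed header: fall back to the peer
        if ip not in TRUSTED_PROXIES:
            return ip
    return peer_ip


class LoginLimiter:
    """Sliding-window counter of failed logins per client address."""

    def __init__(self):
        self.failures = defaultdict(deque)

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()             # drop failures older than the window
        return q

    def allowed(self, ip, now):
        return len(self._prune(ip, now)) < MAX_FAILURES

    def record_failure(self, ip, now):
        self._prune(ip, now).append(now)
```

Call `allowed()` before checking the password and `record_failure()` only when the check fails, so successful logins never count against the client.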