Hi r][m

Stunnel log generates a large amount of info very quickly, but most of it
doesn't appear to be of any real value to audit server traffic.
Even though I just got it added to HFS log, I've turned it off.
The Stunnel log displayed in HFS is not essential.
It was possible to do it with a script ... so it was interesting to do it.
Otherwise, you can try this value:
debug = 5 (it displays less "useless" information).
sample: blue and black are the Stunnel log, green is the HFS log (both displayed simultaneously in HFS)

> Stunnel log :
> 2010.01.12 16:32:22 LOG5[3008:2976]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:980]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:2976]: https connected remote server from 192.168.1.3:2248
> 2010.01.12 16:32:22 LOG5[3008:980]: https accepted connection from 88.199.13.181:32993
> 2010.01.12 16:32:22 LOG5[3008:2364]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:2364]: https connected remote server from 192.168.1.3:2378
12/01/2010 16:32:22 192.168.1.3:2372 {Stunnel} Connecté
12/01/2010 16:32:22 192.168.1.3:2370 {Stunnel} 381 Octets reçus
12/01/2010 16:32:22 toto@192.168.1.3:2366 {Stunnel} 226 Octets envoyés
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} 783 Octets reçus
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} Requête GET /~img92
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} Requête traitée
so we have the IP address and user:
toto / 88.199.13.181

Stunnel works well, but I see Stunnel at best as only a "work around".
It appears bans no longer work on address as https:// ??
I think a work around may be possible though.
I've had to remove the events macros that use ip address.
Looks like I'll lose a lot of the Limits settings as well, since HFS
will only see one ip for everyone now?
Indeed, it is a "workaround", but until HFS supports SSL, Stunnel is the only lightweight and robust solution for anyone who needs to use HFS over "https".
The limitations that you listed are real. It is up to everyone to weigh the value of using Stunnel against the requirements of their "server configuration", or to find a balance.
(It is possible to add "IP Mask" in stunnel.conf)
For my part, these limitations are not a problem: I only serve users with accounts, who are therefore identified.
If you use the stunnel log in hfs ... You will see all ip of your users in hfs
+
Two with HFS if you add your internal ip

stunnel.conf eg:
[https]
accept = 0.0.0.0:443
connect = 127.0.0.1:44300
; IP example
local = 192.168.1.6
TIMEOUTclose = 0

Then you add in HFS:
Menu > Limits > Bans
\127.0.0.1;192.168.1.6

Then in Address2name:
Name      IP Mask
Local     127.0.0.1
Stunnel   192.168.1.6

This will differentiate, in the log, the local connections (http) and the distant connections from
Stunnel (https).
Has anyone found a way to ban, etc., by user?
Not me!

I think the # 1 most desirable feature HFS could have would be SSL (encryption),
possibly, with dual hosting.
Yes, the integration of SSL in a "multiport/multiprotocol" HFS will be welcome.
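
Added example (not part of the original post, and not the poster's script): one way to correlate the two logs shown above so that each HFS entry is annotated with the real client address behind Stunnel. It assumes that Stunnel's "accepted connection" and "connected remote server" lines for one connection carry the same [pid:thread] tag; the log lines and client addresses below are constructed samples in the formats shown in the post.

```python
import re

# Constructed sample lines, in the Stunnel (debug = 5) and HFS formats from the post.
STUNNEL_LOG = """\
2010.01.12 16:32:22 LOG5[3008:980]: connect_blocking: connected 127.0.0.1:44300
2010.01.12 16:32:22 LOG5[3008:980]: https accepted connection from 203.0.113.7:32993
2010.01.12 16:32:22 LOG5[3008:2976]: https accepted connection from 198.51.100.20:51022
2010.01.12 16:32:22 LOG5[3008:2976]: connect_blocking: connected 127.0.0.1:44300
2010.01.12 16:32:22 LOG5[3008:2976]: https connected remote server from 192.168.1.3:2248
2010.01.12 16:32:22 LOG5[3008:980]: https connected remote server from 192.168.1.3:2361
"""
HFS_LOG = """\
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} Requête GET /~img92
12/01/2010 16:32:22 192.168.1.3:2248 {Stunnel} Connecté
12/01/2010 16:32:23 192.168.1.3:2400 {Stunnel} Connecté
"""

STUNNEL_RE = re.compile(
    r"LOG\d\[(?P<tid>\d+:\d+)\]: \S+ "
    r"(?P<ev>accepted connection|connected remote server) from (?P<addr>\S+)")
HFS_RE = re.compile(r"^\S+ \S+ (?:(?P<user>[^@\s]+)@)?(?P<addr>\S+) ")

def local_to_client(stunnel_text):
    """Map Stunnel's local source ip:port (what HFS sees) to the real client ip:port."""
    seen, mapping = {}, {}
    for line in stunnel_text.splitlines():
        m = STUNNEL_RE.search(line)
        if not m:
            continue  # e.g. connect_blocking lines carry no peer address
        key = "client" if m["ev"] == "accepted connection" else "local"
        pair = seen.setdefault(m["tid"], {})
        pair[key] = m["addr"]
        if len(pair) == 2:  # both halves seen, in either order
            mapping[pair["local"]] = pair["client"]
            del seen[m["tid"]]  # thread ids are reused for later connections
    return mapping

def annotate(hfs_text, mapping):
    """Return (user, address seen by HFS, real client or None) per HFS log line."""
    rows = []
    for line in hfs_text.splitlines():
        m = HFS_RE.match(line)
        if m:
            rows.append((m["user"], m["addr"], mapping.get(m["addr"])))
    return rows

if __name__ == "__main__":
    for row in annotate(HFS_LOG, local_to_client(STUNNEL_LOG)):
        print(row)
```

Local source ports are reused over time, so on real logs the mapping should be rebuilt over a short time window rather than over the whole file.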