rejetto forum

How about SSL support


securityguard123
I also like this small tool!

If this will be incorporated it will be a good thing. :)


phoque
To improve support for HTTPS with Stunnel it would be nice to have a limit "max downloads per user" and to add an "add custom ip" feature that can contain the protocol (to create something like "https://my.hostname.com/").

Apart from that: awesome work! I am really enjoying HFS and enjoying it even more with Stunnel :-)


SilentPliz
Display of Log Stunnel in HFS. (v2.3 since build #239)

Ref: http://www.rejetto.com/forum/index.php?topic=6651.msg1040731#msg1040731

1)

- Paste the following section in a file hfs.events that you will put in the folder of hfs.exe:


Script edited 01-18-2010

[connected]
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}.}
{.set|#stunnel.last|{.filesize|stunnel.log.}.}
{.if|{.^#log.}|{:
{.add to log|.
Stunnel log :
{.^#log.}|Clblue.}
:}.}

[+start]
{.set|#stunnel.last|{.filesize|stunnel.log.}.}


2)

- In the file stunnel.conf, in the folder of stunnel.exe, specify the path of the HFS folder where the file stunnel.log will be created.
(Debug = 6 gives a correct result)

; Some debugging stuff useful for troubleshooting
debug = 6
output = C:\path\of\hfs folder\stunnel.log


3)

- Enjoy HFS and Stunnel !  :)

----------------------------------------------------------------------------
Independently, you can add to the section [https] of stunnel.conf, the internal IP of your PC:

[https]
accept  = 0.0.0.0:443
connect = 127.0.0.1:44300

; 192.168.1.6 is an example IP
local = 192.168.1.6
TIMEOUTclose = 0

Then you add in HFS:

Menu > Limits > Bans

\127.0.0.1;192.168.1.6

Then in Address2name:

Name       IP Mask
Local      127.0.0.1
Stunnel    192.168.1.6

This will differentiate, in the log, the local connections (http) from the distant connections coming from Stunnel (https).
« Last Edit: January 18, 2010, 09:24:14 PM by SilentPliz »
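The bookkeeping that the hfs.events script above performs (remember the log size, then load only what was appended), as an added Python example that is not part of the original post or of HFS. The function name, the level filter and the sample lines are constructed for illustration; the code also covers a missing, truncated or half-written log.

```python
import os
import re
import tempfile

# Line format as in the stunnel log quoted in this thread:
#   2009.02.17 20:06:04 LOG5[3556:1516]: message
LINE_RE = re.compile(
    r"^(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG(\d)\[(\d+):(\d+)\]: (.*)$")


def read_new_entries(log_path, last_offset, max_level=6):
    """Return (entries, new_offset) for complete lines appended after last_offset."""
    try:
        size = os.path.getsize(log_path)
    except OSError:
        return [], 0  # no log file here: check "output" in stunnel.conf
    if size < last_offset:
        last_offset = 0  # log was truncated or recreated, start over
    with open(log_path, "rb") as fh:
        fh.seek(last_offset)
        chunk = fh.read(size - last_offset)
    end = chunk.rfind(b"\n") + 1  # leave a half-written last line for next call
    entries = []
    for raw in chunk[:end].decode("utf-8", errors="replace").splitlines():
        m = LINE_RE.match(raw)
        if m and int(m.group(2)) <= max_level:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "pid": int(m.group(3)), "message": m.group(5)})
    return entries, last_offset + end


def demo():
    # Constructed sample lines modelled on the log format in this thread.
    first = ("2009.02.17 20:06:04 LOG7[3556:2668]: Certificate loaded\n"
             "2009.02.17 20:06:04 LOG5[3556:1516]: No limit detected\n")
    later = "2009.02.17 20:07:10 LOG5[3556:1600]: sample connection entry\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "stunnel.log")
        missing = read_new_entries(path, 0)        # file not created yet
        with open(path, "w", newline="") as fh:
            fh.write(first)
        batch1, off1 = read_new_entries(path, 0)   # LOG7 line is filtered out
        with open(path, "a", newline="") as fh:
            fh.write(later)
        batch2, off2 = read_new_entries(path, off1)  # only the appended line
    return missing, batch1, off1, batch2, off2


if __name__ == "__main__":
    for part in demo():
        print(part)
```

A result of `([], 0)` on every call means no stunnel.log exists at that path, so the `output` setting in stunnel.conf is the first thing to check.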


Dev
I hate to ask this question since I am not very knowledgeable with HTTP. I have HFS working without stunnel. I downloaded and set up stunnel following these directions http://www.rejetto.com/wiki/index.php/HFS:_Secure_your_server , I can connect through HFS by clicking the open in browser button, but whenever I try to test, it fails. I put in 44300 in the port field, I tried to connect by putting https://myipaddress:44300 and I get an error in Firefox saying the site may be valid but it can't establish a connection. It may be my certificate? Not sure what the hostname should be. What would the address look like that would go into the browser? HFS worked great using http but the address was my ip:port# that I had forwarded in the router; now that obviously won't work using https. I have port 443 currently forwarded. I am hoping I might just be not understanding something simple. Here is the stunnel log file:

2009.02.17 20:06:04 LOG6[3556:2668]: Compression enabled using zlib method
2009.02.17 20:06:04 LOG7[3556:2668]: Snagged 64 random bytes from C:/.rnd
2009.02.17 20:06:04 LOG7[3556:2668]: Wrote 1024 new random bytes to C:/.rnd
2009.02.17 20:06:04 LOG7[3556:2668]: RAND_status claims sufficient entropy for the PRNG
2009.02.17 20:06:04 LOG7[3556:2668]: PRNG seeded successfully
2009.02.17 20:06:04 LOG7[3556:2668]: Configuration SSL options: 0x01000FFF
2009.02.17 20:06:04 LOG7[3556:2668]: SSL options set: 0x01000FFF
2009.02.17 20:06:04 LOG7[3556:2668]: Certificate: stunnel.pem
2009.02.17 20:06:04 LOG7[3556:2668]: Certificate loaded
2009.02.17 20:06:04 LOG7[3556:2668]: Key file: stunnel.pem
2009.02.17 20:06:04 LOG7[3556:2668]: Private key loaded
2009.02.17 20:06:04 LOG7[3556:2668]: SSL context initialized for service https
2009.02.17 20:06:04 LOG5[3556:2668]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008
2009.02.17 20:06:04 LOG5[3556:2668]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2009.02.17 20:06:04 LOG5[3556:1516]: No limit detected for the number of clients
2009.02.17 20:06:04 LOG7[3556:1516]: FD 184 in non-blocking mode
2009.02.17 20:06:04 LOG7[3556:1516]: SO_REUSEADDR option set on accept socket
2009.02.17 20:06:04 LOG7[3556:1516]: https bound to 0.0.0.0:443

Thanks a lot for any help,
Dev


SilentPliz
Your configuration of Stunnel seems correct.
The SSL connections (https) are based on connection requests coming from outside on port 443 (Stunnel); these connections are then redirected to the local port that HFS listens on (44300).
The responses of HFS follow the same path back.

So this address will be used only for connections from the outside:

https://myexternalipaddress:443/

If you cannot test from outside your server, test it with the following link, for example (see enclosed picture):

http://www.internetvista.com/fr/tester-serveur-web.htm

You enter your link:

https://myexternalipaddress:443/

If you see something appear in the log of HFS ... YOU WON !

-------------------------------------------------------------------------------------------------------------
REMINDER

To connect locally (http) (e.g. via the browse button of HFS):

Set HFS (permanent settings):

Port 44300

Menu > Limits > Bans:
\127.0.0.1

Menu > IP Address > 127.0.0.1
Menu > Accept connections on > 127.0.0.1

The correct address to connect locally on HFS will be:

http://127.0.0.1:44300/
« Last Edit: February 18, 2009, 07:30:45 AM by SilentPliz »
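A check of stunnel.conf against the layout described in this reply (Stunnel accepts on 443 and hands off to HFS on 127.0.0.1:44300), together with the `local` setting from the log-display post earlier in the thread. This is an added Python example, not code from the thread or from the Stunnel or HFS projects; the function names and the second, "exposed" configuration are constructed, and only IPv4 addresses and hostnames are handled.

```python
import configparser
import ipaddress

# Configuration assembled from the fragments posted in this thread.
PAGE_CONF = r"""
; Some debugging stuff useful for troubleshooting
debug = 6
output = C:\path\of\hfs folder\stunnel.log

[https]
accept  = 0.0.0.0:443
connect = 127.0.0.1:44300
local = 192.168.1.6
TIMEOUTclose = 0
"""
# Constructed variant: the backend hop points at the LAN address instead.
EXPOSED_CONF = PAGE_CONF.replace(
    "connect = 127.0.0.1:44300\nlocal = 192.168.1.6",
    "connect = 192.168.1.6:44300")


def parse_stunnel_conf(text):
    """Parse stunnel.conf; options above the first [service] land in 'global'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";", "#"))
    cp.read_string("[global]\n" + text)
    return cp


def split_endpoint(value):
    """Split stunnel's '[host:]port' form; host is None when only a port is given."""
    host, sep, port = value.strip().rpartition(":")
    return (host if sep else None), int(port)


def audit(text):
    """Return findings about the plain-HTTP hop between Stunnel and HFS."""
    findings = []
    cp = parse_stunnel_conf(text)
    for name in (s for s in cp.sections() if s != "global"):
        svc = cp[name]
        host, port = split_endpoint(svc.get("connect", "0"))
        try:  # a bare port means localhost; unknown hostnames count as remote
            local_hop = host in (None, "localhost") or \
                ipaddress.ip_address(host).is_loopback
        except ValueError:
            local_hop = False
        if "connect" in svc and not local_hop:
            findings.append(f"[{name}] connect = {host}:{port} is not loopback: "
                            "the plain-HTTP hop is no longer confined to 127.0.0.1")
        if "local" in svc:
            findings.append(f"[{name}] local = {svc['local']}: HFS sees this "
                            "source IP, so the HFS ban mask must exempt it")
    return findings
```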


Dev
That did it, thanks a bunch SilentPliz. After reading the security issues I really wanted to have stunnel running.


Ranger
I got this all set up and it now works. However my hosted images won't work anymore on websites (even when changing the link to HTTPS). Any way around this or will this not work using HTTPS?


SilentPliz
@Dev
Cool! I'm glad that everything works for you.  ;)

@DNic41
Excuse me, but I do not understand your worries... Are the pictures on your HFS no longer accessible?

Can visitors not access them?

Try to explain exactly what you have done and what does not work... I am a little stupid sometimes.  :-\


Ranger
> @DNic41
> Excuse me, but I do not understand your worries... Are the pictures on your HFS no longer accessible?
>
> Can visitors not access them?
>
> Try to explain exactly what you have done and what does not work... I am a little stupid sometimes.  :-\

I host images on my HFS just like you would with imageshack, photobucket, etc. When I use SSL the images won't come up on other websites anymore (of course I changed the URL to HTTPS:// from HTTP://)


SilentPliz
Arrrgh ! Sorry, I have been slow to understand.  :-[

You should not have problems with your pictures... if the correct links are in https.

If possible, post a link here... it may be possible to see what is wrong.

A problem with Stunnel can occur with automatic operations... Yes! We need someone at the other end to accept the SSL certificate.  :D

PS: you can also work with a second hfs.exe in http.
« Last Edit: February 18, 2009, 10:39:55 PM by SilentPliz »


Ranger
> Arrrgh! Sorry, I have been slow to understand.  :-[
>
> You should not have problems with your pictures... if the correct links are in https.
>
> The only problems that may arise with Stunnel occur with automatic operations... Oh yes! We need someone at the other end to accept the SSL certificate.  :D
>
> PS: you can also work with a second hfs.exe in http.

Yea I might do the second HFS in plain HTTP for images, but I'm not sure yet on how to link the 2 together.


Ranger
Ok, I was able to create a second instance of HFS (HTTP) for just my image hosting. Now how or what is the best way to get it to point to the HFS (HTTPS) server?

I'd like to link it up as smoothly as possible, but not sure how to go about this.


SilentPliz

For the HTTP server (eg: port 80)


You put hfs.exe in an independent directory.
You keep the setup you had before, in HTTP.
You authorize HFS to work with multiple instances open.
You put in your VFS all the resources that will be allowed in HTTP.
--------------------------------------------------

For the HTTPS server (eg: port 44300)

I think you now know how to set it up.  ;)

You put in your VFS all the resources that will be allowed in HTTPS.

Both servers can contain the same accounts.
Both VFS are independent.
--------------------------------------------------

To link the two servers HTTP > HTTPS

Several solutions are possible; I will give you two very simple ones:

1)

You create new links in the directories of the users of the HTTP server that can access the HTTPS server

VFS > right click > New link

https://yourdomain:443/

2)

You create a menu in the template of the HTTP server

Eg with the default template:

{.if| {.get|can upload.}  | <li><a href="~upload"><center><img src="/~img32"> {.!Upload.}</center></a></li> .}
{.if| {.and | {.get|can archive.} | {.not|{.?search.}.} .}
    | <li><a href="~folder.tar?recursive"><center>{.!Folder archive.}</center></a></li>
   <li><a href="https://yourdomain:443/"><center>HFS SSL</center></a></li>
.}


You can combine this line with macros to require conditions for the display of the menu.

Of course other ways to do this are possible:
e.g. using a home page, including all settings in the same template, making a button, etc.

« Last Edit: February 19, 2009, 08:28:20 AM by SilentPliz »


Ranger
Thanks! I just added a link on the HTTP to the HTTPS.

Also I tried to add the log, the first 2 steps, but all I get in my HTTPS HFS folder is a stunnel.last file with a number 0 in it.