rejetto forum

How about SSL support


Offline raffdich

  • Occasional poster
  • *
    • Posts: 10
To run HFS on ports 80 and 443 with stunnel I have these settings.

hfs run on port 8082

stunnel forward port 80 to 8082
stunnel forward port 443 to 8082

your router forward 80 to 80
your router forward 443 to 443


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1298
  • ....... chut ! shh!
About...   Display of Log Stunnel in HFS...

http://www.rejetto.com/forum/index.php?topic=3083.msg1040736#msg1040736

I updated this message with the new syntax recommended.


Namely:

Script edited 01-18-2010

[connected]
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}.}
{.set|#stunnel.last|{.filesize|stunnel.log.}.}
{.if|{.^#log.}|{:
{.add to log|.
Stunnel log :
{.^#log.}|Clblue.}
:}.}

[+start]
{.set|#stunnel.last|{.filesize|stunnel.log.}.}



Edit:  January 07, 2010

Reminder:


- In the stunnel.conf file in the stunnel.exe folder, specify the path of the HFS folder where the stunnel.log file will be created.
(debug = 6 gives a correct result)

; Some debugging stuff useful for troubleshooting
debug = 6
output = C:\path\of hfs folder\stunnel.log

« Last Edit: January 18, 2010, 09:22:53 PM by SilentPliz »


Offline r][m

  • Tireless poster
  • ****
    • Posts: 347
About...   Display of Log Stunnel in HFS...

http://www.rejetto.com/forum/index.php?topic=3083.msg1040736#msg1040736

I updated this message with the new syntax recommended.

Namely:

[connected]
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}{.set|#stunnel.last|{.filesize|stunnel.log.}.}.}
{.if|{.^#log.}|{:
{.add to log|.
Stunnel log :
{.^#log.}|Clblue.}
:}.}

[+start]
{.set|#stunnel.last|{.filesize|stunnel.log.}.}



I can't get this to work as posted, in HFS 248?
Is there some change needed? Wouldn't the stunnel.log file location on the hard disk
need to be part of the script?


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1298
  • ....... chut ! shh!
Hi!

No, there is no change in the script.
Since I posted it, it has always worked for me.

Perhaps you have sections in your hfs.events which are interfering (logical order or other)?

Or you just have not modified the output path for your stunnel.log file in the stunnel.conf file of the stunnel folder.

stunnel.log must be created in the hfs.exe folder for this script to work.
« Last Edit: January 07, 2010, 07:18:10 PM by SilentPliz »


Offline r][m

  • Tireless poster
  • ****
    • Posts: 347
stunnel.log must be created in the hfs.exe folder for this script to work.

That was the problem :)  I had it in a folder in the HFS.exe directory. When I moved it
out, now it works. Many thanks for your reply.
I have SSL up and running, but still got a lot more to do.


Offline r][m

  • Tireless poster
  • ****
    • Posts: 347
Stunnel log generates a large amount of info very quickly, but most of it
doesn't appear to be of any real value to audit server traffic.
Even though I just got it added to HFS log,  I've turned it off.

Stunnel works well, but I see Stunnel at best as only a "work around".
It appears bans no longer work on address as https:// ??
I think a work around may be possible though.
I've had to remove the events macros that use ip address.
Looks like I'll lose a lot of the Limits settings as well, since HFS
will only see one ip for everyone now?
Think I see now why there have been questions about running two instances of HFS,
but I really don't see that as good solution.

Has anyone found a way to ban, etc., by user?

Someone please enlighten me if I'm wrong about all this?

I think the # 1 most desirable feature HFS could have would be SSL (encryption),
possibly, with dual hosting.


Offline SilentPliz

  • Operator
  • Tireless poster
  • *****
    • Posts: 1298
  • ....... chut ! shh!
Hi r][m  ;)

Stunnel log generates a large amount of info very quickly, but most of it
doesn't appear to be of any real value to audit server traffic.
Even though I just got it added to HFS log,  I've turned it off.

The Stunnel log displayed in HFS is not essential.
It was possible to do it with a script ... so it was interesting to do it.

Otherwise, you can try this value: debug = 5; it displays less useless information.

sample: blue and black are the Stunnel log, green is the HFS log (both displayed simultaneously in HFS):)

Quote
> Stunnel log :
> 2010.01.12 16:32:22 LOG5[3008:2976]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:980]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:2976]: https connected remote server from 192.168.1.3:2248
> 2010.01.12 16:32:22 LOG5[3008:980]: https accepted connection from 88.199.13.181:32993
> 2010.01.12 16:32:22 LOG5[3008:2364]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:2364]: https connected remote server from 192.168.1.3:2378

12/01/2010 16:32:22 192.168.1.3:2372 {Stunnel} Connecté
12/01/2010 16:32:22 192.168.1.3:2370 {Stunnel} 381 Octets reçus
12/01/2010 16:32:22 toto@192.168.1.3:2366 {Stunnel} 226 Octets envoyés
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} 783 Octets reçus
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} Requête GET /~img92
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} Requête traitée

so we have ip address and user : toto / 88.199.13.181


Quote
Stunnel works well, but I see Stunnel at best as only a "work around".
It appears bans no longer work on address as https:// ??
I think a work around may be possible though.
I've had to remove the events macros that use ip address.
Looks like I'll lose a lot of the Limits settings as well, since HFS

Indeed, it is a "workaround", but until HFS supports SSL, Stunnel is the only lightweight and robust solution for whoever needs to use HFS over "https".

The limitations that you listed are real; it's up to everyone to weigh the value of using Stunnel against the requirements of their "server configuration", or to find a balance.
(It is possible to add an "IP Mask" in stunnel.conf)

For my part, these limitations are not a problem: I only serve users with accounts, who are therefore identified.

Quote
will only see one ip for everyone now?

If you use the stunnel log in hfs ... You will see all ip of your users in hfs
+
Two with HFS if you add your internal ip   :D

stunnel.conf e.g.:

[https]
accept  = 0.0.0.0:443
connect = 127.0.0.1:44300
local = 192.168.1.6 *
TIMEOUTclose = 0

* IP example

Then you add in HFS:

Menu > Limits > Bans

\127.0.0.1;192.168.1.6

Then in Adress2name:

Name      IP Mask
Local     127.0.0.1
Stunnel   192.168.1.6

This will differentiate, in the log, the local connections (http) from the remote connections coming through Stunnel (https).

Quote
Has anyone found a way to ban, etc., by user?

Not me! :D

Quote
I think the # 1 most desirable feature HFS could have would be SSL (encryption),
possibly, with dual hosting.

Yes, the integration of SSL in a "multiport/multiprotocol" HFS would be welcome.


« Last Edit: January 12, 2010, 04:34:08 PM by SilentPliz »


Offline r][m

  • Tireless poster
  • ****
    • Posts: 347
SilentPliz
Many thanks for the help and encouragement  :)


sample: blue and black are the Stunnel log, green is the HFS log (both displayed simultaneously in HFS):)

I'm getting much more than that with debug=5. For every 20 hfs lines I get at least 20 stunnel lines.
debug = 0 stops stunnel log. ; debug = 5 doesn't turn it off here.
Nothing below 5 works here.

(It is possible to add "IP Mask" in stunnel.conf) This might help?

local = 192.168.1.6 doesn't work here. I get a stunnel error and it will not work until I remove
local = my lan address.
Using stunnel 4.29
I am working on a "work around" for some of this, and it works on LAN, but testing from WAN
so far, hasn't. Slow going. If it tests out I'll post the concept here.



Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13310
1. Just for readability, I would change this
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}{.set|#stunnel.last|{.filesize|stunnel.log.}.}.}

in this
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}.}
{.set|#stunnel.last|{.filesize|stunnel.log.}.}


2. we don't have banning "by user", but you can disable an account.
or even you can put an event like
[+connected]
{.if user is john then disconnect.}
(just a mock)

3. i guess you can filter the stunnel log by using some smart {.commands.} since the content is put in a variable before it's put in the log.
i know it's not straightforward.

4. I'm having an idea that may be very good if it works.
I have a way to make a {.command.} set a different address that HFS should consider for the current connection.
So, if YOU can extract this address from the log, we may get all the usual stuff (like per-address limits) to work with stunnel!
Hey, this requires a very smart guy :P
The main problem is to pair HFS connections with stunnel ones.
It's useless to have 3 addresses from stunnel without knowing which local connections they are paired with in HFS.
You can distinguish local connections by port numbers.



Offline r][m

  • Tireless poster
  • ****
    • Posts: 347
4. i'm having an idea that may be very good if it works.
I'm using an unsecured index.html page at http://my address:port1 with a link to https://my address:port2.
In this way users address is logged and ip bans will work. Of course, most limits are still local host - not useful.
 I use a modified breadcrumbs to send the user back to http://index.html:port1 as "Home".
Remote tests indicate this work around works.
I'm going to try a trick in my router when I get time that may help.


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13310
the ports i'm talking about are not the ones HFS and stunnel are configured for accepting connections.

sample: blue and black are the Stunnel log, green is the HFS log (both displayed simultaneously in HFS):)
...
so we have ip address and user : toto / 88.199.13.181

You say that by the sequence of events, https accepts a connection, and then the request arrives at HFS.
But what if you get 2 connections on stunnel, and then 2 requests on HFS?
What is what, which is which: how can you pair them correctly?
If we solve this dilemma, maybe we can work it out.
You get toto@192.168.1.3:2361 in the HFS log.
So there's a connection between HFS and stunnel, and the connection is identified by that "2361".
If you find the same number in the stunnel log, then it's done. Can you?
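The pairing rejetto describes (and the filtering of the noisy stunnel log he mentions in point 3) can be checked offline before writing any HFS macro. The following is an added example, not code from the thread or from the HFS project: it assumes the two log formats shown earlier in this thread (stunnel 4.x at debug = 5, and the HFS log with an Adress2name entry named "Stunnel"). Each stunnel thread, identified by the [pid:tid] field, handles one client connection, so the "accepted connection from" line and the "connected remote server from" line with the same thread id belong to the same session; the port in the second line is the port HFS sees. The sample log lines below are constructed for the demonstration.

```python
import re

# Constructed sample lines in the format shown in this thread.
STUNNEL_LOG = """\
2010.01.12 16:32:22 LOG5[3008:980]: https accepted connection from 88.199.13.181:32993
2010.01.12 16:32:22 LOG5[3008:980]: connect_blocking: connected 127.0.0.1:44300
2010.01.12 16:32:22 LOG5[3008:980]: https connected remote server from 192.168.1.3:2361
2010.01.12 16:32:23 LOG5[3008:2364]: https accepted connection from 203.0.113.7:51001
2010.01.12 16:32:23 LOG5[3008:2364]: connect_blocking: connected 127.0.0.1:44300
2010.01.12 16:32:23 LOG5[3008:2364]: https connected remote server from 192.168.1.3:2378
"""

HFS_LOG = """\
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} Requête GET /~img92
12/01/2010 16:32:23 192.168.1.3:2378 {Stunnel} Requête GET /secret.txt
12/01/2010 16:32:24 192.168.1.6:2400 {Local} Requête GET /
"""

# Only these two stunnel message kinds matter for pairing; everything else
# (connect_blocking, SSL handshake chatter, ...) is dropped as noise.
ACCEPT_RE = re.compile(r"LOG\d\[(\d+):(\d+)\]: \S+ accepted connection from ([\d.]+):(\d+)")
REMOTE_RE = re.compile(r"LOG\d\[(\d+):(\d+)\]: \S+ connected remote server from ([\d.]+):(\d+)")
# HFS log line: date time [user@]ip:port {Adress2name} message
HFS_RE = re.compile(r"^(\S+ \S+) (?:(\w+)@)?([\d.]+):(\d+) \{(\w+)\}")


def map_local_ports(stunnel_text):
    """Return {(local_ip, local_port): real_client_ip} built from the stunnel log.

    The 'accepted' line gives the real client address; the 'connected remote
    server' line with the same [pid:tid] gives the source port of the
    stunnel -> HFS connection, which is what HFS logs as the client port.
    """
    accepted = {}   # (pid, tid) -> real client ip, awaiting its remote line
    mapping = {}
    for line in stunnel_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            accepted[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = REMOTE_RE.search(line)
        if m:
            client = accepted.pop((m.group(1), m.group(2)), None)
            if client is not None:   # ignore a remote line with no accept
                mapping[(m.group(3), int(m.group(4)))] = client
    return mapping


def attribute_hfs_log(hfs_text, port_map):
    """Return (timestamp, user, real_client_ip, adress2name) per HFS entry.

    Connections that arrived through stunnel get the real client IP from
    port_map; anything unmatched keeps the address HFS saw.
    """
    rows = []
    for line in hfs_text.splitlines():
        m = HFS_RE.match(line)
        if not m:
            continue
        ts, user, ip, port, name = m.groups()
        real_ip = port_map.get((ip, int(port)), ip)
        rows.append((ts, user or "", real_ip, name))
    return rows


if __name__ == "__main__":
    ports = map_local_ports(STUNNEL_LOG)
    for ts, user, ip, name in attribute_hfs_log(HFS_LOG, ports):
        print(f"{ts} {name:8} user={user or '-':6} client={ip}")
```

Two practical caveats: local source ports are reused over time, so a long-running version of this must process both logs in order and drop a mapping once the HFS connection closes, and stunnel thread ids are reused too, which is why each "accepted" entry is consumed as soon as its "connected remote server" line is seen.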


Offline r][m

  • Tireless poster
  • ****
    • Posts: 347
2. we don't have banning "by user", but you can disable an account.
or even you can put an event like
[+connected]
{.if user is john then disconnect.}
(just a mock)
Are you saying this is possible? or yet to be added?  I don't see %user% working in events here.


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2043
to verify if %user% works ..

[+connected]
{.add to log| user %user% is connected.}

Having verified, it is confirmed that it does not work.

Nevertheless the solution is simple: one more line of code is enough, with a new event ...

Quote
 if urlCmd = '~login' then
    if conn.request.user = '' then
      begin // issue a login dialog
      getPage('unauthorized', data);
      if loginRealm > '' then conn.reply.realm:=loginRealm;
      exit;
      end
    else
      begin
      runEventScript('logged');   //mars 2010
      conn.reply.mode:=HRM_REDIRECT;
      conn.reply.url:=first(getAccountRedirect(), url);
      exit;
      end;

used as follows:
Quote
[+logged]
{.add to log| user %user% is %event%.}
{.if|{.=|%user%|rejetto.}|{:{.disconnect.}:}.}

When using the url http://......./~login, the user can log in, but he is immediately disconnected and has to change browser to reconnect, because the name and the password are stored by the browser and reused for the login page. ;D
« Last Edit: January 21, 2010, 01:46:34 PM by Mars »


Offline Mars

  • Operator
  • Tireless poster
  • *****
    • Posts: 2043
After a good night of rest and more thorough tries: it is possible with the current versions to simply add one line in the event to obtain the action proposed by rejetto

Quote
[+request]
{.add to log| user %user% is request.}
{.if|{.=|%user%|rejetto.}|{:{.disconnect.}:}.}


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13310
Are you saying this is possible? or yet to be added?  I don't see %user% working in events here.

Oh, you are right. The user is provided with the request, so HFS doesn't know the user at connection time.
That will be [+request] instead of [+connected].

The event script suggested by mars should be ok.
Having several usernames would be easy by using {.switch.} instead of {.=.}