How about SSL support

[raffdich]

to run hfs on port 80 and 443 with stunnel i have this settings.

hfs run on port 8082

stunnel forward port 80 to 8082
stunnel forward port 443 to 8082

your router forward 80 to 80
your router forward 443 to 443

[SilentPliz]

About...   Display of Log Stunnel in HFS...

http://www.rejetto.com/forum/index.php?topic=3083.msg1040736#msg1040736

I updated this message with the new syntax recommended.


Namely:

Script edited 01-18-2010

[connected]
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}.}
{.set|#stunnel.last|{.filesize|stunnel.log.}.}
{.if|{.^#log.}|{:
{.add to log|.
Stunnel log :
{.^#log.}|Clblue.}
:}.}

[+start]
{.set|#stunnel.last|{.filesize|stunnel.log.}.}


Edit:  January 07, 2010

Reminder:

- In stunnel.conf file of the folder of stunnel.exe , specify the path of HFS folder where the stunnel.log file will be created.
(Debug = 6 gives a correct result)

; Some debugging stuff useful for troubleshooting
debug = 6
output = C:\path\of hfs folder\stunnel.log

[r][m]

About...   Display of Log Stunnel in HFS...

http://www.rejetto.com/forum/index.php?topic=3083.msg1040736#msg1040736

I updated this message with the new syntax recommended.

Namely:

[connected]
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}{.set|#stunnel.last|{.filesize|stunnel.log.}.}.}
{.if|{.^#log.}|{:
{.add to log|.
Stunnel log :
{.^#log.}|Clblue.}
:}.}

[+start]
{.set|#stunnel.last|{.filesize|stunnel.log.}.}

I can't get this to work as posted, in HFS 248?
Is there some change needed? Wouldn't the stunnel.log file location on the hard disk
need to be part of the script?

[SilentPliz]

Hi!

No, there is no change in the script.
Since I posted it always works for me.

Perhaps you have sections in your hfs.events wich interfering (logical order or other) (?)

Or just you have not modified the output path for your stunnel.log file in the stunnel.conf file of stunnel folder.

stunnel.log must be created in the hfs.exe folder for this script to work.

[r][m]

stunnel.log must be created in the hfs.exe folder for this script to work.

That was the problem   I had it in a folder in the HFS.exe directory. When I moved it
out, now it works. Many thanks for your reply.
I have SSL up and running, but still got a lot more to do.

[r][m]

Stunnel log generates a large amount of info very quickly, but most of it
doesn't appear to be of any real value to audit server traffic.
Even though I just got it added to HFS log,  I've turned it off.

Stunnel works well, but I see Stunnel at best as only a "work around".
It appears bans no longer work on address as https:// ??
I think a work around may be possible though.
I've had to remove the events macros that use ip address.
Looks like I'll lose a lot of the Limits settings as well, since HFS
will only see one ip for everyone now?
Think I see now why there have been questions about running two instances of HFS,
but I really don't see that as good solution.

Has anyone found a way to ban, etc., by user?

Someone please enlighten me if I'm wrong about all this?

I think the # 1 most desirable feature HFS could have would be SSL (encryption),
possibly, with dual hosting.

[SilentPliz]

Hi r][m  

Stunnel log generates a large amount of info very quickly, but most of it
doesn't appear to be of any real value to audit server traffic.
Even though I just got it added to HFS log,  I've turned it off.

The Stunnel log displayed in HFS is not essential.
It was possible to do it with a script ... so it was interesting to do it.

Otherwise, you can try this value : debug = 5 it displays less informations "useless".

sample: blue and black are the Stunnel log, green is the HFS log (both displayed simultaneously in HFS)

> Stunnel log :
> 2010.01.12 16:32:22 LOG5[3008:2976]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:980]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:2976]: https connected remote server from 192.168.1.3:2248
> 2010.01.12 16:32:22 LOG5[3008:980]: https accepted connection from 88.199.13.181:32993
> 2010.01.12 16:32:22 LOG5[3008:2364]: connect_blocking: connected 127.0.0.1:44300
> 2010.01.12 16:32:22 LOG5[3008:2364]: https connected remote server from 192.168.1.3:2378
12/01/2010 16:32:22 192.168.1.3:2372 {Stunnel} Connecté
12/01/2010 16:32:22 192.168.1.3:2370 {Stunnel} 381 Octets reçus
12/01/2010 16:32:22 toto@192.168.1.3:2366 {Stunnel} 226 Octets envoyés
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} 783 Octets reçus
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} Requête GET /~img92
12/01/2010 16:32:22 toto@192.168.1.3:2361 {Stunnel} Requête traitée

so we have ip address and user : toto / 88.199.13.181

Stunnel works well, but I see Stunnel at best as only a "work around".
It appears bans no longer work on address as https:// ??
I think a work around may be possible though.
I've had to remove the events macros that use ip address.
Looks like I'll lose a lot of the Limits settings as well, since HFS

Indeed, it is a "workaround", but until that HFS supports SSL, Stunnel is the only lightweight and robust solution for who needs to use HFS to "https"

The limitations that you listed are reals, It's at every one to determine the value of using Stunnel with the requirements of its "server configuration", or to find a balance.
(It is possible to add "IP Mask" in stunnel.conf)

For my part, these limitations are not a problem, I only serves users with accounts, and therefore identified.

will only see one ip for everyone now?

If you use the stunnel log in hfs ... You will see all ip of your users in hfs
+
Two with HFS if you add your internal ip  

stunnel.conf eg:

[https]
accept  = 0.0.0.0:443
connect = 127.0.0.1:44300
local = 192.168.1.6 *
TIMEOUTclose = 0

* IP example

Then you add in HFS:

Menu > Limits > Bans

\127.0.0.1;192.168.1.6

Then in Adress2name:

Name       IP Mask
Local        127.0.0.1
Stunnel   192.168.1.6

This will differentiate in the log, the local connections (http), and the distant connections from Stunnel (https).

Has anyone found a way to ban, etc., by user?

Not me!

I think the # 1 most desirable feature HFS could have would be SSL (encryption),
possibly, with dual hosting.

Yes, the integration of SSL in an "multiport/multiprotocol" HFS will be welcome.

[r][m]

SilentPliz
Many thanks for the help and encouragement 

sample: blue and black are the Stunnel log, green is the HFS log (both displayed simultaneously in HFS)

I'm getting much more than that with debug=5. For every 20 hfs lines I get at least 20 stunnel lines.
debug = 0 stops stunnel log. ; debug = 5 doesn't turn it off here.
Nothing below 5 works here.

(It is possible to add "IP Mask" in stunnel.conf) This might help?

local = 192.168.1.6 doesn't work here. I get a stunnel error and it will not work untill I remove
local = my lan address.
Using stunnel 4.29
I am working on a "work around" for some of this, and it works on LAN, but testing from WAN
so far, hasn't. Slow going. If it tests out I'll post the concept here.

[rejetto]

1. just for readability matters, i would change this
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}{.set|#stunnel.last|{.filesize|stunnel.log.}.}.}

in this
{.set|#log|{.load|stunnel.log|from={.^#stunnel.last.}.}.}
{.set|#stunnel.last|{.filesize|stunnel.log.}.}


2. we don't have banning "by user", but you can disable an account.
or even you can put an event like
[+connected]
{.if user is john then disconnect.}
(just a mock)

3. i guess you can filter the stunnel log by using some smart {.commands.} since the content is put in a variable before it's put in the log.
i know it's not straightforward.

4. i'm having an idea that may be very good if it works.
i have the way to make {.command.} to set a different address that HFS should consider for the current connection.
so, if YOU can extract this address from the log, we may get all the usual stuff (like per-address limits) to work with stunnel!
hey, this requires a very smart guy
the main problem is to pair HFS connections with stunnel ones.
it's useless to have 3 addresses by stunnel but knowing not which local connections are paired in HFS.
you can distinguish local connections by port numbers.

[r][m]

4. i'm having an idea that may be very good if it works.

I'm using a unsecured index.html page which has a http://my address:port1 with a link to https://my address:port2.
In this way users address is logged and ip bans will work. Of course, most limits are still local host - not useful.
 I use a modified breadcrumbs to send the user back to http://index.html:port1 as "Home".
Remote tests indicate this work around works.
I'm going to try a trick in my router when I get time that may help.

[rejetto]

the ports i'm talking about are not the ones HFS and stunnel are configured for accepting connections.

sample: blue and black are the Stunnel log, green is the HFS log (both displayed simultaneously in HFS)
...
so we have ip address and user : toto / 88.199.13.181

you say that by the sequence of events, https accepted connection, and then the request to HFS.
but what if you get 2 connections on stunnel, and then 2 requests on HFS.
what is what, which is which. how can you pair correctly?
if we solve this dilemma, maybe we can work it out.
you get toto@192.168.1.3:2361 on HFS log.
so there's a connection between HFS and stunnel, and the connection is identifier by that "2361".
if you find the same number in the stunnel log, then it's done. can you?

[r][m]

2. we don't have banning "by user", but you can disable an account.
or even you can put an event like
[+connected]
{.if user is john then disconnect.}
(just a mock)

Are you saying this is possible? or yet to be added?  I don't see %user% working in events here.

[Mars]

to verify if %user% works ..

[+connected]
{.add to log| user %user% is connected.}

Having to verify, it is confirmed, that does not work.

Nevertheless the solution is simple and is enough a line of code in more with an new event ...

 if urlCmd = '~login' then
    if conn.request.user = '' then
      begin // issue a login dialog
      getPage('unauthorized', data);
      if loginRealm > '' then conn.reply.realm:=loginRealm;
      exit;
      end
    else
      begin
      runEventScript('logged');   //mars 2010
      conn.reply.mode:=HRM_REDIRECT;
      conn.reply.url:=first(getAccountRedirect(), url);
      exit;
      end;

used as follows:

[+logged]
{.add to log| user %user% is %event%.}
{.if|{.=|%user%|rejetto.}|{:{.disconnect.}:}.}

when using the url http://......./~login   , the user can login , but he is immediately disconnected and has to change browser to re-connect him, because the name and the password are stored by the browser and reused for the login page.

[Mars]

After one good night of rest and more pushed tries, it is possible with the current versions, to add simply one line in the event to obtain the action proposed by rejetto

[+request]
{.add to log| user %user% is request.}
{.if|{.=|%user%|rejetto.}|{:{.disconnect.}:}.}

[rejetto]

Are you saying this is possible? or yet to be added?  I don't see %user% working in events here.

oh, you are right. the user is provided with the request, so HFS doesn't know user at connection-time.
that will be [+request] instead of [+connected]

the event script suggested by mars should be ok.
having several usernames would be easy by using {.switch.} instead of {.=.}