0.4.4 - Web interface through SSL using stunnel.

HaveBlue
Newbie
Posts: 4
Joined: September 10th, 2008, 1:38 am

0.4.4 - Web interface through SSL using stunnel.

Post by HaveBlue »

Hi,

I'm trying to get the web interface to work through stunnel so as to secure it with SSL. The reason is I want to use it when I'm away from home. The thing is: I got it to work with the following stunnel config:

Code:

; cherrypy https entry for SABnzbd
; disabled because of missing trailing slash option in cherrypy
[cherrypy]
accept  = 0.0.0.0:<portnumber>
connect = <internal IP>:8080
TIMEOUTclose = 0
As you may have guessed from the comments however, I had to disable it because it does not work flawlessly. Problem is that when you navigate from the 'home' tab to, let's say, the 'queue' it falls back to unencrypted HTTP, which for security reasons is not let through by my router. Reason is that the trailing slash in the hyperlinks of all pages except the 'home' tab is missing. The browser (FF 3.1 on OSX and Windows Vista) comes up with a 'Connection refused' error.

I know that one possibility is to 'hide' SABnzbd behind Apache 2. However, this is to be used as a last resort because I don't want to install Apache solely for this purpose.

I know of the existence of a 'module' or built-in tool called 'tools.trailing_slash' in Cherrypy (http://www.cherrypy.org/wiki/BuiltinToo ... ling_slash) which could solve this problem. However, I cannot find anything in the SABnzbd or underlying directories which lets me configure this option in Cherrypy.

Is there anyone out there who got the web interface to work with stunnel properly? Any help would be greatly appreciated.
Last edited by HaveBlue on September 24th, 2008, 1:10 am, edited 1 time in total.
switch
Moderator
Posts: 1380
Joined: January 17th, 2008, 3:55 pm
Location: UK

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by switch »

I don't think that cherrypy tool/filter exists in the version of cherrypy we use (version 2). The issue with no trailing spaces in the default theme can be changed; I'll file a ticket to fix it for the next version.

Try using another skin such as smpl/plush (select in config>general).
shoo
Release Testers
Posts: 17
Joined: September 18th, 2008, 4:45 pm
Location: UK

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by shoo »

I think you could edit your inc_top.tmpl file to put those slashes where you need them. I just tested that on mine and it seems to work just fine over the LAN. I'm afraid I don't use stunnel (yet) so I can't say for sure it works over SSL.
shypike
Administrator
Posts: 19774
Joined: January 18th, 2008, 12:49 pm

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by shypike »

Fixed for the coming 0.4.5 and 0.5.0, in the sense that I added trailing slashes to all 's.

I find it very curious that it fails without the slashes.
Sounds like a browser problem to me.
shoo
Release Testers
Posts: 17
Joined: September 18th, 2008, 4:45 pm
Location: UK

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by shoo »

Although only slightly related, there is a description of what's happening here; hope it feeds your curiosity :)

http://www.nabble.com/Using-stunnel-%2B ... 99711.html
shypike
Administrator
Posts: 19774
Joined: January 18th, 2008, 12:49 pm

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by shypike »

I still don't understand it, and I'm not sure I'm that curious  ;D

But if this little fix solves the stunnel problem, I'm happy!
HaveBlue
Newbie
Posts: 4
Joined: September 10th, 2008, 1:38 am

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by HaveBlue »

shypike wrote: Fixed for the coming 0.4.5 and 0.5.0, in the sense that I added trailing slashes to all 's.

I find it very curious that it fails without the slashes.
Sounds like a browser problem to me.
Thanks a million, shypike. If it works I'll contribute with a multi-platform how-to on how to use SABnzbd along with stunnel/SSL.
switch
Moderator
Posts: 1380
Joined: January 17th, 2008, 3:55 pm
Location: UK

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by switch »

I want to test that all the required changes were made. How do I set up stunnel?

Tried:

Code:

[cherrypy]
accept  = localhost:8182
connect = localhost:8080
TIMEOUTclose = 0
And connecting to https://localhost:8182/sabnzbd/

Code:

[cherrypy]
accept  = 0.0.0.0:8182
connect = 192.168.1.40:8080
TIMEOUTclose = 0
And connecting to https://localhost:8182/sabnzbd/ and https://192.168.1.40:8182/sabnzbd/

Code:

[cherrypy]
accept  = 8182
connect = 8080
TIMEOUTclose = 0
And connecting to https://localhost:8182/sabnzbd/ and https://192.168.1.40:8182/sabnzbd/

However I just get this message:

Code:

Connection Interrupted

The document contains no data        

The network link was interrupted while negotiating a connection. Please try again.
Last edited by switch on September 23rd, 2008, 4:08 pm, edited 1 time in total.
shoo
Release Testers
Posts: 17
Joined: September 18th, 2008, 4:45 pm
Location: UK

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by shoo »

If that is the stunnel conf file, I think you might need to change your [cherrypy] header to [https].

Code:

[https]
accept  = 443
connect = 8080
TIMEOUTclose = 0
Mine looks like this and seems to work fine with https://myserver/sabnzbd/, haven't tested it from the net yet but will try from work tomorrow.

Edit, just tested renaming the header, makes no difference...
Last edited by shoo on September 23rd, 2008, 5:00 pm, edited 1 time in total.
switch
Moderator
Posts: 1380
Joined: January 17th, 2008, 3:55 pm
Location: UK

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by switch »

Same thing :( Not sure what is happening, but I give up on this PC, will try on another:

Code:

2008.09.23 23:01:52 LOG5[6264:524]: https accepted connection from 127.0.0.1:2890
2008.09.23 23:01:52 LOG5[6264:524]: https connected remote server from 127.0.0.1:2891
2008.09.23 23:01:52 LOG3[6264:524]: SSL_connect: Peer suddenly disconnected
2008.09.23 23:01:52 LOG5[6264:524]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
EDIT: A full re-install seems to have fixed things.
Last edited by switch on September 23rd, 2008, 5:37 pm, edited 1 time in total.
switch
Moderator
Posts: 1380
Joined: January 17th, 2008, 3:55 pm
Location: UK

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by switch »

It's going to need some further work it seems.

When navigating to https://billspc/sabnzbd/queue/resume/ we do an internal redirect back to https://billspc/sabnzbd/queue/ which breaks things when tunnelling over SSL. This practice is used a lot over sabnzbd, and I'm not sure if it will be easily changeable.
HaveBlue
Newbie
Posts: 4
Joined: September 10th, 2008, 1:38 am

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by HaveBlue »

switch wrote: I want to test that all the required changes were made, how do I setup stunnel?

Strange. Adding 0.0.0.0 to the accept parameter fixed the "Connection Interrupted" error for me. Do you by any chance have a build which fixes the trailing slash? I'd be happy to test it for you.
Last edited by HaveBlue on September 24th, 2008, 4:42 am, edited 1 time in total.
switch
Moderator
Posts: 1380
Joined: January 17th, 2008, 3:55 pm
Location: UK

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by switch »

Looking into it a bit further, the cherrypy version we use uses a hard-coded 'http' in its redirect system which will turn the https address into a http address anytime a redirect is done. Since we use the redirect quite a bit internally in sabnzbd there is no easy way to get past this.

In short, you will either have to use Apache, or wait until we upgrade to a higher cherrypy version that supports https.
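
The downgrade described in the post above (an absolute redirect with a hard-coded 'http' scheme, sent from behind the stunnel listener) can be corrected at the application boundary. The following is an added example, not code from this thread, SABnzbd or CherryPy: a generic WSGI middleware that rewrites same-host http:// Location headers to https://. The names HttpsRedirectFixer, legacy_app and redirect_target and the sample app are assumptions constructed for illustration, and it presumes the application can be wrapped as a WSGI app.

```python
from urllib.parse import urlsplit


class HttpsRedirectFixer:
    """WSGI middleware (hypothetical name): rewrite same-host absolute
    'http://' redirects to 'https://' for an app behind a TLS tunnel."""

    def __init__(self, app, public_host):
        self.app = app
        self.public_host = public_host.lower()  # host[:port] browsers use over TLS

    def __call__(self, environ, start_response):
        def fixed_start(status, headers, exc_info=None):
            headers = [(k, self.fix(v) if k.lower() == "location" else v)
                       for k, v in headers]
            return start_response(status, headers, exc_info)
        return self.app(environ, fixed_start)

    def fix(self, location):
        parts = urlsplit(location)
        # Relative and already-https redirects do not change the scheme.
        if parts.scheme != "http":
            return location
        # Redirects to other hosts are left exactly as the app sent them.
        if parts.netloc.lower() != self.public_host:
            return location
        return parts._replace(scheme="https").geturl()


def legacy_app(environ, start_response):
    """Constructed stand-in for the behaviour described in the thread: an
    action URL answers with an absolute redirect whose scheme is 'http'."""
    if environ["PATH_INFO"] == "/sabnzbd/queue/resume/":
        target = "http://%s/sabnzbd/queue/" % environ["HTTP_HOST"]
        start_response("302 Found", [("Location", target)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"queue"]


def redirect_target(app, path, host="billspc"):
    """Call a WSGI app once; return the Location header it sends, or None."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen.update((k.lower(), v) for k, v in headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "HTTP_HOST": host}
    b"".join(app(environ, start_response))
    return seen.get("location")
```

Wrapping only corrects the Location header; absolute http:// links inside page bodies would still need fixing in the templates.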
HaveBlue
Newbie
Posts: 4
Joined: September 10th, 2008, 1:38 am

Re: 0.4.4 - Web interface through SSL using stunnel.

Post by HaveBlue »

switch wrote: Looking into it a bit further, the cherrypy version we use uses a hard-coded 'http' in its redirect system which will turn the https address into a http address anytime a redirect is done. Since we use the redirect quite a bit internally in sabnzbd there is no easy way to get past this.

In short, you will either have to use Apache, or wait until we upgrade to a higher cherrypy version that supports https.
Bummer, but thanks for the effort. I'll use the proven method of dropping the NZB in the watch folder over SFTP until then. As far as I can recall, Cherrypy 3 has native support for SSL/https. Is Cherrypy 3 going to be part of the feature list for 0.5.0? Yes it is :)

Edit: To all whom it may concern: the SMPL skin does not seem to redirect to different pages, thus it does not break the SSL connection. I got SABnzbd to work quite decently with SSL with this skin. Only major thing is that when you add an NZB through 'home'>'add file' it still breaks the SSL connection. If you use another transport mechanism such as an email filter or SFTP to drop the NZB in the watch folder it is quite a feasible solution until 0.5.0 is released.
Last edited by HaveBlue on September 24th, 2008, 1:52 pm, edited 1 time in total.