Michal,
Thanks for your reply. I've been using Stunnel for client/server database connection encryption, outgoing gmail and https connections from within the Oracle database. Stunnel is working so well and the program is actively maintained, so this is one program I trust.
I really, really, really want to pull SSL out of Apache for performance reasons and also for maintenance issues. I am running Oracle's HTTP Server, which is really just Apache with Oracle's modifications, so the way Oracle implements SSL is through their Wallet mechanism. Any time I upgrade the DB or renew an SSL cert, it's cumbersome, and I always feel like I will drop the website for a lengthy period of time or have so much trouble it won't come back online.
Putting the SSL in Stunnel is so much cleaner. It is faster (as I've already tested it), and the management and maintenance issues go away. It's a win-win situation.
I like the idea so much that I am counting the costs associated with Apache not knowing the IP address. I'm not sure if I can do it, as the data is somewhat sensitive and the IP log is pretty necessary.
I am also considering running Nginx to offload SSL. I'm not sure how nicely Windows plays with Nginx.
Can Stunnel create a CGI environment variable or modify the request header so the client IP address could be known inside Apache?
Brian
-----Original Message-----
From: Michal Trojnara [mailto:Michal.Trojnara@mirt.net]
Sent: Wednesday, October 10, 2012 2:08 PM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] SSL proxy in Windows - IP Address Issue
On 2012-10-10 17:04, Brian McGinity wrote:
> Thank you so much for stunnel. This program is amazing!!!!
Thank you.
> - In Windows, "transparent" mode is unavailable
Correct. Transparent mode requires kernel-mode support.
> - "xforwardedfor" is for smtp and not https connections
It's currently not supported. AFAIK there are 3rd party patches for https.
> - "protocol = proxy" is for Haproxy only?
I don't think it's currently implemented outside HAProxy/stunnel. https://www.varnish-cache.org/trac/wiki/Future_Protocols
It should be fairly easy to add proxy protocol support to Apache.
Why don't you just use mod_ssl? A dedicated solution will most likely be more suitable for HTTP than universal stunnel.
Mike
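On the "protocol = proxy" point raised in the quoted reply: with `protocol = proxy` in the service section that forwards to the web server, stunnel writes one HAProxy PROXY protocol v1 text line (for example `PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\n`) ahead of the decrypted stream, so the backend learns the original client address by parsing a single line before the HTTP request. The Python below is an added example of that receiving side; it is not code from stunnel, Apache, Oracle HTTP Server or anyone on this thread. It parses the v1 line as a backend listener would have to, rejects malformed headers, and honours the header only when the TCP peer is a known stunnel instance (assumed here to be 127.0.0.1), because a backend that trusts a PROXY line from any peer lets whoever can reach its port pick the address that lands in the access log. The sample bytes are constructed for the example.

```python
"""Receiving side of the HAProxy PROXY protocol v1 line that stunnel's
``protocol = proxy`` prepends to each backend connection.

Added example, not code from stunnel, Apache or the mailing-list thread.
Assumed: stunnel runs on the same host (127.0.0.1) and the backend port is
otherwise unreachable, so only that peer is trusted to assert a client IP.
"""
import ipaddress
from typing import Iterable, NamedTuple, Optional, Tuple

# A v1 header is at most 107 bytes including the trailing CRLF.
MAX_V1_HEADER = 107


class ProxyHeaderError(ValueError):
    """Raised when the PROXY line is missing or malformed; the caller
    should drop the connection rather than guess the client address."""


class ProxyInfo(NamedTuple):
    family: str               # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[str]     # original client address, None for UNKNOWN
    src_port: Optional[int]
    dst_ip: Optional[str]     # address the client connected to (stunnel's)
    dst_port: Optional[int]


def _port(field: bytes) -> int:
    # Decimal, unsigned, no leading zeros, 0..65535 (as the v1 spec requires).
    if not field.isdigit() or (len(field) > 1 and field[:1] == b"0"):
        raise ProxyHeaderError("bad port %r" % field)
    port = int(field)
    if port > 65535:
        raise ProxyHeaderError("port out of range: %d" % port)
    return port


def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Split `data` into the parsed PROXY line and the bytes that follow it
    (the start of the real HTTP request)."""
    end = data[:MAX_V1_HEADER].find(b"\r\n")
    if end == -1:
        raise ProxyHeaderError("no PROXY line terminated within %d bytes" % MAX_V1_HEADER)
    fields = data[:end].split(b" ")
    rest = data[end + 2:]
    if len(fields) < 2 or fields[0] != b"PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    family = fields[1]
    if family == b"UNKNOWN":
        # Sender could not determine the addresses; anything up to CRLF is ignored.
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if family not in (b"TCP4", b"TCP6") or len(fields) != 6:
        raise ProxyHeaderError("malformed PROXY line: %r" % data[:end])
    try:
        src_ip = ipaddress.ip_address(fields[2].decode("ascii"))
        dst_ip = ipaddress.ip_address(fields[3].decode("ascii"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ProxyHeaderError("bad address: %s" % exc)
    want = 4 if family == b"TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ProxyHeaderError("address family does not match %s" % family.decode())
    info = ProxyInfo(family.decode(), str(src_ip), _port(fields[4]),
                     str(dst_ip), _port(fields[5]))
    return info, rest


def is_well_formed(data: bytes) -> bool:
    """True if `data` starts with a valid PROXY v1 line."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False


def client_address(peer_ip: str, data: bytes,
                   trusted_proxies: Iterable[str]) -> Tuple[str, bytes]:
    """Decide which address to log for a freshly accepted connection.

    The PROXY line is honoured only when the TCP peer is a trusted stunnel
    instance; bytes from any other peer are treated as ordinary request data,
    since otherwise anyone who can reach the backend port could choose the
    IP that ends up in the access log.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_ip) not in trusted:
        return peer_ip, data
    info, rest = parse_proxy_v1(data)
    if info.family == "UNKNOWN":
        return peer_ip, rest       # fall back to the proxy's own address
    return info.src_ip, rest


if __name__ == "__main__":
    # Constructed sample: what the backend sees after stunnel's TLS termination.
    sample = (b"PROXY TCP4 203.0.113.7 192.0.2.10 51234 443\r\n"
              b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n")
    print(client_address("127.0.0.1", sample, ["127.0.0.1"]))
```

The same trust rule applies to any X-Forwarded-For scheme: the header is only as good as your certainty about who inserted it, so the backend must be reachable only from the proxy (or must check the peer address, as above). For anyone reading this today rather than in 2012, Apache httpd 2.4.31 and later ships this receiver in mod_remoteip (`RemoteIPProxyProtocol On`, with `RemoteIPProxyProtocolExceptions` to limit which peers may send it), so the "add proxy protocol support to Apache" step no longer needs a patch; the module then fills the client address that `%a` and CGI's REMOTE_ADDR report.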