Elodie,
With this kind of issue, tcpdump is your best friend.
Make sure your stunnel machine is configured as the default router for your webserver machine!
Mike
On Mon, 01 Aug 2011 13:00:23 +0200, Elodie BOSSIER wrote:
I have exactly the same error: http://comments.gmane.org/gmane.network.stunnel.user/5019 but with Apache
On 31/07/2011 21:01, Elodie BOSSIER wrote:
Me again ...
I can't find my problem and I'm starting to despair on my own ...
My stunnel works correctly with this config file:
# global options
pid = /stunnel.pid
debug = 7
output = /var/log/stunnel.log
options = NO_SSLv2
#transparent = source

# listening service; the two SNI sections below hang off it
[virtual]
accept = 443
cert = /usr/local/openssl/etc/CERTIFICATES/www.franceserv.fr_cert.cert
key = /usr/local/openssl/etc/PRIVATE_KEYS/www.franceserv.fr_key.pem
connect = www.franceserv.fr:80

[sni1]
sni = virtual:elodie.franceserv.com
cert = /etc/ssl-fsh/cert-elodie.franceserv.com.pem
key = /etc/ssl-fsh/key-franceserv.key
connect = elodie.franceserv.com:80

[sni2]
sni = virtual:befun.franceserv.com
cert = /etc/ssl-fsh/cert-befun.franceserv.com.pem
key = /etc/ssl-fsh/key-franceserv.key
connect = befun.franceserv.com:80
But the IP transmitted to my server is the stunnel IP and not that of the visitor behind their browser, and it doesn't work anymore when I take off the # to enable the transparent mode.
And these are my iptables rules:
# divert packets that match a local socket to the "lo" routing table
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
as is said in the manual, but nothing more ...
A friend has tested on their side and has the same problem.
Could someone tell me my error, please?
On 29/07/2011 03:25, Elodie BOSSIER wrote:
Back ...
I can't find the problem.
This is the log without transparent, when it works: http://pastebin.com/mjReyE8a, and with transparent, when it does not work: http://pastebin.com/ZGqRVXzF
Thanks so much ...
On 28/07/2011 12:25, Elodie BOSSIER wrote:
Greetings again,
Thanks so much for having updated the manual about SNI; my stunnel works correctly.
But I have a tiny problem: when I visit my webserver, $_SERVER['REMOTE_ADDR'] in PHP isn't the IP address of the visitor but the IP of the stunnel. I have read the manual about the transparent proxy and I don't succeed with the configuration.
This is my config file:
# global options
pid = /stunnel.pid
options = NO_SSLv2
transparent = source

# listening service; the two SNI sections below hang off it
[virtual]
accept = 443
cert = /usr/local/openssl/etc/CERTIFICATES/www.franceserv.fr_cert.cert
key = /usr/local/openssl/etc/PRIVATE_KEYS/www.franceserv.fr_key.pem
connect = www.franceserv.fr:80

[sni1]
sni = virtual:elodie.franceserv.com
cert = /etc/ssl-fsh/cert-elodie.franceserv.com.pem
key = /etc/ssl-fsh/key-franceserv.key
connect = elodie.franceserv.com:80

[sni2]
sni = virtual:befun.franceserv.com
cert = /etc/ssl-fsh/cert-befun.franceserv.com.pem
key = /etc/ssl-fsh/key-franceserv.key
connect = befun.franceserv.com:80
It doesn't work; I get a timeout in my browser.
With iptables, I have set this:
# divert packets that match a local socket to the "lo" routing table
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
My stunnel is on the server 192.168.0.20 and the webserver on 192.168.0.2
I am trying to follow the help at http://www.stunnel.org/static/stunnel.html#service_level_options with: transparent = none | source | destination | both (Unix only)
Could you tell me what I am doing wrong, please?
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
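A small linter for the SNI plus transparent-proxy configuration discussed in this thread, added here as an example and not part of the original messages or of stunnel itself. It parses the config into sections, checks that each `sni = parent:hostname` points at a service that actually listens, and, when `transparent = source` is on, flags every remote `connect` target, because with that mode stunnel connects from the visitor's IP and the target's replies only come back through stunnel if the stunnel host is the target's default route (Mike's point above). The embedded config is a constructed, abridged copy of the one posted; the check names and messages are the example's own.

```python
import configparser
# Constructed, abridged copy of the posted config (same paths and hostnames as the thread).
SAMPLE_CONF = """\
pid = /stunnel.pid
options = NO_SSLv2
transparent = source
[virtual]
accept = 443
cert = /usr/local/openssl/etc/CERTIFICATES/www.franceserv.fr_cert.cert
key = /usr/local/openssl/etc/PRIVATE_KEYS/www.franceserv.fr_key.pem
connect = www.franceserv.fr:80
[sni1]
sni = virtual:elodie.franceserv.com
cert = /etc/ssl-fsh/cert-elodie.franceserv.com.pem
key = /etc/ssl-fsh/key-franceserv.key
connect = elodie.franceserv.com:80
"""
VALID_TRANSPARENT = {"none", "source", "destination", "both"}  # modes listed in the manual

def parse_stunnel_conf(text):
    """Global options precede the first section; add a header so configparser accepts it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[global]\n" + text)
    services = {s: dict(cp[s]) for s in cp.sections() if s != "global"}
    return dict(cp["global"]), services

def lint(text):
    """Return a list of findings; an empty list means the config passed every check."""
    glob, services = parse_stunnel_conf(text)
    findings = []
    mode = glob.get("transparent", "none")
    if mode not in VALID_TRANSPARENT:
        findings.append(f"global: transparent={mode!r} is not a known mode")
    for name, svc in services.items():
        for key in ("cert", "key", "connect"):
            if key not in svc:
                findings.append(f"[{name}]: missing {key}")
        if "sni" in svc:
            # sni = <listening service>:<hostname the client presents in its ClientHello>
            parent, _, host = svc["sni"].partition(":")
            if not host or parent not in services or "accept" not in services[parent]:
                findings.append(f"[{name}]: sni {svc['sni']!r} does not name a listening service")
        # transparent=source connects from the visitor's IP: replies from a remote target
        # only reach stunnel if this host is that target's default route.
        if mode in ("source", "both") and "connect" in svc:
            target = svc["connect"].rsplit(":", 1)[0]
            if target not in ("127.0.0.1", "localhost"):
                findings.append(f"[{name}]: transparent={mode} to remote {target}: "
                                "its default route must point back to this host")
    return findings
```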