-----Original Message-----
From: stunnel-users-bounces@stunnel.org [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Michal Trojnara
Sent: Friday, February 08, 2013 2:25 AM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Stunnel over a separate proxy?

Alex Gottschalk wrote:
I've successfully deployed stunnel4 to wrap rsync for transferring data between remote sites and a central repository. The issue I'm running into is that some of these sites mandate use of a proxy (HTTP or SOCKS5 usually) for outbound network connections. It seems like there is some proxy support in stunnel with the protocol{Host,Authentication,etc} configuration options, but I have had zero luck getting them to work. For example, I've tried making a simple SOCKS5 proxy using ssh, that I'm successfully able to send HTTP traffic over:

ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a public interface
There is no SOCKS proxy support in stunnel.
You can send stunnel over a SOCKS proxy using socat easily enough, and this works on both Windows and Linux.

[rsync]
protocol = connect
protocolHost = proxy-host:1080
accept = 127.0.0.1:873
connect = rsync-destination:443

You have reversed "protocolHost" and "connect" values. "connect" is the host *stunnel* connects to while "protocolHost" is the final destination requested from this host. It may be unintuitive compared to other services (like web browsers), but for stunnel, proxy support is a part of SSL protocol negotiations rather than a separate feature.
From the fine manual of stunnel:

connect = address
    connect to a remote address

    If no host is specified, the host defaults to localhost. Multiple connect options are allowed in a single service section. If host resolves to multiple addresses and/or if multiple connect options are specified, then the remote address is chosen using a round-robin algorithm.

protocolHost = host:port
    destination address for protocol negotiations

Mike
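
The split between "connect" and "protocolHost" described above, as an added example that is not part of the original thread and is not stunnel's code: a generic HTTP CONNECT negotiation in Python, run against a constructed loopback stub proxy. The function names and the stub are hypothetical; the host names are the ones from the configuration in the thread.

```python
import socket
import threading

def read_headers(sock):
    """Read from sock until the blank line that ends an HTTP header block."""
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def http_connect(proxy_addr, destination, timeout=5.0):
    """TCP-connect to proxy_addr (the role of stunnel's "connect") and ask it
    to tunnel to destination (the role of "protocolHost")."""
    sock = socket.create_connection(proxy_addr, timeout=timeout)
    # The destination travels inside the negotiation, not in the TCP connect.
    request = f"CONNECT {destination} HTTP/1.1\r\nHost: {destination}\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    status_line = read_headers(sock).split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].startswith("2"):
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {status_line!r}")
    return sock  # only now would the TLS handshake start on this socket

def run_stub_proxy(allowed):
    """Constructed stand-in for an HTTP proxy: serves one client on loopback
    and records which target the client asked for."""
    srv = socket.create_server(("127.0.0.1", 0))
    addr = srv.getsockname()
    seen = []
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            target = read_headers(conn).split()[1].decode("ascii")
            seen.append(target)
            status = b"200 Connection established" if target == allowed else b"403 Forbidden"
            conn.sendall(b"HTTP/1.1 " + status + b"\r\n\r\n")
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return addr, seen, thread

if __name__ == "__main__":
    addr, seen, thread = run_stub_proxy(allowed="rsync-destination:443")
    http_connect(addr, "rsync-destination:443").close()
    thread.join(2)
    print("proxy was asked for:", seen)
```
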