On Fri, Dec 21, 2018 at 02:46:29AM +0100, Javier wrote:
On Fri, 21 Dec 2018 00:01:08 +0100 kovacs janos kovacsjanosfasz@gmail.com wrote:
Okay, so that means I should be able to connect to a website's server with only stunnel, and only its client side, even if I have to specify the destination IP of the server? I tried that and it didn't seem to work either. I wrote the website's IP address after 'connect', tried to open the website in the browser, and it wasn't working. But maybe I just did something wrong; thank you for the explanation though.
Hi,
Stunnel is not for web browsing through it.
We already gave you reasons and explanations why that won't work. Read them again.
Hm, there's no reason why stunnel would not work like that for a predetermined set of hosts with known addresses. I just set it up with a configuration section like this - but see below about me NOT recommending this way for servers that are not under your control:
[fbsd-www]
client = yes
accept = 127.0.0.1:80
connect = 96.47.72.84:443
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = wfe0.nyi.freebsd.org
...and I added "www.freebsd.org" to the list of hostnames for the 127.0.0.1 address in the system's hosts file (/etc/hosts on Unix-like operating systems, windows\System32\Drivers\etc\hosts on Windows). Then, when I ask for "http://www.freebsd.org/" (without HTTPS) in a browser or cURL or whatever, it gets the 127.0.0.1 address from the hosts file, connects to 127.0.0.1:80, then stunnel establishes a tunnel to the FreeBSD webserver's IP address, verifies its certificate, and lets the browser send its plaintext HTTP request there.
Of course, as I noted in the previous message, this will only let browsers connect through stunnel to hosts that have previously been defined in the stunnel configuration and in the hosts file. Also, since the hosts file takes over the resolving of the host name to IP address, it is your responsibility now to check whether www.freebsd.org changed its IP address; it is also your responsibility now to check whether the Common Name of the actual server also changed (wfe0.nyi.freebsd.org in this case) - chasing down DNS CNAME records can be... interesting sometimes.
All in all, I would have to say that I really do not recommend going down this road, especially for websites that are not under your control; this here was done merely as a proof of concept.
G'luck, Peter
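As an added example (not code from this thread or from the stunnel project), here is a small Python audit for the two maintenance duties Peter describes: checking that the hard-wired connect address is still one the public name resolves to, and that the server's certificate still carries the checkHost name. The configuration text is a constructed copy of Peter's section; parse_sections and audit work offline, while live_audit needs network access to the configured endpoint.

```python
import socket
import ssl

# Constructed copy of the section from the mail (same values as posted there).
STUNNEL_CONF = """[fbsd-www]
client = yes
accept = 127.0.0.1:80
connect = 96.47.72.84:443
verifyChain = yes
CApath = /etc/ssl/certs
checkHost = wfe0.nyi.freebsd.org
"""

def parse_sections(text: str) -> dict:
    """Parse stunnel's INI-style service sections into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def audit(section: dict, resolved_ips, cert_names) -> list:
    """Report the two drift conditions from the mail: 'connect' no longer among the
    addresses the public name resolves to, or 'checkHost' missing from the cert names."""
    problems = []
    ip = section["connect"].rpartition(":")[0]
    if ip not in set(resolved_ips):
        problems.append(f"connect={ip} not among resolved addresses {sorted(resolved_ips)}")
    expected = section["checkHost"].lower()
    if expected not in {n.lower() for n in cert_names}:
        problems.append(f"checkHost={expected} not in certificate names {sorted(cert_names)}")
    return problems

def live_audit(section: dict, public_name: str) -> list:
    """Network variant: resolve the public name and fetch the certificate from 'connect'."""
    ips = {ai[4][0] for ai in socket.getaddrinfo(public_name, None, proto=socket.IPPROTO_TCP)}
    ip, _, port = section["connect"].rpartition(":")
    ctx = ssl.create_default_context()  # chain is still verified against the system CAs
    ctx.check_hostname = False          # a name mismatch is reported by audit(), not raised
    with socket.create_connection((ip, int(port)), timeout=10) as sock, \
            ctx.wrap_socket(sock, server_hostname=section["checkHost"]) as tls:
        cert = tls.getpeercert()
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return audit(section, ips, names)
```

Running live_audit(parse_sections(STUNNEL_CONF)["fbsd-www"], "www.freebsd.org") from a cron job turns the "your responsibility now" items into an alert instead of a silent stale tunnel.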