I've successfully deployed stunnel4 to wrap rsync for transferring data between remote sites and a central repository. The issue I'm running into is that some of these sites mandate use of a proxy (HTTP or SOCKS5 usually) for outbound network connections. It seems like there is some proxy support in stunnel with the protocol{Host,Authentication,etc} configuration options, but I have had zero luck getting them to work. For example, I've tried making a simple SOCKS5 proxy using ssh that I'm successfully able to send HTTP traffic over:
ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a public interface
then in the client stunnel.conf:
[rsync]
protocol = connect
protocolHost = proxy-host:1080
accept = 127.0.0.1:873
connect = rsync-destination:443
Keep in mind this is an already-working stunnel - the only difference is the addition of the protocol and protocolHost lines above. When I run stunnel in the foreground with that configuration change, I get the following error trying to run rsync:
$ rsync -v dev.inst.kvpdata rsync://localhost/putdata/
rsync: read error: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(605) [sender=2.6.9]
And no log messages appear in stunnel's stderr whatsoever.
What am I doing wrong? I get identical results using an HTTP proxy with squid, instead of the socks5 proxy.
Thanks, please let me know if there's any more information I should include to help with figuring this out.
Alex Gottschalk
Alex Gottschalk wrote:
I've successfully deployed stunnel4 to wrap rsync for transferring data between remote sites and a central repository. The issue I'm running into is that some of these sites mandate use of a proxy (HTTP or SOCKS5 usually) for outbound network connections. It seems like there is some proxy support in stunnel with the protocol{Host,Authentication,etc} configuration options, but I have had zero luck getting them to work. For example, I've tried making a simple SOCKS5 proxy using ssh that I'm successfully able to send HTTP traffic over:
ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a public interface
There is no SOCKS proxy support in stunnel.
[rsync]
protocol = connect
protocolHost = proxy-host:1080
accept = 127.0.0.1:873
connect = rsync-destination:443
You have reversed "protocolHost" and "connect" values. "connect" is the host *stunnel* connects to, while "protocolHost" is the final destination requested from this host. It may be unintuitive compared to other services (like web browsers), but for stunnel, proxy support is a part of SSL protocol negotiations rather than a separate feature.
From the fine manual of stunnel:
connect = address
connect to a remote address
If no host is specified, the host defaults to localhost.
Multiple connect options are allowed in a single service section.
If host resolves to multiple addresses and/or if multiple connect options are specified, then the remote address is chosen using a round-robin algorithm.
protocolHost = host:port
destination address for protocol negotiations
Mike
-----Original Message-----
From: stunnel-users-bounces@stunnel.org [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Michal Trojnara
Sent: Friday, February 08, 2013 2:25 AM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Stunnel over a separate proxy?
Alex Gottschalk wrote:
I've successfully deployed stunnel4 to wrap rsync for transferring data between remote sites and a central repository. The issue I'm running into is that some of these sites mandate use of a proxy (HTTP or SOCKS5 usually) for outbound network connections. It seems like there is some proxy support in stunnel with the protocol{Host,Authentication,etc} configuration options, but I have had zero luck getting them to work. For example, I've tried making a simple SOCKS5 proxy using ssh that I'm successfully able to send HTTP traffic over:
ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a public interface
There is no SOCKS proxy support in stunnel.
You can send stunnel over a socks proxy using socat easily enough, and this works on both Windows and Linux.
[rsync]
protocol = connect
protocolHost = proxy-host:1080
accept = 127.0.0.1:873
connect = rsync-destination:443
You have reversed "protocolHost" and "connect" values. "connect" is the host *stunnel* connects to, while "protocolHost" is the final destination requested from this host. It may be unintuitive compared to other services (like web browsers), but for stunnel, proxy support is a part of SSL protocol negotiations rather than a separate feature.
From the fine manual of stunnel:
connect = address
connect to a remote address
If no host is specified, the host defaults to localhost.
Multiple connect options are allowed in a single service section.
If host resolves to multiple addresses and/or if multiple connect options are specified, then the remote address is chosen using a round-robin algorithm.
protocolHost = host:port
destination address for protocol negotiations
Mike
ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a public interface
There is no SOCKS proxy support in stunnel.
You can send stunnel over a socks proxy using socat easily enough, and this works on both Windows and Linux.
Ah, that's good information - thanks!
--Alex
socat -lf z:\socat.log -d -d tcp4-listen:<local-port>,fork socks4a:localhost:<remote-IP>:<remote-port>,socksport=9050
In Windows this command at the prompt of a machine with socat installed would make socat listen for tcp4 data on <local-port>, which it then sends to localhost, but which you can replace with any IP, where the socks proxy is running and accepting data on port 9050, for instance; it then sends the data to <remote-IP> and <remote-port>. The part at the beginning of this command ( -lf z:\socat.log -d -d ) causes a log file to be created at directory location z:\socat.log, but you can change the location of course, and adding more of the "-d", plus space, adds levels of verbosity to the log. I hope this helps you. The current stable version of socat accepts socks 4 and 4a, but there is a newer beta version that is supposed to accept socks 5, though I have not used it yet.
I use socat with great success, but every so often I have to restart the program once or twice initially. After that is done, it stays connected well, at least in my experience it remains quite stable. It is an amazing program.
-----Original Message-----
From: Alex Gottschalk [mailto:agottschalk@pacificbiosciences.com]
Sent: Monday, February 11, 2013 11:49 AM
To: John A. Wallace; 'Michal Trojnara'; stunnel-users@stunnel.org
Subject: RE: [stunnel-users] Stunnel over a separate proxy?
ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a public interface
There is no SOCKS proxy support in stunnel.
You can send stunnel over a socks proxy using socat easily enough, and this works on both Windows and Linux.
Ah, that's good information - thanks!
--Alex
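An added example, not from the thread or from the stunnel or socat projects, that puts the two points of this thread into a script: Michal's orientation rule (connect = the proxy stunnel itself dials, protocolHost = the final destination named in the CONNECT request), and John's socat hop for sites that only offer a SOCKS proxy, where stunnel connects to a local socat listener instead. It also checks a config against the mandated proxy address and flags the swapped values from the original post. Assumed values that are not on the page: squid listening on proxy-host:3128, socat listening on 127.0.0.1:8873, and client = yes in the [rsync] section; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the thread. Generates stunnel client configs for
# the two proxy paths discussed and checks the connect/protocolHost orientation.
# Assumed values (not on the page): squid on proxy-host:3128, socat listening on
# 127.0.0.1:8873, client = yes in the [rsync] section.

# HTTP CONNECT path. stunnel dials "connect" (the proxy) and sends
# "CONNECT <protocolHost>" to it, so the proxy goes in connect and the
# final stunnel server goes in protocolHost.
stunnel_http_connect_conf() {
  proxy="$1"   # host:port of the HTTP CONNECT proxy (e.g. squid)
  dest="$2"    # host:port of the remote stunnel/rsync endpoint
  cat <<EOF
[rsync]
client = yes
accept = 127.0.0.1:873
protocol = connect
connect = ${proxy}
protocolHost = ${dest}
; for a proxy that requires credentials:
; protocolAuthentication = basic
; protocolUsername = user
; protocolPassword = secret
EOF
}

# SOCKS path. stunnel has no SOCKS client, so socat does that hop and stunnel
# connects to socat's local listener; no protocol lines are needed here.
# socat address syntax as in John's command: socks4a:<socks-server>:<target>:<port>.
socat_socks_cmd() {
  local_port="$1"; socks_host="$2"; socks_port="$3"; dest="$4"; dest_port="$5"
  printf 'socat -d -d tcp4-listen:%s,bind=127.0.0.1,reuseaddr,fork socks4a:%s:%s:%s,socksport=%s\n' \
    "$local_port" "$socks_host" "$dest" "$dest_port" "$socks_port"
}

stunnel_via_socat_conf() {
  local_port="$1"
  cat <<EOF
[rsync]
client = yes
accept = 127.0.0.1:873
connect = 127.0.0.1:${local_port}
EOF
}

# Orientation check: given the proxy address the site mandates, report whether
# a config points stunnel's own TCP connection at the proxy ("ok"), has the two
# values swapped as in the thread's original config ("reversed"), or neither.
check_connect_orientation() {
  proxy="$1"; conf="$2"
  connect=$(printf '%s\n' "$conf" | sed -n 's/^connect *= *//p' | head -n 1)
  phost=$(printf '%s\n' "$conf" | sed -n 's/^protocolHost *= *//p' | head -n 1)
  if [ "$connect" = "$proxy" ]; then
    echo ok
  elif [ "$phost" = "$proxy" ]; then
    echo reversed
  else
    echo unknown
  fi
}

# The config from the original post, kept verbatim for the check below.
ORIGINAL_CONF='[rsync]
protocol = connect
protocolHost = proxy-host:1080
accept = 127.0.0.1:873
connect = rsync-destination:443'

# Demonstration.
echo "original post:  $(check_connect_orientation proxy-host:1080 "$ORIGINAL_CONF")"   # reversed
FIXED=$(stunnel_http_connect_conf proxy-host:3128 rsync-destination:443)
echo "corrected:      $(check_connect_orientation proxy-host:3128 "$FIXED")"           # ok
socat_socks_cmd 8873 localhost 9050 rsync-destination 443
stunnel_via_socat_conf 8873
```

With the swapped values, stunnel opens its TCP connection to rsync-destination:443 and issues the CONNECT request there, so the mandated proxy is never used; the check makes that visible before the tunnel is started. On the SOCKS path the proxy-facing hop is socat's, so stunnel's section carries only the local connect line, and the TLS session still terminates at the remote stunnel server rather than at the proxy.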