2016-01-14 16:51 GMT+08:00 Michal Trojnara Michal.Trojnara@stunnel.org:
Hi Hongyi,
My hint:
$ curl -s http://localhost:3000/
Cannot GET /
$ curl -s -H 'Host: coolaj86.com' http://localhost:3000/
Thanks a lot, I still have some issues:
1- Why must we use the -H 'Host: coolaj86.com' option in this command to get the correct result?
2- If I want to use internet explorer, such as firefox/chrome, to open the corresponding url, i.e., http://localhost:3000/, how should I do it?
3- There are 3 certificates given by the owner of the website https://coolaj86.com/. They are all stored here:
https://gist.github.com/coolaj86/327cee3eee6fc119b389/
Just as you can see, the 3 certificates are named as follows:
cert.pem chain.pem root.pem
What's the relationship between the above 3 certificates?
And the first certificate, i.e., the cert.pem, is the one used for the website https://coolaj86.com/.
So, I just want to know why we must use root.pem in stunnel's conf file.
Regards
<!DOCTYPE html>
<html lang="en"> <head> <meta charset="utf-8"> <title>AJ ONeal</title> ...
Best regards, Mike
On 14.01.2016 05:51, Hongyi Zhao wrote:
Hi all,
Based on the descriptions on the following webpage:
http://plug.org/pipermail/plug/2015-August/033939.html
I do the following testing:
1- Compile and install the latest stunnel, i.e., stunnel-5.29.
2- Obtain the root cert:
wget -q https://gist.githubusercontent.com/coolaj86/327cee3eee6fc119b389/raw/root.pem -O /tmp/root.pem
3- Prepare the following config file for stunnel:
pid = /tmp/stunnel-tlsvpn.pid
client = yes
verify = 1
foreground = yes

[tlsvpn]
accept = localhost:3000
sni = coolaj86.com
connect = coolaj86.com:443
CAfile = /tmp/root.pem
4- Starting the stunnel:
$ stunnel ./stunnel-tlsvpn.conf
5- Testing:
At this moment, I use the firefox to open the following url:
But firefox will only give the following line in its window:
Cannot GET /
Any hints on this issue?
Regards
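Question 3 above (how cert.pem, chain.pem and root.pem relate, and why root.pem is the file that belongs in stunnel's CAfile) is not answered later in the thread. As an added illustration, not code from the thread, from the gist, or from stunnel, the following Python drives the openssl command-line tool to build a throwaway chain with the same three-file layout: the root signs the intermediate, the intermediate signs the leaf. It then runs openssl verify the way a TLS client in stunnel's position does: the server presents cert.pem plus chain.pem in the handshake, and the client itself needs only the trust anchor, root.pem. All subject names are hypothetical and the key material is generated on the fly.

```python
"""Added example (not from the thread): build root.pem / chain.pem / cert.pem
with openssl and show which file a TLS client needs as its trust anchor."""
import os
import subprocess
import tempfile

# Hypothetical subjects; the real site's certificate subjects are not on the page.
ROOT_SUBJ = "/CN=Example Root CA"
INT_SUBJ = "/CN=Example Intermediate CA"
LEAF_NAME = "coolaj86.com"  # server name from the thread, used only as a SAN here

CA_EXT = "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n"
LEAF_EXT = f"basicConstraints=CA:FALSE\nsubjectAltName=DNS:{LEAF_NAME}\n"


def _openssl(workdir, *args):
    """Run one openssl command inside workdir; raise if it fails."""
    subprocess.run(["openssl", *args], cwd=workdir, check=True, capture_output=True)


def _csr(workdir, name, subj):
    """Fresh RSA key plus a certificate request for the given subject."""
    _openssl(workdir, "req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-keyout", f"{name}.key", "-out", f"{name}.csr", "-subj", subj)


def build_chain(workdir):
    """root.pem: self-signed anchor; chain.pem: intermediate signed by root;
    cert.pem: leaf for LEAF_NAME signed by the intermediate."""
    for fname, text in (("ca.ext", CA_EXT), ("leaf.ext", LEAF_EXT)):
        with open(os.path.join(workdir, fname), "w") as f:
            f.write(text)
    _csr(workdir, "root", ROOT_SUBJ)
    _openssl(workdir, "x509", "-req", "-in", "root.csr", "-signkey", "root.key",
             "-out", "root.pem", "-days", "30", "-extfile", "ca.ext")
    _csr(workdir, "chain", INT_SUBJ)
    _openssl(workdir, "x509", "-req", "-in", "chain.csr", "-CA", "root.pem",
             "-CAkey", "root.key", "-CAcreateserial", "-out", "chain.pem",
             "-days", "30", "-extfile", "ca.ext")
    _csr(workdir, "cert", f"/CN={LEAF_NAME}")
    _openssl(workdir, "x509", "-req", "-in", "cert.csr", "-CA", "chain.pem",
             "-CAkey", "chain.key", "-CAcreateserial", "-out", "cert.pem",
             "-days", "30", "-extfile", "leaf.ext")


def verifies(workdir, cafile, untrusted=None):
    """True if cert.pem chains to a trust anchor in cafile. `untrusted` plays
    the role of the intermediate the server sends during the TLS handshake."""
    args = ["verify", "-CAfile", cafile]
    if untrusted:
        args += ["-untrusted", untrusted]
    args.append("cert.pem")
    proc = subprocess.run(["openssl", *args], cwd=workdir, capture_output=True)
    return proc.returncode == 0


def demo_chain():
    """Build the chain once and report three verification outcomes."""
    with tempfile.TemporaryDirectory() as workdir:
        build_chain(workdir)
        return {
            # stunnel's situation: CAfile=root.pem, the server supplies chain.pem
            "root_anchor_with_chain": verifies(workdir, "root.pem", "chain.pem"),
            # root alone and no intermediate from the server: chain cannot be built
            "root_anchor_no_chain": verifies(workdir, "root.pem"),
            # the leaf is not self-signed, so it is not a trust anchor by itself
            "leaf_as_anchor": verifies(workdir, "cert.pem"),
        }


if __name__ == "__main__":
    for label, ok in demo_chain().items():
        print(f"{label}: {'OK' if ok else 'FAILED'}")
```

Only the first case succeeds, which is the layout the thread ends up with: root.pem as CAfile on the stunnel client, cert.pem and chain.pem served by the remote end.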
On 14.01.2016 14:34, Hongyi Zhao wrote:
1- Why must we use the -H 'Host: coolaj86.com' option in this command to get the correct result?
https://en.wikipedia.org/wiki/Virtual_hosting#Name-based
2- If I want to use internet explorer, such as firefox/chrome, to open the corresponding url, i.e., http://localhost:3000/, how should I do it?
Here are various ways depending on which parts of your infrastructure are under your control:
1. Your client machines need to connect (what they believe is) coolaj86.com to send this specific host name in the headers. You can achieve it with DNS or /etc/hosts (or equivalent) file.
2. You can rewrite HTTP headers with another software (stunnel won't do it for you).
3. You can reconfigure coolaj86.com to accept "localhost" as the host name for virtual server coolaj86.com.
Mike
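Mike's pointer to name-based virtual hosting is the whole answer to question 1: stunnel's `sni = coolaj86.com` tells the TLS layer which certificate to use, but the web server behind it picks the site from the HTTP Host header, and stunnel passes that header through untouched. The following added example, written for this edit and not code from the thread or from stunnel, reproduces the two curl results offline with a mock name-based vhost server in Python; the server, the page body and the port are constructed stand-ins for coolaj86.com and for stunnel's plaintext side on localhost:3000.

```python
"""Added example (not from the thread): a minimal name-based virtual host,
so the two curl results from the hint can be reproduced offline."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SERVED_NAME = "coolaj86.com"  # the only virtual host this mock knows about
# Constructed stand-in for the real page; only the title is taken from the thread.
PAGE = b'<!DOCTYPE html>\n<html lang="en"><head><title>AJ ONeal</title></head></html>\n'
NOT_FOUND = b"Cannot GET /"


class VHostHandler(BaseHTTPRequestHandler):
    """Route on the HTTP Host header, the way a name-based vhost server does."""

    def do_GET(self):
        # Strip any :port suffix; curl sends "localhost:3000" when no -H is given.
        host = self.headers.get("Host", "").split(":", 1)[0].lower()
        if host == SERVED_NAME:
            status, body = 200, PAGE
        else:
            status, body = 404, NOT_FOUND
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_vhost():
    """Bind the mock on a free loopback port and serve it in the background."""
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, host_header=None):
    """GET / on the local port. With host_header=None the client sends its
    default Host (127.0.0.1:port), which is what plain curl does too."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Host": host_header} if host_header else {}
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8")
    conn.close()
    return resp.status, body


def demo_vhost():
    """Run both requests from the hint against the mock and return the results."""
    server = start_vhost()
    try:
        port = server.server_address[1]
        return {
            "no_host": fetch(port),                 # curl -s http://localhost:3000/
            "with_host": fetch(port, SERVED_NAME),  # curl -s -H 'Host: coolaj86.com' ...
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, (status, body) in demo_vhost().items():
        print(f"{label}: HTTP {status} {body.strip()!r}")
```

The first request gets "Cannot GET /" purely because the Host header names a site the server does not serve; nothing about the TLS tunnel changes between the two requests, which is why stunnel alone cannot fix the browser case.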
2016-01-14 22:17 GMT+08:00 Michal Trojnara Michal.Trojnara@stunnel.org:
On 14.01.2016 14:34, Hongyi Zhao wrote:
1- Why must we use the -H 'Host: coolaj86.com' option in this command to get the correct result?
https://en.wikipedia.org/wiki/Virtual_hosting#Name-based
2- If I want to use internet explorer, such as firefox/chrome, to open the corresponding url, i.e., http://localhost:3000/, how should I do it?
Here are various ways depending on which parts of your infrastructure are under your control:
- Your client machines need to connect (what they believe is) coolaj86.com to send this specific host name in the headers. You can achieve it with DNS or /etc/hosts (or equivalent) file.
I've tried adding the following two lines to the /etc/hosts file:
67.166.110.237 www.coolaj86.com
67.166.110.237 coolaj86.com
But still the issue exists when I use firefox to open http://localhost:3000/.
I'm not sure whether I've understood your above explanations correctly or not.
Regards
- You can rewrite HTTP headers with another software (stunnel won't do it for you).
- You can reconfigure coolaj86.com to accept "localhost" as the host name for virtual server coolaj86.com.
Mike
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
On Thu, 2016-01-14 22:41:41 +0800, Hongyi Zhao wrote:
[..]
I've tried adding the following two lines to the /etc/hosts file:
67.166.110.237 www.coolaj86.com
67.166.110.237 coolaj86.com
But still the issue exists when I use firefox to open http://localhost:3000/.
Hongyi,
you have to convince firefox to use 127.0.0.1 as the IP address and coolaj86.com as the host for the HTTP requests.
127.0.0.1 is the IP address your stunnel daemon listens on, and coolaj86.com is needed by the remote server to select the right virtual host.
Try to change your /etc/hosts to read
127.0.0.1 coolaj86.com
and stunnel-tlsvpn.conf to read
connect = 67.166.110.237:443
Then, use http://coolaj86.com:3000 in firefox.
HTH,
Ludolf
P.S.: As your signature is English, I suppose it is for European/ American/Oceanian eyes and your name is given in the European order (family name last). Hongyi is your given name then. My apologies if this is wrong.
2016-01-15 0:45 GMT+08:00 Ludolf Holzheid lholzheid@bihl-wiedemann.de:
On Thu, 2016-01-14 22:41:41 +0800, Hongyi Zhao wrote:
[..]
I've tried adding the following two lines to the /etc/hosts file:
67.166.110.237 www.coolaj86.com
67.166.110.237 coolaj86.com
But still the issue exists when I use firefox to open http://localhost:3000/.
Hongyi,
you have to convince firefox to use 127.0.0.1 as the IP address and coolaj86.com as the host for the HTTP requests.
127.0.0.1 is the IP address your stunnel daemon listens on, and coolaj86.com is needed by the remote server to select the right virtual host.
Try to change your /etc/hosts to read
127.0.0.1 coolaj86.com
Added this to the /etc/hosts file.
and stunnel-tlsvpn.conf to read
connect = 67.166.110.237:443
Based on your above notes, I use the following settings in stunnel-tlsvpn.conf:
$ grep -Ev '^[ ]*(#|;|$)' stunnel-tlsvpn.conf
client = yes
verify = 1
foreground = yes
[tlsvpn]
accept = 127.0.0.1:3000
sni = coolaj86.com
connect = 67.166.110.237:443
CAfile = ./root.pem
Then, use http://coolaj86.com:3000 in firefox.
But still, firefox failed with the above url, the error is as follows:
Secure Connection Failed
The connection to coolaj86.com:3000 was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
How should I solve this issue?
Thanks again.
HTH,
Ludolf
P.S.: As your signature is English, I suppose it is for European/ American/Oceanian eyes and your name is given in the European order (family name last). Hongyi is your given name then. My apologies if this is wrong.
No, I'm from China. Thanks for help again.
Regards
--
Ludolf Holzheid
Bihl+Wiedemann GmbH Floßwörthstraße 41 68199 Mannheim, Germany
Tel: +49 621 33996-0 Fax: +49 621 3392239
mailto:lholzheid@bihl-wiedemann.de http://www.bihl-wiedemann.de
Registered office: Mannheim. Managing directors: Jochen Bihl, Bernhard Wiedemann. Amtsgericht Mannheim, HRB 5796
On Fri, 2016-01-15 08:35:05 +0800, Hongyi Zhao wrote:
[..]
But still, firefox failed with the above url, the error is as follows:
Secure Connection Failed
The connection to coolaj86.com:3000 was interrupted while the page was loading.
The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
Zhao,
For some reason, firefox does not use the stunnel but tries to connect coolaj86.com directly. It looks as if the entry in the host file is not effective. (You might check who replies to 'ping coolaj86.com'.)
[..]
P.S.: As your signature is English, I suppose it is for European/ American/Oceanian eyes and your name is given in the European order (family name last). Hongyi is your given name then. My apologies if this is wrong.
No, I'm from China. Thanks for help again.
I know you're from China, that's why I was uncertain about the order of names. Some people from East Asia swap their names if they write them using the Latin script, others don't, so I didn't know how you want to be called.
Ludolf
2016-01-15 18:04 GMT+08:00 Ludolf Holzheid lholzheid@bihl-wiedemann.de:
On Fri, 2016-01-15 08:35:05 +0800, Hongyi Zhao wrote:
[..]
But still, firefox failed with the above url, the error is as follows:
Secure Connection Failed
The connection to coolaj86.com:3000 was interrupted while the page was loading.
The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
Zhao,
Yes, you're right, this is my surname.
For some reason, firefox does not use the stunnel but tries to connect coolaj86.com directly. It looks as if the entry in the host file is not effective. (You might check who replies to 'ping coolaj86.com'.)
1- If I do not insert the following line into /etc/hosts:
127.0.0.1 coolaj86.com
$ ping coolaj86.com
PING coolaj86.com (67.166.110.237) 56(84) bytes of data.
64 bytes from c-67-166-110-237.hsd1.ut.comcast.net (67.166.110.237): icmp_seq=1 ttl=44 time=261 ms
64 bytes from c-67-166-110-237.hsd1.ut.comcast.net (67.166.110.237): icmp_seq=2 ttl=44 time=259 ms
64 bytes from c-67-166-110-237.hsd1.ut.comcast.net (67.166.110.237): icmp_seq=3 ttl=44 time=257 ms
^C
--- coolaj86.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 257.055/259.227/261.534/1.923 ms
2- If I insert the above line into /etc/hosts:
$ ping coolaj86.com
PING coolaj86.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.077 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.067 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.050 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.071 ms
64 bytes from localhost (127.0.0.1): icmp_seq=5 ttl=64 time=0.052 ms
64 bytes from localhost (127.0.0.1): icmp_seq=6 ttl=64 time=0.073 ms
64 bytes from localhost (127.0.0.1): icmp_seq=7 ttl=64 time=0.060 ms
64 bytes from localhost (127.0.0.1): icmp_seq=8 ttl=64 time=0.122 ms
^C
--- coolaj86.com ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7000ms
rtt min/avg/max/mdev = 0.050/0.071/0.122/0.022 ms
Regards
[..]
P.S.: As your signature is English, I suppose it is for European/ American/Oceanian eyes and your name is given in the European order (family name last). Hongyi is your given name then. My apologies if this is wrong.
No, I'm from China. Thanks for help again.
I know you're from China, that's why I was uncertain about the order of names. Some people from East Asia swap their names if they write them using the Latin script, others don't, so I didn't know how you want to be called.
Zhao is my surname, and Hongyi is my name.
Regards
Ludolf