I'm so close to making this work, I can taste it. I also need some suggestions on how to fix the last hurdle.
My setup
10.0.0.10: IP of my web server
24.159.165.122: static IP of my Untangle server (router mode)
Untangle server port forwards: 443 to 10.0.0.10:10443, 80 to 10.0.0.10:80 (web server only listens on 443)
stunnel config file on the web server:

; server mode: accept TLS on 10443 (from the Untangle 443 forward), send plaintext to Untangle's public port 80
[https-terminate]
client = no
cert = /var/lib/stroot/cypherdog.com.pem
accept = 10.0.0.10:10443
connect = 24.159.165.122:80

; client mode: accept plaintext on 80 (from the Untangle 80 forward), re-encrypt to the web server's 443
[https-re-engage]
client = yes
accept = 10.0.0.10:80
connect = 10.0.0.10:443
What I'm trying to do is accept https traffic, decrypt it, pass it through untangle, then encrypt it back as it gets delivered to the https port of the web server.
This setup works in that I can point my browser at the https port of my untangle server and the web pages work properly.
What doesn't work is the untangle server shows no scanning activity when I access the web pages. I think the path webserver->untangle->webserver does not trigger the scanning in untangle because the traffic it sees is from an internal ip going to the same internal ip.
Is there a way to fix this, anyone?
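As an added example (not part of the thread and not the poster's own code), the script below transcribes the port forwards and the stunnel config from the post and traces one browser connection hop by hop. It shows which leg is cleartext, which legs actually cross Untangle, and what source address each receiver sees. The browser address 203.0.113.5 is made up; everything else comes from the setup above.

```python
"""Trace the path through the stunnel "terminate, hairpin through the router, re-encrypt" setup.

Added example, not from the original thread. The stunnel config and the port-forward table are
transcribed from the post; the client address 203.0.113.5 is a constructed example value.
"""
from dataclasses import dataclass
import re

STUNNEL_CONF = """\
[https-terminate]
client = no
cert = /var/lib/stroot/cypherdog.com.pem
accept = 10.0.0.10:10443
connect = 24.159.165.122:80

[https-re-engage]
client = yes
accept = 10.0.0.10:80
connect = 10.0.0.10:443
"""

# Untangle port forwards from the post: (public host, port) -> (internal host, port).
PORT_FORWARDS = {
    ("24.159.165.122", 443): ("10.0.0.10", 10443),
    ("24.159.165.122", 80): ("10.0.0.10", 80),
}
# The web server itself only listens on 443.
LISTENERS = {("10.0.0.10", 443)}


def parse_stunnel(text):
    """Minimal stunnel.conf parser: returns {service_name: {option: value}}."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # stunnel comments use '#' or ';'
        if not line:
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            services[current] = {}
        elif current is not None:  # options before the first section are global; not needed here
            key, _, value = line.partition("=")
            services[current][key.strip()] = value.strip()
    return services


def hostport(text):
    host, _, port = text.rpartition(":")
    return host, int(port)


@dataclass
class Leg:
    src: str              # address the receiving end sees as the client
    dst: tuple            # (host, port) the leg is sent to
    tls: bool             # encrypted on the wire?
    through_router: bool  # does this leg cross Untangle (the only place it could scan)?
    handler: str          # what receives the leg


def trace(client_ip, dst, services, forwards=PORT_FORWARDS, listeners=LISTENERS, max_legs=10):
    """Follow one client connection through DNAT and every stunnel service it hits."""
    legs, src, tls = [], client_ip, True  # the browser starts out speaking HTTPS
    for _ in range(max_legs):
        if dst in forwards:
            # DNAT on the router: destination rewritten, source preserved, payload untouched.
            inner = forwards[dst]
            legs.append(Leg(src, dst, tls, True, f"port forward to {inner[0]}:{inner[1]}"))
            dst = inner
        elif dst in listeners:
            legs.append(Leg(src, dst, tls, False, "web server"))
            return legs
        else:
            name = next((n for n, o in services.items() if hostport(o["accept"]) == dst), None)
            if name is None:
                raise ValueError(f"nothing listens on {dst[0]}:{dst[1]}")
            opts = services[name]
            server_mode = opts.get("client", "no").lower() != "yes"
            # client=no expects TLS on accept and sends plaintext; client=yes is the reverse.
            if tls != server_mode:
                raise ValueError(f"[{name}] expects {'TLS' if server_mode else 'plaintext'} on accept")
            legs.append(Leg(src, dst, tls, False, f"stunnel [{name}]"))
            # stunnel terminates the connection and opens a fresh one from its own address,
            # so the real client address is not carried to the next hop.
            src, tls, dst = dst[0], not server_mode, hostport(opts["connect"])
    raise RuntimeError("path did not terminate")


def plaintext_router_legs(legs):
    """Legs that cross Untangle unencrypted: the only traffic its content scanners could inspect."""
    return [leg for leg in legs if leg.through_router and not leg.tls]


if __name__ == "__main__":
    path = trace("203.0.113.5", ("24.159.165.122", 443), parse_stunnel(STUNNEL_CONF))
    for leg in path:
        state = "TLS" if leg.tls else "clear"
        print(f"{leg.src:>15} -> {leg.dst[0]}:{leg.dst[1]:<5} {state:5} {leg.handler}")
    for leg in plaintext_router_legs(path):
        print(f"router sees cleartext from {leg.src} to {leg.dst[0]}:{leg.dst[1]}")
```

The trace makes two things visible that the config alone hides: the only cleartext leg the router sees is a connection from 10.0.0.10 to its own public address on port 80 (a hairpin, not a flow from an outside client), and because each stunnel service opens a new connection from its own address, the web server records 10.0.0.10 as the client for every request, so its access logs and any per-IP limits lose the real source.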
On Mon, Feb 28, 2011 at 4:27 PM, Bing H Bang bingb@tcsaa.com wrote: [ ... ]
What I'm trying to do is accept https traffic, decrypt it, pass it through untangle, then encrypt it back as it gets delivered to the https port of the web server.
This setup works in that I can point my browser at the https port of my untangle server and the web pages work properly.
What doesn't work is the untangle server shows no scanning activity when I access the web pages. I think the path webserver->untangle->webserver does not trigger the scanning in untangle because the traffic it sees is from an internal ip going to the same internal ip.
Interesting. Can you put another Web server box outside of Untangle to decrypt the traffic, then pass it through as normal? That could help with performance as well. Or use a second network connection to pass the traffic back out to Untangle's external interface?
Also, do you find that stunnel is able to work reliably doing HTTPS in this way? My recollection is that there is some difficulty with redirects generated by the Web server, but perhaps something has changed.
Good luck!
-----Scott.
On 2/28/2011 10:36 PM, Scott Gifford wrote:
On Mon, Feb 28, 2011 at 4:27 PM, Bing H Bang <bingb@tcsaa.com> wrote: [ ... ]
What I'm trying to do is accept https traffic, decrypt it, pass it through untangle, then encrypt it back as it gets delivered to the https port of the web server. This setup works in that I can point my browser at the https port of my untangle server and the web pages work properly. What doesn't work is the untangle server shows no scanning activity when I access the web pages. I think the path webserver->untangle->webserver does not trigger the scanning in untangle because the traffic it sees is from an internal ip going to the same internal ip.
Interesting. Can you put another Web server box outside of Untangle to decrypt the traffic, then pass it through as normal? That could help with performance as well. Or use a second network connection to pass the traffic back out to Untangle's external interface?
I'd try that if I had another ip address. Also, putting a box in front of the firewall sounds dangerous.
Also, do you find that stunnel is able to work reliably doing HTTPS in this way? My recollection is that there is some difficulty with redirects generated by the Web server, but perhaps something has changed.
My website is currently pretty simple. Maybe I'll start seeing problems when the site gets going for real. Hope not!
Good luck!
-----Scott.
On Tue, Mar 1, 2011 at 2:21 AM, bing bingb@tcsaa.com wrote:
On 2/28/2011 10:36 PM, Scott Gifford wrote:
On Mon, Feb 28, 2011 at 4:27 PM,
[ ... ]
What doesn't work is the untangle server shows no scanning activity when I access the web pages. I think the path webserver->untangle->webserver does not trigger the scanning in untangle because the traffic it sees is from an internal ip going to the same internal ip.
Interesting. Can you put another Web server box outside of Untangle to decrypt the traffic, then pass it through as normal? That could help with performance as well. Or use a second network connection to pass the traffic back out to Untangle's external interface?
I'd try that if I had another ip address. Also, putting a box in front of the firewall sounds dangerous.
It's true there's some risk to this approach. You would want to be very careful in locking the box down, so nothing is exposed apart from the service you are offering. Fortunately Linux includes a quite powerful firewall tool, so it's pretty straightforward to do this. Keep in mind that Untangle itself is a Linux server, so with careful configuration you should be able to make your system at least as secure as that server.
Also, do you find that stunnel is able to work reliably doing HTTPS in this way? My recollection is that there is some difficulty with redirects generated by the Web server, but perhaps something has changed.
My website is currently pretty simple. Maybe I'll start seeing problems when the site gets going for real. Hope not!
The trick can be on redirects IIRC, so you might want to test these. Using a dedicated SSL server in front of a Web server is not uncommon, if it doesn't work I bet a bit of Web searching could turn up a workable solution.
Good luck!
-----Scott.
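As an added example (not from the thread, and not Untangle's or stunnel's own tooling), here is the kind of lockdown Scott describes for a dedicated TLS-terminating box placed in front of Untangle: default-deny in every direction, 443 in from the world, new connections out only to Untangle's public address on port 80, and nothing else. Untangle's address 24.159.165.122 is from the post; the interface name eth0 and the admin network 192.0.2.0/24 for SSH are assumptions to replace.

```sh
#!/bin/sh
# Added example, not from the thread: iptables policy for a dedicated TLS terminator
# sitting outside Untangle. Assumptions: public interface eth0, Untangle's public
# address 24.159.165.122 (from the post), admin SSH from the made-up 192.0.2.0/24.
UNTANGLE_IP=${UNTANGLE_IP:-24.159.165.122}
WAN_IF=${WAN_IF:-eth0}
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}

# Print the ruleset one command per line. Policies are set last so an existing
# admin session is not cut off while the allow rules are still being loaded.
terminator_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp -d $UNTANGLE_IP --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "tls-term drop: "
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# Dry run by default; pass --apply (as root) to load the rules.
if [ "${1:-}" = "--apply" ]; then
    terminator_rules | sh -e
else
    terminator_rules
fi
```

Run it without arguments first and read the output; the only inbound NEW connections allowed are 443 from anywhere and 22 from the admin network, and the only outbound NEW TCP connection is to Untangle's port 80, so a compromise of the terminator cannot reach anything else on its own.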