Thank you so much for stunnel. This program is amazing!!!!
In Windows, I'd like to move SSL processing out of Apache and into stunnel.
Is there a way for Apache to know the client's ip address?
- In Windows, "transparent" mode is unavailable
- "xforwardedfor" is for smtp and not https connections
- "protocol = proxy" is for Haproxy only?
Brian
On 2012-10-10 17:04, Brian McGinity wrote:
Thank you so much for stunnel. This program is amazing!!!!
Thank you.
- In Windows, “transparent” mode is unavailable
Correct. Transparent mode requires kernel-mode support.
- “xforwardedfor” is for smtp and not https connections
It's currently not supported. AFAIK there are 3rd party patches for https.
- “protocol = proxy” is for Haproxy only?
I don't think it's currently implemented outside HAProxy/stunnel. https://www.varnish-cache.org/trac/wiki/Future_Protocols
It should be fairly easy to add proxy protocol support to Apache.
Why don't you just use mod_ssl? A dedicated solution will most likely be more suitable for HTTP than universal stunnel.
Mike
Michal,
Thanks for your reply. I've been using Stunnel for client/server database connection encryption, outgoing gmail and https connections from within the Oracle database. Stunnel is working so well and the program is actively maintained, so this is one program I trust.
I really, really, really want to pull SSL out of Apache for performance reasons and also for maintenance issues. I am running Oracle's HTTP Server which is really just Apache with Oracle's modifications. So the way Oracle implements SSL is through their Wallet mechanism. Anytime I upgrade the DB or renew an SSL cert, it's cumbersome and I always feel like I will drop the website for a lengthy period of time or have so much trouble it won't come back online.
Putting the SSL in Stunnel is so much cleaner. It is faster (as I've already tested it), and the management and maintenance issues go away. It's a win-win situation.
I like the idea so much, I am counting the costs associated with Apache not knowing the IP address. I'm not sure if I can do it as the data is somewhat sensitive and the IP log is pretty necessary.
I am also considering running Nginx to offload SSL. I'm not sure how nicely Windows plays with Nginx.
Can Stunnel create a cgi environment variable or modify the request header so the client ip address could be known inside Apache?
Brian
-----Original Message-----
From: Michal Trojnara [mailto:Michal.Trojnara@mirt.net]
Sent: Wednesday, October 10, 2012 2:08 PM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] SSL proxy in Windows - IP Address Issue
On 2012-10-11 16:21, Brian McGinity wrote:
Thanks for your reply. I've been using Stunnel for client/server database connection encryption, outgoing gmail and https connections from within the Oracle database. Stunnel is working so well and the program is actively maintained, so this is one program I trust.
Thank you.
I really, really, really want to pull SSL out of Apache for performance reasons and also for maintenance issues. I am running Oracle's HTTP Server which is really just Apache with Oracle's modifications. So the way Oracle implements SSL is through their Wallet mechanism. Anytime I upgrade the DB or renew an SSL cert, it's cumbersome and I always feel like I will drop the website for a lengthy period of time or have so much trouble it won't come back online.
I see. If you use the closed-source Oracle webserver on a Windows server, I can see no easy way to get transparent proxy with stunnel running on the same machine.
Fortunately there is another possibility: you can set up a stunnel gateway (or a cluster of stunnel gateways) on a separate machine running one of the platforms that support transparent proxy (e.g. Linux). Your Windows box must have your Linux box configured as its default gateway. The Linux box needs to be configured with the "transparent = source" option.
Putting the SSL in Stunnel is so much cleaner. It is faster (as I've already tested it), and the management and maintenance issues go away. It's a win-win situation.
Cool. Feel free to share your benchmarks with the mailing list.
I like the idea so much, I am counting the costs associated with Apache not knowing the IP address. I'm not sure if I can do it as the data is somewhat sensitive and the IP log is pretty necessary.
I just found an alternative solution. You could configure your Apache to log the remote port with a "%a:%{remote}p" LogFormat string: https://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats , and then rewrite the Apache log based on the stunnel log.
Can Stunnel create a cgi environment variable or modify the request header so the client ip address could be known inside Apache?
You can't pass an environment variable through a TCP connection. Adding a request header would require stunnel to implement HTTP protocol. There are some quick&dirty hacks for this (x-forwarded-for patch you mentioned), but they only support basic HTTP/1.0. I refuse to include such code upstream.
Mike
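The "stunnel gateway on a separate Linux box" layout from the reply above, written out as a stunnel.conf. This is an added example and not configuration from the thread or from the stunnel project; the address 192.0.2.10 (the Windows box running Oracle HTTP Server on port 80), the certificate path and the log path are assumptions. "transparent = source" makes stunnel connect to the backend using the real client's source address, which is why the Windows box must route its replies back through this host; the accompanying kernel policy-routing rules (iptables mangle marking and an "ip rule"/"ip route ... table" pair) are documented in the stunnel manual and are not reproduced here.

```ini
; /etc/stunnel/stunnel.conf on the Linux gateway (added example, assumed paths)
debug = 5
output = /var/log/stunnel.log

[https]
; TLS is terminated here; the plaintext HTTP connection to the Windows box
; carries the original client's IP as its source address.
accept = 443
connect = 192.0.2.10:80
cert = /etc/stunnel/stunnel.pem
transparent = source
```

With this in place Apache sees the real client address in %a and needs no log post-processing; the trade-off is that every reply from the Windows box must leave via the Linux gateway, so the gateway becomes part of the data path for all web traffic, not only for the TLS handshake.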
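The log-rewriting workaround suggested above (Apache logging "%a:%{remote}p", then joining against the stunnel log) carried through as a script. This is an added example, not code from the thread or from stunnel. It assumes Apache uses LogFormat "%a:%{remote}p %l %u %t \"%r\" %>s %b", so the first field is 127.0.0.1 plus the ephemeral source port of the connection stunnel opened to Apache, and that stunnel runs at debug = 5 or higher and logs, per connection, an "accepted connection from <client>" line and a "connected remote server from <local addr:port>" line tagged with the same [pid:thread] id. The exact wording of stunnel's log lines varies between versions, so the regular expressions may need adjusting; both log excerpts below are constructed for the example. Because ephemeral ports are reused, the join is done by port and time (latest stunnel connection on that port at or before the request, with a small clock-skew allowance), not by port alone.

```python
"""Rewrite Apache's client field using stunnel's own connection log.

Added example, not part of the mailing-list thread or of stunnel.
Assumptions (not from the thread): Apache and stunnel run on the same
Windows box, share its local clock, and stunnel's log uses the two
message forms matched by STUNNEL_RE below.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: stunnel log at debug = 5. Note that local port 49152
# is reused five minutes later by a different client.
STUNNEL_LOG = """\
2012.10.10 17:04:10 LOG5[3120:3396]: Service [https] accepted connection from 203.0.113.5:51234
2012.10.10 17:04:10 LOG5[3120:3396]: Service [https] connected remote server from 127.0.0.1:49152
2012.10.10 17:04:11 LOG5[3120:3404]: Service [https] accepted connection from 198.51.100.77:40001
2012.10.10 17:04:11 LOG5[3120:3404]: Service [https] connected remote server from 127.0.0.1:49153
2012.10.10 17:09:30 LOG5[3120:3412]: Service [https] accepted connection from 192.0.2.9:60000
2012.10.10 17:09:30 LOG5[3120:3412]: Service [https] connected remote server from 127.0.0.1:49152
"""

# Constructed sample: Apache access log written with
#   LogFormat "%a:%{remote}p %l %u %t \"%r\" %>s %b" stunnel
# The last line is a plain-HTTP request that never went through stunnel.
APACHE_LOG = """\
127.0.0.1:49152 - - [10/Oct/2012:17:04:10 +0200] "GET /index.html HTTP/1.1" 200 512
127.0.0.1:49153 - - [10/Oct/2012:17:04:12 +0200] "POST /login HTTP/1.1" 302 -
127.0.0.1:49152 - - [10/Oct/2012:17:09:31 +0200] "GET /report HTTP/1.1" 200 2048
127.0.0.1:49999 - - [10/Oct/2012:17:10:00 +0200] "GET /direct HTTP/1.1" 200 10
"""

STUNNEL_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) LOG\d\[(?P<tag>[^\]]+)\]: "
    r"Service \[\w+\] (?P<event>accepted connection from|connected remote server from) "
    r"(?P<addr>[\d.]+):(?P<port>\d+)$")
APACHE_RE = re.compile(
    r"^(?P<addr>[\d.]+):(?P<port>\d+) (?P<rest>\S+ \S+ \[(?P<ts>[^\]]+)\] .*)$")

# Apache may stamp a request slightly before stunnel flushes its log line.
CLOCK_SLACK = timedelta(seconds=2)


def parse_stunnel_log(text):
    """Return [(connect_time, local_source_port, client_ip), ...]."""
    pending = {}   # [pid:thread] tag -> client IP of the accepted TLS connection
    entries = []
    for line in text.splitlines():
        m = STUNNEL_RE.match(line)
        if not m:
            continue
        if m["event"].startswith("accepted"):
            pending[m["tag"]] = m["addr"]
        else:
            client = pending.pop(m["tag"], None)   # pair with the same tag's accept
            if client is not None:
                ts = datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S")
                entries.append((ts, int(m["port"]), client))
    return entries


def resolve_client(entries, port, when):
    """Latest stunnel connection on `port` not later than `when` (+ slack)."""
    best = None
    for ts, p, client in entries:
        if p == port and ts <= when + CLOCK_SLACK and (best is None or ts > best[0]):
            best = (ts, client)
    return best[1] if best else None


def rewrite_apache_log(apache_text, stunnel_text):
    """Replace '127.0.0.1:port' with the real client IP; count lines left as-is."""
    entries = parse_stunnel_log(stunnel_text)
    out, unmatched = [], 0
    for line in apache_text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            out.append(line)
            continue
        # Timezone offset dropped: both logs are assumed to be in local time.
        when = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        client = resolve_client(entries, int(m["port"]), when)
        if client is None:
            unmatched += 1          # direct HTTP, or stunnel log rotated away
            out.append(line)
        else:
            out.append(f"{client} {m['rest']}")
    return out, unmatched


if __name__ == "__main__":
    lines, skipped = rewrite_apache_log(APACHE_LOG, STUNNEL_LOG)
    print("\n".join(lines))
    print(f"# {skipped} line(s) left unchanged")
```

Lines that cannot be matched are left untouched rather than guessed, so a plain-HTTP request or a gap in the stunnel log is visible in the output instead of being silently attributed to the wrong client. The port-plus-time join is the part that matters for the "IP log is pretty necessary" requirement: joining on the port alone would assign the 17:09:31 request on port 49152 to the earlier client.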