How to use stunnel as an HTTPS to HTTPS reverse proxy

I'd like Stunnel to act as a reverse proxy that accepts TLS 1.0 and TLS 1.2 for https://example.com and then forwards the traffic to https://example.net, another web server that only accepts TLS 1.2:

browser --TLS 1.0 or 1.2--> Stunnel --TLS 1.2--> Web App

The browser should have no idea that example.net even exists (only the example.com certificate will be presented to the browser). Is this something Stunnel can do?

This is what I got so far:

cert = example.com.pem ;stunnel.pem

[proxy1]
client = yes
accept = 10.100.4.179:443
connect = localhost:54323
CAfile = sca.server1.crt.pem
;verify = 2

[proxy2]
client = no
accept = localhost:54323
connect = example.net:443
;CAfile = SymantecClass3EVSSLCA-G3.pem

example.com.pem contains the public and decrypted private key for example.com; sca.server1.crt.pem contains the intermediate and root certificates of the CA that issued the example.com.pem certificate.

It partially works: the browser shows example.com in the address bar and the content of example.net, but the certificate that is returned is from example.net.

What am I doing wrong? Or do you have other recommendations to get something like this working on Windows Server 2008 R2? (IIS + Application Request Routing + URL Rewrite won't work: TLS 1.2 is not properly supported)

Thank you
Claudio

Hi Claudio,

What happens if you try client = no for proxy1 and client = yes for proxy2?

Regards,
José
On 23 Feb 2016, at 12:13, Claudio Beretta <claudio.beretta@helloinnovation.com> wrote:
Thank you
Claudio

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
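The swap José suggests is the whole fix, and the original symptom follows from what client= means: client = yes tells stunnel to accept plaintext and connect outward with TLS, client = no (the default) to accept TLS and connect outward in plaintext. With client = yes on the public listener, stunnel never terminates the browser's TLS; the browser's own handshake is wrapped in a second TLS layer to proxy2, unwrapped there, and delivered to example.net:443, so the browser really negotiates with example.net (its certificate, and no TLS 1.0 to 1.2 upgrade). The check below is an added example, not code from the thread or from the stunnel project: it parses stunnel's config syntax (global options before the first section, ';' comments), follows the accept/connect chain from the public port and reports these mistakes, plus the point José's swap leaves open, namely that the outbound hop to example.net is not authenticated unless proxy2 also gets CAfile and verify = 2. The three configs are constructed from the thread's values; backend-ca.pem is a placeholder file name I assume for the CA that issued example.net's certificate.

```python
"""Static check of an stunnel reverse-proxy chain (added example, not from the thread)."""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    opts: dict = field(default_factory=dict)

    def get(self, key, default=None):
        return self.opts.get(key.lower(), default)

    @property
    def is_client(self):
        # client = yes: accept plaintext, connect with TLS.
        # client = no (default): accept TLS, connect with plaintext.
        return self.get("client", "no").lower() == "yes"


def parse_stunnel_conf(text):
    """stunnel syntax: global options may precede the first [section], ';' starts
    a comment, options are 'key = value'. Global options are inherited by every
    service unless the service overrides them."""
    global_opts, services, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = Service(line[1:-1].strip())
            services.append(current)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"unparseable stunnel option: {raw!r}")
        (current.opts if current else global_opts)[key.strip().lower()] = value.strip()
    for svc in services:
        svc.opts = {**global_opts, **svc.opts}
    return services


def chain_from(services, public_accept):
    """Follow connect -> accept hops inside this stunnel instance starting at the
    public listener (exact host:port matching; bare-port forms are not normalised)."""
    by_accept = {s.get("accept"): s for s in services}
    chain, svc, seen = [], by_accept.get(public_accept), set()
    while svc is not None and svc.name not in seen:
        seen.add(svc.name)
        chain.append(svc)
        svc = by_accept.get(svc.get("connect"))
    return chain


def audit_reverse_proxy(text, public_accept):
    """Findings for a 'terminate TLS with our cert, re-encrypt to the backend' chain.
    An empty list means the browser sees our certificate, the backend hop is TLS,
    and the backend's certificate is verified against CAfile."""
    chain = chain_from(parse_stunnel_conf(text), public_accept)
    if not chain:
        return [f"no service accepts on {public_accept}"]
    front, back = chain[0], chain[-1]
    findings = []
    if front.is_client:
        findings.append(f"{front.name}: client = yes on the public listener, so stunnel "
                        "does not terminate the browser's TLS; the browser's handshake "
                        "is tunnelled through and it sees the backend's certificate")
    elif not front.get("cert"):
        findings.append(f"{front.name}: terminates TLS but has no cert to present")
    if not back.is_client:
        findings.append(f"{back.name}: client = no on the backend hop, so traffic to "
                        f"{back.get('connect')} leaves stunnel in plaintext")
    elif back.get("verify", "0") in ("0", "1") or not back.get("cafile"):
        # verify = 2 requires a chain to a CA in CAfile; 0 disables checking and
        # 1 only checks a certificate if the peer happens to send one.
        findings.append(f"{back.name}: backend certificate is not verified "
                        "(set verify = 2 and CAfile for the backend's CA)")
    return findings


# Constructed from the thread: the original configuration, client= the wrong way round.
PAGE_CONF = """
cert = example.com.pem ;stunnel.pem
[proxy1]
client = yes
accept = 10.100.4.179:443
connect = localhost:54323
CAfile = sca.server1.crt.pem
;verify = 2
[proxy2]
client = no
accept = localhost:54323
connect = example.net:443
;CAfile = SymantecClass3EVSSLCA-G3.pem
"""
# José's fix: only the two client= values swapped.
SWAPPED_CONF = (PAGE_CONF.replace("client = yes", "client = X")
                .replace("client = no", "client = yes").replace("client = X", "client = no"))
# Swapped, plus verification of example.net on the outbound hop (backend-ca.pem is a placeholder).
HARDENED_CONF = SWAPPED_CONF.replace(";CAfile = SymantecClass3EVSSLCA-G3.pem",
                                     "CAfile = backend-ca.pem\nverify = 2")

if __name__ == "__main__":
    for label, conf in (("page", PAGE_CONF), ("swapped", SWAPPED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_reverse_proxy(conf, "10.100.4.179:443") or ["ok"])
```

Running it reports two findings for the thread's config (TLS not terminated on the public port, plaintext on the backend hop), one for the plain swap (unverified backend), and none once CAfile and verify = 2 are added to proxy2.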

José, that did the trick! Thank you

On Thu, Feb 25, 2016 at 12:07 AM, Josealf.rm <josealf@rocketmail.com> wrote:

Claudio,

Sure, it works. Is it clear for you why? :)

On Thursday, February 25, 2016 11:18 AM, Claudio Beretta <claudio.beretta@helloinnovation.com> wrote:

Yeah, now it's obvious why it works :) I got part of the (wrong) solution from another place, and later I guess I didn't understand the explanation for the "client" option in the manual.

Thanks again

On Thu, Feb 25, 2016 at 12:03 PM, Jose Alf. <josealf@rocketmail.com> wrote: