[stunnel-users] Feature request - verify fall-back

Brian Hatch bri at stunnel.org
Thu May 8 21:53:32 CEST 2008


Roughly around 2008-05-07 15:34 -0400, Sudhaker Raj mentioned:

> I wish to use stunnel for the following use case (to create a
> highly-protected website which can be accessed only using a valid
> client-cert).
> 
> gateway.example.com:443 -> public.example.com:80 (when client-cert
> verification fails)
> gateway.example.com:443 -> intranet.example.com:80 (when client-cert
> verification ok - normally hidden from public)
> 
...
> I guess it will be a nice addition to stunnel's feature list.


I disagree.  I don't think it's a good idea to add to Stunnel.

This is application layer logic you want, essentially.  Your best
bet would be to use SSL in apache/webserver of choice directly.
Then you can place the verification constraint in the configuration
and configure the webserver to serve up selected pages if and only
if a cert has been used via normal apache 'require' ACLs.

Alternatively this could be configured with apache as a reverse
proxy using mod_proxy in front of two different back end webservers
(public and intranet in your example above) if you really want
distinct webservers for each.

-- 
Brian Hatch                  "I think that we missed something.
   Systems and                We should have called it 'Licensed
   Security Engineer          Software Delivery', not 'Electronic.'"
http://www.ifokr.org/bri/    --Bruce

Every message PGP signed
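The reverse-proxy arrangement Brian describes, as an added example that is not part of the thread or of the stunnel project's own documentation: one Apache 2.4 virtual host terminates TLS on gateway.example.com:443, asks for a client certificate, and uses mod_rewrite's proxy flag to send verified clients to intranet.example.com and everyone else to public.example.com. The two backend hostnames come from the quoted message; the certificate and CA paths, the log path and the server name are assumptions chosen for the example.

```apache
# Assumed to be loaded: mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http
<VirtualHost *:443>
    ServerName gateway.example.com

    SSLEngine on
    # Assumed paths: the gateway's own server certificate and key
    SSLCertificateFile    /etc/ssl/gateway/server.crt
    SSLCertificateKeyFile /etc/ssl/gateway/server.key

    # Ask for a client certificate but allow clients that present none.
    # With "optional" (not "optional_no_ca") a certificate that does not
    # chain to the CA below aborts the handshake instead of falling back,
    # so only "no certificate" and "valid certificate" reach the rules.
    SSLVerifyClient optional
    SSLVerifyDepth 2
    # Assumed path: the CA that issues client certificates
    SSLCACertificateFile /etc/ssl/gateway/client-ca.crt

    # Never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    RewriteEngine On
    # Clients whose certificate verified go to the normally hidden backend.
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
    RewriteRule ^/(.*)$ http://intranet.example.com/$1 [P,L]
    # Every other request (no certificate) is proxied to the public site.
    RewriteRule ^/(.*)$ http://public.example.com/$1 [P,L]

    # Rewrite Location headers from either backend back to the gateway.
    ProxyPassReverse / http://intranet.example.com/
    ProxyPassReverse / http://public.example.com/

    # Assumed log path; SSL_CLIENT_VERIFY is logged so routing can be audited.
    CustomLog /var/log/apache2/gateway-access.log "%h %t \"%r\" %>s %{SSL_CLIENT_VERIFY}x"
</VirtualHost>
```

The split only protects the intranet site if intranet.example.com:80 is reachable solely from the gateway (host firewall or network ACL); otherwise the "hidden" backend can be reached directly without any certificate. Logging SSL_CLIENT_VERIFY per request gives a simple check that no request routed to the intranet backend arrived without a SUCCESS verification result.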