[stunnel-users] Identification Propagation patch using stunnel client certificates
Christophe Nanteuil
christophe.nanteuil at gmail.com
Fri Jan 9 11:54:20 CET 2009
Hello,
NB : this patch is provided as alpha version : it handles only 1
request at a time for each administrative and ident servers.
Why to use this patch ?
This patch can be useful when :
- you provide access to Internet via your stunnel server and when your
legislation enforces you to keep logs of who connected where and when.
In this case, you will have Squid logs filled with identification of
stunnel clients in a very simple way : nothing to ask to the client as
it uses automatically its certificate to fill in the identity fields.
- you want to implement several profile access for your clients
accessing your web proxy/server : as the proxy will ask ident request
to stunnel, you can create filter groups to allow / denied access
(with redirection to a page that you can customize) depending on
stunnel answer : see filtergroups option of DansGuardian or acl
options in squid.
Patch to version : 4.26
Type : new feature
Description : Identification Propagation using stunnel client certificates
The patch proposes to extend the identification propagation provided
by the directive 'EXEC=' to directive 'CONNECT='
when using client certificates. With EXEC directive, Subject name and
Issuer Name of clients are put in environment variables, which allows
the program to determine identity of the stunnel client. This patch
adds an ident server functionality to stunnel, compliant with RFC
1413, to allow propagation of identification to remote hosts specified
by the service directive 'CONNECT='.
Additionnaly, this patch provides an admnistrative server "bound" to
the Ident server : on the administrative socket (default port
127.0.0.1:790), you can request number of users currently connected
and list them.
How to use this patch ?
You just have to add a 'identServer=yes' directive to services that
you want to propagate identification.
For example, you can use this patch when connecting to a DansGuardian
web proxy (installed on proxy.example.com) with the option authplugin
= '/etc/dansguardian/
authplugins/ident.conf' enabled in the configuration file (or when
connecting to a Squid web proxy compiled with --enable-ident-lookups
option), and the following stunnel configuration file (located in
/etc/ssl/stunnel/stunnel-ident.conf) :
...
[WEB]
accept=8080
connect=proxy.example.com:8080
identServer=yes
...
Stunnel will create a listening socket on 0.0.0.0:113 and answer
requests initiated by DansGuardian.
--
Christophe Nanteuil
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel-identprop-0.21a.patch
Type: text/x-patch
Size: 37816 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20090109/d0b27936/attachment.bin>
More information about the stunnel-users
mailing list