[stunnel-users] Feature request: set environment variable for inetd-type program
Michael Renner
michael.renner at gmx.de
Sat Jan 24 19:39:47 CET 2009
On Friday 23 January 2009, Lund, Claus wrote:
> I'm not a developer on stunnel so my opinion doesn't carry much weight :-)
> But, to me, this seems a bit outside the scope of what's stunnel's main
> goal in life. Why not just have that authentication handled between the
> client and server programs using the tunnel stunnel provides? Or maybe I
> just don't quite get what you're trying to accomplish (a totally plausible
> option!).
Moin,
thanks for your answer. The scenario is simple; at least at the first view.
To reach a proxy server in a country or an other network with less internet
restrictions. This is more or less a simple setup. stunnel at both ends
(firefox can not use https to connect to a proxy).
challenge no 1: protect the proxy from use/abuse by others
challenge no 2: nobody must know that you use a proxy, even if somebody is
using a network sniffer to track the network packages. Therefore, this proxy
must act like a harmless https webserver for others.
scenario no 1: a curious person knows, that I have a lot of traffic to
192.0.20.1:443. He connect with a browser to https://192.0.20.1 and get a
squid error message, that this request was not unserstood -> suspect
scenario no 2: The curious person connect with a browser to https://192.0.20.1
and get a password dialog: suspect
scenario no 3: The curious persion connect to https://192.0.20.1 and get a
client certificate error -> suspect
I have success to set an additional http header using the firefox
plugin "modify header". as a door opener. At the moment, every connect with
this header is processed as a request to the proxy and it should be possible
to find a way to treat connections without this header like a normal http
request (or a redirection to a harmless web site).
But I am afraid to forget to switch off the header entry when I surf without
the proxy between (because the proxy filter out this header and its value).
Well, the possibility to set some variables for an inetd-type program (a
simple script) will solve this problem in a simple way. If the right variable
is set: forward the connection to the proxy, if not forward the connection to
a web server.
Maybe you have an other idea?
CU
>
> -Claus
>
> -----Original Message-----
> From: stunnel-users-bounces at mirt.net
> [mailto:stunnel-users-bounces at mirt.net] On Behalf Of Michael Renner Sent:
> Friday, January 23, 2009 1:34 PM
> To: stunnel-users at mirt.net
> Subject: [stunnel-users] Feature request: set environment variable for
> inetd-type program
>
> Moin,
>
> I am not a programmer, I am a writer and user, so I have to ask kindly for
> a additional stunnel feature
> I need the ability to push some information from the stunnel client side to
> the server side. To be more concrete: a self written script that is called
> by stunnels 'exec' statement need some settings, e.g. username and
> password. My idea is to configure this in the client side stunnel.conf and
> pass this as a environment variable to this script.
> There is no chance to pack these stings in a client certificate, because
> everybody who is able to handle snoop/tcpdump will be able to read this.
>
> I imagine a configuration like this:
>
> client stunnel.conf
> [foo]
> accept = 127.0.0.1:1234
> connect = 192.0.20.0:443
> env = "SUSER=renner"
> env = "SPASS=geheim"
>
>
> server stunnel.conf
> [foo]
> accept = 192.0.20.0:443
> exec = /opt/foo/script.sh
> env = yes
>
> My question to the developers: do you think this is a helpful feature, also
> for others?
>
> Greetings
--
|Michael Renner E-mail: michael.renner at gmx.de |
|D-81541 Munich Germany ICQ: #112280325 |
|Germany Don't drink as root! ESC:wq
More information about the stunnel-users
mailing list