[stunnel-users] Many services on the same port (VirtualHost)
Pierre DELAAGE
delaage.pierre at free.fr
Sat Oct 30 21:03:10 CEST 2010
Hello,
I am always intrigued by people using stunnel on "client" space to reach
an https server:
all browsers, except on a few platforms (e.g. Windows Mobile 5), can do
that directly, provided that you have imported the proper certs in their
cert store.
On the other hand, stunnel can then HELP to secure an http SERVER by
enhancing it to https, but I have already explained in other notes about
WebDAV that http+SSL is NOT https.
This is another discussion.
But, if you have access to the server machine, it is better to activate
SSL support in Apache.
Something else: if you want to secure remote websites that you DO
NOT administer, then it is 1/ nonsense and 2/ impossible to speak SSL
with them.
Anyway, it appears that you want ORDINARY clients to SHARE a unique CERT
to OPEN their access to RESTRICTED areas.
It is not exactly, hmmm, I should say, "appropriate".
And if your clients are just accessing SSL servers using only "server
ssl auth" but not "client ssl auth", then it is useless to use stunnel
for that: any browser can do that directly.
Let me insist on the sole case where your problem seems to be "real":
if you want clients that do NOT have a proper cert to share a cert to
access remote protected serverS.
Your "solution" could only make sense if, by chance, ALL the remote
servers recognize the SAME client cert.
Which is improbable. Anyway, in that case, you could imagine putting that
cert in the stunnel proxy.
Well, alright, what you want to do is "transparent proxying with SSL
support".
It is only possible with a special gateway machine placed between your
users and the internet:
Apache's proxy feature can do that.
Maybe squid also.
But once again, it is unlikely that all your serverS recognize the same
"client user cert".
A possible architecture could be this:
client --------> request to https://server1, https://server2
request ----> iptables: redirect request for server1 to gateway: port 1,
request for server2 to gw: port2
on the gateway: configure stunnel to proxy localhost: port 1 to remote
https://server1, request to port 2 to remote https://server2
TIP: if you do not have iptables, trick the /etc/hosts on your clients,
putting server1 ...addr of gateway/stunnel server...
And if you do not have the right to administer the clients, ...hmmmm, nor
the http serverS, nor ...the stunnel gateway...
Then maybe we can say that you are trying to do something not allowed....
Yours sincerely,
Pierre
On 30/10/2010 20:46, Hugo wrote:
> Thanks for the answer, but it seems I haven't got access to iptables
> (my stunnel is on a remote shell service), and I think using a
> webserver is not a good solution for that case.
>
> So does anyone know a program able to bind on a single port and
> redirect requests to another depending on the domain name?
>
> Thank you in anticipation,
> Hugo
>
> On 30/10/2010 17:02, Pierre DELAAGE wrote:
>> Hello,
>> The answer is simply NO in stunnel,
>> but yes in Apache.
>> If you are joining one "http server" hosting many virtual hosts,
>> it should be "trivial".
>> I recommend using IP-based hosting.
>>
>> I guess you want to act as a transparent gateway/proxy to https servers:
>> there is another way to proceed if you have a Linux PC on your
>> network that can act as a router/gateway:
>> with iptables you can do redirection to stunnel and get what you want.
>> Sorry, but it is a little bit complicated to develop more now.
>>
>> Hope this helps,
>> Pierre Delaage
>>
>>
>> On 30/10/2010 17:12, Hugo wrote:
>>> Hello all!
>>>
>>> Does anyone know a way to make many services listen on the same port?
>>> I've got one stunnel4 server which allows me to encrypt two http servers.
>>> The first service binds on port 465 and the second on 470.
>>> What I want is to let users access port 465 using 2 different
>>> ServerNames.
>>>
>>> Thank you in anticipation, and excuse me for my quite bad English =D
>>>
>>>
>>>
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users at mirt.net
>>> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>>
>
>
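Hugo's question is whether one listening port can serve two ServerNames. The piece of information that makes this possible is the Server Name Indication (SNI) extension of the TLS ClientHello: the client sends the hostname it wants in the clear, before any key exchange, so a front end can read it and hand the connection to the right backend without decrypting anything. The script below is an added example, not code from this thread or from the stunnel project: it builds a minimal ClientHello as constructed test input, extracts the SNI name, and maps it to a backend, falling back to a default route when the client sends no SNI (which older clients did not). The hostnames, the backend ports 465 and 470 (taken from Hugo's setup) and the function names are assumptions for illustration.

```python
import struct

RECORD_HANDSHAKE = 0x16        # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
SNI_EXTENSION = 0x0000         # extension type: server_name (RFC 6066)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input,
    not a real capture). server_name=None omits the SNI extension entirely."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version + random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one cipher suite
    body += b"\x01\x00"                          # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXTENSION, len(sni_data)) + sni_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([RECORD_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the host_name carried in the ClientHello's SNI extension,
    or None if the record is not a ClientHello, has no SNI, or is malformed."""
    try:
        if record[0] != RECORD_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                          # truncated handshake
        pos = 2 + 32                             # skip client_version + random
        sid_len = body[pos]
        pos += 1 + sid_len                       # skip session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                        # skip cipher_suites
        cm_len = body[pos]
        pos += 1 + cm_len                        # skip compression_methods
        if pos + 2 > len(body):
            return None                          # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXTENSION:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:         # walk the server_name_list
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                   # host_name entry
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                              # treat any garbage as "no SNI"


def route_by_sni(record, routes, default):
    """Pick the (host, port) backend for a connection from its first record.
    Unknown or missing names go to the default backend (hypothetical policy)."""
    name = extract_sni(record)
    if name is None:
        return default
    return routes.get(name.lower(), default)


if __name__ == "__main__":
    # Constructed routing table: two ServerNames behind one listening port.
    routes = {"www.server1.example": ("127.0.0.1", 465),
              "www.server2.example": ("127.0.0.1", 470)}
    for host in ("www.server1.example", "www.server2.example", None):
        print(host, "->", route_by_sni(build_client_hello(host), routes, routes["www.server1.example"]))
```

A front end built on this would accept on the shared port, peek at the first record (`MSG_PEEK`) without consuming it, call `route_by_sni`, connect to the chosen backend and then relay bytes unchanged in both directions. It never terminates TLS itself, so each backend keeps its own certificate and key, and a client that omits SNI lands on the default backend rather than being dropped. Later stunnel releases added an `sni` service option that does this demultiplexing natively; the 2010 version discussed in this thread did not.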