[stunnel-users] Proxy HTTPS via stunnel without any certificates on proxy/stunnel box

Gary Chodos gchodos at gmail.com
Wed Sep 25 16:56:26 CEST 2013


On Tuesday, September 24, 2013, Jason Haar wrote:

>  On 25/09/13 00:43, Gary Chodos wrote:
>
> We are trying to decide between SNIProxy and stunnel for the following
> task:
>
>  - Client browser hits https://foo.bar.org, which resolves to an IP that
> corresponds to the stunnel machine listening on 443.
>
> - stunnel "forwards" (sorry if this is not the correct technical term) the
> connection to a different machine, specified by a different IP address,
> which is also configured to believe it is foo.bar.org and actually has a
> web server listening on 443 and houses the SSL key/cert.
>
>  What an odd setup. You want to make an HTTPS connection to an IP
> address, but want that to make an HTTPS connection to another IP address,
> but don't want it to house the SSL cert.
>

Correct.


> That isn't possible - an "SSL terminator" requires the cert - otherwise it
> isn't terminating the SSL connection. Why don't you just use a standard TCP
> forwarder instead - won't that do what you want? Don't forget: SSL occurs
> *within* a TCP session - so a standard TCP forwarder can "reroute" the SSL
> transaction without needing to know what it is forwarding (ie no need for
> certs)
>
> You could use xinetd or netcat - tonnes of options
>

Thanks to cluebats from you and the kind folks over on the nginx list, we
went with haproxy in tcpmode.

Thanks,
Gary
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20130925/242b704e/attachment.html>


More information about the stunnel-users mailing list