[stunnel-users] Some troubles with PROXY protocol

Alexey V. Drozdov anyquist at yandex.ru
Wed Mar 26 23:44:02 CET 2014


Hi,
I try to use PROXY protocol ability for my virtual server, but this options work for root section only.
E.g. it not work for this simple case: 

[virtual_server]
accept  = 443
connect = localhost:1081

cert = /etc/stunnel/serverCA.crt
key = /etc/stunnel/serverCA.key

verify = 2
CAfile = /etc/stunnel/serverCA.crt

[server_ru]
sni = virtual_server:server.ru

cert = /etc/stunnel/server.cer
key = /etc/stunnel/server.pem

connect = localhost:7000
protocol = proxy  <-- option don not work there

This problem exist due some code bug:

NOEXPORT void client_try(CLI *c)
{
    init_local(c);
    if(!c->opt->option.client && c->opt->protocol<0) // <-- condition is true in spite of setup protorol=proxy
    {
        init_ssl(c);
	// we'll switch to target section (c->opt) there only!
        init_remote(c);
    } 
    else 
    { 
        protocol(c, PROTOCOL_PRE_CONNECT);
        init_remote(c);
        protocol(c, PROTOCOL_PRE_SSL);
        init_ssl(c);
        protocol(c, PROTOCOL_POST_SSL);
    }
...	

Simple adhoc solution work for me:

    if(!c->opt->option.client && c->opt->protocol<0) // <-- condition is true in spite of setup protorol=proxy
	{
        init_ssl(c);
        init_remote(c);
	// force initiate PROXY protocol
	protocol(c, PROTOCOL_PRE_SSL);
    } 

It's crutch and not general solution certain. But some code refactoring needs for more correct fix.
I think that this bug will be fixed in future versions.

Thanks for stunnel! :)

/Alexey V. Drozdov
e-mail: anyquist at yandex.ru



More information about the stunnel-users mailing list