[stunnel-users] older browsers, stunnel and privoxy

Zizhong Zhang zizazit at protonmail.com
Tue Dec 4 20:16:53 CET 2018


Hello,

> I'm trying to make older browsers be able to display TLS 1.1 and TLS 1.2 sites.
> I heard stunnel can't be configured to always forward to the current
> site address dynamically, that's why I would use privoxy.

If by "forward to the current site address dynamically" you meant "forward to the current address of one specific domain" then stunnel can achieve that by adding "delay = yes".

However, if I understood correctly, you wanted to let stunnel strip or remove SSL for whatever sites you visit. Then no, I don't think you can achieve that with privoxy and stunnel. If that's what you want, I would suggest you use nginx to remove SSL. The following example configuration will let nginx "upgrade" your HTTP request to HTTPS.

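events {}
http {
    server {
        # A resolver is required because proxy_pass below uses variables
        resolver 9.9.9.9;
        listen 80;
        location / {
            # Re-issue the plain-HTTP request to the same host over HTTPS
            proxy_pass https://$host$request_uri;
            proxy_set_header Host $http_host;
        }
    }
}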

You can then point any domain to the nginx server (for example, via the hosts file) and visit the site via HTTP. This will make HTTPS-only servers happy.

That won't strip third-party HTTPS:// URL resources like NewIPNow does, but you can use the nginx "sub_filter" to replace HTTPS with HTTP in HTML. Also there are "security features" like "Content-Security-Policy" that prevent modern browsers from visiting your SSL-stripped sites, but I believe your outdated browser will happily ignore those.

--Zizhong
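
Added example, not part of the original post: the same nginx front end with the settings an operator would normally tighten, since nginx does not verify upstream certificates or send SNI by default and a listener on port 80 that proxies to `$host` will serve any client that can reach it. The client address 192.168.1.50 and the CA bundle path are assumptions; substitute your own.

```nginx
events {}

http {
    server {
        listen 80;

        # Only the legacy client may use the proxy, so it does not become an
        # open relay. 192.168.1.50 is a constructed placeholder address.
        allow 127.0.0.1;
        allow 192.168.1.50;
        deny  all;

        # Needed because proxy_pass is built from variables.
        resolver 9.9.9.9;

        location / {
            proxy_pass https://$host$request_uri;
            proxy_set_header Host $http_host;

            # Send SNI so name-based virtual hosts present the right certificate.
            proxy_ssl_server_name on;

            # Validate the upstream chain and host name; off by default.
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 3;
            # Assumed path (Debian/Ubuntu CA bundle); adjust for your system.
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

            # Refuse to negotiate legacy protocol versions with the upstream.
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
        }
    }
}
```

With verification on, nginx answers 502 when the upstream certificate does not validate instead of relaying the page. The hop between the browser and nginx is still plaintext, so keep it on loopback or a trusted network segment.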