Proxy HTTPS via stunnel without any certificates on proxy/stunnel box

Greetings,

We are trying to decide between SNIProxy and stunnel for the following task:

- Client browser hits https://foo.bar.org, which resolves to an IP that corresponds to the stunnel machine listening on 443.
- stunnel "forwards" (sorry if this is not the correct technical term) the connection to a different machine, specified by a different IP address, which is also configured to believe it is foo.bar.org and actually has a web server listening on 443 and houses the SSL key/cert.
- When stunnel hits the end server, the latter sees the stunnel IP address as source, not the original user's (who initiated the web request for https://foo.bar.org). I believe this is default behavior, but just noting it for completeness.

Is it possible to accomplish this (stunnel listening on and connecting to https endpoints) without housing any certs/keys on the stunnel machine itself, because we want the second server to deal with all that and we do not have access to those keys anyway? And of course, the users who go to https://foo.bar.org should not see any cert mismatches as a result of loading https://foo.bar.org which, for the user, will resolve to the stunnel/proxy IP rather than the end server which actually has a running web server and keys/cert.

Sorry if the above detail is insufficient; do let me know.

Thanks for your help.
Gary

On 25/09/13 00:43, Gary Chodos wrote:
We are trying to decide between SNIProxy and stunnel for the following task:
- Client browser hits https://foo.bar.org, which resolves to an IP that corresponds to the stunnel machine listening on 443.
- stunnel "forwards" (sorry if this is not the correct technical term) the connection to a different machine, specified by a different IP address, which is also configured to believe it is foo.bar.org and actually has a web server listening on 443 and houses the SSL key/cert.
What an odd setup. You want to make an HTTPS connection to an IP address, but want that to make an HTTPS connection to another IP address, but don't want it to house the SSL cert.

That isn't possible - an "SSL terminator" requires the cert - otherwise it isn't terminating the SSL connection. Why don't you just use a standard TCP forwarder instead - won't that do what you want?

Don't forget: SSL occurs *within* a TCP session - so a standard TCP forwarder can "reroute" the SSL transaction without needing to know what it is forwarding (ie no need for certs).

You could use xinetd or netcat - tonnes of options.

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
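The point Jason makes (TLS rides inside TCP, so a forwarder that never terminates TLS needs no key or certificate) is what SNIProxy and haproxy in tcp mode build on: the hostname the browser wants is sent in cleartext in the server_name extension of the very first TLS record, so a proxy can read it, pick a backend, and then copy bytes in both directions without ever decrypting anything. The following is an added example written for this page, not code from the thread nor from stunnel, SNIProxy or haproxy. It parses the ClientHello by hand, routes on the SNI name, and replays the untouched record to the backend; the BACKENDS table, the 192.0.2.10 address and all function names are assumptions for illustration, and the ClientHello used for testing is constructed, not captured.

```python
import socket
import struct
import threading

# Constructed routing table for this example: SNI hostname -> (backend host, port).
# The address is an assumption standing in for the server that holds foo.bar.org's key/cert.
BACKENDS = {"foo.bar.org": ("192.0.2.10", 443)}


def parse_sni(record):
    """host_name from a TLS ClientHello record, or None. Everything read is cleartext."""
    try:
        if record[0] != 0x16:                                    # record type: handshake
            return None
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if body[0] != 0x01:                                      # handshake type: client_hello
            return None
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                             # client_version + random
        pos += 1 + hs[pos]                                       # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]       # cipher_suites
        pos += 1 + hs[pos]                                       # compression_methods
        if pos + 2 > len(hs):                                    # no extensions block at all
            return None
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(hs)):
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                    # server_name extension
                p = pos + 2                                      # skip ServerNameList length
                while p + 3 <= pos + ext_len:
                    name_type, name_len = hs[p], struct.unpack("!H", hs[p + 1:p + 3])[0]
                    p += 3
                    if name_type == 0 and p + name_len <= pos + ext_len:   # host_name
                        return hs[p:p + name_len].decode("ascii", "replace")
                    p += name_len
                return None
            pos += ext_len
        return None
    except (IndexError, struct.error):                           # truncated or malformed hello
        return None


def build_client_hello(server_name, with_sni=True):
    """Construct a minimal ClientHello (sample input for testing, not a real capture)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host        # host_name entry
    sni = struct.pack("!H", len(entry)) + entry                   # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni                   # extension type 0
    exts = struct.pack("!H", len(ext)) + ext if with_sni else b""
    hs_body = (b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, empty session_id
               + struct.pack("!H", 2) + b"\x13\x01"               # one cipher suite
               + b"\x01\x00" + exts)                              # null compression, extensions
    hs = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def route(record):
    """Backend for this ClientHello, or None when the SNI is absent or not configured."""
    return BACKENDS.get(parse_sni(record))


def read_record(sock):
    """Read one complete TLS record; a ClientHello may arrive in several TCP segments."""
    hdr = sock.recv(5, socket.MSG_WAITALL)
    if len(hdr) < 5 or hdr[0] != 0x16:
        raise OSError("not a TLS handshake record")
    rec_len = struct.unpack("!H", hdr[3:5])[0]
    body = sock.recv(rec_len, socket.MSG_WAITALL)
    if len(body) < rec_len:
        raise OSError("peer closed mid-record")
    return hdr + body


def pump(src, dst):
    """Copy bytes one way, then half-close dst so the other direction can still drain."""
    try:
        for data in iter(lambda: src.recv(65536), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client):
    try:
        hello = read_record(client)
        target = route(hello)
        if target is None:                 # unknown or missing SNI: drop, never guess a backend
            return
        with socket.create_connection(target, timeout=10) as backend:
            backend.settimeout(None)
            backend.sendall(hello)         # replay the untouched ClientHello; TLS runs end to end
            t = threading.Thread(target=pump, args=(client, backend), daemon=True)
            t.start()
            pump(backend, client)
            t.join()
    except OSError:
        pass
    finally:
        client.close()


def serve(listen=("0.0.0.0", 443)):
    with socket.create_server(listen) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Because the proxy never terminates TLS, the browser validates the backend's certificate directly and sees no mismatch, and the proxy box holds nothing worth stealing; the flip side is that it cannot inspect or filter the traffic. The SNI value is attacker-controlled input, which is why the example only connects to names in its own table and refuses anything else rather than falling through to a default. As noted in the original question, the backend sees the proxy's address as the source; haproxy can pass the real client address with the PROXY protocol (`send-proxy` on the server line) if the backend supports it. Clients that send no SNI, and TLS deployments using Encrypted Client Hello, cannot be routed this way.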

On Tuesday, September 24, 2013, Jason Haar wrote:
On 25/09/13 00:43, Gary Chodos wrote:
We are trying to decide between SNIProxy and stunnel for the following task:
- Client browser hits https://foo.bar.org, which resolves to an IP that corresponds to the stunnel machine listening on 443.
- stunnel "forwards" (sorry if this is not the correct technical term) the connection to a different machine, specified by a different IP address, which is also configured to believe it is foo.bar.org and actually has a web server listening on 443 and houses the SSL key/cert.
What an odd setup. You want to make an HTTPS connection to an IP address, but want that to make an HTTPS connection to another IP address, but don't want it to house the SSL cert.
Correct.
That isn't possible - an "SSL terminator" requires the cert - otherwise it isn't terminating the SSL connection. Why don't you just use a standard TCP forwarder instead - won't that do what you want? Don't forget: SSL occurs *within* a TCP session - so a standard TCP forwarder can "reroute" the SSL transaction without needing to know what it is forwarding (ie no need for certs)
You could use xinetd or netcat - tonnes of options
Thanks to cluebats from you and the kind folks over on the nginx list, we went with haproxy in tcp mode. Thanks, Gary