Stunnel and multiple endpoints.

Hi guys,

I'm new to stunnel and I'm looking for a way to run stunnel on a single port. Then, based on the client certificate, proxy that connection (in clear) to a different IP:port. Is this something I can do with stunnel, or am I barking up the wrong tree, so to speak?

Any help would be appreciated, guys.

Cheers,
Ric

--
Richard Harvey
European Linux Administrator, Core Systems
Ticketmaster
+44 (0)207 9804328 80228

Richard Harvey wrote:
Hi guys, I'm new to stunnel and I'm looking for a way to run stunnel on a single port. Then, based on the client certificate, proxy that connection (in clear) to a different IP:port.
Is this something I can do with stunnel, or am I barking up the wrong tree, so to speak?

Server Name Indication support is already on the TODO list:
http://stunnel.mirt.net/?page=todo_sdf
http://en.wikipedia.org/wiki/Server_Name_Indication

Please let me know if you would like to sponsor the implementation of this feature.

Best regards,
Mike

In this case the client would always connect to example.com on port 7000, for example. Then, based on which client cert is used to connect, the client would be forwarded to a different IP:port. I'm not sure that's what you mean by Server Name Indication.

My example:

both client 1 and client 2 connect to stunnel.example.com:7000
client 1 would connect and may be proxied to client1.example.com:9000
client 2 would connect and may be proxied to client2.example.com:6789

If possible this would be configured in the stunnel.conf file on the server.

Ric

On 08/02/10 10:34, Michal Trojnara wrote:
Server Name Indication support is already on the TODO list: http://stunnel.mirt.net/?page=todo_sdf
Please let me know if you would like to sponsor the implementation of this feature.

Dear Richard,

Yes, that's precisely what I mean by Server Name Indication support in stunnel.

Mike

On Mon, 08 Feb 2010 12:21:25 +0000, Richard Harvey <richard.harvey@ticketmaster.co.uk> wrote:
In this case the client would always connect to example.com on port 7000, for example. Then, based on which client cert is used to connect, the client would be forwarded to a different IP:port. I'm not sure that's what you mean by Server Name Indication.

Dear Richard,

In this case the client would always connect to example.com on port 7000, for example. Then, based on which client cert is used to connect, the client would be forwarded to a different IP:port. I'm not sure that's what you mean by Server Name Indication.

Yes, that's precisely what I mean by Server Name Indication support in stunnel.

I read your email once again and I discovered that I had misunderstood you. Stunnel only implements authentication based on client certificates, and not authorization. I'm sorry for the confusion.

Mike

Hi Richard,

On Mon, Feb 08, 2010 at 12:21:25PM +0000, Richard Harvey wrote:
In this case the client would always connect to example.com on port 7000, for example. Then, based on which client cert is used to connect, the client would be forwarded to a different IP:port. I'm not sure that's what you mean by Server Name Indication.

Not exactly what you're looking for, but it may be worth mentioning that I've written a patch to redirect a user who doesn't successfully authenticate:
http://ftp.nluug.nl/networking/stunnel/contrib/evil.patch
A small explanation is available at the beginning.

Regards,
--
Jeremie Le Hen
Humans are born free and equal. But some are more equal than the others. Coluche
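The thread above predates SNI support in stunnel, which was added later. As an added example (not from the original thread and not the stunnel project's own configuration), the server-side stunnel.conf below shows the single-port, multi-backend layout Richard describes expressed with the `sni` option that stunnel 5.x documents, plus the `redirect` option that covers the failed-authentication case Jeremie's patch addressed. All hostnames, ports and file paths are placeholders, and the exact option names should be checked against the manual of the installed stunnel version.

```ini
; Added example stunnel.conf (server side), not taken from the thread.
; Assumes stunnel 5.x, which documents the "sni" and "redirect" options;
; verify with "man stunnel" on the installed version before relying on them.
; Hostnames, ports and paths are placeholders.

; Master service: the only listening socket, on Richard's port 7000.
[frontend]
accept      = 7000
cert        = /etc/stunnel/server.pem
CAfile      = /etc/stunnel/client-ca.pem
verifyChain = yes
; Clients whose certificate fails verification are connected here
; instead of being dropped (the idea behind evil.patch).
redirect    = 127.0.0.1:8999
; Default backend for clients that send no SNI name, or an unmatched one.
connect     = 127.0.0.1:9999

; Slave services: chosen by the server name in the client's TLS ClientHello,
; then handled with their own backend. Each slave carries its own TLS
; settings here rather than assuming they are inherited from the master.
[client1]
sni         = frontend:client1.example.com
cert        = /etc/stunnel/server.pem
CAfile      = /etc/stunnel/client-ca.pem
verifyChain = yes
connect     = client1.example.com:9000

[client2]
sni         = frontend:client2.example.com
cert        = /etc/stunnel/server.pem
CAfile      = /etc/stunnel/client-ca.pem
verifyChain = yes
connect     = client2.example.com:6789
```

Two caveats a practitioner should keep in mind. First, the routing key is the SNI hostname, which the client chooses and sends in the clear before any certificate exchange; it selects a backend but does not authorize anything. The per-service `verifyChain` and `CAfile` are still what gate access, and they still perform only authentication, so Mike's point stands: a client holding a valid certificate for client1 can name client2.example.com in its ClientHello and reach that backend if the same CA is trusted there. Per-certificate authorization has to live in the backend (or in a different front end). Second, the hop from stunnel to the backends is plaintext, as Richard asked for, so the backends must be reachable only from the stunnel host.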