[stunnel-users] When X-FORWARDED-FOR for Stunnel ?
Elodie BOSSIER
2011-08-18 12:58:13 UTC
Greetings,

Why don't you implement X-FORWARDED-FOR in stunnel?

I have found this patch:
http://haproxy.1wt.eu/download/patches/stunnel-4.32-xforwarded-for.diff
but this one is too old; I'm on stunnel 4.41 and I can't go back to 4.32
because I need SNI, implemented since 4.38.

I have attempted to modify the patch to match the current version; at the
beginning it's OK but not after, all the code lines have changed and I'm
not a developer.

X-FORWARDED-FOR is very important and exists on almost all web
frontends and is usable by all web servers.

Someone told me to switch to Nginx because X-FORWARDED-FOR doesn't exist
in Stunnel ... I would like to stay on Stunnel because it's only a light
tunnel.

The patch has only 219 lines; could you please help me adapt it to
version 4.41 and/or add this feature to Stunnel?

This is the "manual" for applying the patch:
http://www.buro9.com/blog/2009/12/07/installing-haproxy-load-balance-http-and-https/
You just need to add "xforwardedfor=yes" to your config file and it should be OK.

With this feature, I won't need to "play" with this (censored)
transparent = source, iptables rules, tcpdump and root exec ...

Thanks so much ...

Elodie.
Michal Trojnara
2011-08-18 15:24:47 UTC
Post by Elodie BOSSIER
Why don't you implement X-FORWARDED-FOR in stunnel?
I didn't implement this feature yet, because:
1. It's hard to do it right.
2. I'm the breadwinner for my family. I'm too busy with things I do
for a living.
Post by Elodie BOSSIER
The patch has only 219 lines; could you please help me adapt it to
version 4.41 and/or add this feature to Stunnel?
I'm not going to apply this patch, because:
1. It does not support chains of proxies:
https://secure.wikimedia.org/wikipedia/en/wiki/X-Forwarded-For#Format
2. It does not support HTTP persistent connections (only modifies the
first request of each connection):
https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_persistent_connection
3. The code is ugly.
4. It does not have a GPL-compatible, non-copyleft license.
Post by Elodie BOSSIER
Thanks so much ...
You're welcome.

Mike
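The two requirements Mike names above (append to an existing X-Forwarded-For chain rather than overwrite it, and rewrite every request on a keep-alive connection rather than only the first) are easy to state but are exactly what the old patch got wrong. The following Python is an added illustration written for this thread; it is not stunnel code and not the patch under discussion. It walks a pipelined HTTP/1.1 byte stream, delimits requests by Content-Length (the sample stream, client address and host name are constructed for the example), and appends the client address to each request's X-Forwarded-For header.

```python
"""Append the TLS client's address to X-Forwarded-For on every request in
a keep-alive HTTP/1.1 stream.  Constructed example for the stunnel-users
thread; it is not stunnel code and not the stunnel-4.32 patch."""

HEADER_END = b"\r\n\r\n"


def split_requests(stream: bytes):
    """Yield (request_line, header_lines, body) for each complete request.

    Bodies are delimited by Content-Length only; chunked transfer encoding
    is out of scope here.  A trailing incomplete request is yielded as
    (raw_fragment, None, None) so the caller can pass it through untouched
    (a real proxy would buffer until the header block is complete).
    """
    pos = 0
    while pos < len(stream):
        end = stream.find(HEADER_END, pos)
        if end == -1:
            yield stream[pos:], None, None
            return
        lines = stream[pos:end].split(b"\r\n")
        request_line, header_lines = lines[0], lines[1:]
        content_length = 0
        for line in header_lines:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                content_length = int(value.strip())
        body_start = end + len(HEADER_END)
        body = stream[body_start:body_start + content_length]
        yield request_line, header_lines, body
        pos = body_start + content_length  # advance past the body, not just the head


def inject_xff(stream: bytes, client_ip: str) -> bytes:
    """Rewrite EVERY request in the stream, not only the first one."""
    ip = client_ip.encode("ascii")
    out = []
    for request_line, header_lines, body in split_requests(stream):
        if header_lines is None:
            out.append(request_line)  # incomplete trailing fragment: unchanged
            continue
        new_headers = []
        seen = False
        for line in header_lines:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"x-forwarded-for":
                # Chain format "client, proxy1, proxy2": append, never overwrite,
                # so upstream hops stay visible to the backend.
                new_headers.append(b"X-Forwarded-For: " + value.strip() + b", " + ip)
                seen = True
            else:
                new_headers.append(line)
        if not seen:
            new_headers.append(b"X-Forwarded-For: " + ip)
        out.append(b"\r\n".join([request_line, *new_headers]) + HEADER_END + body)
    return b"".join(out)


def xff_values(stream: bytes):
    """Return the X-Forwarded-For value of each complete request (None if absent)."""
    values = []
    for _, header_lines, _ in split_requests(stream):
        if header_lines is None:
            continue
        found = None
        for line in header_lines:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"x-forwarded-for":
                found = value.strip().decode("ascii")
        values.append(found)
    return values


# Constructed sample: three pipelined requests on one persistent connection;
# the second already carries a chain from an upstream proxy and has a body.
SAMPLE_STREAM = (
    b"GET /a HTTP/1.1\r\nHost: app.example\r\n\r\n"
    b"POST /b HTTP/1.1\r\nHost: app.example\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\nContent-Length: 5\r\n\r\nhello"
    b"GET /c HTTP/1.1\r\nHost: app.example\r\n\r\n"
)

if __name__ == "__main__":
    rewritten = inject_xff(SAMPLE_STREAM, "198.51.100.9")
    print(xff_values(rewritten))
```

Running it prints one value per request: the first and third requests gain a fresh header, the second keeps its upstream address with the new hop appended. The body-skipping in `split_requests` is what distinguishes this from a "modify the first request" approach: without it, the POST body would be mistaken for the start of the next request. On the backend, only the hop appended by a proxy you control is trustworthy; earlier entries in the chain are whatever the client or upstream sent.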
Elodie BOSSIER
2011-08-18 15:59:40 UTC
Ok thanks.

Do you think you will create this feature later (when you are less busy)
with better code?
Michal Trojnara
2011-08-18 16:42:04 UTC
Post by Elodie BOSSIER
Do you think you will create this feature later (when you are less busy)
with better code?
Yes.

Mike
Vladimir Marchenko
2011-10-01 13:44:44 UTC
stunnel would have been a perfect solution for the little system that I
built today for http://dialcoin.com, if only its author would
consider X-FORWARDED-FOR as something useful as opposed to something
philosophically and ideologically wrong to have in stunnel. Of
course, everyone can appreciate that stunnel's author could have been
busy with more important things in his life for the last few years while
stunnel users cried to have the IP address propagated to their web apps
somehow.

As of now there are two choices for people who are considering using
stunnel in front of a haproxy->nginx setup or something similar, all too
common in our days of FCGI/PCGI/*CGI apps:

1. Do not use stunnel.
2. Use older versions with old patches and have a little long-term
maintenance nightmare.
3. Develop a proper patch, send it to the stunnel author and pray that he
is really too busy as opposed to not wanting X-FORWARDED-FOR handling
in stunnel in principle for whatever reason.
4. Fork stunnel.

My choice is 1, even if it means something ugly like
nginx->haproxy->nginx->FCGI app or simplifying it to nginx->FCGI app. I do
hope that someone takes choice 4 here.

I hope this summarises quite nicely the state of things for all those
people googling "haproxy stunnel X-FORWARDED-FOR".