[stunnel-users] Requests to cloud server that requires host header
Lorne Kates
2016-05-17 20:03:28 UTC
(related to Akamai message from before-- but I have better troubleshooting information).

I'm trying to route traffic through stunnel to a "cloud"-based endpoint. That endpoint has a static server name-- test.authorize.net. (This is the dev sandbox for auth.net).

But if you do an nslookup on test.authorize.net, you'll get back a different servername and IP, because it's so wonderfully "cloud".

Stunnel apparently tries to connect to the nslookup value. The server rejects the request because it can't route it back to test.authorize.net.

I've tried adding "delay = yes" and "sni = test.authorize.net", but neither works.

To see this in action, a simple setup with any accept, then connect to test.authorize.net:443 in client = yes mode.

This is what a valid response looks like (13 -- give me the darn merchant ID in a POST): https://test.authorize.net/gateway/transact.dll

This is what you'll get if you try to use stunnel (400 invalid url) : https://23.195.204.150/gateway/transact.dll

So how can I get stunnel to send the proper Request Header (host: test.authorize.net), make sure it's using http/1.1, etc?
Jose Alf.
2016-05-18 03:19:31 UTC
Lorne,
Post by Lorne Kates
So how can I get stunnel to send the proper Request Header (host: test.authorize.net), make sure it's using http/1.1, etc?
Sorry. You can't. AFAIK stunnel has no support for user-defined headers. However, if you're not using a conventional web browser, you can modify the requests and insert any needed headers. You can do that with a library like libcurl.

Regards, Jose

From: Lorne Kates <***@hotmail.com>
To: "stunnel-***@stunnel.org" <stunnel-***@stunnel.org>
Sent: Tuesday, May 17, 2016 3:03 PM
Subject: [stunnel-users] Requests to cloud server that requires host header

(related to Akamai message from before-- but I have better troubleshooting information).

I'm trying to route traffic through stunnel to a "cloud"-based endpoint. That endpoint has a static server name-- test.authorize.net. (This is the dev sandbox for auth.net).

But if you do an nslookup on test.authorize.net, you'll get back a different servername and IP, because it's so wonderfully "cloud".

Stunnel apparently tries to connect to the nslookup value. The server rejects the request because it can't route it back to test.authorize.net.

I've tried adding "delay = yes" and "sni = test.authorize.net", but neither works.

To see this in action, a simple setup with any accept, then connect to test.authorize.net:443 in client = yes mode.

This is what a valid response looks like (13 -- give me the darn merchant ID in a POST): https://test.authorize.net/gateway/transact.dll

This is what you'll get if you try to use stunnel (400 invalid url) : https://23.195.204.150/gateway/transact.dll

So how can I get stunnel to send the proper Request Header (host: test.authorize.net), make sure it's using http/1.1, etc?
Guillermo Rodriguez Garcia
2016-05-18 08:51:01 UTC
Hello,
Post by Lorne Kates
(related to Akamai message from before-- but I have better troubleshooting
information).
I'm trying to route traffic through stunnel to a "cloud"-based endpoint.
That endpoint has a static server name-- test.authorize.net. (This is the
dev sandbox for auth.net).
But if you do an nslookup on test.authorize.net, you'll get back a different
servername and IP, because it's so wonderfully "cloud".
Stunnel apparently tries to connect to the nslookup value. The server
rejects the request because it can't route it back to test.authorize.net.
I've tried adding "delay = yes" and "sni = test.authorize.net", but neither
works.
To see this in action, a simple setup with any accept, then connect to
test.authorize.net:443 in client = yes mode.
This is what a valid response looks like (13 -- give me the darn merchant ID
in a POST): https://test.authorize.net/gateway/transact.dll
https://23.195.204.150/gateway/transact.dll
test.authorize.net), make sure it's using http/1.1, etc?
Stunnel won't do this for you (it will not inject any HTTP headers at
all). You must tell your HTTP client software to do it. Example:

'nslookup test.authorize.net' says that the IP address is 104.83.163.210

Try the following (no stunnel involved here):

curl -k https://104.83.163.210/gateway/transact.dll -> 400 invalid url error
curl -k -H 'Host: test.authorize.net' https://104.83.163.210/gateway/transact.dll -> Works

With stunnel it is the same. You must tell whatever HTTP client you
are using to send the correct Host: header. In your case you can try:

curl -k -H 'Host: test.authorize.net' https://23.195.204.150/gateway/transact.dll

Best regards,

Guillermo Rodriguez Garcia
***@gmail.com
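
What the two curl calls above demonstrate, as an added offline example (not code from the thread or from stunnel): a constructed local server stands in for the name-based edge node, and the client connects by address, the way it would to a local stunnel accept port. The server logic, the loopback port and all function names are assumptions for illustration.

```python
# Added example: a constructed stand-in for a name-based edge server.
# It does not reproduce the real endpoint's behaviour beyond Host routing.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_HOST = "test.authorize.net"  # site name taken from the thread


class EdgeHandler(BaseHTTPRequestHandler):
    """Chooses the site from the Host header, not from the IP it was reached on."""

    def do_GET(self):
        # Drop an optional ":port" suffix before comparing the site name.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        ok = host == EXPECTED_HOST
        body = b"routed to origin" if ok else b"Invalid URL"
        self.send_response(200 if ok else 400)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_edge():
    """Start the stand-in edge on a free loopback port and return the server."""
    server = HTTPServer(("127.0.0.1", 0), EdgeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, host_header=None):
    """GET via 127.0.0.1:port, optionally overriding Host; returns the status."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Host": host_header} if host_header else {}
    conn.request("GET", "/gateway/transact.dll", headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status


def demo():
    """Return (status with address-derived Host, status with explicit Host)."""
    server = start_edge()
    port = server.server_address[1]
    try:
        return fetch(port), fetch(port, EXPECTED_HOST)
    finally:
        server.shutdown()
        server.server_close()
```

With a real stunnel client service the request is sent in plain HTTP to the local accept port, so the Host header is the HTTP client's job while certificate checking is configured in the stunnel service.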
