Discussion:
[stunnel-users] How to use stunnel as a HTTPS to HTTPS reverse proxy
Claudio Beretta
2016-02-23 17:13:36 UTC
I'd like Stunnel to act as a reverse proxy that accepts TLS 1.0 and TLS 1.2
for https://example.com and then forwards the traffic to https://example.net,
another web server that only accepts TLS 1.2
browser --TLS 1.0 or 1.2--> Stunnel --TLS 1.2--> Web App

The browser should have no idea that example.net even exists (only
example.com certificate will be presented to the browser).
Is this something Stunnel can do?


This is what I got so far:

cert = example.com.pem
;stunnel.pem

[proxy1]
client = yes
accept = 10.100.4.179:443
connect = localhost:54323
CAfile = sca.server1.crt.pem
;verify = 2

[proxy2]
client = no
accept = localhost:54323
connect = example.net:443
;CAfile = SymantecClass3EVSSLCA-G3.pem

example.com.pem contains the public and decrypted private key for
example.com
sca.server1.crt.pem contains the intermediate and root certificates of the
CA that issued the example.com.pem certificate

It partially works: the browser shows example.com in the address bar and
the content of example.net, but the certificate that is returned is from
example.net

What am I doing wrong?
Or do you have other recommendations to get something like this working on
Windows Server 2008 R2? (IIS + Application Request Routing + URL Rewrite
won't work: TLS1.2 is not properly supported)

Thank you
Claudio
Josealf.rm
2016-02-25 05:07:59 UTC
Hi Claudio,

What happens if you try client = no for proxy1 and client = yes for proxy2?

Regards,
José
_______________________________________________
stunnel-users mailing list
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
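Why the swap matters, and what the corrected file looks like. In stunnel, "client = no" makes a service the TLS server (it accepts TLS on its "accept" port, presents "cert", and sends decrypted bytes to "connect"); "client = yes" makes it the TLS client (it accepts plaintext and opens a TLS session to "connect"). With the flags the wrong way round, proxy1 treated the browser's TLS bytes as opaque plaintext, wrapped them in stunnel's own TLS to proxy2, which unwrapped them and forwarded the browser's original handshake to example.net:443. The browser therefore negotiated directly with example.net through a relay, which is exactly why it saw example.net's certificate, and a TLS 1.0-only browser would still have been rejected upstream. The configuration below is an added example, not the poster's file or anything from the stunnel project; the 127.0.0.1 bind, the upstream CA file name example-net-ca.pem, and the placement of "cert" inside [proxy1] are assumptions.

```ini
; Added example: stunnel as an HTTPS-to-HTTPS reverse proxy, with the
; "client" flags the right way round. Not the original poster's config.

[proxy1]
; client = no: stunnel is the TLS *server* for browsers. It accepts TLS on
; :443, presents the example.com identity, and hands decrypted traffic to
; the loopback hop below. "cert" lives here so only this service offers it.
client = no
accept = 10.100.4.179:443
connect = 127.0.0.1:54323
cert = example.com.pem

[proxy2]
; client = yes: stunnel is the TLS *client* toward the real web server. It
; accepts plaintext on the loopback port and opens a TLS 1.2 session upstream.
; Binding to 127.0.0.1 (assumed) rather than "localhost" keeps the plaintext
; hop off every other interface.
client = yes
accept = 127.0.0.1:54323
connect = example.net:443
sslVersion = TLSv1.2
; Verify the upstream chain against the CA that issued example.net's
; certificate (assumed file name) and pin the expected host name, so a
; spoofed or misrouted upstream is refused rather than silently proxied.
CAfile = example-net-ca.pem
verify = 2
checkHost = example.net
```

Note that "CAfile" and "verify" belong to the service that acts as TLS client (proxy2), since that is the side evaluating a peer certificate; on proxy1 the CA bundle is only useful if you intend to require client certificates. After restarting stunnel, a quick check is to connect to 10.100.4.179:443 with openssl s_client and confirm the certificate subject now reads example.com, and that the bytes on 127.0.0.1:54323 are plain HTTP.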
Claudio Beretta
2016-02-25 16:17:51 UTC
José, that did the trick!
Thank you
Jose Alf.
2016-02-25 17:03:03 UTC
Claudio,
Sure, it works. Is it clear for you why? :)

Claudio Beretta
2016-02-26 16:42:49 UTC
Yeah, now it's obvious why it works :)
I got part of the (wrong) solution from another place, and later I guess I
didn't understand the explanation for the "client" option in the manual.
Thanks again