Re: stunnel to provide https

From: Duncan Hall <duncan#viator.com>
Date: Wed, 09 Sep 2009 09:55:47 +1000


Rather than multiple stunnel instances, a single instance can manage multiple IP addresses and certs. As Bernhard mentioned, once the request is picked up by stunnel and forwarded to haproxy it is no longer encrypted on your backend network.

Here is what your stunnel.conf may look like with 3 IP addresses and 3 SSL certificates.

sslVersion = SSLv3
pid = /var/run/stunnel.pid

#debug = 7
output = /var/log/stunnel.log

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

# One [service] per public IP: each binds its own certificate to its own
# address on :443 and hands the decrypted stream to haproxy on :80.
# xforwardedfor needs the patched stunnel Bernhard refers to.
[https-website1]
cert = /etc/stunnel/website1.newdot.com.pem
accept = 10.22.13.110:443
connect = 10.22.13.110:80
xforwardedfor = yes

[https-website2]
cert = /etc/stunnel/website2.newdot.net.pem
accept = 10.22.13.111:443
connect = 10.22.13.111:80
xforwardedfor = yes

[https-webmail]
cert = /etc/stunnel/mailman.newdot.com.pem
accept = 10.22.13.112:443
connect = 10.22.13.112:80
xforwardedfor = yes

Regards,

Duncan
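As an added example (not code from this thread, nor from the stunnel or haproxy projects), here is a small Python linter for the kind of stunnel.conf shown above. It parses the [service] sections and flags the pitfalls the thread turns on: two certificates bound to the same IP:443 (one certificate per address is why three public IPs are used), a decrypted connect target on a public address or on port 443 (the hop to haproxy is plaintext and belongs on the local network), a missing xforwardedfor, and the SSLv3 pin. GOOD_CONF reproduces the three services from the post; BAD_CONF, the check names, the function names and the address 198.12.241.20 are constructed for illustration, and xforwardedfor is assumed to be the option from the haproxy-patched stunnel Bernhard mentions.

```python
"""Lint a stunnel.conf that terminates TLS in front of HAProxy.

Added example for this thread, not code posted by Duncan, Bernhard or the
haproxy project. GOOD_CONF reproduces the three services from the post;
BAD_CONF, the check names and the address 198.12.241.20 are constructed.
"""
import ipaddress
import re

GOOD_CONF = """\
sslVersion = SSLv3
[https-website1]
cert = /etc/stunnel/website1.newdot.com.pem
accept = 10.22.13.110:443
connect = 10.22.13.110:80
xforwardedfor = yes
[https-website2]
cert = /etc/stunnel/website2.newdot.net.pem
accept = 10.22.13.111:443
connect = 10.22.13.111:80
xforwardedfor = yes
[https-webmail]
cert = /etc/stunnel/mailman.newdot.com.pem
accept = 10.22.13.112:443
connect = 10.22.13.112:80
xforwardedfor = yes
"""

# Constructed misconfiguration: two certificates on one IP:443, decrypted
# traffic sent to a public address on :443, and xforwardedfor left out.
BAD_CONF = """\
[site-a]
cert = /etc/stunnel/a.pem
accept = 198.12.241.19:443
connect = 127.0.0.1:80
xforwardedfor = yes
[site-b]
cert = /etc/stunnel/b.pem
accept = 198.12.241.19:443
connect = 198.12.241.20:443
"""

_PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_stunnel_conf(text):
    """Split stunnel's INI-like syntax into (global options, {service: options})."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            current = section.group(1)
            services[current] = {}
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        target = global_opts if current is None else services[current]
        target[key.strip()] = value.strip()
    return global_opts, services

def _is_private(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in _PRIVATE_NETS)

def lint_stunnel_conf(text):
    """Return (section, problem) findings; an empty list means nothing flagged."""
    global_opts, services = parse_stunnel_conf(text)
    findings, seen_accept = [], {}
    version = global_opts.get("sslVersion")
    if version in ("SSLv2", "SSLv3"):
        findings.append(("<global>", f"sslVersion = {version} is obsolete; pin a TLS version"))
    for name, svc in services.items():
        for required in ("cert", "accept", "connect"):
            if required not in svc:
                findings.append((name, f"missing '{required}'"))
        accept = svc.get("accept")
        if accept:
            # Without SNI each certificate needs its own IP:port, so two
            # services on one accept address cannot both be served.
            if accept in seen_accept:
                findings.append((name, f"accept {accept} already used by [{seen_accept[accept]}]"))
            else:
                seen_accept[accept] = name
        connect = svc.get("connect")
        if connect:
            host, _, port = connect.rpartition(":")
            host = host or "127.0.0.1"  # 'connect = <port>' alone means localhost
            # stunnel -> haproxy is plaintext; keep that hop off public addresses.
            if not _is_private(host):
                findings.append((name, f"plaintext connect target {host} is not private/loopback"))
            # Decrypted traffic to :443 hits a backend that expects TLS; that is
            # haproxy 'mode tcp' passthrough, not termination.
            if port == "443":
                findings.append((name, "connect port 443: decrypted traffic sent to a TLS port"))
        if svc.get("xforwardedfor", "no").lower() != "yes":
            findings.append((name, "xforwardedfor is not 'yes'; backends will log the LB address"))
    return findings
```

Calling lint_stunnel_conf(GOOD_CONF) returns a single finding, against the SSLv3 pin; the constructed BAD_CONF yields four findings, all against [site-b]. The linter only reads the file, so it can be run against a config before stunnel is restarted.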

Bernhard Krieger wrote:
>
>> Is there a way to
>> manage several certificates with this configuration?
>
> Hmm... multiple Stunnel-Instances?!?!
>
>
>>
>> However, I have a problem with this configuration. When I connect to
>> https://mysite, it shows the certificate I put on stunnel but it
>> redirects my https to http and everything goes in clear. I thought it
>> will keep talking https.
>>
> Stunnel forwards the requests to the haproxy frontend, which is bound to
> the local LB IP.
>
> Then haproxy forwards them to the backend.
>
> Stunnel doesn't forward the requests directly back to the backend!
>
>
>> I am wondering if I really need stunnel. Stopping it, haproxy redirects
>> my https traffic to my backends (they are able to talk https). It works
>> but it shows the certificate stored on each backend instead of a
>> generic one.
>
> Haproxy handles https too -> switch "mode http" to "mode tcp".
> But then you can't see the real client IP addresses in the backends' log
> files.
>
> If you provide money transactions, .... it's a good reason to log the
> real IP ;)
>
> So you have to compile/install a patched stunnel on the LB.
> See the documentation too!
>
>
> Example:
> REAL LB-IP: 198.12.241.19:443
> LOCAL LB-IP: 192.168.2.150:80
> BACKENDS: 192.168.2.100, .101
>
>
> STUNNEL-CONFIG:
> [https]
> accept = 198.12.241.19:443
> connect = 192.168.2.150:80
> TIMEOUTclose = 0
>
>
>
> HAPROXY-CONFIG:
>
> listen 443-STUN 192.168.2.150:80
> mode http
> source 192.168.2.150:0
> balance roundrobin
> option forwardfor except 192.168.2.150
>
> server BACKEND1 192.168.2.100:80 .....
> server BACKEND2 192.168.2.101:80 .....
>
>
> bye
> Bernhard
>
> ----- Message from xfustero#xtec.cat ---------
> Date: Tue, 08 Sep 2009 13:23:46 +0200
> From: Xavier Fustero <xfustero#xtec.cat>
> Reply-To: Xavier Fustero <xfustero#xtec.cat>
> Subject: stunnel to provide https
> To: haproxy#formilux.org
>
>
>> Hi,
>>
>> I would like to provide a webmail service under https. Regarding the
>> docs, haproxy isn't able to talk ssl itself so I decided to go for
>> stunnel + haproxy. However things don't work as I thought. This is the
>> scenario:
>>
>> LB1: stunnel + haproxy
>> A: webmail SUN messenger
>> B: webmail SUN messenger
>>
>> My stunnel contains the following lines:
>> ....
>> [https]
>> accept=ip_number:443
>> connect=ip_number:80
>> xforwardedfor = yes
>>
>> I would like to use https with a generic certificate like
>> webmail.company.org. I've installed it on stunnel and I can see it on
>> my browser. My first question is how I would be able to use this
>> LBA1+stunnel to traffic more https sites in future? Is there a way to
>> manage several certificates with this configuration?
>>
>> However, I have a problem with this configuration. When I connect to
>> https://mysite, it shows the certificate I put on stunnel but it
>> redirects my https to http and everything goes in clear. I thought it
>> will keep talking https.
>>
>> I am wondering if I really need stunnel. Stopping it, haproxy redirects
>> my https traffic to my backends (they are able to talk https). It works
>> but it shows the certificate stored on each backend instead of a
>> generic one.
>>
>> This is my haproxy config file:
>> ....
>> backend b_webmail_secured
>> mode tcp
>> balance source
>> option ssl-hello-chk
>> server secure-A ip_number:443 weight 10
>> server secure-B ip_number:443 weight 10
>>
>>
>> I would appreciate some suggestions on how to set it up.
>> Thanks a lot,
>> Xavi
>
>
> ----- End of message from xfustero#xtec.cat -----
Received on 2009/09/09 01:55

This archive was generated by hypermail 2.2.0 : 2009/09/09 02:00 CEST