Of course you can export the cert and private keys from IIS and use them in stunnel. You will need to use OpenSSL to convert the certificate but it will work.
Sent from my iPhone
On Apr 10, 2011, at 11:59 AM, "Joseph Hardeman" <jwhardeman#gmail.com<mailto:jwhardeman#gmail.com>> wrote:
Hi Guys
The problem is that this is for a customer who is running IIS and already has all their certs built for IIS, I don't know if the IIS cert would work with stunnel.
I tried the following configuration which I had found and they said it was working for them, but I am getting SSL to long errors:
#listen cust1_443 # maxconn 32000 # bind 0.0.0.0:443<http://0.0.0.0:443> # mode http # cookie SERVERID insert indirect nocache ## cookie SERVERID rewrite nocache # timeout client 70s # timeout server 70s # timeout connect 30s # balance source # reqadd X-Forwarded-Proto:\ https # reqadd SSL-TERMINATION:\ ON # server IIS1-443 192.168.0.206:443<http://192.168.0.206:443> cookie iis1ssl check inter 5000 fall 3 rise 1 maxconn 30 ## server IIS2-443 192.168.0.207:443<http://192.168.0.207:443> cookie iis2ssl check inter 5000 fall 3 rise 1 maxconn 30 # option abortonclose # option httpclose # option forwardfor # retries 3 # option redispatch # log global # option httplog # option ssl-hello-chk # option dontlognull
With the second IIS server commented out, they are able to serve 1 of their largest customer with their SSL site, but I want to be able to load balance the requests and at least pin each visitor to IIS server they are sent to.
listen cust1_443
mode tcp bind 0.0.0.0:443<http://0.0.0.0:443> option ssl-hello-chk balance roundrobin server IIS1-443 192.168.0.206:443<http://192.168.0.206:443> check inter 5000 fall 3 rise 1 maxconn 300 # server IIS2-443 192.168.0.207:443<http://192.168.0.207:443> check inter 5000 fall 3 rise 1 maxconn 300 timeout client 70s timeout server 70s timeout connect 30s
Any ideas or thoughts on this?
Thanks
JOe
On Sun, Apr 10, 2011 at 10:26 AM, Brian Carpio <<mailto:bcarpio#broadhop.com>bcarpio#broadhop.com<mailto:bcarpio#broadhop.com>> wrote: You probably need to ask that question on the stunnel mailing list.
Sent from my iPhone
On Apr 10, 2011, at 8:20 AM, "German Gutierrez" <<mailto:germang#olx.com>germang#olx.com<mailto:germang#olx.com>> wrote:
> BTW, will this patch ever go upstream? Why stunnel does not have this already?
>
> On Sat, Apr 9, 2011 at 11:43 PM, Vivek Malik <<mailto:vivek.malik#gmail.com>vivek.malik#gmail.com<mailto:vivek.malik#gmail.com>> wrote:
>> Joe,
>> You need to run as many stunnel instances as number of SSL certificates. If
>> the sites share SSL certificate, then one stunnel instance will do.
>> I run stunnel 4.32 with patch from <http://haproxy.1wt.eu/download/patches/> http://haproxy.1wt.eu/download/patches/
>> on port 443 and forward it to port 81 on the same machine which is bound to
>> haproxy.
>> My stunnel config looks like
>> cert = /etc/stunnel.pem
>> sslVersion = all
>> chroot = /var/lib/stunnel/
>> setuid = stunnel
>> setgid = stunnel
>> pid = /stunnel.pid
>> socket = l:TCP_NODELAY=1
>> socket = r:TCP_NODELAY=1
>> [https]
>> accept = 443
>> connect = 127.0.0.1:81<http://127.0.0.1:81>
>> TIMEOUTclose = 0
>> xforwardedfor = yes
>> Note that xforwardedfor option only works after the patch is installed. My
>> haproxy config looks like
>> frontend http
>> bind 0.0.0.0:80<http://0.0.0.0:80>
>> reqidel ^X-Forwarded-Proto:.*
>> reqadd X-Forwarded-Proto:\ HTTP
>> option forwardfor
>> frontend https
>> bind 127.0.0.1:81<http://127.0.0.1:81>
>> reqidel ^X-Forwarded-Proto:.*
>> reqadd X-Forwarded-Proto:\ HTTPS
>> Note that I am passing a X-Forwarded-Proto to underlying application so that
>> it can logic specific to https calls.
>> Vivek
>> On Sat, Apr 9, 2011 at 4:00 PM, Ben Timby <<mailto:btimby#gmail.com>btimby#gmail.com<mailto:btimby#gmail.com>> wrote:
>>>
>>> On Sat, Apr 9, 2011 at 2:07 PM, Joseph Hardeman <<mailto:jwhardeman#gmail.com>jwhardeman#gmail.com<mailto:jwhardeman#gmail.com>>
>>> wrote:
>>>> Hi Guys,
>>>>
>>>> I was wondering if someone has a good example I could use for proxying
>>>> https
>>>> traffic. We are trying to proxy multiple sites that use https and I was
>>>> hoping for a way to see how to proxy that traffic between multiple IIS
>>>> servers without having to setup many different backend sections. The
>>>> way
>>>> the sites are setup they use a couple of cookies but mostly session
>>>> variables to track the user as they do their thing. Either I need to be
>>>> able to pin the user to a single server using the mode tcp function when
>>>> they come in or be able to use some form of mode http that doesn't break
>>>> the
>>>> SSL function.
>>>>
>>>> This morning around 5am, I got one site running with only 1 backend
>>>> using
>>>> tcp but I really need to be able to load balance it between multiple
>>>> servers.
>>>
>>> Joe, haproxy itself does not do SSL. That said, you can set up an SSL
>>> server in front of it. Myself, I use stunnel. Stunnel strips the SSL
>>> and forwards the traffic to haproxy. I have many instances of stunnel
>>> (one per cert/ip) which all feed a single haproxy http listener.
>>>
>>> <http://www.stunnel.org/> http://www.stunnel.org/
>>>
>>> You could also use another server like nginx, apache etc. to strip the
>>> SSL. However, I find stunnel well suited as all it does is SSL and it
>>> is fast and efficient at it (similar to how haproxy does proxyinig
>>> very well).
>>>
>>
>>
>
>
>
> --
> Germán Gutiérrez
>
> OLX Operation Center
> OLX Inc.
> Buenos Aires - Argentina
> Phone: 54.11.4775.6696
> Mobile: 54.911.5669.6175
> Skype: errare_est
> Email: <mailto:germang#olx.com> germang#olx.com<mailto:germang#olx.com>
>
> Delivering common sense since 1969 <Epoch Fail!>.
>
> The Nature is not amiable; It treats impartially to all the things.
> The wise person is not amiable; He treats all people impartially.
>
> No afecta el sitio, no necesita QA.
>
>
Received on 2011/04/10 23:14
This archive was generated by hypermail 2.2.0 : 2011/04/10 23:30 CEST