[stunnel-users] stunnel OK without "transparent = source", with = timeout problem

Elodie BOSSIER elodieuse at gmail.com
Sun Jul 31 21:01:36 CEST 2011


Me again ...

I can't find my problem and I'm starting to despair alone ...

My stunnel works correctly with this config file:

pid = /stunnel.pid
debug = 7
output = /var/log/stunnel.log
options = NO_SSLv2

#transparent = source

[virtual]
accept = 443
cert = /usr/local/openssl/etc/CERTIFICATES/www.franceserv.fr_cert.cert
key = /usr/local/openssl/etc/PRIVATE_KEYS/www.franceserv.fr_key.pem
connect = www.franceserv.fr:80
[sni1]
sni = virtual:elodie.franceserv.com
cert = /etc/ssl-fsh/cert-elodie.franceserv.com.pem
key = /etc/ssl-fsh/key-franceserv.key
connect = elodie.franceserv.com:80
[sni2]
sni = virtual:befun.franceserv.com
cert = /etc/ssl-fsh/cert-befun.franceserv.com.pem
key = /etc/ssl-fsh/key-franceserv.key
connect = befun.franceserv.com:80

But the IP transmitted to my server is the stunnel IP and not that of the
visitor behind their browser,
and it doesn't work anymore when I take off the # to enable the
transparent mode.

And these are my iptables rules:

   iptables -t mangle -N DIVERT
   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
   iptables -t mangle -A DIVERT -j MARK --set-mark 1
   iptables -t mangle -A DIVERT -j ACCEPT
   ip rule add fwmark 1 lookup 100
   ip route add local 0.0.0.0/0 dev lo table 100
   echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
   echo 1 > /proc/sys/net/ipv4/ip_forward

as it's said in the manual, but nothing more ...

A friend has tested on her side and has the same problem.

Could someone tell me my error, please?

On 29/07/2011 03:25, Elodie BOSSIER wrote:
> Back ...
>
> I can't find the problem,
>
> This is the log without transparent when it's working:
> http://pastebin.com/mjReyE8a
> with transparent and not working: http://pastebin.com/ZGqRVXzF
>
> Thanks so much ...
>
> On 28/07/2011 12:25, Elodie BOSSIER wrote:
>> Greetings again,
>>
>> Thanks so much for having updated the manual about SNI, my stunnel works 
>> correctly.
>>
>> But I have a tiny problem: when I visit my webserver, the 
>> SERVER['REMOTE_ADDR'] with PHP isn't the IP address of the visitor but 
>> the IP of the stunnel.
>> I have read the manual about this transparent proxy and I don't 
>> succeed with the configuration.
>>
>> This is my config file:
>>
>> pid = /stunnel.pid
>> options = NO_SSLv2
>> transparent = source
>> [virtual]
>> accept = 443
>> cert = /usr/local/openssl/etc/CERTIFICATES/www.franceserv.fr_cert.cert
>> key = /usr/local/openssl/etc/PRIVATE_KEYS/www.franceserv.fr_key.pem
>> connect = www.franceserv.fr:80
>> [sni1]
>> sni = virtual:elodie.franceserv.com
>> cert = /etc/ssl-fsh/cert-elodie.franceserv.com.pem
>> key = /etc/ssl-fsh/key-franceserv.key
>> connect = elodie.franceserv.com:80
>> [sni2]
>> sni = virtual:befun.franceserv.com
>> cert = /etc/ssl-fsh/cert-befun.franceserv.com.pem
>> key = /etc/ssl-fsh/key-franceserv.key
>> connect = befun.franceserv.com:80
>>
>> It doesn't work, I have a timeout with my browser.
>>
>> With iptables, I have set this:
>>
>>   iptables -t mangle -N DIVERT
>>   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>   iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>   iptables -t mangle -A DIVERT -j ACCEPT
>>   ip rule add fwmark 1 lookup 100
>>   ip route add local 0.0.0.0/0 dev lo table 100
>>   echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>   echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> My stunnel is on the server 192.168.0.20 and the webserver on 
>> 192.168.0.2
>>
>> I tried to follow the help at 
>> http://www.stunnel.org/static/stunnel.html#service_level_options
>> with: transparent = none | source | destination | both (Unix only)
>>
>> Could you tell me what I am doing wrong, please?
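With transparent = source, stunnel opens the backend connection from the TLS client's own source address, so the backend addresses its replies to that client; they only pass back through stunnel if the stunnel host sits on the backend's return path, and the DIVERT / fwmark rules quoted above are what steer such replies into stunnel's local transparent socket. The script below is an added example (not stunnel's code and not part of this thread) that audits those prerequisites offline: it parses an stunnel.conf and the list of applied iptables / ip / sysctl commands, reports any of the eight required commands that are absent, and flags every source-transparent service whose backend is not on the stunnel host itself. The sample config and command list are constructed from the values in the message (stunnel on 192.168.0.20, web server on 192.168.0.2); the set of addresses treated as local to the stunnel host is an assumption.

```python
"""Offline audit of an stunnel "transparent = source" setup (added example)."""

# The commands the stunnel manual lists for transparent = source on Linux,
# identical to the eight lines quoted in the message above.
REQUIRED_COMMANDS = (
    "iptables -t mangle -N DIVERT",
    "iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT",
    "iptables -t mangle -A DIVERT -j MARK --set-mark 1",
    "iptables -t mangle -A DIVERT -j ACCEPT",
    "ip rule add fwmark 1 lookup 100",
    "ip route add local 0.0.0.0/0 dev lo table 100",
    "echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter",
    "echo 1 > /proc/sys/net/ipv4/ip_forward",
)


def parse_stunnel_conf(text):
    """Parse stunnel's INI-like config into (global_opts, {service: opts}).

    Keys may repeat (several 'options' lines, for instance), so values are lists.
    """
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # tolerate a junk line instead of aborting the audit
        opts = global_opts if current is None else services[current]
        opts.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def normalize(cmd):
    """Collapse whitespace so indentation differences do not hide a match."""
    return " ".join(cmd.split())


def backend_host(connect_value):
    """'host:port' -> 'host'; handles '[v6addr]:port' and a bare port (localhost)."""
    value = connect_value.strip()
    if value.startswith("["):
        return value[1 : value.index("]")]
    host, sep, _port = value.rpartition(":")
    return host if sep else "127.0.0.1"


def audit(conf_text, applied_commands, local_addresses):
    """Return a list of findings; an empty list means nothing obvious is missing."""
    findings = []
    global_opts, services = parse_stunnel_conf(conf_text)
    default_mode = global_opts.get("transparent", ["none"])[-1]
    # A service-level 'transparent' overrides the global one.
    source_services = sorted(
        name for name, opts in services.items()
        if opts.get("transparent", [default_mode])[-1] in ("source", "both")
    )
    if not source_services:
        return findings  # stunnel connects from its own address; nothing to check
    applied = {normalize(c) for c in applied_commands.splitlines() if c.strip()}
    for cmd in REQUIRED_COMMANDS:
        if normalize(cmd) not in applied:
            findings.append(f"missing on stunnel host: {cmd}")
    for name in source_services:
        for target in services[name].get("connect", []):
            host = backend_host(target)
            if host not in local_addresses:
                findings.append(
                    f"[{name}] backend {host} is not on the stunnel host: with "
                    "transparent = source it answers to the client's address, so "
                    "its replies only reach stunnel if the stunnel host is on its "
                    "return path (e.g. as its gateway); otherwise the connection "
                    "times out"
                )
    return findings


# Constructed sample modelled on the message: transparent mode set globally,
# both services pointing at the web server 192.168.0.2.
SAMPLE_CONF = """\
pid = /stunnel.pid
options = NO_SSLv2
transparent = source

[virtual]
accept = 443
cert = /usr/local/openssl/etc/CERTIFICATES/www.franceserv.fr_cert.cert
key = /usr/local/openssl/etc/PRIVATE_KEYS/www.franceserv.fr_key.pem
connect = 192.168.0.2:80
[sni1]
sni = virtual:elodie.franceserv.com
cert = /etc/ssl-fsh/cert-elodie.franceserv.com.pem
key = /etc/ssl-fsh/key-franceserv.key
connect = 192.168.0.2:80
"""

# Constructed: the quoted rule set with the rp_filter line left out on purpose.
SAMPLE_COMMANDS = """\
   iptables -t mangle -N DIVERT
   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
   iptables -t mangle -A DIVERT -j MARK --set-mark 1
   iptables -t mangle -A DIVERT -j ACCEPT
   ip rule add fwmark 1 lookup 100
   ip route add local 0.0.0.0/0 dev lo table 100
   echo 1 > /proc/sys/net/ipv4/ip_forward
"""

# Assumption: the addresses that belong to the stunnel host itself.
STUNNEL_HOST_ADDRESSES = {"127.0.0.1", "localhost", "192.168.0.20"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_COMMANDS, STUNNEL_HOST_ADDRESSES):
        print("-", finding)
```

Run as-is it prints three findings: the missing rp_filter line and one return-path warning per service. Passing the web server's own address in the local set (the case where stunnel and the web server share a host) together with the complete command list yields no findings.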


