[stunnel-users] Conf question: HTTP to HTTPS with SNI

• Previous message (by thread): [stunnel-users] more than 1000 concurrent connections?
• Next message (by thread): [stunnel-users] Stunnel on WIndows Server 2008 R2 SP1 x 64 fails - Microsoft.VC90.CRT.MANIFEST
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I have a particular task I need to accomplish in which an HTTP-only
caching proxy server is to accept SSL.  The architecture in mind is as
follows:


 - Receive request
{
HTTP request:
 - Received by caching proxy at localhost:80

HTTPS request:
 - Received by Pound
 - Decoded to HTTP
 - X-FROM-SSL header added
 - Forwarded to localhost:80 (caching proxy)
}

Proxy receives HTTP request
 - Perform caching
 - If X-FROM-SSL, forward to localhost:8088
 - Else forward to HTTP server



It is at this point that two design options come into play, both using
stunnel.  Either use SNI or use stunnel and HTTP.  Via SNI, this would
appear as follows:

Stunnel receives HTTP request
 - Forward to https://http-server:443/ with SNI

This of course requires that stunnel can read the 'Host' header out of
an HTTP request and use that for SNI automatically (there's some 300
virtual hosts on that server).  If not, this is infeasible.

Which is my question, of course:  can this be done?


If this isn't an option, then the next logical way to handle this problem is:

Stunnel receives HTTP request:
 - SSL encrypt
 - Forward to http-server:8443

http-server receives HTTP over stunnel
 - stunnel receives on http-server:8443
 - Decrypt and forward to http://localhost:80/

In this way the entire connection would be encrypted, and the HTTP
server would see the Host: header and use that to figure out the
virtual host etc.

Is that the better/only way?

• Previous message (by thread): [stunnel-users] more than 1000 concurrent connections?
• Next message (by thread): [stunnel-users] Stunnel on WIndows Server 2008 R2 SP1 x 64 fails - Microsoft.VC90.CRT.MANIFEST
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]