<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hello,<br>
I am always intrigued by people using stunnel on "client" space to
reach an https server:<br>
all browsers, except on a few platforms (eg Windows Mobile 5) can do
that directly provided that you have imported the proper certs in
their cert store.<br>
On the other hand Stunnel then can HELP to secure an http SERVER to
enhance it to https, but I have already explained in other notes
about webdav that http+SSL is NOT https.<br>
This is another discussion.<br>
But, if you have access to the server machine, it is better to
activate SSL support in Apache.<br>
<br>
Something else: and if you want to secure remote websites, that you
DO NOT administer, then it is 1/ nonsense and 2/ impossible to
speak SSL with them.<br>
<br>
Anyway, it appears that you want ORDINARY clients to SHARE a unique
CERT to OPEN their access to RESTRICTED areas.<br>
It is not exactly, hmmm, I should say "appropriate".<br>
<br>
And if your clients are just accessing SSL servers only using
"server ssl auth" but not "client ssl auth", then it is useless to
use stunnel for that : any browser can do that directly.<br>
<br>
Let me insist on the sole case where your problem seems to be
"real":<br>
if you want clients, that do NOT have a proper cert, to share a cert
to access remote protected serverS.<br>
Your "solution" could only make sense if, by chance, ALL the remote
servers recognize the SAME client cert.<br>
Which is improbable. Anyway, in that case, you can imagine putting
that cert in the stunnel proxy.<br>
<br>
<br>
Well alright, what you want to do is "transparent proxying with ssl
support".<br>
It is only possible with a special gateway machine placed between
your users and internet:<br>
Apache proxy feature can do that.<br>
Maybe squid also.<br>
<br>
But once again it is unlikely that all your serverS recognize the
same "client user cert".<br>
<br>
A possible architecture could be this:<br>
client --------> request to <a class="moz-txt-link-freetext" href="https://server1">https://server1</a>, <a class="moz-txt-link-freetext" href="https://server2">https://server2</a><br>
<br>
request----> iptables : redirect request for server1 to gateway:
port 1, request for server 2 to gw: port2<br>
<br>
on the gateway: configure stunnel to proxy localhost: port 1 to
remote <a class="moz-txt-link-freetext" href="https://server1">https://server1</a>, requests to port 2 to remote <a class="moz-txt-link-freetext" href="https://server2">https://server2</a><br>
<br>
<br>
TIP: if you do not have iptables, trick the /etc/hosts on your
clients, putting server1 ...addr of gateway/stunnel server...<br>
and if you have not the right to administer the clients,...hmmmm,
nor the http serverS, nor ...the stunnel gateway...<br>
Then maybe we can say that you are trying to do something not
allowed....<br>
<br>
Yours sincerely,<br>
Pierre<br>
<br>
On 30/10/2010 20:46, Hugo wrote:
<blockquote cite="mid:4CCC680A.6060401@gkz.fr.nf" type="cite">
Thanks for the answer, but it seems I haven't got access to
IPTables (my stunnel is on a remote shell service) and I think
using a webserver is not a good solution for that case.<br>
<br>
So does anyone know a program able to bind on a single port, and
redirect requests to another depending on the domain name?<br>
<br>
Thank you in anticipation<br>
Hugo<br>
<br>
On 30/10/2010 17:02, Pierre DELAAGE wrote:
<blockquote cite="mid:4CCC3378.5000005@free.fr" type="cite">
Hello,<br>
The answer is simply NO in stunnel,<br>
but yes in Apache.<br>
If you are joining one "http server", hosting many virtual
hosts,<br>
it should be "trivial".<br>
I recommend using IP based hosting.<br>
<br>
I guess you want to act as a transparent gateway/proxy to https
servers:<br>
there is another way to proceed if you have a linux PC on your
network that can act as a routing/gateway:<br>
with iptables you can do redirection to stunnel and get what you
want.<br>
Sorry but it is a little bit complicated to develop more now.<br>
<br>
Hope this helps,<br>
Pierre Delaage<br>
<br>
<br>
On 30/10/2010 17:12, Hugo wrote:
<blockquote cite="mid:4CCC35D3.1050903@gkz.fr.nf" type="cite">
<pre wrap="">Hello all!
Does anyone know a way to make many services listen on the same port?
I've got one stunnel4 server which allows me to encrypt two http servers.
The first service binds on port 465 and the second on 470.
What I want is to let users access port 465 using 2 different
ServerNames.
Thank you in anticipation, and excuse me for my quite bad English =D
</pre>
<pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
stunnel-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:stunnel-users@mirt.net">stunnel-users@mirt.net</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://stunnel.mirt.net/mailman/listinfo/stunnel-users">http://stunnel.mirt.net/mailman/listinfo/stunnel-users</a>
</pre>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
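Hugo's underlying question is how one listening port can be shared by several ServerNames. Before the TLS handshake completes, the only hostname visible on the wire is the SNI extension in the ClientHello, so a demultiplexer on the shared port has to read that and pick a backend from it. The block below is an added illustration, not code from the thread or from stunnel: it builds a minimal ClientHello as constructed test input, extracts the SNI host_name from it, and maps the name to one of the two local ports Hugo mentions (465 and 470); the hostnames and the mapping are assumed.<br>

```python
import struct

BACKENDS = {"server1.example": 465, "server2.example": 470}  # constructed: SNI name -> local port

def build_client_hello(hostname=None):
    """Constructed test input: a minimal TLS 1.2 ClientHello, with an SNI extension if hostname is given."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"      # client_version, random, empty session_id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"         # one cipher suite, null compression only
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name               # name_type 0 = host_name
        ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry    # ext type, ext len, list len
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake

def extract_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:          # not a handshake record / not a ClientHello
            return None
        p = record[9:9 + int.from_bytes(record[6:9], "big")]  # ClientHello body
        i = 2 + 32                                          # skip client_version and random
        i += 1 + p[i]                                       # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]         # cipher_suites
        i += 1 + p[i]                                       # compression_methods
        end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]    # struct.error here = no extensions block
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            i += 4
            if etype == 0:                                  # server_name extension
                j = i + 2                                   # skip server_name_list length
                while j + 3 <= i + elen:
                    ntype, nlen = p[j], struct.unpack("!H", p[j + 1:j + 3])[0]
                    if ntype == 0:
                        return p[j + 3:j + 3 + nlen].decode("ascii")
                    j += 3 + nlen
                return None
            i += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def choose_backend(record, table=BACKENDS, default=None):
    """Pick the local port to hand a new connection to, using only the unencrypted SNI."""
    name = extract_sni(record)
    return table.get(name, default) if name else default
```

A real demultiplexer would peek the first record without consuming it, then splice the socket to the chosen port; a name that is absent or unknown should fall through to a safe default rather than to a guessed backend.<br>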
</body>
</html>