On Tue, Jul 17, 2018 at 10:51:07PM -0600, C. Petro wrote:
I have a client who is setting up a logging infrastructure involving a couple of DMZs forwarding logs into central logging points.
They have to pass compliance audits (SOX, PCI at least) and have some rather specific desires in regards to how they want the log traffic to move, and which servers *initiate* the connections.
Which is to say they want the internal servers to set up tunnels to the DMZ servers and then the forwarders use that tunnel to deliver logs back.
...oof. I went back and reread your original message more carefully. The truth is, stunnel cannot really do what you want :(
It seems to me that what you want could be accomplished with OpenSSH and its remote connection forwarding: set up an SSH server in the DMZ, generate a (possibly passphraseless) key pair on the central server, add the public key to the authorized_keys file of an unprivileged account on the DMZ server, and then, on the central server (again, from an unprivileged account), run a command like:
ssh -N -R 3000:localhost:3000 [email protected]
Then SSH will listen for incoming connections on 127.0.0.1:3000 on the DMZ server and, when a connection comes in, create a connection from 127.0.0.1 to 127.0.0.1:3000 on the central server and start forwarding data.
If needed, the OpenSSH server on the DMZ host may be configured so that it is very restricted: only public-key authentication, only certain users may connect, only certain commands may be executed, etc.
Apologies for not reading your first message carefully enough!
G'luck, Peter
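Added example, not from the thread: a locked-down configuration for the reverse tunnel described above, written from the defender's side so the DMZ account can do nothing but bind that one loopback listener. Assumed names: an account logfwd on the DMZ host dmz.example.com, port 3000 at both ends, a dedicated key ~/.ssh/logfwd_tunnel on the central server, and OpenSSH 7.8 or later for PermitListen/permitlisten.

```sshconfig
# --- DMZ host: Match block appended to /etc/ssh/sshd_config (check with `sshd -t`, then reload) ---
# Only the tunnel account is affected; it may bind one loopback listener and nothing else.
Match User logfwd
    PasswordAuthentication no
    PubkeyAuthentication yes
    # -R is allowed, -L/-D are refused
    AllowTcpForwarding remote
    # the only listener the client may request (OpenSSH 7.8+)
    PermitListen 127.0.0.1:3000
    # keep the listener on loopback even if the client asks for 0.0.0.0
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    # ssh -N requests no command; any session that does gets /bin/false
    ForceCommand /bin/false
    # drop half-open tunnels so the supervisor on the central side can reconnect
    ClientAliveInterval 30
    ClientAliveCountMax 3

# --- DMZ host: /home/logfwd/.ssh/authorized_keys (key material is a placeholder) ---
# "restrict" turns off pty, agent/X11 forwarding and command execution; "port-forwarding"
# re-enables forwarding alone and "permitlisten" pins it to the same loopback port.
restrict,port-forwarding,permitlisten="127.0.0.1:3000" ssh-ed25519 AAAA...PLACEHOLDER... central-log-tunnel

# --- central server: ~/.ssh/config of the unprivileged account that runs `ssh -N dmz-logtunnel` ---
Host dmz-logtunnel
    HostName dmz.example.com
    User logfwd
    # dedicated passphraseless key used for nothing else
    IdentityFile ~/.ssh/logfwd_tunnel
    IdentitiesOnly yes
    # listener on the DMZ host -> log collector on this host
    RemoteForward 127.0.0.1:3000 127.0.0.1:3000
    # exit instead of holding a useless session when the listener cannot be bound
    ExitOnForwardFailure yes
    ServerAliveInterval 30
    ServerAliveCountMax 3
    # pin the DMZ host key (pre-populate known_hosts) so the tunnel cannot be redirected
    StrictHostKeyChecking yes
```

Run `ssh -N dmz-logtunnel` under a supervisor (a systemd unit or autossh) so the tunnel is re-established after a drop; ExitOnForwardFailure is what makes that restart loop reliable.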