Hello,
I am always intrigued by people using stunnel on the "client" side to reach an https server:
all browsers, except on a few platforms (e.g. Windows Mobile 5), can do that directly, provided that you have imported the proper certs into their cert store.
On the other hand, stunnel can HELP to secure an http SERVER by enhancing it to https, but I have already explained in other notes about WebDAV that http+SSL is NOT https.
That is another discussion.
But, if you have access to the server machine, it is better to activate SSL support in Apache.

Something else: if you want to secure remote websites that you DO NOT administer, then it is 1/ nonsense and 2/ impossible to speak SSL with them.

Anyway, it appears that you want ORDINARY clients to SHARE a single CERT to OPEN their access to RESTRICTED areas.
It is not exactly, hmmm, I should say "appropriate".

And if your clients are only accessing SSL servers using "server SSL auth" but not "client SSL auth", then it is useless to use stunnel for that: any browser can do that directly.

Let me insist on the sole case where your problem seems to be "real":
if you want clients that do NOT have a proper cert to share a cert to access remote protected serverS.
Your "solution" could only make sense if, by chance, ALL the remote servers recognize the SAME client cert.
Which is improbable. Anyway, in that case, you can imagine putting that cert in the stunnel proxy.


Well, alright, what you want to do is "transparent proxying with SSL support".
It is only possible with a special gateway machine placed between your users and the internet:
the Apache proxy feature can do that.
Maybe squid also.

But once again, it is unlikely that all your serverS recognize the same "client user cert".

A possible architecture could be this:
client --------> request to https://server1, https://server2

request ----> iptables: redirect requests for server1 to gateway: port 1, requests for server2 to gw: port 2

on the gateway: configure stunnel to proxy localhost: port 1 to remote https://server1, and port 2 to remote https://server2


TIP: if you do not have iptables, trick /etc/hosts on your clients, putting server1 ...addr of gateway/stunnel server...
And if you do not have the right to administer the clients, ...hmmmm, nor the http serverS, nor ...the stunnel gateway...
Then maybe we can say that you are trying to do something not allowed....

Yours sincerely,
Pierre
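Hugo's follow-up below asks for a program that binds a single port and redirects each request to another port depending on the domain name. Before any TLS handshake completes, the only hostname a TCP-level dispatcher can see is the server_name (SNI) extension in the client's ClientHello, so that is what such a program has to key on. The following is an added example, my own code and not from this thread or from the stunnel project: a minimal SNI dispatcher in Python. It reads exactly one TLS record from the client, extracts the host_name, looks it up in a hypothetical ROUTES table (site1.example / site2.example and the backend ports 4651 / 4652 are assumptions for the demo), replays the ClientHello to the chosen backend and then splices the two sockets. Connections with no SNI (older clients) or with an unknown name are dropped rather than guessed. The build_client_hello helper only constructs test data and is not a real client.

```python
# Single-port TLS dispatcher: routes each connection by the SNI name in its ClientHello.
# Added example, not code from the thread or from stunnel; ROUTES entries are hypothetical.
import asyncio
import struct

# Hypothetical routing table: SNI host_name -> (host, port) of the backend for that name.
ROUTES = {
    "site1.example": ("127.0.0.1", 4651),
    "site2.example": ("127.0.0.1", 4652),
}

def extract_sni(data: bytes):
    """Return the host_name from one TLS ClientHello record, or None if the record is
    not a complete, well-formed ClientHello carrying a server_name extension."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                  # handshake record, ClientHello
            return None
        data = data[:5 + struct.unpack_from("!H", data, 3)[0]]  # clip to the record length
        hs_len = int.from_bytes(data[6:9], "big")
        hello = data[9:9 + hs_len]
        if len(hello) != hs_len:                                # truncated or fragmented hello
            return None
        pos = 2 + 32                                            # client_version + random
        pos += 1 + hello[pos]                                   # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]      # cipher_suites
        pos += 1 + hello[pos]                                   # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        if ext_end > len(hello):
            return None
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            ext, pos = hello[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            if ext_type != 0:                                   # 0 = server_name (RFC 6066)
                continue
            p, list_end = 2, min(2 + struct.unpack_from("!H", ext, 0)[0], len(ext))
            while p + 3 <= list_end:
                name_type, name_len = ext[p], struct.unpack_from("!H", ext, p + 1)[0]
                name, p = ext[p + 3:p + 3 + name_len], p + 3 + name_len
                if name_type == 0 and len(name) == name_len:    # host_name entry
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):      # malformed or too short
        return None

def pick_backend(sni, routes=ROUTES):
    """Map an SNI name (case-insensitive) to a backend; None means 'no route'."""
    return routes.get(sni.lower()) if sni else None

def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test data only)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"               # version, random, no session id
             + struct.pack("!H", 2) + b"\x13\x01"               # one cipher suite
             + b"\x01\x00"                                      # null compression only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

async def _pump(src, dst):
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()

async def handle(reader, writer):
    """Read one full TLS record, route on its SNI, then splice client and backend."""
    try:
        hdr = await reader.readexactly(5)
        first = hdr + await reader.readexactly(struct.unpack("!H", hdr[3:5])[0])
    except asyncio.IncompleteReadError:
        writer.close()
        return
    target = pick_backend(extract_sni(first))
    if target is None:                                          # unknown or missing SNI: drop
        writer.close()
        return
    try:
        b_reader, b_writer = await asyncio.open_connection(*target)
    except OSError:
        writer.close()
        return
    b_writer.write(first)                                       # replay the ClientHello
    await asyncio.gather(_pump(reader, b_writer), _pump(b_reader, writer))

async def serve(host="0.0.0.0", port=465):
    server = await asyncio.start_server(handle, host, port)
    await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(serve())
```

The dispatcher never terminates TLS, so each backend still needs the certificate for its own name, and the scheme only works for clients that send SNI; a ClientHello without it yields None and the connection is closed instead of being routed to a default. Later stunnel releases added an `sni` service option that performs this kind of dispatch inside stunnel itself, which is what makes a single-port setup possible without an extra program in front of it.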
On 30/10/2010 20:46, Hugo wrote:
Thanks for the answer, but it seems I don't have access to iptables (my stunnel is on a remote shell service), and I think using a webserver is not a good solution for that case.

So does anyone know of a program able to bind to a single port and redirect requests to another depending on the domain name?

Thank you in anticipation
Hugo

On 30/10/2010 17:02, Pierre DELAAGE wrote:
Hello,
The answer is simply NO in stunnel,
but yes in Apache.
If you are reaching one "http server" hosting many virtual hosts,
it should be "trivial".
I recommend using IP-based hosting.

I guess you want to act as a transparent gateway/proxy to https servers:
there is another way to proceed if you have a Linux PC on your network that can act as a router/gateway:
with iptables you can redirect to stunnel and get what you want.
Sorry, but it is a little bit complicated to develop this further now.

Hope this helps,
Pierre Delaage


On 30/10/2010 17:12, Hugo wrote:
Hello all!

Does anyone know a way to make many services listen on the same port?
I've got one stunnel4 server which allows me to encrypt two http servers.
The first service binds to port 465 and the second to port 470.
What I want is to let users access port 465 using 2 different
ServerNames.

Thank you in anticipation, and excuse my quite bad English =D

_______________________________________________ stunnel-users mailing list [email protected] http://stunnel.mirt.net/mailman/listinfo/stunnel-users

