[stunnel-users] Feature request - verify fall-back
Brian Hatch
bri at stunnel.org
Thu May 8 21:53:32 CEST 2008
Roughly around 2008-05-07 15:34 -0400, Sudhaker Raj mentioned:
> I wish to use stunnel for following use-case (to create a
> highly-protected website which can be accessed only using a valid
> client-cert).
>
> gateway.example.com:443 -> public.example.com:80 (when client-cert
> verification fails)
> gateway.example.com:443 -> intranet.example.com:80 (when client-cert
> verification ok - normally hidden from public)
>
...
> I guess it will be a nice addition to stunnel's feature list.
I disagree. I don't think it's a good idea to add to Stunnel.
This is application layer logic you want, essentially. Your best
bet would be to use SSL in apache/webserver of choice directly.
Then you can place the verification constraint in the configuration
and configure the webserver to serve up selected pages if and only
if a cert has been used via normal apache 'require' ACLs.
Alternatively this could be configured with apache as a reverse
proxy using mod_proxy in front of two different back end webservers
(public and intranet in your example above) if you really want
distinct webservers for each.
--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/

"I think that we missed something. We should have called it 'Licensed Software Delivery', not 'Electronic.'" --Bruce
Every message PGP signed
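As an added illustration of the alternative Brian describes (Apache as a reverse proxy in front of two back ends, routing on the client-cert verification result), here is an example Apache 2.4 virtual host. It is not from the original thread or from the stunnel project; the certificate paths are assumed placeholders, and the backend hostnames are taken from Sudhaker's example.

```apache
# Added example (not from the original post): Apache 2.4 gateway that
# terminates TLS itself and proxies to one of two back ends depending on
# whether the client presented a certificate that chains to our CA.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_rewrite.
<VirtualHost *:443>
    ServerName gateway.example.com

    SSLEngine on
    # Assumed paths; replace with your own server cert/key and client CA.
    SSLCertificateFile    /etc/ssl/gateway.example.com.crt
    SSLCertificateKeyFile /etc/ssl/gateway.example.com.key
    SSLCACertificateFile  /etc/ssl/client-ca.crt

    # "optional": the handshake completes without a client cert, so a
    # browser with no cert is still served. If a cert IS presented it must
    # verify, or the handshake fails (see note below).
    SSLVerifyClient optional
    SSLVerifyDepth  2

    ProxyRequests Off
    ProxyPreserveHost On

    RewriteEngine On
    # Verified client certificate -> intranet back end (normally hidden).
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
    RewriteRule ^/(.*)$ http://intranet.example.com:80/$1 [P,L]
    # Everything else -> public back end.
    RewriteRule ^/(.*)$ http://public.example.com:80/$1 [P,L]

    ProxyPassReverse / http://intranet.example.com:80/
    ProxyPassReverse / http://public.example.com:80/
</VirtualHost>
```

Two points worth checking before relying on this: with `SSLVerifyClient optional`, a client that presents a certificate which does not verify gets a handshake failure rather than the public fallback (only a client that presents no certificate falls through), so "verification fails -> public" in the original request is only partly matched; and the intranet back end sees plain HTTP from the gateway, so it must be reachable only from the gateway host (firewall or bind address), otherwise the client-cert check can be bypassed by connecting to port 80 directly.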