[stunnel-users] Many services on the same port (VirtualHost)

Pierre DELAAGE delaage.pierre at free.fr
Sat Oct 30 21:03:10 CEST 2010

I am always intrigued by people using stunnel on "client" space to reach 
an https server:
all browsers, except on a few platforms (e.g. Windows Mobile 5), can do 
that directly provided that you have imported the proper certs in their 
cert store.
On the other hand, Stunnel then can HELP to secure an http SERVER to 
enhance it to https, but I have already explained in other notes about 
webdav that http+SSL is NOT https.
This is another discussion.
But, if you have access to the server machine, it is better to activate 
SSL support in Apache.

Something else: if you want to secure remote websites that you DO 
NOT administer, then it is 1/ nonsense and 2/ impossible to speak SSL 
with them.

Anyway, it appears that you want ORDINARY clients to SHARE a unique CERT 
to OPEN their access to RESTRICTED areas.
It is not exactly, hmmm, I should say "appropriate".

And if your clients are just accessing SSL servers only using "server 
ssl auth" but not "client ssl auth", then it is useless to use stunnel 
for that: any browser can do that directly.

Let me insist on the sole case where your problem seems to be "real":
if you want clients that do NOT have a proper cert to share a cert to 
access remote protected serverS.
Your "solution" could only make sense if, by chance, ALL the remote 
servers recognize the SAME client cert.
Which is improbable. Anyway, in that case, you can imagine putting that 
cert in the stunnel proxy.

Well alright, what you want to do is "transparent proxying with ssl".
It is only possible with a special gateway machine placed between your 
users and the internet:
Apache's proxy feature can do that.
Maybe squid also.

But once again it is unlikely that all your serverS recognize the same 
"client user cert".

A possible architecture could be this:
client --------> request to https://server1, https://server2

request----> iptables: redirect request for server1 to gateway: port 1, 
request for server 2 to gw: port 2

on the gateway: configure stunnel to proxy localhost: port 1 to remote 
https://server1, request to port 2 to remote https://server2

TIP: if you do not have iptables, trick the /etc/hosts on your clients 
putting server1 ...addr of gateway/stunnel server...
and if you do not have the right to administer the clients,...hmmmm, nor 
the http serverS, nor ...the stunnel gateway...
Then maybe we can say that you are trying to do something not allowed....

Yours sincerely,

On 30/10/2010 20:46, Hugo wrote:
> Thanks for the answer, but it seems I haven't got access to IPTables 
> (my stunnel is on a remote shell service) and I think using a 
> webserver is not a good solution for that case.
> So does anyone know a program able to bind on a single port, and 
> redirect requests on another depending on the domain name?
> Thank you in anticipation
> Hugo
> On 30/10/2010 17:02, Pierre DELAAGE wrote:
>> Hello,
>> The answer is simply NO in stunnel,
>> but yes in Apache.
>> If you are joining one "http server", hosting many virtual hosts,
>> it should be "trivial".
>> I recommend using IP based hosting.
>> I guess you want to act as a transparent gateway/proxy to https servers :
>> there is another way to proceed if you have a linux PC on your 
>> network that can act as a routing/gateway:
>> with iptables you can do redirection to stunnel and get what you want.
>> Sorry but it is a little bit complicated to develop more now.
>> Hope this helps,
>> Pierre Delaage
>> On 30/10/2010 17:12, Hugo wrote:
>>> Hello all!
>>> Does anyone know a way to make many services listen on the same port?
>>> I've got one stunnel4 server which allows me to encrypt two http servers.
>>> The first service binds on port 465 and the second on 470.
>>> What I want is to let users access port 465 using 2 different
>>> ServerNames.
>>> Thank you in anticipation, and excuse me for my quite bad English =D
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users at mirt.net
>>> http://stunnel.mirt.net/mailman/listinfo/stunnel-users

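Hugo's single-port question, illustrated by an added example that is not part of the thread and not stunnel code: a TLS ClientHello carries the requested host name in cleartext (the server_name extension, RFC 6066), and that field is the only thing a one-port dispatcher can route on before the handshake completes. The host names, local ports and routing table below are assumptions; the ClientHello is constructed in the code, not captured.

```python
import struct

# Constructed sample input, not a capture: a minimal TLS 1.2 ClientHello
# whose only extension is server_name (RFC 6066) for `host`.
def build_client_hello(host: str) -> bytes:
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry             # ServerNameList
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni        # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"            # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"             # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs # record type 22 = handshake

def extract_sni(data: bytes):
    """Return the host_name from a ClientHello record, or None when the bytes are not
    a ClientHello carrying SNI. Every length is checked so a malformed record cannot raise."""
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if len(rec) < 4 or rec[0] != 0x01:
            return None
        hs = rec[4:4 + int.from_bytes(rec[1:4], "big")]
        pos = 2 + 32                                         # client_version, random
        pos += 1 + hs[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                                   # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype != 0x0000:
                pos += elen
                continue
            sni = hs[pos:pos + elen]                         # list_len(2) type(1) len(2) name
            if len(sni) < 5 or sni[2] != 0:
                return None
            nlen = struct.unpack("!H", sni[3:5])[0]
            name = sni[5:5 + nlen]
            return name.decode("ascii") if len(name) == nlen and name else None
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None

# Hypothetical routing table: each name maps to a local stunnel listener on the gateway;
# an unknown or missing name yields None, so the dispatcher drops rather than guesses.
BACKENDS = {"server1.example": ("127.0.0.1", 8441), "server2.example": ("127.0.0.1", 8442)}

def choose_backend(data: bytes):
    return BACKENDS.get(extract_sni(data))
```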