[stunnel-users] stunnel OK without "transparent = source", with = timeout problem

Elodie BOSSIER elodieuse at gmail.com
Mon Aug 1 13:00:23 CEST 2011


I have exactly the same error:
http://comments.gmane.org/gmane.network.stunnel.user/5019
but with Apache

On 31/07/2011 21:01, Elodie BOSSIER wrote:
> Me again ...
>
> I can't find my problem and I'm starting to despair on my own ...
>
> My stunnel works correctly with this config file :
>
> pid = /stunnel.pid
> debug = 7
> output = /var/log/stunnel.log
> options = NO_SSLv2
>
> #transparent = source
>
> [virtual]
> accept = 443
> cert = /usr/local/openssl/etc/CERTIFICATES/www.franceserv.fr_cert.cert
> key = /usr/local/openssl/etc/PRIVATE_KEYS/www.franceserv.fr_key.pem
> connect = www.franceserv.fr:80
> [sni1]
> sni = virtual:elodie.franceserv.com
> cert = /etc/ssl-fsh/cert-elodie.franceserv.com.pem
> key = /etc/ssl-fsh/key-franceserv.key
> connect = elodie.franceserv.com:80
> [sni2]
> sni = virtual:befun.franceserv.com
> cert = /etc/ssl-fsh/cert-befun.franceserv.com.pem
> key = /etc/ssl-fsh/key-franceserv.key
> connect = befun.franceserv.com:80
>
> But the IP transmitted to my server is the stunnel IP and not that of the 
> visitor behind his browser,
> and it doesn't work anymore when I remove the # to enable 
> transparent mode.
>
> and these are my iptables rules:
>
>   iptables -t mangle -N DIVERT
>   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>   iptables -t mangle -A DIVERT -j MARK --set-mark 1
>   iptables -t mangle -A DIVERT -j ACCEPT
>   ip rule add fwmark 1 lookup 100
>   ip route add local 0.0.0.0/0 dev lo table 100
>   echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>   echo 1 > /proc/sys/net/ipv4/ip_forward
>
> as it is said in the manual, but nothing more ...
>
> A friend has tested on his side and he has the same problem.
>
> Could someone tell me my error, please?
>
> On 29/07/2011 03:25, Elodie BOSSIER wrote:
>> Back ...
>>
>> I can't find the problem.
>>
>> This is the log without transparent, when it is working: 
>> http://pastebin.com/mjReyE8a
>> with transparent and not working : http://pastebin.com/ZGqRVXzF
>>
>> Thanks so much ...
>>
>> On 28/07/2011 12:25, Elodie BOSSIER wrote:
>>> Greetings again,
>>>
>>> Thanks so much for having updated the manual about SNI, my stunnel works 
>>> correctly.
>>>
>>> But I have a tiny problem: when I visit my webserver, the 
>>> SERVER['REMOTE_ADDR'] in PHP isn't the IP address of the visitor 
>>> but the IP of the stunnel.
>>> I have read the manual about this transparent proxy and I don't 
>>> succeed with the configuration.
>>>
>>> This is my config file :
>>>
>>> pid = /stunnel.pid
>>> options = NO_SSLv2
>>> transparent = source
>>> [virtual]
>>> accept = 443
>>> cert = /usr/local/openssl/etc/CERTIFICATES/www.franceserv.fr_cert.cert
>>> key = /usr/local/openssl/etc/PRIVATE_KEYS/www.franceserv.fr_key.pem
>>> connect = www.franceserv.fr:80
>>> [sni1]
>>> sni = virtual:elodie.franceserv.com
>>> cert = /etc/ssl-fsh/cert-elodie.franceserv.com.pem
>>> key = /etc/ssl-fsh/key-franceserv.key
>>> connect = elodie.franceserv.com:80
>>> [sni2]
>>> sni = virtual:befun.franceserv.com
>>> cert = /etc/ssl-fsh/cert-befun.franceserv.com.pem
>>> key = /etc/ssl-fsh/key-franceserv.key
>>> connect = befun.franceserv.com:80
>>>
>>> It doesn't work, I get a timeout in my browser.
>>>
>>> With iptables, I have set this:
>>>
>>>   iptables -t mangle -N DIVERT
>>>   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>   iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>   iptables -t mangle -A DIVERT -j ACCEPT
>>>   ip rule add fwmark 1 lookup 100
>>>   ip route add local 0.0.0.0/0 dev lo table 100
>>>   echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>   echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> My stunnel is on the server 192.168.0.20 and the webserver on 
>>> 192.168.0.2
>>>
>>> I try to follow the help of 
>>> http://www.stunnel.org/static/stunnel.html#service_level_options
>>> with : transparent = none | source | destination | both (Unix only)
>>>
>>> Could you tell me what I am doing wrong, please?
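Added example, not code from the thread or from the stunnel project: a small Python checker that parses a constructed stunnel.conf in the same layout as the one above and, for every service that inherits transparent = source, reports whether its connect target is local (reached over lo, where the DIVERT rules from the manual apply) or a remote backend such as the 192.168.0.2 webserver in the thread. In the remote case the backend sees the spoofed client address, so its replies must be routed back through the stunnel host for the TCP handshake to complete at all; the stunnel host address and the hostnames in the sample are assumptions.

```python
import re

# Constructed sample stunnel.conf (global options first, then [service]
# sections; "sni = parent:hostname" binds a virtual service to the parent
# service that accepts the TLS connection).
SAMPLE_CONF = """\
pid = /stunnel.pid
transparent = source   # global default inherited by every service
[virtual]
accept = 443
connect = www.example.com:80
[sni1]
sni = virtual:elodie.example.com
connect = elodie.example.com:80
[local]
accept = 8443
connect = 127.0.0.1:80
"""

def parse_stunnel_conf(text):
    """Split stunnel's INI-like syntax into (global_opts, {service: opts}).
    Every option maps to a list because keys such as connect may repeat."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = services[current] if current else global_opts
        target.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services

def audit_transparent(text, stunnel_host):
    """For each service using transparent source mode, state what its
    connect target needs: loopback targets only need the DIVERT/mark rules,
    remote targets must also send their replies back via the stunnel host."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        mode = (opts.get("transparent") or global_opts.get("transparent") or ["none"])[0]
        if mode not in ("source", "both"):
            continue
        for dest in opts.get("connect", []):
            host = dest.rsplit(":", 1)[0] if ":" in dest else ""   # bare port = localhost
            if host in ("", "localhost", "127.0.0.1", stunnel_host):
                findings.append(f"{name}: spoofed source to local {dest}; the DIVERT rules on lo suffice")
            else:
                findings.append(f"{name}: spoofed source to remote {dest}; {host} must route its replies via {stunnel_host}")
    return findings
```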


