[stunnel-users] stunnel OK without "transparent = source", with = timeout problem

Michal Trojnara Michal.Trojnara at mirt.net
Wed Aug 3 16:53:23 CEST 2011


Elodie,

With this kind of issue, tcpdump is your best friend.

Make sure your stunnel machine is configured as the default router for 
your webserver machine!

Mike

On Mon, 01 Aug 2011 13:00:23 +0200, Elodie BOSSIER wrote:
> I have exactly the same error:
> http://comments.gmane.org/gmane.network.stunnel.user/5019
> but with Apache
>
> On 31/07/2011 21:01, Elodie BOSSIER wrote:
>> Me again ...
>>
>> I can't find my problem and I'm starting to despair alone ...
>>
>> My stunnel works correctly with this config file :
>>
>> pid = /stunnel.pid
>> debug = 7
>> output = /var/log/stunnel.log
>> options = NO_SSLv2
>>
>> #transparent = source
>>
>> [virtual]
>> accept = 443
>> cert = /usr/local/openssl/etc/CERTIFICATES/www.franceserv.fr_cert.cert
>> key = /usr/local/openssl/etc/PRIVATE_KEYS/www.franceserv.fr_key.pem
>> connect = www.franceserv.fr:80
>> [sni1]
>> sni = virtual:elodie.franceserv.com
>> cert = /etc/ssl-fsh/cert-elodie.franceserv.com.pem
>> key = /etc/ssl-fsh/key-franceserv.key
>> connect = elodie.franceserv.com:80
>> [sni2]
>> sni = virtual:befun.franceserv.com
>> cert = /etc/ssl-fsh/cert-befun.franceserv.com.pem
>> key = /etc/ssl-fsh/key-franceserv.key
>> connect = befun.franceserv.com:80
>>
>> But the IP transmitted to my server is the stunnel IP and not that of the 
>> visitor behind their browser,
>> and it doesn't work anymore when I remove the # to enable 
>> transparent mode.
>>
>> and these are my iptables rules:
>>
>>   iptables -t mangle -N DIVERT
>>   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>   iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>   iptables -t mangle -A DIVERT -j ACCEPT
>>   ip rule add fwmark 1 lookup 100
>>   ip route add local 0.0.0.0/0 dev lo table 100
>>   echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>   echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> as the manual says, but nothing more ...
>>
>> A friend has tested on his side and he has the same problem.
>>
>> Could someone tell me my error, please?
>>
>> On 29/07/2011 03:25, Elodie BOSSIER wrote:
>>> Back ...
>>>
>>> I can't find the problem,
>>>
>>> This is the log without transparent, when it's working: 
>>> http://pastebin.com/mjReyE8a
>>> with transparent and not working: http://pastebin.com/ZGqRVXzF
>>>
>>> Thanks so much ...
>>>
>>> On 28/07/2011 12:25, Elodie BOSSIER wrote:
>>>> Greetings again,
>>>>
>>>> Thanks so much for having updated the manual about SNI; my stunnel 
>>>> works correctly.
>>>>
>>>> But I have a tiny problem: when I visit my webserver, the 
>>>> SERVER['REMOTE_ADDR'] value in PHP isn't the IP address of the visitor 
>>>> but the IP of the stunnel.
>>>> I have read the manual about this transparent proxy and I don't 
>>>> succeed with the configuration.
>>>>
>>>> This is my config file :
>>>>
>>>> pid = /stunnel.pid
>>>> options = NO_SSLv2
>>>> transparent = source
>>>> [virtual]
>>>> accept = 443
>>>> cert = /usr/local/openssl/etc/CERTIFICATES/www.franceserv.fr_cert.cert
>>>> key = /usr/local/openssl/etc/PRIVATE_KEYS/www.franceserv.fr_key.pem
>>>> connect = www.franceserv.fr:80
>>>> [sni1]
>>>> sni = virtual:elodie.franceserv.com
>>>> cert = /etc/ssl-fsh/cert-elodie.franceserv.com.pem
>>>> key = /etc/ssl-fsh/key-franceserv.key
>>>> connect = elodie.franceserv.com:80
>>>> [sni2]
>>>> sni = virtual:befun.franceserv.com
>>>> cert = /etc/ssl-fsh/cert-befun.franceserv.com.pem
>>>> key = /etc/ssl-fsh/key-franceserv.key
>>>> connect = befun.franceserv.com:80
>>>>
>>>> It doesn't work; I get a timeout in my browser.
>>>>
>>>> With iptables, I have set this:
>>>>
>>>>   iptables -t mangle -N DIVERT
>>>>   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>>   iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>>   iptables -t mangle -A DIVERT -j ACCEPT
>>>>   ip rule add fwmark 1 lookup 100
>>>>   ip route add local 0.0.0.0/0 dev lo table 100
>>>>   echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>>>>   echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>> My stunnel is on the server 192.168.0.20 and the webserver on 
>>>> 192.168.0.2
>>>>
>>>> I try to follow the help at 
>>>> http://www.stunnel.org/static/stunnel.html#service_level_options
>>>> with: transparent = none | source | destination | both (Unix 
>>>> only)
>>>>
>>>> Could you tell me what I'm doing wrong, please?
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
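The point in Mike's reply is the return path: with transparent = source, stunnel opens its connection to the webserver using the visitor's IP as the source address, so the webserver answers that visitor's IP, and its SYN-ACK only comes back through stunnel if the webserver's default route points at the stunnel box. If it points elsewhere, the reply bypasses stunnel, the tunnel never completes, and the browser times out exactly as described. The following script is an added example, not from the thread or from stunnel itself: it applies the iptables/ip rules quoted in the post on the stunnel host and checks the two preconditions (default gateway of the webserver, rp_filter/ip_forward sysctls). The function names, the STUNNEL_IP variable and the apply/check subcommands are assumptions for illustration; the addresses (stunnel 192.168.0.20, webserver 192.168.0.2) follow the thread.

```shell
#!/bin/sh
# Added example (not from the list post or from stunnel): apply the
# transparent source-proxy rules from the post and check the routing
# preconditions. Names and the apply/check interface are assumptions.
set -e

STUNNEL_IP="${STUNNEL_IP:-192.168.0.20}"   # address from the thread

# apply_transparent_rules: the rules quoted in the post, run as root on
# the stunnel host. The -N/-C guards make the function safe to re-run.
apply_transparent_rules() {
    iptables -t mangle -N DIVERT 2>/dev/null || true
    iptables -t mangle -C PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null ||
        iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -C DIVERT -j MARK --set-mark 1 2>/dev/null ||
        iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -C DIVERT -j ACCEPT 2>/dev/null ||
        iptables -t mangle -A DIVERT -j ACCEPT
    ip rule add fwmark 1 lookup 100 2>/dev/null || true
    ip route add local 0.0.0.0/0 dev lo table 100 2>/dev/null || true
    echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# default_gateway ROUTES: print the next hop of the "default via" entry in
# the `ip route show` output passed as $1 (pure text parsing, no root).
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# return_path_ok ROUTES STUNNEL_IP: succeed only if the webserver's default
# route goes via the stunnel box. The webserver sees the visitor's IP as the
# client and sends its SYN-ACK there through its default route; if that
# route bypasses the stunnel host the handshake never completes.
return_path_ok() {
    [ "$(default_gateway "$1")" = "$2" ]
}

# sysctl_state_ok ROOT: succeed if rp_filter on lo is 0 and ip_forward is 1,
# read from the /proc/sys tree under ROOT (pass / on the live stunnel host;
# a constructed tree can be passed for offline testing).
sysctl_state_ok() {
    root="${1:-/}"
    [ "$(cat "$root/proc/sys/net/ipv4/conf/lo/rp_filter")" = 0 ] &&
    [ "$(cat "$root/proc/sys/net/ipv4/ip_forward")" = 1 ]
}

case "${1:-}" in
    apply)   # on the stunnel host (192.168.0.20), as root
        apply_transparent_rules
        sysctl_state_ok / && echo "ok: rp_filter(lo)=0, ip_forward=1" ;;
    check)   # on the webserver (192.168.0.2): do replies go back via stunnel?
        routes="$(ip route show)"
        if return_path_ok "$routes" "$STUNNEL_IP"; then
            echo "ok: default route via $STUNNEL_IP"
        else
            echo "FAIL: default route via '$(default_gateway "$routes")', expected $STUNNEL_IP" >&2
            exit 1
        fi ;;
esac
```

Run `sh script.sh apply` on the stunnel host and `sh script.sh check` on the webserver; if the check fails, fix the webserver's default route (or add a route for the visitor address ranges via 192.168.0.20) rather than tweaking stunnel. To confirm with tcpdump as Mike suggests, watch `tcpdump -ni eth0 'tcp port 80'` on the stunnel host while a visitor connects: with a correct return path you see both the SYN with the visitor's source address going to 192.168.0.2 and the SYN-ACK coming back; with a wrong one only the SYN. Note that `ip_forward = 1` turns the stunnel host into a router for everything else too, so pair it with a restrictive FORWARD policy.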