[stunnel-users] X-Forwarded-For / X-Forwarded-Proto

Michal Trojnara Michal.Trojnara at mirt.net
Wed Feb 9 17:18:24 CET 2011

Stefan Behte wrote:
> I believe the overflow was fixed in the newer version of the patch I've
> attached.

I have briefly reviewed the patch and I couldn't find any vulnerabilities
On the other hand its coding style makes my eyes bleed.  8-)

> IMHO the patch will still be very useful, even if it does not support
> keep-alive: often in high-performence setups keep-alive is not even
> because it fills up ressources needlessly. Even if this does not provide
> all features, a lot of people would be satisfied with it.
> There is a great desire for this patch, if one searches for "stunnel
> x-forwarded-for" on google, you will find more than 60 pages and not
only a
> few dozens of blogs/mailing lists that discuss applying the patch and
> getting it to work as an SSL terminator for loadbalancing software.

This feature is on my TODO list for quite a long time.
I guess some people use stunnel for expensive, high-performance clusters. 
It seems strange that none of them decided to sponsor adding a clean
implementation with support for persistent HTTP connections.  Maybe they
don't care.

BTW: Isn't it better to use non-local bind ("transparent=source") instead?

> If it's too much of a hassle for you to review and/or integrate the
> I can understand that very well, I'd just like to open a discussion and
> would like to know if you have concerns regarding the patch quality,
> if you do not want to include the patch at this time. :)

I'm not going to integrate the patch as it is.  That's for sure.

Re-implementing the same functionality (i.e. without persistent HTTP
connections) seems to be quite simple, but the idea of adding a BOA (broken
on arrival) feature seems awkward to me.


More information about the stunnel-users mailing list