[stunnel-users] stunnel & HAProxy : patch still required ?

Thu Nov 24 22:18:13 CET 2011

There is no patch "required" to use Stunnel with HAProxy, regardless of the
OS (i myself use the stunel and haproxy packages on several ubuntu servers).

The "patch" most people talk about in relation to stunnel and haproxy was
to fix the issue where stunnel does not pass the originating IP address of
the client (X-forwarded-for header) but that has been mostly take care of
in recent versions by using the "PROXY" protocol, and really is only
necessary if you need to track the originating https client IP address.

Hope this helps,
Mit

On Wed, Nov 23, 2011 at 4:07 PM, Thomas Manson <thomas at 123monsite.com>wrote:

> Hi,
>
> I'm willing to use this kind of configuration :
>
> https client -->stunnel --> haproxy --> 2 web servers in http (or more)
>
> I've understand that haproxy can't handle the ssl part, that's why stunnel
> is needed.
>
> I've read that a Patch is required for stunnel to work with haproxy in
> this kind of confirmation
>
> "I run stunnel 4.32 with patch from
> http://haproxy.1wt.eu/download/patches/ on port 443 and forward it to
> port 81 on the same machine which is bound to haproxy."
>
> Can anyone tell me if this patch is now included in stunnel,
> in particular, does Ubuntu 11.10 include it ?
>
> I really would rather stay with package provided  by ubuntu in order to
> have easy upgrade/security fix.
> I've experiences the work overload of manually compiling everything in
> Apache for instance ;)
>
> Any advices on this kind of setup ? documentation pointers? best practices
> ?
>
> Regards,
> Thomas.
>
> here is the current package version on ubuntu 11.10
>
>
> thomas at daisybox:~/Documents$ aptitude show stunnel4
> Package: stunnel4
> New: yes
> State: not installed
> Version: 3:4.35-2build1
> Priority: optional
> Section: universe/net
> Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
> Uncompressed Size: 541 k
> Depends: libc6 (>= 2.11), libssl1.0.0 (>= 1.0.0), libwrap0 (>= 7.6-4~),
> openssl, netbase, perl-modules
> PreDepends: adduser
> Suggests: logcheck-database
> Conflicts: stunnel4
> Breaks: stunnel (< 3:4.20-3), stunnel (< 3:4.20-3)
> Replaces: stunnel, stunnel
> Provides: stunnel
> Description: Universal SSL tunnel for network daemons
>  The stunnel program is designed to work  as  SSL  encryption wrapper
> between remote client and local (inetd-startable) or remote server. The
> concept is that having non-SSL
>  aware daemons running  on  your  system you can easily setup them to
> communicate with clients over secure SSL channel.
>
>  stunnel can be used to add  SSL  functionality  to  commonly used  inetd
>  daemons  like  POP-2,  POP-3  and  IMAP servers without any changes in the
> programs' code.
>
>  This package contains a wrapper script for compatibility with stunnel 3.x
> Homepage: http://www.stunnel.org/
>
> thomas at daisybox:~/Documents$ aptitude show stunnel
> No current or candidate version found for stunnel
> Package: stunnel
> State: not a real package
> Provided by: stunnel4
>
>
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>
>

-- 
Will 'Mit' Rowe
Stagename*
*1-866-326-3098
mit at stagename.com <josh at stagename.com>
www.stagename.com
Twitter: @stagename

*The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of this
information by persons or entities other than the intended recipient is
prohibited. If you received this transmission in error, please contact the
sender and delete all material contained herein from your computer.*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20111124/da65c746/attachment.html>