[stunnel-users] Conf question: HTTP to HTTPS with SNI

John Moser john.r.moser at gmail.com
Tue Jul 3 16:00:12 CEST 2012

I have a particular task I need to accomplish in which an HTTP-only
caching proxy server is to accept SSL.  The architecture in mind is as

 - Receive request
HTTP request:
 - Received by caching proxy at localhost:80

HTTPS request:
 - Received by Pound
 - Decoded to HTTP
 - X-FROM-SSL header added
 - Forwarded to localhost:80 (caching proxy)

Proxy receives HTTP request
 - Perform caching
 - If X-FROM-SSL, forward to localhost:8088
 - Else forward to HTTP server

It is at this point that two design options come into play, both using
stunnel.  Either use SNI or use stunnel and HTTP.  Via SNI, this would
appear as follows:

Stunnel receives HTTP request
 - Forward to https://http-server:443/ with SNI

This of course requires that stunnel can read the 'Host' header out of
an HTTP request and use that for SNI automatically (there's some 300
virtual hosts on that server).  If not, this is infeasible.

Which is my question, of course:  can this be done?

If this isn't an option, then the next logical way to handle this problem is:

Stunnel receives HTTP request:
 - SSL encrypt
 - Forward to http-server:8443

http-server receives HTTP over stunnel
 - stunnel receives on http-server:8443
 - Decrypt and forward to http://localhost:80/

In this way the entire connection would be encrypted, and the HTTP
server would see the Host: header and use that to figure out the
virtual host etc.

Is that the better/only way?

More information about the stunnel-users mailing list