[stunnel-users] SSL proxy in Windows - IP Address Issue

Brian McGinity brian at westpcbeach.com
Thu Oct 11 16:21:52 CEST 2012


Thanks for your reply.  I've been using Stunnel for client/server database
connection encryption, outgoing gmail and https connections from within the
Oracle database.  Stunnel is working so well and the program is actively
maintained, so this is one program I trust.

I really, really, really want to pull SSL out of Apache for performance
reasons and also for maintenance issues.  I am running Oracle's Http Server
which is really just Apache with Oracle's modifications.  So the way Oracle
implements SSL is through their Wallet mechanism.  Anytime I upgrade the DB
or renew an SSL cert, it's cumbersome and I always feel like I will drop the
website for a lengthily period of time or have so much trouble it won't come
back on line.  

Putting the SSL in Stunnel, is so much cleaner.  It is faster (as I've
already tested it), the management and maintenance issues go away.  It's a
win-win situation.

I like the idea so much, I am counting the costs associated with Apache not
knowing the IP address.  I'm not sure if I can do it as the data is somewhat
sensitive and the IP log is pretty necessary.

I am also considering running Nginx to offload SSL.  I'm not sure how nicely
Windows plays with Nginx.  

Can Stunnel create a cgi environment variable or modify the request header
so the client ip address could be known inside Apache?


-----Original Message-----
From: Michal Trojnara [mailto:Michal.Trojnara at mirt.net] 
Sent: Wednesday, October 10, 2012 2:08 PM
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] SSL proxy in Windows - IP Address Issue

On 2012-10-10 17:04, Brian McGinity wrote:
> Thank you so much for stunnel.  This program is amazing!!!! 

Thank you.

> - In Windows, "transparent" mode is unavailable

Correct.  Transparent mode requires kernel-mode support.

> - "xforwardedfor" is for smtp and not https connections

It's currently not supported.
AFAIK there are 3rd party patches for https.

> - "protocol = proxy" is for Haproxy only?

I don't think it's currently implemented outside HAProxy/stunnel.

It should be fairly easy to add proxy protocol support to Apache.

Why don't you just use mod_ssl?  A dedicated solution will most likely be
more suitable for HTTP than universal stunnel.


More information about the stunnel-users mailing list