[stunnel-users] SSL proxy in Windows - IP Address Issue

Michal Trojnara Michal.Trojnara at mirt.net
Tue Oct 16 12:44:54 CEST 2012

On 2012-10-11 16:21, Brian McGinity wrote:
> Thanks for your reply.  I've been using Stunnel for client/server database
> connection encryption, outgoing gmail and https connections from within the
> Oracle database.  Stunnel is working so well and the program is actively
> maintained, so this is one program I trust.

Thank you.

> I really, really, really want to pull SSL out of Apache for performance
> reasons and also for maintenance issues.  I am running Oracle's Http Server
> which is really just Apache with Oracle's modifications.  So the way Oracle
> implements SSL is through their Wallet mechanism.  Anytime I upgrade the DB
> or renew an SSL cert, it's cumbersome and I always feel like I will drop the
> website for a lengthily period of time or have so much trouble it won't come
> back on line.  

I see. If you use the closed-source Oracle webserver on a Windows
server, I can see no easy way to get transparent proxy with stunnel
running on the same machine.

Fortunately there is another possibility: You can setup a stunnel
gateway (or a cluster of stunnel gateways) on a separate machine running
one of the platforms that support transparent proxy (e.g. Linux). Your
Windows box must have your Linux box configured as its default gateway.
 The Linux box needs to be configured with "transparent = source" option.

> Putting the SSL in Stunnel, is so much cleaner.  It is faster (as I've
> already tested it), the management and maintenance issues go away.  It's a
> win-win situation.

Cool.  Feel free to share your benchmarks with the mailing list.

> I like the idea so much, I am counting the costs associated with Apache not
> knowing the IP address.  I'm not sure if I can do it as the data is somewhat
> sensitive and the IP log is pretty necessary.

I just found an alternative solution.  You could configure your Apache
to log remote port with "%a:%{remote}p" LogFormat string:
, and then rewrite Apache log based on stunnel log.

> Can Stunnel create a cgi environment variable or modify the request header
> so the client ip address could be known inside Apache?

You can't pass an environment variable through a TCP connection.
Adding a request header would require stunnel to implement HTTP
protocol.  There are some quick&dirty hacks for this (x-forwarded-for
patch you mentioned), but they only support basic HTTP/1.0.
I refuse to include such code upstream.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: OpenPGP digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20121016/9e47188a/attachment.sig>

More information about the stunnel-users mailing list