[stunnel-users] Stunnel over a separate proxy?

Michal Trojnara Michal.Trojnara at mirt.net
Fri Feb 8 09:25:00 CET 2013

Alex Gottschalk wrote:
> I've successfully deployed stunnel4 to wrap rsync for transferring
> data between remote sites and a central repository.  The issue I'm
> running into, is that some of these sites mandate use of a proxy 
> or SOCKS5 usually) for outbound network connections.  It seems like
> there is some proxy support in stunnel with the
> protocol{Host,Authentication,etc} configuration options, but I have
> had zero luck getting them to work.  For example, I've tried making a
> simple SOCKS5 proxy using ssh, that I'm successfully able to send 
> traffic over:
> ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a
> public interface

There is no SOCKS proxy support in stunnel.

> [rsync]
>     protocol = connect
>     protocolHost = proxy-host:1080
>     accept =
>     connect = rsync-destination:443

You have reversed "protocolHost" and "connect" values.  "connect" is 
the host *stunnel* connects to while "protocolHost" is the final 
destination requested from this host.  It may be unintuitive compared to 
other services (like web browsers), but for stunnel proxy support is a 
part of SSL protocol negotiations rather than a separate feature.

 From the fine manual of stunnel:

connect = address

     connect to a remote address

     If no host is specified, the host defaults to localhost.

     Multiple connect options are allowed in a single service section.

     If host resolves to multiple addresses and/or if multiple connect 
options are specified, then the remote address is chosen using a 
round-robin algorithm.

protocolHost = host:port

     destination address for protocol negotiations


More information about the stunnel-users mailing list