[stunnel-users] transparent proxy ssl for a socket server

Alex Needham alex.needham at gmail.com
Thu Jan 24 01:45:35 CET 2013


Hi

I have to figure out how to get some SSL encapsulation for an application
we have that only serves on obscure ports; the app needs to retain the
source IP address of the client requests. So I looked at stunnel, and it's
working great in transparent mode where the stunnel server is the default
gateway of the socket server, but I would like to get the stunnel server
onto the same machine as the socket server and keep the client src IP.
Testing with an Apache as a backend as it's easy to test.

Running CentOS 6.3 (2.6.32-279.19.1.el6.x86_64), updated an hour ago; built
stunnel 4.54 from src.rpm.

The players
stunnel-boxen external=192.168.0.1, internal=192.168.1.1
web/socket-boxen internal=192.168.1.11, dg=192.168.1.1

The configs
Config A - works ok

debug = 7
foreground = yes
# not chrooted, running as root, no setuid/setgid

[socket-1234]
cert=blarg.crt
key=blarg.key
accept = 192.168.0.1:1234
connect = 192.168.1.11:80
transparent = source

Config B - Not so good
connect = 192.168.1.1:80   # inside interface of stunnel box

# mark packets that already match a local socket, then route them locally
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
# marked packets use table 100, which delivers everything to lo
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

/etc/sysctl.conf
route filtering is off and forwarding is on

Am I trying something impossible, or am I missing something?

Any help greatly appreciated; if I get this going I'll happily do a nice,
neater write-up for others.

Cheers

Alex
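The two configs above differ only in where `connect` points, and that difference decides whether the backend's replies can find their way back to stunnel. As an added example (not code from the original post or from the stunnel project), here is a small checker that parses a stunnel.conf, finds services using `transparent = source`, and flags the conditions the thread turns on: the stunnel documentation's requirement that source transparency on Linux runs as root without `setuid`/`setgid`, and whether the `connect` target is an address of the stunnel host itself (Config B), in which case the spoofed-source packets must be delivered locally via a policy route rather than forwarded. The sample configs and the list of stunnel-host addresses are reconstructed from the post; the function and constant names are my own.

```python
"""Lint stunnel service sections that use ``transparent = source``.

Added example; not from the original post. The two sample configs below
are constructed from the post, and STUNNEL_HOST_ADDRS mirrors the
addresses the poster listed for the stunnel box.
"""
import re
from typing import Dict, List, Tuple

# Constructed from "Config A" in the post.
CONFIG_A = """\
debug = 7
foreground = yes
# not chrooted, running as root, no setuid/setgid

[socket-1234]
cert=blarg.crt
key=blarg.key
accept = 192.168.0.1:1234
connect = 192.168.1.11:80
transparent = source
"""

# "Config B": the only change is that connect points at the stunnel
# box's own inside interface.
CONFIG_B = CONFIG_A.replace(
    "connect = 192.168.1.11:80",
    "connect = 192.168.1.1:80   # inside interface of stunnel box",
)

# Addresses of the stunnel host as given in the post ("The players").
STUNNEL_HOST_ADDRS = ["192.168.0.1", "192.168.1.1"]


def parse_stunnel_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Minimal stunnel.conf parser: global ``key = value`` options come
    first, each ``[name]`` opens a service section, '#' starts a comment."""
    global_opts: Dict[str, str] = {}
    services: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = services.setdefault(m.group(1).strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return global_opts, services


def check_transparent_source(text: str, stunnel_host_addrs: List[str]) -> List[str]:
    """Return 'warn: ...' / 'info: ...' findings for transparent-source services."""
    findings: List[str] = []
    global_opts, services = parse_stunnel_conf(text)
    for name, opts in services.items():
        if opts.get("transparent", "").lower() != "source":
            continue
        # stunnel binds the backend connection to the client's IP; on
        # Linux this needs root and no privilege drop (stunnel manual).
        for priv in ("setuid", "setgid"):
            if priv in global_opts:
                findings.append(
                    f"warn: [{name}] transparent = source needs root; "
                    f"global '{priv} = {global_opts[priv]}' drops privileges"
                )
        target = opts.get("connect", "")
        host = target.rsplit(":", 1)[0] if ":" in target else target
        if host in stunnel_host_addrs:
            findings.append(
                f"warn: [{name}] connect target {target} is a local address of "
                "the stunnel host: packets carrying the client's source IP must "
                "be delivered locally (fwmark policy route to a 'local' table), "
                "not forwarded"
            )
        else:
            findings.append(
                f"info: [{name}] backend {target} must route its replies to "
                "client addresses back through the stunnel host (e.g. default gw)"
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("Config A", CONFIG_A), ("Config B", CONFIG_B)):
        print(label)
        for finding in check_transparent_source(conf, STUNNEL_HOST_ADDRS):
            print("  " + finding)
```

Run it against a config with `setuid = nobody` added to the global section and the checker also reports the privilege drop; with Config A it only notes the routing requirement that the poster already satisfies by making the stunnel box the backend's default gateway.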