[stunnel-users] Proxy HTTPS via stunnel without any certificates on proxy/stunnel box

Gary Chodos gchodos at gmail.com
Tue Sep 24 14:43:27 CEST 2013


We are trying to decide between SNIProxy and stunnel for the following task:

- Client browser hits https://foo.bar.org, which resolves to an IP that
corresponds to the stunnel machine listening on 443.

- stunnel "forwards" (sorry if this is not the correct technical term) the
connection to a different machine, specified by a different IP address,
which is also configured to believe it is foo.bar.org and actually has a
web server listening on 443 and houses the SSL key/cert.

- when stunnel hits the end server, the latter sees the stunnel IP address
as source, not the original user's (who initiated the web request for
https://foo.bar.org).  I believe this is default behavior, but just noting
it for completeness.

Is it possible to accomplish this (stunnel listening on and connecting to
https endpoints) without housing any certs/keys on the stunnel machine
itself, because we want the second server to deal with all that and we do
not have access to those keys anyway?  And of course, the users who go to
https://foo.bar.org should not see any cert mismatches as a result of
loading https://foo.bar.org which, for the user, will resolve to the
stunnel/proxy IP, rather than the end server which actually had a running
web server and keys/cert.

Sorry if the above detail is insufficient; do let me know.

Thanks for your help.
