[stunnel-users] Connecting a HTTP browser to a HTTPS server.

peter at easthope.ca peter at easthope.ca
Fri Jan 12 22:42:11 CET 2018


I'm interested to configure stunnel to allow my local non-TLS Web browser to 
receive pages from a remote server providing only HTTPS.

This section of https://www.stunnel.org/static/stunnel.html appears relevant.

transparent = none | source | destination | both (Unix only)
enable transparent proxy support on selected platforms
The original destination is used instead of the connect option.

A service section for transparent destination may look like this:
    client = yes
    accept = <stunnel_port>
    transparent = destination
This configuration requires iptables setup to work, possibly in /etc/rc.local or equivalent file.
For a connect target installed on a remote host:

    /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
    /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
        -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
The transparent destination option is currently only supported on Linux.

Substitution of parameters for my context gives these configurations..

    client = yes
    accept =
    transparent = destination

    /sbin/iptables -I INPUT -i eth0 -p tcp --dport 954 -j ACCEPT
    /sbin/iptables -t nat -I PREROUTING -p tcp --dport 443 \
        -i eth0 -j DNAT --to-destination

The non-TLS browser would address http://www.stunnel.org:954/ and 
receive the page from https://www.stunnel.org:443/.  According to 
Wikipedia, 954 is not assigned.

The browser would continue to receive the page http://www.website.org/ 
without involvement of stunnel or iptables.  


Thanks,           ... P.


123456789 123456789 123456789 123456789 123456789 123456789 123456789
Tel: +1 360 639 0202                      Pender Is.: +1 250 629 3757
http://easthope.ca/Peter.html              Bcc: peter at easthope. ca

More information about the stunnel-users mailing list