Rather than multiple stunnel instances, a single instance can manage
multiple IP addresses and certs. As Bernhard mentioned, once the request
is picked up by stunnel and forwarded to haproxy it is no longer
encrypted on your backend network.
Here is what your stunnel.conf may look like with 3 IP addresses and 3
SSL certificates.
# global options (apply to every service section below)
# sslVersion = SSLv3 is the 2009 setting shown here; SSLv3 has since been
# deprecated and a current stunnel should be configured for a TLS version
sslVersion = SSLv3
pid = /var/run/stunnel.pid
#debug = 7
output = /var/log/stunnel.log
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
# one service section per IP address and certificate: stunnel terminates
# TLS on :443 and hands plaintext to haproxy listening on :80 of the same IP
[https-website1]
cert=/etc/stunnel/website1.newdot.com.pem
accept=10.22.13.110:443
connect=10.22.13.110:80
xforwardedfor=yes
[https-website2]
cert=/etc/stunnel/website2.newdot.net.pem
accept=10.22.13.111:443
connect=10.22.13.111:80
xforwardedfor=yes
[https-webmail]
cert=/etc/stunnel/mailman.newdot.com.pem
accept=10.22.13.112:443
connect=10.22.13.112:80
xforwardedfor=yes
Regards,
Duncan
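As an added example (not code from the thread, from stunnel, or from Duncan), here is a small Python parser and checker for a multi-service stunnel.conf of the shape shown above. The sample config inside it is constructed from the three-service layout; the checks it applies (obsolete sslVersion, a section without cert=, two sections bound to the same accept address, xforwardedfor not enabled) are this example's own rules, not anything stunnel itself enforces.

```python
"""Parse a multi-service stunnel.conf and flag common mistakes.
Added example for this thread; SAMPLE_CONF is constructed from the
three-service config posted above."""
import re
from collections import defaultdict

# Constructed sample (same shape as the config in the thread).
SAMPLE_CONF = """\
sslVersion = SSLv3
pid = /var/run/stunnel.pid
#debug = 7
output = /var/log/stunnel.log
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
[https-website1]
cert=/etc/stunnel/website1.newdot.com.pem
accept=10.22.13.110:443
connect=10.22.13.110:80
xforwardedfor=yes
[https-website2]
cert=/etc/stunnel/website2.newdot.net.pem
accept=10.22.13.111:443
connect=10.22.13.111:80
xforwardedfor=yes
[https-webmail]
cert=/etc/stunnel/mailman.newdot.com.pem
accept=10.22.13.112:443
connect=10.22.13.112:80
xforwardedfor=yes
"""


def parse_stunnel_conf(text):
    """Return (global_opts, services). Values are lists so repeated keys
    (the two 'socket' lines) survive; anything before the first [section]
    is a global option."""
    global_opts = defaultdict(list)
    services = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = services.setdefault(m.group(1), defaultdict(list))
            continue
        key, _, value = line.partition("=")
        current[key.strip()].append(value.strip())
    return dict(global_opts), {name: dict(o) for name, o in services.items()}


def lint_stunnel_conf(text):
    """Return a list of findings a reviewer would raise about the config.
    The rules below are this example's own, not stunnel's."""
    glob, services = parse_stunnel_conf(text)
    findings = []
    for ver in glob.get("sslVersion", []):
        if ver.upper() in ("SSLV2", "SSLV3"):
            findings.append(f"global: sslVersion = {ver} is obsolete; use a TLS version")
    seen_accept = {}
    for name, opts in services.items():
        if not opts.get("cert"):
            findings.append(f"{name}: no cert= line; a TLS server section needs one")
        for addr in opts.get("accept", []):
            if addr in seen_accept:
                findings.append(f"{name}: accept {addr} is already bound by {seen_accept[addr]}")
            seen_accept.setdefault(addr, name)
        if opts.get("xforwardedfor", ["no"])[-1].lower() != "yes":
            findings.append(f"{name}: xforwardedfor not enabled; backend logs will show the LB address")
    return findings


if __name__ == "__main__":
    for finding in lint_stunnel_conf(SAMPLE_CONF):
        print(finding)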
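```

Run against the sample, the only finding is the sslVersion line; the duplicate-accept check is the one that catches the classic copy-paste error when a fourth section is added with an address that is already taken.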
Bernhard Krieger wrote:
Is there a way to
manage several certificates with this configuration?
Hmm... multiple Stunnel-Instances?!?!
However, I have a problem with this configuration. When I connect to
https://mysite, it shows the certificate I put on stunnel but it
redirects my https to http and everything goes in the clear. I thought it
would keep talking https.
Stunnel forwards the requests to the haproxy frontend, which is bound to
the local LB IP.
Then haproxy forwards them to the backend.
Stunnel doesn't forward the requests directly to the backend!
I am wondering if I really need stunnel. Stopping it, haproxy redirects
my https traffic to my backends (they are able to talk https). It works
but it shows the certificate stored on each backend instead of a
generic one.
Haproxy handles https too -> switch "mode http" to "mode tcp".
But then you can't see the real client IP addresses in the backends' log
files.
If you provide money transactions, ... it's a good reason to log the
real IP ;)
So you have to compile/install a patched stunnel on the LB.
See the documentation too!
Example:
REAL LB-IP: 198.12.241.19:443
LOCAL LB-IP: 192.168.2.150:80
BACKENDS: 192.168.2.100, .101
STUNNEL-CONFIG:
# terminate TLS on the public LB address, hand plaintext to the local haproxy listener
[https]
accept = 198.12.241.19:443
connect = 192.168.2.150:80
TIMEOUTclose = 0
HAPROXY-CONFIG:
# plaintext listener fed by stunnel; 'except 192.168.2.150' stops haproxy from
# adding its own X-Forwarded-For to connections that come from the local stunnel,
# which already carries the real client address
listen 443-STUN 192.168.2.150:80
mode http
source 192.168.2.150:0
balance roundrobin
option forwardfor except 192.168.2.150
server BACKEND1 192.168.2.100:80 .....
server BACKEND2 192.168.2.101:80 .....
bye
Bernhard
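To make the header flow in the example above concrete, here is an added Python model of the three hops (it is not stunnel or haproxy code and not from the thread). The addresses are the ones from Bernhard's example; the client address 203.0.113.7 and the request are constructed. The behaviour encoded for the x-forwarded-for stunnel patch and for haproxy's `option forwardfor except <net>` is my reading of what is described above. The backend side adds the check a practitioner wants on top of it: honour X-Forwarded-For only when the TCP peer is the load balancer, because a client that reaches a backend directly can put any address it likes in that header.

```python
"""Trace X-Forwarded-For through stunnel -> haproxy -> backend.
Added example for this thread (not stunnel or haproxy code): a model of the
xforwardedfor stunnel patch, of haproxy's 'option forwardfor except <net>',
and of a backend that only trusts the header from its own load balancer."""
import ipaddress

# Addresses from Bernhard's example; the client address is constructed.
REAL_LB_IP = "198.12.241.19"    # stunnel accept, :443
LOCAL_LB_IP = "192.168.2.150"   # haproxy listen (:80) and its 'source' address
CLIENT_IP = "203.0.113.7"


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (request_line, [(name, value)])."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def build_request(request_line, headers):
    """Serialize the request head again (no body is needed for the trace)."""
    return request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"


def stunnel_hop(raw, client_ip, xforwardedfor=True):
    """stunnel with the x-forwarded-for patch: terminates TLS and, if
    xforwardedfor=yes, inserts the TLS peer's address before forwarding the
    plaintext request to its connect= target (haproxy)."""
    req, headers = parse_request(raw)
    if xforwardedfor:
        headers.append(("X-Forwarded-For", client_ip))
    return build_request(req, headers)


def haproxy_hop(raw, src_ip, forwardfor_except=None):
    """'option forwardfor except <net>': haproxy adds its own header for every
    connection except those from <net>. With 'except 192.168.2.150' the local
    stunnel's connections pass through untouched, so the backend sees only
    the header stunnel wrote."""
    req, headers = parse_request(raw)
    excepted = (forwardfor_except is not None and
                ipaddress.ip_address(src_ip)
                in ipaddress.ip_network(forwardfor_except, strict=False))
    if not excepted:
        headers.append(("X-Forwarded-For", src_ip))
    return build_request(req, headers)


def xff_values(raw):
    """All X-Forwarded-For header values, in order of appearance."""
    return [v for n, v in parse_request(raw)[1] if n.lower() == "x-forwarded-for"]


def backend_client_ip(raw, peer_ip, trusted_proxies):
    """Address the backend should log. The header is honoured only when the
    TCP peer is a trusted proxy; anyone who reaches the backend directly can
    forge X-Forwarded-For, so their header is ignored."""
    if peer_ip not in trusted_proxies:
        return peer_ip
    values = xff_values(raw)
    if not values:
        return peer_ip
    return values[0].split(",")[0].strip()  # address the first proxy saw


def trace(client_ip=CLIENT_IP, forwardfor_except=LOCAL_LB_IP):
    """Run one request through both hops; return (logged_ip, xff headers seen)."""
    raw = build_request("GET / HTTP/1.1", [("Host", "webmail.company.org")])
    raw = stunnel_hop(raw, client_ip)                       # 198.12.241.19:443 -> 192.168.2.150:80
    raw = haproxy_hop(raw, LOCAL_LB_IP, forwardfor_except)  # 192.168.2.150:80 -> backend :80
    return backend_client_ip(raw, LOCAL_LB_IP, {LOCAL_LB_IP}), xff_values(raw)


if __name__ == "__main__":
    print(trace())
    print(trace(forwardfor_except=None))
```

With the `except` in place the backend sees a single header carrying the client address; without it haproxy appends a second header with 192.168.2.150, and a backend that naively reads the last X-Forwarded-For would log the LB instead of the client.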
----- Message from [email protected] ---------
Date: Tue, 08 Sep 2009 13:23:46 +0200
From: Xavier Fustero <[email protected]>
Reply-To: Xavier Fustero <[email protected]>
Subject: stunnel to provide https
To: [email protected]
Hi,
I would like to provide a webmail service under https. Regarding the
docs, haproxy isn't able to talk ssl itself so I decided to go for
stunnel + haproxy. However things don't work as I thought. This is the
scenario:
LB1: stunnel + haproxy
A: webmail SUN messenger
B: webmail SUN messenger
My stunnel contains the following lines:
....
[https]
accept=ip_number:443
connect=ip_number:80
xforwardedfor = yes
I would like to use https with a generic certificate like
webmail.company.org. I've installed it on stunnel and I can see it on
my browser. My first question is how I would be able to use this
LB1+stunnel to serve more https sites in future? Is there a way to
manage several certificates with this configuration?
However, I have a problem with this configuration. When I connect to
https://mysite, it shows the certificate I put on stunnel but it
redirects my https to http and everything goes in the clear. I thought it
would keep talking https.
I am wondering if I really need stunnel. Stopping it, haproxy redirects
my https traffic to my backends (they are able to talk https). It works
but it shows the certificate stored on each backend instead of a
generic one.
This is my haproxy config file:
....
backend b_webmail_secured
mode tcp
balance source
option ssl-hello-chk
server secure-A ip_number:443 weight 10
server secure-B ip_number:443 weight 10
I would appreciate some suggestions on how setting it up.
Thanks a lot,
Xavi
----- End of message from [email protected] -----