On Tuesday, September 24, 2013, Jason Haar wrote:

> On 25/09/13 00:43, Gary Chodos wrote:
> > We are trying to decide between SNIProxy and stunnel for the following
> > task:
> >
> > - Client browser hits https://foo.bar.org, which resolves to an IP that
> > corresponds to the stunnel machine listening on 443.
> >
> > - stunnel "forwards" (sorry if this is not the correct technical term) the
> > connection to a different machine, specified by a different IP address,
> > which is also configured to believe it is foo.bar.org and actually has a
> > web server listening on 443 and houses the SSL key/cert.
>
> What an odd setup. You want to make an HTTPS connection to an IP
> address, but want that to make an HTTPS connection to another IP address,
> but don't want it to house the SSL cert.

Correct.

> That isn't possible - an "SSL terminator" requires the cert - otherwise it
> isn't terminating the SSL connection. Why don't you just use a standard TCP
> forwarder instead - won't that do what you want? Don't forget: SSL occurs
> *within* a TCP session - so a standard TCP forwarder can "reroute" the SSL
> transaction without needing to know what it is forwarding (ie no need for
> certs)
>
> You could use xinetd or netcat - tonnes of options

Thanks to cluebats from you and the kind folks over on the nginx list, we went with haproxy in tcpmode.

Thanks,
Gary
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
