
Here's the deal:

  • Our client software can only connect using http protocol, it can not do https.
  • However, security requirements dictate end-to-end security, so we need to use https when talking to the server.
  • Now I have been able to do this in a testing environment by using stunnel with the following configuration:

stunnel.conf file:

    [mylocalproxy]
    client = yes
    accept = 127.0.0.1:3000
    connect = the.real.server:443
  • Given the stunnel config above, I can configure my test client to use endpoint address http://localhost:3000/endpoint/url/ and everything works fine.
  • But on the production environment, the client side does not have direct network access to the.real.server. Http/s traffic from the client side has to go through a proxy server.
  • My questions:
    • Is it possible to configure stunnel to connect using a proxy server?
    • If not possible using stunnel, is there another way I can accomplish this?
codeape
  • What type of proxy do you have in your environment? Is the client software not proxy-aware? – bentek Oct 08 '15 at 13:25
  • I believe the proxy server is Forefront TMG. – codeape Oct 08 '15 at 16:51
  • Not sure if the client software is proxy-aware, but will that make a difference? Since the client can not do https, it won't do https over a proxy either. – codeape Oct 08 '15 at 16:53

2 Answers


It appears to be supported according to the man page, but the language is written so that you more or less have to know the protocols to understand it:

Under Protocol we can see the following:

connect Based on RFC 2817 - Upgrading to TLS Within HTTP/1.1, section 5.2 - Requesting a Tunnel with CONNECT This protocol is only supported in client mode.

Further down we find the following:

protocolHost = ADDRESS host address for the protocol negotiations For the 'connect' protocol negotiations, protocolHost specifies HOST:PORT of the final TLS server to be connected to by the proxy. The proxy server directly connected by stunnel must be specified with the connect option.

Thus we can piece this together:

[mylocalproxy]
client = yes
accept = 127.0.0.1:3000
protocol = connect
connect = proxy.example.org:3128
protocolHost = the.real.server:443

I have not tested it, but based on the wording of the documentation this should function as desired.

vidarlo
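To make the man-page wording concrete, here is the HTTP CONNECT exchange that `protocol = connect` together with `protocolHost` makes stunnel perform, written out as an added Python example. This is not stunnel's code and not part of the original answer; the proxy address proxy.example.org:3128 and the target the.real.server:443 are the values from the answer's config, and the optional Proxy-Authorization header for a proxy that demands credentials is an addition beyond what the answer shows. The client first sends a plain-text CONNECT request to the proxy, checks for a 2xx status, and only then starts TLS through the opened tunnel, verifying the server certificate and hostname against the system CA store so the tunnel is actually end-to-end rather than just proxy-to-proxy.

```python
import base64
import socket
import ssl


def build_connect_request(target_host, target_port, proxy_user=None, proxy_password=None):
    """Build the RFC 2817 'Requesting a Tunnel with CONNECT' request.

    The request-target is the final TLS server (stunnel's protocolHost); the
    TCP connection carrying it goes to the proxy (stunnel's connect option).
    Basic proxy credentials are optional and are an assumption of this example.
    """
    authority = f"{target_host}:{target_port}"
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    if proxy_user is not None:
        token = base64.b64encode(f"{proxy_user}:{proxy_password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def read_proxy_response(sock, limit=8192):
    """Read until the end of the proxy's header block; refuse oversized or truncated replies."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("proxy response header exceeds limit")
    return buf


def parse_connect_response(raw):
    """Return (status_code, reason, bytes_after_headers) from the proxy's reply."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason, rest


def open_tunnel(proxy_host, proxy_port, target_host, target_port,
                proxy_user=None, proxy_password=None, timeout=10):
    """Open a CONNECT tunnel through the proxy and start TLS inside it."""
    raw = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        raw.sendall(build_connect_request(target_host, target_port, proxy_user, proxy_password))
        code, reason, leftover = parse_connect_response(read_proxy_response(raw))
        if not 200 <= code < 300:
            raise ConnectionError(f"proxy refused CONNECT: {code} {reason}")
        if leftover:
            # TLS clients speak first, so bytes arriving before our ClientHello
            # cannot be the server's handshake; treat them as a broken tunnel.
            raise ValueError("unexpected data after CONNECT response")
        # Default context verifies the chain and the hostname against the
        # system CA store, so a proxy cannot silently terminate TLS for us.
        ctx = ssl.create_default_context()
        return ctx.wrap_socket(raw, server_hostname=target_host)
    except Exception:
        raw.close()
        raise


if __name__ == "__main__":
    # Hosts are the placeholder names from the answer above; replace with real ones.
    tls = open_tunnel("proxy.example.org", 3128, "the.real.server", 443)
    tls.sendall(b"GET /endpoint/url/ HTTP/1.1\r\nHost: the.real.server\r\nConnection: close\r\n\r\n")
    print(tls.recv(4096).decode("iso-8859-1", "replace"))
    tls.close()
```

A 407 from the proxy means it wants credentials; a 403 or 5xx usually means the proxy's policy does not allow CONNECT to that host or port, which is the first thing to check when stunnel's `protocol = connect` setup fails in production.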

You can do it with:

[SSL Proxy]
accept = 8443
connect = 8084
cert = certificate.pem
key = private_key.pem

You will need a certificate from a certificate authority to allow https client connections.

Daniel K