
List:       stunnel-users
Subject:    Re: [stunnel-users] issue making stunnel 4.35 use an apache
From:       Matt Wise <mwise () netflix ! com>
Date:       2011-04-08 20:50:35
Message-ID: 6C36A378-E5B9-4ED7-B72B-B1DBD8ED11D2 () netflix ! com

Doh.. that solved it. The docs were a bit confusing, I figured I just had to add the
proxy info and that stunnel would figure it out. Instead, you explicitly redirect
where stunnel is going by changing its 'connect' address, and then give it a new
destination address. I find this very confusing, but it is indeed working now.
Thanks!

On Apr 8, 2011, at 10:17 AM, Michal Trojnara wrote:

Hi Matt,

You have configured stunnel to connect to your final destination and then use the CONNECT
protocol to access your proxy. 8-)

You should configure stunnel to connect to your proxy first, and then use protocol
negotiation to request your proxy to connect to your final destination.

Mike
--
Sent from Android with K-9 Mail. Please excuse my brevity.

Matt Wise <mwise@netflix.com> wrote:
I've got an Apache proxy on port 3128 that will allow our clients to get outbound
with a 'CONNECT' to a few services.. I'm trying to make stunnel use this service, and
it seems to be ignoring my configuration completely. Tcpdumps show NO packets going
outbound on port 3128... any ideas what I'm doing wrong? This config allows an
inbound connection to port 1234 to hit port 2345 (a local service), while also
handling the setup of an inbound connection to localhost:514 to a remote host on port
1514...

debug = 7
pid = /var/run/stunnel.pid
service = stunnel
syslog = yes
foreground = no
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
fips = no

# Localhost:1234 hits localhost:2345
[cseservices]
client = no
accept = 1234
connect = 127.0.0.1:2345
CAfile = /etc/stunnel/ssl/tunnel-CAs.cert.pem
cert = /etc/stunnel/ssl/server.pub
key = /etc/stunnel/ssl/server.key
verify = 2

## Localhost:514 hits remotehost:1514
[syslog]
client = yes
accept = 514
connect = xxx:1514
CAfile = /var/lib/puppet/ssl/certs/ca.pem
key = /var/lib/puppet/ssl/private_keys/xxx.pem
cert = /var/lib/puppet/ssl/certs/xxx.pem
session = 5
TIMEOUTidle = 600
TIMEOUTbusy = 600
TIMEOUTclose = 300
TIMEOUTconnect = 10
verify = 2
protocol=connect
protocolHost=proxy:3128
protocolAuthentication=basic

—Matt
________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
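
The fix described in this thread, written out as an added example (not part of either poster's message): the [syslog] service from the original post with the two addresses swapped. "proxy" and "xxx" are the placeholders used in the post; nothing else is changed.

```ini
## Localhost:514 hits remotehost:1514 through the Apache proxy
[syslog]
client = yes
accept = 514

# Before (as posted): stunnel opened its TCP connection straight to the
# final destination, so no packets ever left for port 3128.
#   connect = xxx:1514
#   protocolHost = proxy:3128

# After: 'connect' is where the TCP connection goes (the proxy), and
# 'protocolHost' is the destination named in the CONNECT request.
connect = proxy:3128
protocol = connect
protocolHost = xxx:1514
# The CONNECT negotiation happens before the TLS handshake, so basic
# proxy credentials cross the client-to-proxy hop unencrypted.
protocolAuthentication = basic

# TLS is negotiated with xxx:1514 through the proxy tunnel, so these
# settings still authenticate the remote end, not the proxy.
CAfile = /var/lib/puppet/ssl/certs/ca.pem
key = /var/lib/puppet/ssl/private_keys/xxx.pem
cert = /var/lib/puppet/ssl/certs/xxx.pem
verify = 2

session = 5
TIMEOUTidle = 600
TIMEOUTbusy = 600
TIMEOUTclose = 300
TIMEOUTconnect = 10
```

With this layout, the tcpdump check from the original post should show the outbound connection on port 3128 and nothing going directly to port 1514.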





