4

I am trying to set up stunnel to access an HTTPS web service from an HTTP-only client. Should be a piece of cake, right? I have the following stunnel.conf:

client=yes
verify=0
[test-https]
accept  = 1337
connect = www.google.com:443

But when I point my browser to http://localhost:1337 I get the 404 error page from Google:

404. That’s an error. The requested URL / was not found on this server

I tried many other sites and always get some kind of error. Wordpress sites, for example, would say:

Neither /etc/wordpress/config-localhost.php nor /etc/wordpress/config-localhost.php could be found. Ensure one of them exists, is readable by the webserver and contains the right password/username.

It seems I am doing something fundamentally wrong, but every single example on the web shows the exact same configuration I have. Can someone please give me any kind of help?

I am using stunnel 5.02-1 (x86_64) on Arch Linux. I put my stunnel log on pastebin.

kaqqao

2 Answers

4

The problem is with the localhost part. Most servers do not respond if you use localhost as their name.

How to resolve this: first, do an nslookup on the server you want to reach and choose one of the multiple IPs, i.e. 12.34.56.78 (not a true Google IP, just made up). Configure your stunnel.conf to point to that IP:

connect = 12.34.56.78:443

Set on your client's /etc/hosts (I'm assuming it is the same machine as the stunnel; if not, use the corresponding IP) this new line:

127.0.0.1 www.google.com

Use the URL http://www.google.com:1337

NOTE: if you still get errors, try to change the accept from 1337 to 443.

NuTTyX
  • Ok, so the host actually gets preserved. Funny that not a single source mentioned anything about this. Doing as you said did indeed help, and I was finally able to get to an https site, so thank you (!!), and I'm accepting the answer. Still, my original purpose is not yet fulfilled. The problem is I only have the IP of the server where the service runs... so I have nothing to put into my hosts file. Is there a way to get away in this situation? – kaqqao Aug 10 '14 at 21:50
  • Btw, now that I knew what to look for, I found more mentions of this, e.g. http://comments.gmane.org/gmane.network.stunnel.user/5696 – kaqqao Aug 10 '14 at 22:06
  • Does `https://` work from your server? If so, it will probably work also if you use localhost. Nevertheless, you could guess the name of the server by doing `openssl s_client -connect :443` and searching for the line starting with `subject` and looking for the name after the `CN=` (that is the certificate of the remote server). It is very uncommon for a site to have a certificate issued for an IP, so you could still try my suggestion. – NuTTyX Aug 10 '14 at 22:25
  • Yeah, host gets preserved. Some hosts require that you have the correct IP address and port in the "Host:" HTTP request header, sending a redirect if you don't. If you've got that problem you'll need to mess with firewall rules (e.g. iptables) to get that to work, or set up a local proxy of some sort. It might be easier to look for a client that does support HTTPS. – Jasen Aug 31 '14 at 02:18
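The Host-header behaviour NuTTyX describes, as an added example that is not from the original thread: a stand-in origin server that dispatches on the Host header (constructed; www.example.com is an assumed virtual-host name), and a client that sends the same plain-HTTP request a browser would hand to stunnel's accept port. stunnel only wraps those bytes in TLS, so the origin sees whatever Host the browser sent.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.client import HTTPConnection

# Assumed virtual host the stand-in "remote" server is configured to serve.
EXPECTED_HOST = "www.example.com"


class VhostHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an origin that dispatches on Host, the way
    Google or a WordPress install answers 404 for an unknown name."""

    def do_GET(self):
        # Servers compare the name part only; strip any :port suffix.
        name = self.headers.get("Host", "").split(":")[0]
        status = 200 if name == EXPECTED_HOST else 404
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def request_via_tunnel(port, host_header):
    """Send a plain GET to the local port exactly as a browser would send it
    to stunnel's accept port; the Host header is passed through unchanged."""
    conn = HTTPConnection("127.0.0.1", port)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    status = conn.getresponse().status
    conn.close()
    return status


def demo():
    """Return (status for http://localhost:1337, status after the hosts-file fix)."""
    server = HTTPServer(("127.0.0.1", 0), VhostHandler)  # ephemeral port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        broken = request_via_tunnel(port, "localhost:1337")        # browser at http://localhost:1337
        fixed = request_via_tunnel(port, "www.example.com:1337")   # browser at http://www.example.com:1337
    finally:
        server.shutdown()
        server.server_close()
    return broken, fixed


if __name__ == "__main__":
    print(demo())  # (404, 200)
```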
0

Two problems:

  1. Generate your own self-signed certificate with these commands, in the directory /etc/stunnel:

    openssl genrsa 1024 > stunnel.key
    openssl req -new -key stunnel.key -x509 -days 1000 -out stunnel.crt
    cat stunnel.crt stunnel.key > stunnel.pem

and make sure the two lines in the file /etc/stunnel/stunnel.conf

 ;cert = /etc/stunnel/mail.pem
 ;key = /etc/stunnel/mail.pem

are modified as follows:

 cert = /etc/stunnel/stunnel.pem
 key = /etc/stunnel/stunnel.pem
  2. The invocation in your browser, given your [test-https] label, must not be http://localhost:1337 but instead it must be test-https://localhost:1337
MariusMatutiae
  • All the clients I could come up with, expectedly, failed to parse the nonexistent protocol. I tried changing the label to a more obvious "http" to no avail. While I've seen references to invoking Stunnel in this fashion, I think it does not apply to recent versions. Also, I'm only using Stunnel in client mode and I've disabled SSL verification, so the cert and key should not matter, as far as I understand. – kaqqao Aug 10 '14 at 22:05