Versions Compared

Old Version 8

changes.mady.by.user ASF Infrabot

Saved on

compared with

New Version Current

changes.mady.by.user Konstantin Kolinko

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Add a permalink. Fix formatting. Convert links to https.

Permalink to this page; https://cwiki.apache.org/confluence/x/TCglBg

AJP over stunnel

stunnel is a little more complicated than a normal protocol because it can be used in a number of different ways. I'll give some contrived examples to see how you can set it up in different ways, depending upon the support for encryption of the underlying protocol.unmigrated-wiki-markup

This wiki entry is intended to be a starter-guide and not a replacement for the fine \[https://www.stunnel.org/docs.html|documentation provided by the stunnel team\].

Let's say that you have an HTTPS server, but your client can't speak HTTPS for some reason. If you set up stunnel on the client side, you can connect locally to the stunnel server and have it establish a secure-connection to the remote server running HTTPS. Like this:

No Format

  client -> localhost:12345 (stunnel)
  stunnel -> remote_host:443 (httpd)

As far as the client is concerned, it's using HTTP to talk to localhost. But really it's talking to remote_host:443, so everyone is happy. (Yes, there are issues with URLs and redirects produced by the server, but that's out of scope for this discussion).

Let's take another example: you have clients that are HTTPS-capable, but the service you are running can only support HTTP for some reason, and you want to secure it. Set up stunnel on the server, then have your remote clients connect to it and tunnel to localhost. Like this:

No Format

  client -> remote_host:443 (stunnel)
  stunnel -> localhost:8080 (httpd)

As far as the client is concerned, it's using HTTPS to communicate with remote_host:443, but really it's connecting to remote_host:8080. (Yes, there are some issues with URLs and redirects but that's out of scope for this discussion.)

...

  1. Depending upon the version, you might only be able to use TLSv1 (and not e.g. TLSv1.2)

...

  1. stunnel generally ignores certificate issues, such as expiration, etc. You might want to configure it with a little more care than the default. THIS ALSO MEANS IT DOES NOT AUTHENTICATE THE SERVER BY DEFAULT. You could accidentally connect to a malicious server.

This should be enough to get you started. Please refer to the official stunnel documentation for specifics.