Covers how to forward HTTP traffic over stunnel.
Overview of Setup
Our goal here is to have traffic between a client and a server pass through an encrypted tunnel, with each service happening on different ports.
In particular, we want to have HTTP traffic on the stunnel client on port 9999 (e.g., the browser opening
localhost:9999) pass through the encrypted tunnel and be forwarded to an HTTP server listening on the stunnel server machine.
On the client, traffic from port 9999 (http, from the browser) will be forwarded to port 8000 (stunnel). We will forward that traffic on to the remote stunnel server listening on port 8000.
The server will receive traffic on port 8000. It will decrypt the traffic and forward the traffic on to a local HTTP server running on port 9998:
python -m SimpleHTTPServer 9998
Client Port Configuration
On the client machine, we will forward local traffic from port 9999 to port 8000, where stunnel will receive the traffic and encrypt it before sending it to the stunnel server.
We want to configure stunnel to listen for traffic on port 9999, and make connections with another stunnel instance on port 8000.
Client Stunnel Config File
output = /var/log/stunnel4/stunnel.log cert = /usr/local/etc/stunnel/stunnel.fullchain.pem key = /usr/local/etc/stunnel/stunnel.key.pem client = yes [http] accept = 9999 connect = A.B.C.D:8000
Stop any running instances of stunnel, then start stunnel:
$ killall stunnel && stunnel
Use nmap to verify port 9999 is open:
$ nmap localhost
Server Port Configuration
The stunnel server will receive encrypted SSL traffic on port 8000. The communications channel is duplex, so stunnel client and server can both send and receive information.
The traffic is forwarded on the remote server to an HTTP server that is listening. This will be a simple Python HTTP server listening on port 9998. We will cover that in a sec.
Server Stunnel Config File
output = /var/log/stunnel4/stunnel.log cert = /etc/stunnel/stunnel.fullchain.pem key = /etc/stunnel/stunnel.key.pem client = no [http] accept = 8000 connect = 127.0.0.1:9998
Kill exiting instances of stunnel, then run it:
$ killall stunnel && stunnel
Now we need to run a Python HTTP server to test whether HTTP connections are being correctly forwarded. In a separate window or in a tmux/screen session, run the command:
$ mkdir -p /tmp/stunnel-http $ cd /tmp/stunnel-http $ echo "<h2>hallo werkld!</h2>" > index.html $ python -m SimpleHTTPServer 9998
Now when stunnel is configured and run, you should be able to access a "hallo werkld!" page.
Once stunnel is running on the client and server, and the Python HTTP server is listening on the server, test it all out by going to
localhost:9999 in a browser:
stunnelsecure tunnel - create secure encrypted connections on any port to wrap any protocol
Stunnel Over Docker: Stunnel/Docker
Flags · Template:StunnelFlag · e