From charlesreid1

Covers how to forward HTTP traffic over stunnel.

Overview of Setup

Our goal here is to have traffic between a client and a server pass through an encrypted tunnel, with each service listening on a different port.

In particular, we want to have HTTP traffic on the stunnel client on port 9999 (e.g., the browser opening localhost:9999) pass through the encrypted tunnel and be forwarded to an HTTP server listening on the stunnel server machine.

In summary:

On the client, stunnel accepts plain HTTP traffic from the browser on port 9999, encrypts it, and forwards it to the remote stunnel server listening on port 8000.

The server will receive traffic on port 8000. It will decrypt the traffic and forward the traffic on to a local HTTP server running on port 9998: python -m SimpleHTTPServer 9998

Client Setup

Client Port Configuration

On the client machine, local HTTP traffic arrives on port 9999, where stunnel receives it and encrypts it before sending it to the stunnel server on port 8000.

So we want to configure stunnel to listen for traffic on port 9999 and to connect to the other stunnel instance on port 8000.

Client Stunnel Config File

output  = /var/log/stunnel4/stunnel.log
cert    = /usr/local/etc/stunnel/stunnel.fullchain.pem
key     = /usr/local/etc/stunnel/stunnel.key.pem
client  = yes
[http]
accept  = 9999
connect = A.B.C.D:8000
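
The client configuration above encrypts the connection but sets none of stunnel's verification options (stunnel does not verify the peer certificate by default), and accept = 9999 without an address listens on every interface. The following Python audit for both issues is an added example, not part of the original page; the hardened sample, its CA bundle path and the checkHost name are constructed placeholders.

```python
# Added example, not from the original page. Sample configs are constructed.
PAGE_CLIENT = """\
client  = yes
[http]
accept  = 9999
connect = A.B.C.D:8000
"""
HARDENED = """\
client      = yes
[http]
accept      = 127.0.0.1:9999
connect     = A.B.C.D:8000
verifyChain = yes
CAfile      = /path/to/ca-bundle.pem
checkHost   = stunnel.example.com
"""

def parse(text):
    """Split a config into global options and per-service options (keys lower-cased)."""
    glob, services, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = services.setdefault(line[1:-1], {})
        elif "=" in line:
            key, _, val = line.partition("=")
            (glob if cur is None else cur)[key.strip().lower()] = val.strip()
    return glob, services

def audit(text):
    """Return (service, finding) pairs for every service running in client mode."""
    glob, services = parse(text)
    out = []
    for name, opts in services.items():
        eff = {**glob, **opts}                 # service settings override global defaults
        if eff.get("client", "no").lower() != "yes":
            continue
        yes = lambda k: eff.get(k, "no").lower() == "yes"
        legacy = eff.get("verify", "0")        # older numeric option; level 2+ verifies
        if not (yes("verifychain") or yes("verifypeer") or (legacy.isdigit() and int(legacy) >= 2)):
            out.append((name, "server certificate is never verified"))
        elif not (eff.get("cafile") or eff.get("capath")):
            out.append((name, "verification enabled but no CAfile/CApath"))
        elif yes("verifychain") and not (yes("verifypeer") or eff.get("checkhost") or eff.get("checkip")):
            out.append((name, "chain verified but certificate subject not checked"))
        if ":" not in eff.get("accept", ""):
            out.append((name, "accept has no address, listens on all interfaces"))
    return out
```

Running audit() on a real stunnel.conf only needs the file's text; a server-mode config (client = no) produces no findings because the checks apply to client services.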

Client Procedure

Stop any running instances of stunnel, then start stunnel:

$ killall stunnel; stunnel

Use nmap to verify port 9999 is open:

$ nmap localhost

Server Setup

Server Port Configuration

The stunnel server will receive encrypted SSL traffic on port 8000. The communications channel is duplex, so stunnel client and server can both send and receive information.

The traffic is forwarded on the remote server to an HTTP server that is listening. This will be a simple Python HTTP server listening on port 9998. We will cover that in a sec.

Server Stunnel Config File

output  = /var/log/stunnel4/stunnel.log
cert    = /etc/stunnel/stunnel.fullchain.pem
key     = /etc/stunnel/stunnel.key.pem
client  = no
[http]
accept  = 8000
connect = 127.0.0.1:9998

Server Procedure

Kill existing instances of stunnel, then run it:

$ killall stunnel; stunnel

Now we need to run a Python HTTP server to test whether HTTP connections are being correctly forwarded. In a separate window or in a tmux/screen session, run the commands:

$ mkdir -p /tmp/stunnel-http
$ cd /tmp/stunnel-http
$ echo '<h2>hallo werkld!</h2>' > index.html
$ python -m SimpleHTTPServer 9998
# The command above is Python 2. On Python 3, bound to loopback so only stunnel can reach it:
# python3 -m http.server 9998 --bind 127.0.0.1

Now when stunnel is configured and run, you should be able to access a "hallo werkld!" page.


Test: Success

Once stunnel is running on the client and server, and the Python HTTP server is listening on the server, test it all out by going to localhost:9999 in a browser:

[Image: StunnelOverHTTP Test.png]

Success!

