HAProxy or STunnel for HTTPS proxy?

valnar

Long time pfSense user, short time package user.

I have Blue Iris which runs the webcams in my house and the app has the ability (baked in) to use STunnel locally on the same Windows box for encryption.  The app normally only uses HTTP but this provides a HTTPS proxy to it.  However, from what I can see of STunnel, it's pretty rudimentary.

I hit a thread that said pfSense can do this instead and that sounds like a better idea.  I wasn't sure if STunnel is still the package I want or it HAProxy did some of it.  Ideally it would at least do the same as STunnel on that Windows box, but bonus points if I can wrap a 2nd layer of security around it like a certificate.

Can anyone point me in the right direction?

PiBa

afaik STunnel is ment for 1 purpose and does that single job pretty well (decrypting ssl traffic).. As for its webgui it seems to have the minimally required options there to make it basically work..

Haproxy allows a lot more control what happens with traffic, and has options for client-certificates in the webgui as well, its needs a bit more work to get fully configured but in the end i think you will probably like the extra options. It shouldn't be to hard to get it configured into a working state. And then allows for adding stats/logs/alerts/acl's and lots of other goodies ;) . Personally i would go for haproxy, but well as the package maintainer i'm a bit biased :).

valnar

Well stunnel doesn't work at all, or I can't figure it out since there are no instructions anywhere.  I don't see how I can put in a variable for the listening IP, which would be the WAN IP of the firewall.

I'll give HAProxy a try.  Thanks.

PiBa

Stunnel is so simple it doesn't need instructions… For a dynamic ip fill in 0.0.0.0 to listen on.

valnar

Is that right?  Listen on ANY IP?  That doesn't sound right. So anything that hits my firewall on that port gets redirected to that specific internal server?

Edit: It's not working anyway, or I don't have the firewall rule set right.

PiBa

What does your firewall rule look like?

valnar

The basic NAT/port-forward rule I used previously which is probably wrong since STunnel (I assume) is supposed to intercept it.  I don't understand where STunnel inserts itself into the mix though.  I tried a couple different things with my ports 3456 (ext) and 81 (int).

NAT rule
Interface  WAN
Protocol  TCP
Dest Address  WAN Address
Dest Ports  3456
NAT IP  192.168.1.15
NAT Ports  81

NAT created FW rule
Protocol  IPv4 TCP
Source  *
Destination  192.168.1.15
Port  81

PiBa

stunnel and haproxy are both programs that open a port on either a specific ip or 'any' ip.. When using these there is in general no need anymore to use a 'portforward'. As the client will be connecting to the wanip, and stunnel/haproxy is listening on that ip.
The only thing needed to allow the connection is a regular firewall rule.. Make sure to allow 'source any' for both the source-ip and source-port..

valnar

I just got it to work in a slightly different way.  I can probably delete my NAT rule as you surmised so I'll play with it a bit, but I wonder if it's more secure keeping the NAT as it has to follow a traditional port-forward-nat rule first.

Basically the gist of it is I point it to my internal pfSense LAN IP and I assume STunnel does the rest.

Stunnel rule
Listen on 192.168.1.1  (internal IP of pfSense firewall LAN)
Listen on port 3456
Redirect to 192.168.1.15  (Camera software box)
Redirects on port 81

NAT rule
Interface  WAN
Protocol  TCP
Dest Address  WAN Address
Dest Ports  3456
NAT IP  192.168.1.1
NAT Ports  3456

NAT created FW rule
Protocol  IPv4 TCP
Source  *
Destination  192.168.1.1
Port  3456