    HAProxy or STunnel for HTTPS proxy?

    Cache/Proxy
    valnar last edited by

      Long time pfSense user, short time package user.

      I have Blue Iris which runs the webcams in my house and the app has the ability (baked in) to use STunnel locally on the same Windows box for encryption.  The app normally only uses HTTP but this provides a HTTPS proxy to it.  However, from what I can see of STunnel, it's pretty rudimentary.

      I hit a thread that said pfSense can do this instead and that sounds like a better idea.  I wasn't sure if STunnel is still the package I want or if HAProxy did some of it.  Ideally it would at least do the same as STunnel on that Windows box, but bonus points if I can wrap a 2nd layer of security around it like a certificate.

      Can anyone point me in the right direction?

        PiBa last edited by

        afaik STunnel is meant for 1 purpose and does that single job pretty well (decrypting SSL traffic).. As for its webgui it seems to have the minimally required options there to make it basically work..

        Haproxy allows a lot more control over what happens with traffic, and has options for client certificates in the webgui as well. It needs a bit more work to get fully configured, but in the end I think you will probably like the extra options. It shouldn't be too hard to get it configured into a working state. And then it allows for adding stats/logs/alerts/ACLs and lots of other goodies ;) . Personally I would go for haproxy, but well, as the package maintainer I'm a bit biased :).

          valnar last edited by

          Well stunnel doesn't work at all, or I can't figure it out since there are no instructions anywhere.  I don't see how I can put in a variable for the listening IP, which would be the WAN IP of the firewall.

          I'll give HAProxy a try.  Thanks.

            PiBa last edited by

            Stunnel is so simple it doesn't need instructions… For a dynamic IP fill in 0.0.0.0 to listen on.

              valnar last edited by

              Is that right?  Listen on ANY IP?  That doesn't sound right. So anything that hits my firewall on that port gets redirected to that specific internal server?

              Edit: It's not working anyway, or I don't have the firewall rule set right.

                PiBa last edited by

                What does your firewall rule look like?

                  valnar last edited by

                  The basic NAT/port-forward rule I used previously which is probably wrong since STunnel (I assume) is supposed to intercept it.  I don't understand where STunnel inserts itself into the mix though.  I tried a couple different things with my ports 3456 (ext) and 81 (int).

                  NAT rule
                  Interface  WAN
                  Protocol  TCP
                  Dest Address  WAN Address
                  Dest Ports  3456
                  NAT IP  192.168.1.15
                  NAT Ports  81

                  NAT created FW rule
                  Protocol  IPv4 TCP
                  Source  *
                  Destination  192.168.1.15
                  Port  81

                    PiBa last edited by

                    stunnel and haproxy are both programs that open a port on either a specific IP or 'any' IP.. When using these there is in general no need anymore to use a 'portforward', as the client will be connecting to the WAN IP, and stunnel/haproxy is listening on that IP.
                    The only thing needed to allow the connection is a regular firewall rule.. Make sure to allow 'source any' for both the source-ip and source-port..

                      valnar last edited by
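The HAProxy setup PiBa describes in the two replies above (a listener bound to the WAN or 'any' address, so no port forward is needed, plus client-certificate checking as the extra layer valnar asked for) looks roughly like the following haproxy.cfg fragment. This is an added example, not from the thread or the pfSense package; the pfSense package generates its own config from the GUI, and the certificate paths, the syslog address and the log/timeout values are assumed placeholders. Only the addresses and ports from the thread (3456 on the WAN side, 192.168.1.15:81 for the Blue Iris box) are taken from the posts.

```haproxy
# Added example (not the thread's or the package's own config): TLS-terminating
# reverse proxy in front of a plain-HTTP camera server, with client-certificate
# verification. Paths below are assumed placeholders.
global
    log 127.0.0.1 local0            # assumed syslog target
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Listener on any address, port 3456. Because HAProxy itself owns this port on
# the firewall, no NAT port-forward is required; the only thing needed is a WAN
# firewall rule allowing TCP from any source/port to the WAN address on 3456.
frontend blueiris_https
    bind 0.0.0.0:3456 ssl crt /var/etc/haproxy/blueiris.pem ssl-min-ver TLSv1.2 verify required ca-file /var/etc/haproxy/clients-ca.pem
    # "verify required" makes the TLS handshake fail unless the client presents
    # a certificate signed by the CA in clients-ca.pem; the camera app's HTTP
    # password then becomes the second factor rather than the only one.
    http-request set-header X-Forwarded-Proto https
    default_backend blueiris_http

backend blueiris_http
    # Decrypted traffic goes to the Blue Iris box over plain HTTP on the LAN.
    server blueiris 192.168.1.15:81 check
```

The `bind` line is the part that replaces stunnel: `ssl crt` terminates HTTPS, and `verify required` with `ca-file` is the client-certificate option PiBa mentions. If you want to allow some clients without a certificate, `verify optional` combined with an ACL on `ssl_c_used` gives per-path control, which stunnel cannot express. Check any hand-edited config with `haproxy -c -f /path/to/haproxy.cfg` before loading it.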

                      I just got it to work in a slightly different way.  I can probably delete my NAT rule as you surmised so I'll play with it a bit, but I wonder if it's more secure keeping the NAT as it has to follow a traditional port-forward-nat rule first.

                      Basically the gist of it is I point it to my internal pfSense LAN IP and I assume STunnel does the rest.

                      Stunnel rule
                      Listen on 192.168.1.1  (internal IP of pfSense firewall LAN)
                      Listen on port 3456
                      Redirect to 192.168.1.15  (Camera software box)
                      Redirects on port 81

                      NAT rule
                      Interface  WAN
                      Protocol  TCP
                      Dest Address  WAN Address
                      Dest Ports  3456
                      NAT IP  192.168.1.1
                      NAT Ports  3456

                      NAT created FW rule
                      Protocol  IPv4 TCP
                      Source  *
                      Destination  192.168.1.1
                      Port  3456
