STUNNEL Transparent Source
-
Hello,
I have to terminate POP3S, IMAPS, SMTPS on our
firewall (SSL offloading) and forward the
unencrypted sessions to our load balancer.
Everything is working fine when I don't use
STUNNEL with the option "transparent=source",
but I need to have the client source IP transparently
forwarded to our backend servers.

Client -> PFSENSE-FW (STUNNEL) -> PFSENSE-LOADBALANCER(HAPROXY) -> BACKENDSERVER

Client connects to STUNNEL via TLS/SSL
STUNNEL sends SYN to HAPROXY with ClientIP as source
HAPROXY sends SYN,ACK to ClientIP

So I have to rewrite the return packets from HAPROXY to go into
the STUNNEL.
I have to change the destination IP of the return packets to match
the IP address of STUNNEL.

Is there any possibility to do this? (Do I need ipfw for this?)
Or does somebody know any other method for SSL offloading and transparent
client IP forwarding?
-
If you are willing to switch to haproxy-devel (1.5) it should be able to do both ssl-offloading and transparent-clientip. Also in the background it will create the needed ipfw rules.
How good of a job it will do for pop3s / imaps / smtps, I have no experience there.
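
A sketch of what the suggestion above looks like as a plain HAProxy 1.5 configuration. This is an added example, not part of the original posts and not the configuration the pfSense package generates. The addresses (documentation ranges), the certificate path and the section and server names are assumptions.

```haproxy
# Constructed example. 203.0.113.10 stands in for the public address,
# 192.0.2.21 for a backend mail server, and the certificate path is a
# placeholder for a PEM file holding certificate chain and private key.

defaults
    mode tcp                      # POP3/IMAP/SMTP are not HTTP: pass raw TCP
    timeout connect 5s
    timeout client  30m           # IMAP sessions idle for a long time
    timeout server  30m

# IMAPS: terminate TLS on 993, forward plaintext IMAP to the backend
listen imaps_offload
    bind 203.0.113.10:993 ssl crt /path/to/mail.pem
    # Open the backend connection with the client's address as source,
    # the HAProxy counterpart of stunnel's "transparent = source".
    source 0.0.0.0 usesrc clientip
    server mail1 192.0.2.21:143

# POP3S: terminate TLS on 995, forward plaintext POP3
listen pop3s_offload
    bind 203.0.113.10:995 ssl crt /path/to/mail.pem
    source 0.0.0.0 usesrc clientip
    server mail1 192.0.2.21:110

# SMTPS: terminate TLS on 465, forward plaintext SMTP
listen smtps_offload
    bind 203.0.113.10:465 ssl crt /path/to/mail.pem
    source 0.0.0.0 usesrc clientip
    server mail1 192.0.2.21:25
```

Because the backend sees the client's IP as the source, its replies are addressed to the client, so the backend's return route has to pass through the HAProxy host for the session to complete; this is the same return-path problem described in the question. The link between HAProxy and the backend carries mail credentials in cleartext after offloading, so it should be a trusted, isolated segment.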