Howto stunnel from HTTPS to HTTPS
Sadly it’s fairly typical for corporate web filters to block ‘unusual’ ports, which means that if you’re trying to access a service that’s using anything other than port 80 for HTTP and port 443 for HTTPS then you might be in trouble.
I recently came across a situation where somebody was trying to access an HTTPS service running on port 8000, which appeared to be blocked for them. Having previously used stunnel to connect an old POP3 client to Gmail, I thought it would be able to help, and indeed it did.
You will need
A box (VM) that you can install stuff on (with root access) beyond the firewall with an unblocked public IP that’s not already being used to host HTTPS – e.g. anything on a public cloud or VPS.
I used Ubuntu (12.04), so it was a simple matter of:
sudo apt-get install -y stunnel4
The installer doesn’t create any certificates, so you need to do this yourself:
sudo openssl req -new -out /etc/ssl/certs/stunnel.pem \
-keyout /etc/ssl/certs/stunnel.pem -nodes -x509 -days 365
Create a file /etc/stunnel/stunnel.conf with contents like this (stunnel 4 needs each service in its own [section]; the names https-in and https-out are arbitrary):
debug = debug
cert = /etc/ssl/certs/stunnel.pem

; Tunnel_in: server mode terminates the incoming HTTPS on 443 and passes plain HTTP to the loopback hop
[https-in]
client = no
accept = host_ip:443
connect = localhost:54321

; Tunnel_out: client mode takes plain HTTP from the loopback hop and re-encrypts it to the destination
; (no 'verify' option is set, so this leg does not check the destination server's certificate)
[https-out]
client = yes
accept = localhost:54321
connect = destination_server_ip:8000
host_ip should be the IP address of the server running stunnel.
destination_server_ip is the IP address of the server running the service on the unusual port that can't be reached (obviously if the unusual port isn't 8000 then change that too).
What’s happening here?
stunnel is designed to go from HTTP to HTTPS or from HTTPS to HTTP, so to go from HTTPS to HTTPS we actually need two tunnels connected back to back: HTTPS-[Tunnel_in]-HTTP-HTTP-[Tunnel_out]-HTTPS
If I add in the port numbers then we have: HTTPS:443-HTTP:54321-HTTP:54321-HTTPS:8000
The choice of port 54321 for the intermediate tunnel is completely arbitrary.
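To confirm that a config of this shape is wired the way the chain above describes, here is an added check (not part of the original post): it parses stunnel.conf, pairs the server-mode and client-mode services, verifies that the plain HTTP hop between them stays on loopback with matching ports, and flags that the outbound leg has no 'verify' option. The section names [https-in] and [https-out] are assumed.

```python
import configparser

# Constructed sample in this howto's layout; the section names are assumed.
SAMPLE_CONF = """\
debug = debug
cert = /etc/ssl/certs/stunnel.pem

[https-in]
client = no
accept = host_ip:443
connect = localhost:54321

[https-out]
client = yes
accept = localhost:54321
connect = destination_server_ip:8000
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_conf(text):
    """Parse stunnel.conf: global options first, then one [section] per service."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string("[global]\n" + text)  # wrap the sectionless global options
    return {name: dict(cp[name]) for name in cp.sections() if name != "global"}

def split_hostport(value):
    host, _, port = value.rpartition(":")
    return host, int(port)

def check_relay(text):
    """Return (chain, findings) for a back-to-back HTTPS relay config."""
    services = list(parse_conf(text).values())
    servers = [s for s in services if s.get("client", "no") == "no"]   # TLS in, plain out
    clients = [s for s in services if s.get("client", "no") == "yes"]  # plain in, TLS out
    if len(servers) != 1 or len(clients) != 1:
        return None, ["expected exactly one server-mode and one client-mode service"]
    tun_in, tun_out = servers[0], clients[0]
    in_port = split_hostport(tun_in["accept"])[1]
    mid_host, mid_port = split_hostport(tun_in["connect"])
    mid2_host, mid2_port = split_hostport(tun_out["accept"])
    out_port = split_hostport(tun_out["connect"])[1]
    findings = []
    if mid_port != mid2_port:
        findings.append(f"intermediate ports differ: {mid_port} vs {mid2_port}")
    if mid_host not in LOOPBACK or mid2_host not in LOOPBACK:
        findings.append("plaintext hop is not confined to loopback")
    if "verify" not in tun_out:
        findings.append("outbound leg has no 'verify': destination certificate is not checked")
    chain = f"HTTPS:{in_port}-HTTP:{mid_port}-HTTP:{mid2_port}-HTTPS:{out_port}"
    return chain, findings
```

Run it against your own /etc/stunnel/stunnel.conf by passing the file contents to check_relay; an empty findings list means the intermediate hop is loopback-only and the outbound leg verifies the destination.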
There are plenty of HTTPS proxy services out there (e.g. myhttpsproxy), but often these will be blocked by corporate web filters too. Also, don't trust these with anything – they are by design a man in the middle, so any passwords you type in could be scraped.
You could set up your own HTTPS proxy service using Glype, but that's much more likely to lead to trouble with hosting providers (unless it's very carefully locked down to prevent abuse) than a single point-to-point tunnel.