Howto stunnel from HTTPS to HTTPS


Sadly it’s fairly typical for corporate web filters to block ‘unusual’ ports, which means that if you’re trying to access a service that’s using anything other than port 80 for HTTP and port 443 for HTTPS then you might be in trouble.

CC image by Julian Schüngel

I recently came across a situation where somebody was trying to access an HTTPS service running on port 8000, which appeared to be blocked for them. Having previously used stunnel to connect and old POP3 client to gmail I thought it would be able to help, and indeed it did.

You will need

A box (VM) that you can install stuff on (with root access) beyond the firewall with an unblocked public IP that’s not already being used to host HTTPS – e.g. anything on a public cloud or VPS.

Installing stunnel

I used Ubuntu (12.04), so it was a simple matter of:

sudo apt-get install -y stunnel4

The installer doesn’t create any certificates, so you need to do this yourself:

sudo openssl req -new -out /etc/ssl/certs/stunnel.pem \
-keyout /etc/ssl/certs/stunnel.pem -nodes -x509 -days 365

Configuration file

Create a file /etc/stunnel/stunnel.conf with contents like this:

debug = debug
cert = /etc/ssl/certs/stunnel.pem

client = yes
accept = host_ip:443
connect = localhost:54321

client = no
accept = localhost:54321
connect = destination_server_ip:8000

host_ip should be the IP address of the server running stunnel

destination_server_ip is the IP address of the server running whatever it is on an unusual port that can’t be accessed (obviously if the unusual port isn’t 8000 then change that too).

What’s happening here?

stunnel is designed to go from HTTP-HTTPS or HTTPS-HTTP so to go from HTTPS-HTTPS we actually need two tunnels connected back to back: HTTPS-[Tunnel_in]-HTTP–HTTP-[Tunnel_out]-HTTPS

If I add in the port numbers then we have: HTTPS:443-HTTP:54321-HTTP:54321-HTTPS:8000

The choice of port 54321 for the intermediate tunnel is completely arbitrary.


There are plenty of HTTPS proxy services out there (e.g. myhttpsproxy) , but often these will be blocked by corporate web filters too. Also don’t trust these with anything – they are by design a man in the middle, so any passwords you type in could be scraped.

You could set up your own HTTPS proxy service using Glype, but that’s much more likely to lead to trouble with hosting providers (unless it’s very carefully locked down to prevent abuse) than a single point-point tunnel.

Update 10 Jan 20

Alexander Traud emailed me to note:

Tunnel_out has to be “client = yes”.
Tunnel_in has to be the server (default; “client = no” is possible).
“cert” should be in Tunnel_in.

2 Responses to “Howto stunnel from HTTPS to HTTPS”

  1. 1 Siva

    Hi Sir,

    We have a linux device running on an ARM architecture. This is a surveillance device which has multiple IP camera’s connected to it. Using the thttpd as a web sever we can view live video from all these camera’s using http (on any web browser) on port 80. Now we are planning to support to https as well. Since thttpd doesnt support https we thought we could do that with the help of Stunnel. Now the questions I have it..

    Q1) Is it sufficient to have an stunnel client running on the device with the a similar stunnel.conf setting..

    accept = 443
    connect =
    TIMEOUTclose = 0

    Q2) Do we need an other stunnel server running on the device to accept the response from port 80 and send it back to the web client from the port 443 of the device.

    Any inputs will be really appreciated!

    Thanks in advance

  2. 2 Some Guy

    Please read – I get the error “Wrong permissions on stunnel.pem” – in stunnel FAQ (

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: