
Michael,
Sorry I could not answer before. I read your note and I think this is mostly 
off-topic. I am not sure I understand what you want to do with stunnel in this 
configuration. But I will try an educated guess:
1. Keep in mind that Stunnel is mostly used for securing services that do not 
support TLS natively. I haven't worked with tomcat + IIS, but I have experience 
with tomcat + Apache httpd.
2. It looks like you already have your IIS servers configured to serve web 
requests with TLS on port 443, and since you are trying to insert an stunnel 
client between IIS and tomcat AJP port (9009 or 8009), I guess you are trying 
to encrypt the AJP traffic. It doesn't make much sense to encrypt local traffic, 
so I assume your apache tomcat is running on a different host than your IIS. Is 
this correct? 

3. If I am right on 2, you need to run an stunnel in your IIS host and another 
stunnel in your tomcat host. 

In your IIS host, you configure stunnel like this:

    [client]
    accept = localhost:9009
    ; connect: your-apache-tomcat-ip:10009 (or another free port)
    connect = your-apache-tomcat-ip:10009
    client = yes

In your tomcat host, you configure stunnel like this:

    [server]
    ; accept: same port as connect in client
    accept = your-apache-tomcat-ip:10009
    ; connect: localhost:9009 (or another free port)
    connect = localhost:9009
    client = no

Do you see the tunnel? Note that your isapi filter in IIS should also reference 
localhost and port 9009.

Hope this helps.
Regards,
Jose

      From: J. Michael Drew <[email protected]>
 To: 'Jose Alf.' <[email protected]> 
Cc: [email protected]
 Sent: Monday, June 20, 2016 6:00 PM
 Subject: RE: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
   
Jose,

I appreciate your patience.

Internet - Clients : 443 -> : https://website.company.com/website/

________Firewall___________

Web\Presentation Layer
2 Win 2012 Webservers (443) not currently connected to the production LB, 
application needs to work before connecting to LB. This configuration is first 
time on 64 bit OS… Win 2012.
IIS 8 running Jakarta ISAPI Filter\Stunnel to redirect 9001 to 9009:

_________Firewall\App Layer________

Port 9009 Connects to App server running Apache

Application is working as expected as long as I am logged in to the IIS 8 
server. I can telnet to the APP layer over 9009 and I can reach these websites 
externally as expected. Firewalls are good.

Please let me know any other information you need.

Thank you again,
Michael

From: Jose Alf. [mailto:[email protected]] 
Sent: Monday, June 20, 2016 4:32 PM
To: J. Michael Drew
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit  

Michael,

Please take this in a constructive way. I am trying to help, but it looks like 
you need to do some reading and homework. Please check 
http://catb.org/~esr/faqs/smart-questions.html

I suggest you draw a picture of your environment and explain well what you're 
trying to achieve. Show your client, your backend server, your stunnel server, 
include the IPs and ports they're listening to and everything should be easier. 
Don't forget any firewalls that may be in the way.

Regards,
Jose.

From: J. Michael Drew <[email protected]>
To: 'Jose Alf.' <[email protected]> 
Sent: Monday, June 20, 2016 1:00 PM
Subject: RE: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit

Hi Jose,

I made the changes you suggested, but I am still getting the same behavior. My 
external address is: https://website.company.com/website I am not adding any 
ports to the address.

Thanks so much for your help!
Michael

From: Jose Alf. [mailto:[email protected]] 
Sent: Monday, June 20, 2016 12:10 PM
To: J. Michael Drew; [email protected]
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit

Michael,

I guess what you want to do is to be able to connect to your internal 
Webserver via your Win2012 stunnel proxy using a URL like:

https://yourwin2012dnsname:9001/

if that is correct, I suggest to adjust your configuration as follows:

1. Your stunnel mode must be server, not client. So adjust your service stanza 
as follows:

    [CLI9F529A0A]
    accept=9001
    connect=10.xxx.xxx.xxx:9009
    client=no

2. In your current configuration stunnel is listening only in the localhost 
ipv4 address (127.0.0.1). Therefore, you can only connect when you are logged 
on the server, you can't connect from a remote client.

Hope this helps you clarify what's going on.

Regards,
Jose

From: J. Michael Drew [mailto:[email protected]] 
Sent: Monday, June 20, 2016 9:54 AM
To: 'Josealf.rm'
Subject: RE: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit

Jose,

Once logged in to the server I can open a browser on the server and connect 
through https://localhost/website and I can log in to the site externally as 
expected. Here are the log files from IIS and stunnel where stunnel is running 
as a service on the Windows 2012 server:

When I am not logged in to the server it fails:

    #Software: Microsoft Internet Information Services 8.5
    #Version: 1.0
    #Date: 2016-06-20 00:30:21
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
    2016-06-20 00:30:21 159.xxx.xxx.xxx HEAD / - 443 - 190.xxx.xxx.xxx - - 200 0 0 1218
    #Software: Microsoft Internet Information Services 8.5
    #Version: 1.0
    #Date: 2016-06-20 05:41:01
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
    2016-06-20 05:41:01 10.xxx.xxx.xxx OPTIONS /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 200 0 0 500
    2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 46
    2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32 - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 218
    2016-06-20 05:41:16 10.xxx.xxx.xxx PROPFIND /patch-{682810b5-36dc-4e5d-81dd-6c02cd8f445b}-patchtoolsd.exe - 80 - 159.82.156.241 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 64 62
    2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /N$cl64.exe - 80 - 159.xxx.xxx.xxx 1 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 62
    2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /C$rome.dll - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 296

Stunnel.conf:

    cert = extwebsvr_ver.pem
    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ; Peer Authentication
    verify = 2
    CAfile = extwebsvr_root.pem
    ; Debug mode - useful for troubleshooting
    debug = 7
    output = stunnel.log
    ; Client mode
    client = yes
    ; Setup tunnels to each EMS node
    [CLIxxxxxxxx)]
    accept=127.0.0.1:9001
    connect=10.xxx.xxx.xxx:9009

Stunnel.log:

    2016.06.20 09:17:39 LOG7[main]: No limit detected for the number of clients
    2016.06.20 09:17:39 LOG5[main]: stunnel 5.27 on x86-pc-msvc-1500 platform
    2016.06.20 09:17:39 LOG5[main]: Compiled/running with OpenSSL 1.0.2e-fips 3 Dec 2015
    2016.06.20 09:17:39 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
    2016.06.20 09:17:39 LOG7[main]: errno: (*_errno())
    2016.06.20 09:17:39 LOG5[main]: Reading configuration from file stunnel.conf
    2016.06.20 09:17:39 LOG7[ui]: GUI message loop initialized
    2016.06.20 09:17:39 LOG7[cron]: Cron thread initialized
    2016.06.20 09:17:39 LOG5[main]: UTF-8 byte order mark detected
    2016.06.20 09:17:39 LOG6[main]: Initializing service [CLI9F529A0A]
    2016.06.20 09:17:39 LOG6[main]: Loading certificate from file: extwebsvr_ver.pem
    2016.06.20 09:17:39 LOG6[main]: Certificate loaded from file: extwebsvr_ver.pem
    2016.06.20 09:17:39 LOG6[main]: Loading private key from file: extwebsvr_ver.pem
    2016.06.20 09:17:39 LOG6[main]: Private key loaded from file: extwebsvr_ver.pem
    2016.06.20 09:17:39 LOG7[main]: Private key check succeeded
    2016.06.20 09:17:39 LOG4[main]: Service [CLIxxxxxxxx] uses "verify = 2" without subject checks
    2016.06.20 09:17:39 LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates
    2016.06.20 09:17:39 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
    2016.06.20 09:17:39 LOG5[main]: Configuration successful

Thanks for your help,
Michael

From: Josealf.rm [mailto:[email protected]] 
Sent: Monday, June 20, 2016 8:01 AM
To: J. Michael Drew
Cc: [email protected]
Subject: Re: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit

Michael,

Is your stunnel running as a service? Please post sanitized logs and 
configuration for a better diagnostic ...

Regards
Jose

On 20 Jun 2016, at 6:39, J. Michael Drew <[email protected]> wrote:

Hi,

I have a website on IIS8 and am using stunnel to forward requests over 9009 
inside to my application server. When I log in to the IIS server and stay 
logged in everything works as expected. When I log off the IIS 8 web server my 
site is unreachable with a “service is unavailable”. Can someone help me?

Sincere thanks,
Michael

_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
