On Tue, Jul 17, 2018 at 10:51:07PM -0600, C. Petro wrote: > I have a client who is setting up a logging infrastructure involving a > couple of DMZs forwarding logs into central logging points. > > They have to pass compliance audits (SOX, PCI at least) and have some > rather specific desires in regards to how they want the log traffic to > move, and which servers *initiate* the connections. > > Which is to say they want the internal servers to set up tunnels to the DMZ > servers and then the forwarders use that tunnel to deliver logs back.
...oof. I went back and reread your original message more carefully. The truth is, stunnel cannot really do what you want :( It seems to me that what you want could be accomplished with OpenSSH and its remote connection forwarding: set up an SSH server in the DMZ, generate a (possibly passphraseless) key pair on the central server, add the public key to an the authorized_keys file of an unprivileged account on the DMZ server, and then, on the central server (again, from an unprivileged account), run a command like: ssh -N -R 3000:localhost:3000 [email protected] Then SSH will listen for incoming connections on 127.0.0.1:3000 on the DMZ server and, when a connection comes in, create a connection from 127.0.0.1 to 127.0.0.1:3000 on the central server and start forwarding data. If needed, the OpenSSH server on the DMZ host may be configured so that it is very restricted: only public-key authentication, only certain users may connect, only certain commands may be executed, etc. Apologies for not reading your first message carefully enough! G'luck, Peter -- Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} [email protected] PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
signature.asc
Description: PGP signature
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
