That's what I was afraid of. Thanks.
This is going to be passing a lot of traffic and there's a lot more CPU load from using SSH vs. stunnel or something like OpenVPN. We'll give the ssh thing a shot and monitor the loads.

On Fri, Jul 20, 2018 at 9:33 AM, Peter Pentchev <[email protected]> wrote:
> On Tue, Jul 17, 2018 at 10:51:07PM -0600, C. Petro wrote:
> > I have a client who is setting up a logging infrastructure involving a
> > couple of DMZs forwarding logs into central logging points.
> >
> > They have to pass compliance audits (SOX, PCI at least) and have some
> > rather specific desires in regards to how they want the log traffic to
> > move, and which servers *initiate* the connections.
> >
> > Which is to say they want the internal servers to set up tunnels to the DMZ
> > servers and then the forwarders use that tunnel to deliver logs back.
>
> ...oof. I went back and reread your original message more carefully.
> The truth is, stunnel cannot really do what you want :(
>
> It seems to me that what you want could be accomplished with OpenSSH and
> its remote connection forwarding: set up an SSH server in the DMZ,
> generate a (possibly passphraseless) key pair on the central server,
> add the public key to the authorized_keys file of an unprivileged
> account on the DMZ server, and then, on the central server (again, from
> an unprivileged account), run a command like:
>
>     ssh -N -R 3000:localhost:3000 [email protected]
>
> Then SSH will listen for incoming connections on 127.0.0.1:3000 on the DMZ
> server and, when a connection comes in, create a connection from 127.0.0.1
> to 127.0.0.1:3000 on the central server and start forwarding data.
>
> If needed, the OpenSSH server on the DMZ host may be configured so that it
> is very restricted: only public-key authentication, only certain users may
> connect, only certain commands may be executed, etc.
>
> Apologies for not reading your first message carefully enough!
>
> G'luck,
> Peter
>
> --
> Peter Pentchev roam@{ringlet.net,debian.org,FreeBSD.org} [email protected]
> PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
> Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
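As an added example (not code from the thread or from the stunnel or OpenSSH projects), here is the remote-forward setup Peter describes with the "very restricted" server side made concrete: a key-only, single-user sshd on the DMZ host whose authorized_keys entry permits nothing but the one loopback listener, and a client loop on the central server that re-establishes the tunnel when it drops. The DMZ host name, the account name and the key path are assumptions; port 3000 is the port used in the thread. The `permitlisten` key option needs OpenSSH 7.8 or later, `restrict` needs 7.2 or later.

```shell
#!/bin/sh
# Added example, not code from the thread: the OpenSSH remote-forward tunnel Peter
# describes, with the restricted DMZ server side made concrete.
# Assumed names: the DMZ host, the unprivileged account and the key path below.
# Port 3000 is the port used in the thread.
set -e

DMZ_HOST="${DMZ_HOST:-dmz.example.com}"              # assumed: SSH server in the DMZ
TUNNEL_USER="${TUNNEL_USER:-logtunnel}"              # assumed: unprivileged account on the DMZ host
KEY="${KEY:-${HOME:-/root}/.ssh/logtunnel_ed25519}"  # assumed: passphraseless key on the central server
PORT=3000

# authorized_keys entry for TUNNEL_USER on the DMZ host.  $1 is the public key text.
# "restrict" disables pty, agent/X11 forwarding and all port forwarding; "port-forwarding"
# re-enables it and "permitlisten" narrows it to one loopback listener, so this key can
# only open the single remote listener the tunnel needs (permitlisten: OpenSSH 7.8+).
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%d" %s\n' "$PORT" "$1"
}

# sshd_config fragment for the DMZ host: key-only authentication, one allowed user, and
# for that user only remote forwards (no local forwards, no tty, listener kept on loopback).
sshd_config_fragment() {
    cat <<EOF
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers $TUNNEL_USER
Match User $TUNNEL_USER
    AllowTcpForwarding remote
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# The client command run on the central server.  -N requests no remote command, the -R
# bind address keeps the DMZ-side listener on loopback, ExitOnForwardFailure turns a failed
# bind (e.g. a stale listener) into a non-zero exit so the loop below reconnects, and
# ServerAlive* detects a tunnel silently dropped by a firewall.
tunnel_command() {
    printf 'ssh -N -i %s -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R 127.0.0.1:%d:127.0.0.1:%d %s@%s\n' \
        "$KEY" "$PORT" "$PORT" "$TUNNEL_USER" "$DMZ_HOST"
}

# Keep the tunnel up: reconnect after any exit, with a short back-off.
run_tunnel() {
    while :; do
        $(tunnel_command) || true
        sleep 5
    done
}

case "${1:-}" in
    run)  run_tunnel ;;
    show) sshd_config_fragment; echo; tunnel_command ;;
esac
```

`./tunnel.sh show` prints the sshd_config fragment and the client command for review; `./tunnel.sh run` is what a supervisor (systemd, daemontools) would keep running on the central server. The log forwarder on the DMZ host then points at 127.0.0.1:3000 and everything it sends arrives at 127.0.0.1:3000 on the central server, so the connection is always initiated from the inside, as the auditors want.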
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
