Stunnel FAQ: Transparent Mode
This section gives you very basic information on Transparent mode.
The -T option causes your Stunnel daemon to rewrite its address as if
it were the actual SSL client. This option does nothing when Stunnel is
not running in daemon mode, and doesn't work on all OSs.
The purpose is to let any program Stunnel launches, or any socket it
connects, believe that the Stunnel process is actually the true SSL
client, thus preserving the client's IP address. This allows you to
continue to use TCP wrappers, etc.
There are only two ways in which this will work:

- -l | -L (process/args)
  - The Stunnel daemon launches a local process with -l or -L.
  - Known to work on Linux 2.2, Solaris, Tru64, and possibly other
    systems that support LD_PRELOAD. If you have success with other
    systems, let us know. See man ld.so or man ld.so.1 for details.

or

- -r (destination machine/port)
  - The Stunnel daemon connects to a port on a different machine.
    The destination machine must believe that the route to the
    actual SSL client is through the Stunnel machine. This would
    be the case when the Stunnel machine is the default route for
    the destination machine, for example. This does not work for
    a destination of localhost. If it's localhost you're looking
    for, consider using the -l option if possible.
  - Known to work on Linux 2.2 when the Transparent Proxy
    option is compiled into the kernel.
  - References for the 2.4 kernel that say it's not possible:
  - Reference for the 2.4 kernel that says it is possible:
    - See http://www.unxsoft.com/TransparentProxy.html
    - Use the cttproxy patch. According to
      http://www.balabit.hu/en/downloads/tproxy/README.txt:
In Linux 2.2 this was accomplished by bind()-ing to a foreign address
prior to calling connect(), and it worked. In this tproxy patch it is done
somewhat similarly to case 2 outlined above.
* the proxy binds to a local address first
* the proxy then issues an IP_TPROXY_ASSIGN setsockopt.
  IP_TPROXY_ASSIGN registers the local address the proxy bound to,
  with the foreign address it wants its source address to be changed
  to. This relationship is stored in a hash table within the
  iptable_tproxy module.
* as a final step the proxy instructs the kernel that it wants to
  initiate a connection; this is done by calling an IP_TPROXY_FLAGS
  setsockopt with a flags value of ITP_CONNECT.
This error indicates that you're trying to use '-T' on a Linux
machine that doesn't have the transparent proxy option enabled in
the kernel.
The stunnel.so file is only used when you are using Stunnel
in local mode together with transparent proxy mode (i.e.
"-T -l ..."). If you're using Stunnel in any
other manner, this file isn't needed. You may ignore any
compile-time errors related to this file if you don't want
this functionality.
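One way the LD_PRELOAD side of "-T -l" can work, as an added example that is not stunnel's own stunnel.so: the parent exports the SSL client's address in the environment (REMOTE_HOST and REMOTE_PORT are hypothetical names chosen here), and a shim loaded into the launched program interposes getpeername() so that TCP wrappers and similar checks see that address rather than the local one. It assumes Linux for the raw-syscall fallback; build it with gcc -shared -fPIC and point LD_PRELOAD at the result.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Read the client address the parent exported. REMOTE_HOST / REMOTE_PORT are
 * hypothetical variable names chosen for this example. Returns 1 if usable. */
int peer_from_env(struct sockaddr_in *out)
{
    const char *host = getenv("REMOTE_HOST"), *port = getenv("REMOTE_PORT");
    char *end; long p;
    if (!host || !port) return 0;
    p = strtol(port, &end, 10);
    if (*end != '\0' || p < 1 || p > 65535) return 0;
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons((unsigned short)p);
    return inet_pton(AF_INET, host, &out->sin_addr) == 1;
}

/* Interposed getpeername(): callers such as TCP wrappers see the SSL client's
 * address, not stunnel's; otherwise fall through to the real syscall (Linux). */
int getpeername(int fd, struct sockaddr *addr, socklen_t *len)
{
    struct sockaddr_in peer;
    if (addr && len && peer_from_env(&peer)) {
        socklen_t n = *len < sizeof peer ? *len : (socklen_t)sizeof peer;
        memcpy(addr, &peer, n);
        *len = sizeof peer;     /* report the full length, as the kernel would */
        return 0;
    }
    return (int)syscall(SYS_getpeername, fd, addr, len);
}

/* What a wrapped program observes once host/port are exported; fd is unused by the shim, so -1. */
int peer_seen_by_child(const char *host, const char *port, char *buf, size_t n)
{
    struct sockaddr_in sin; socklen_t len = sizeof sin;
    char ip[INET_ADDRSTRLEN];
    setenv("REMOTE_HOST", host, 1);
    setenv("REMOTE_PORT", port, 1);
    if (getpeername(-1, (struct sockaddr *)&sin, &len) != 0) return -1;
    inet_ntop(AF_INET, &sin.sin_addr, ip, sizeof ip);
    snprintf(buf, n, "%s:%u", ip, (unsigned)ntohs(sin.sin_port));
    return 0;
}
```

When the exported values are missing or malformed the shim stays out of the way, so a program that is started without the parent's environment still gets the kernel's real answer.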