
[stunnel-users] Stunnel over a separate proxy?


Alex Gottschalk

Feb 7, 2013, 6:32:11 PM
I've successfully deployed stunnel4 to wrap rsync for transferring data between remote sites and a central repository. The issue I'm running into is that some of these sites mandate use of a proxy (HTTP or SOCKS5 usually) for outbound network connections. It seems like there is some proxy support in stunnel with the protocol{Host,Authentication,etc} configuration options, but I have had zero luck getting them to work. For example, I've tried making a simple SOCKS5 proxy using ssh that I'm successfully able to send HTTP traffic over:

ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a public interface

then in the client stunnel.conf:

[rsync]
protocol = connect
protocolHost = proxy-host:1080
accept = 127.0.0.1:873
connect = rsync-destination:443

Keep in mind this is an already-working stunnel - the only difference is the addition of the protocol and protocolHost lines above. When I run stunnel in the foreground with that configuration change, I get the following error trying to run rsync:

$ rsync -v dev.inst.kvpdata rsync://localhost/putdata/
rsync: read error: Connection reset by peer (104)
rsync error: error in rsync protocol data stream (code 12) at io.c(605) [sender=2.6.9]

And no log messages appear in stunnel's stderr whatsoever.

What am I doing wrong? I get identical results using an HTTP proxy with squid, instead of the socks5 proxy.

Thanks; please let me know if there's any more information I should include to help with figuring this out.

Alex Gottschalk


_______________________________________________
stunnel-users mailing list
stunne...@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

Michal Trojnara

Feb 8, 2013, 3:25:00 AM
Alex Gottschalk wrote:
> I've successfully deployed stunnel4 to wrap rsync for transferring
> data between remote sites and a central repository. The issue I'm
> running into, is that some of these sites mandate use of a proxy
> (HTTP
> or SOCKS5 usually) for outbound network connections. It seems like
> there is some proxy support in stunnel with the
> protocol{Host,Authentication,etc} configuration options, but I have
> had zero luck getting them to work. For example, I've tried making a
> simple SOCKS5 proxy using ssh, that I'm successfully able to send
> HTTP
> traffic over:
>
> ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a
> public interface

There is no SOCKS proxy support in stunnel.

> [rsync]
> protocol = connect
> protocolHost = proxy-host:1080
> accept = 127.0.0.1:873
> connect = rsync-destination:443

You have reversed "protocolHost" and "connect" values. "connect" is
the host *stunnel* connects to while "protocolHost" is the final
destination requested from this host. It may be unintuitive compared to
other services (like web browsers), but for stunnel proxy support is a
part of SSL protocol negotiations rather than a separate feature.

From the fine manual of stunnel:

connect = address

connect to a remote address

If no host is specified, the host defaults to localhost.

Multiple connect options are allowed in a single service section.

If host resolves to multiple addresses and/or if multiple connect
options are specified, then the remote address is chosen using a
round-robin algorithm.

protocolHost = host:port

destination address for protocol negotiations

Mike
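
To make the connect/protocolHost split concrete, here is an added Python example (not stunnel's code, and not part of the original thread) that performs the HTTP CONNECT negotiation that stunnel's "protocol = connect" does before the TLS handshake: the TCP connection goes to the proxy (the "connect" value) and the CONNECT request line names the final destination (the "protocolHost" value). The stand-in proxy, its ephemeral port, and the rsync greeting bytes are constructed for the demo; the mismatch case models what the original configuration did, sending a CONNECT to an endpoint that is not a proxy and getting hung up on.

```python
import socket
import threading

def build_connect_request(target_host: str, target_port: int) -> bytes:
    # The request line names protocolHost; the TCP connection itself goes to connect=.
    target = f"{target_host}:{target_port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()

def parse_connect_status(reply: bytes) -> int:
    # The proxy answers with an HTTP status line; 200 means the tunnel is open.
    parts = reply.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP CONNECT reply")
    return int(parts[1])

def open_tunnel(proxy: tuple, target_host: str, target_port: int) -> socket.socket:
    # Connect to the proxy (connect=), ask it for the target (protocolHost), and
    # hand back the raw tunnel socket that the TLS handshake would then run over.
    sock = socket.create_connection(proxy, timeout=5)
    try:
        sock.sendall(build_connect_request(target_host, target_port))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:  # hung up with no HTTP reply: the peer was not a proxy
                raise ConnectionError("connection closed before CONNECT was answered")
            reply += chunk
        if (status := parse_connect_status(reply)) != 200:
            raise ConnectionError(f"proxy refused tunnel: HTTP {status}")
        return sock
    except Exception:
        sock.close()
        raise

def start_fake_proxy(allowed_target: str) -> int:
    # Constructed stand-in for a CONNECT proxy: grants a tunnel to allowed_target only (then
    # echoes one message); otherwise it hangs up, as a plain TLS endpoint typically does.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        with srv, srv.accept()[0] as conn:
            req = b""
            while b"\r\n\r\n" not in req and (chunk := conn.recv(4096)):
                req += chunk
            if req.split(b" ")[1:2] == [allowed_target.encode()]:
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
                conn.sendall(conn.recv(4096))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

With the values from the thread, open_tunnel(("proxy-host", 1080), "rsync-destination", 443) is the shape the corrected configuration expresses: connect = proxy-host:1080, protocolHost = rsync-destination:443.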

John A. Wallace

Feb 9, 2013, 11:37:01 AM

> -----Original Message-----
> From: stunnel-us...@stunnel.org [mailto:stunnel-users-
> bou...@stunnel.org] On Behalf Of Michal Trojnara
> Sent: Friday, February 08, 2013 2:25 AM
> To: stunne...@stunnel.org
> Subject: Re: [stunnel-users] Stunnel over a separate proxy?
>
> Alex Gottschalk wrote:
> > I've successfully deployed stunnel4 to wrap rsync for transferring
> > data between remote sites and a central repository. The issue I'm
> > running into, is that some of these sites mandate use of a proxy
> (HTTP
> > or SOCKS5 usually) for outbound network connections. It seems like
> > there is some proxy support in stunnel with the
> > protocol{Host,Authentication,etc} configuration options, but I have
> > had zero luck getting them to work. For example, I've tried making a
> > simple SOCKS5 proxy using ssh, that I'm successfully able to send
> HTTP
> > traffic over:
> >
> > ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a
> > public interface
>
> There is no SOCKS proxy support in stunnel.

You can send stunnel over a SOCKS proxy using socat easily enough, and this
works on both Windows and Linux.

Alex Gottschalk

Feb 11, 2013, 12:49:04 PM
> > > ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a
> > > public interface
> >
> > There is no SOCKS proxy support in stunnel.
>
> You can send stunnel over socks proxy using socat easily enough, and
> this
> works on both Windows and Linux.

Ah, that's good information - thanks!

--Alex

John A. Wallace

Feb 11, 2013, 11:17:43 PM
socat -lf z:\socat.log -d -d tcp4-listen:<local-port>,fork socks4a:localhost:<remote-IP>:<remote-port>,socksport=9050

In Windows this command at the prompt of a machine with socat installed
would make socat listen for tcp4 data on <local-port>, which it then sends
to localhost, but which you can replace with any IP, where the socks proxy
is running and accepting data on port 9050, for instance; it then sends the
data to <remote-IP> and <remote-port>. The part at the beginning of this
command ( -lf z:\socat.log -d -d ) causes a log file to be created at
directory location z:\socat.log, but you can change the location of course,
and adding more of the "-d", plus space, adds levels of verbosity to the
log. I hope this helps you. The current stable version of socat accepts
socks 4 and 4a, but there is a newer beta version that is supposed to accept
socks 5, though I have not used it yet.

I use socat with great success, but every so often I have to restart the
program once or twice initially. After that is done, it stays connected
well, at least in my experience it remains quite stable. It is an amazing
program.
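
The socks4a: address in the socat command above makes socat perform the SOCKS4a handshake that stunnel itself cannot. This added Python example (not socat's or stunnel's code, and not part of the thread) performs that handshake against a proxy on a given socksport and, with a constructed stand-in proxy, shows what distinguishes 4a from plain SOCKS4: the hostname travels inside the request and the proxy resolves it. The host names, ports and rsync greeting bytes are constructed for the demo.

```python
import socket
import struct
import threading

def build_socks4a_request(host: str, port: int, user: str = "") -> bytes:
    # SOCKS4a CONNECT: VN=4, CD=1, DSTPORT, DSTIP=0.0.0.1 (the "invalid" address that
    # marks 4a), USERID NUL, then the hostname NUL: the proxy resolves the name, not us.
    return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
            + user.encode() + b"\x00" + host.encode() + b"\x00")

def parse_socks4_reply(reply: bytes) -> bool:
    # 8-byte reply: VN=0, CD=90 means granted, 91..93 mean rejected or failed.
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return reply[1] == 90

def socks4a_connect(proxy: tuple, host: str, port: int) -> socket.socket:
    sock = socket.create_connection(proxy, timeout=5)
    try:
        sock.sendall(build_socks4a_request(host, port))
        reply = b""
        while len(reply) < 8:
            chunk = sock.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("proxy closed the connection before replying")
            reply += chunk
        if not parse_socks4_reply(reply):
            raise ConnectionError(f"SOCKS request rejected: CD={reply[1]}")
        return sock
    except Exception:
        sock.close()
        raise

def start_fake_socks4a_proxy(allowed_host: str) -> int:
    # Constructed stand-in for the SOCKS proxy on an ephemeral port: it grants a
    # 4a request for allowed_host only, then echoes one message back through.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        with srv, srv.accept()[0] as conn:
            req = conn.recv(4096)
            if len(req) < 8:
                return
            vn, cd, port, ip = struct.unpack("!BBH4s", req[:8])
            fields = req[8:].split(b"\x00")  # [USERID, HOSTNAME, b""]
            granted = (vn == 4 and cd == 1 and ip[:3] == b"\x00\x00\x00" and ip[3] != 0
                       and len(fields) > 1 and fields[1].decode() == allowed_host)
            conn.sendall(struct.pack("!BBH4s", 0, 90 if granted else 91, port, ip))
            if granted:
                conn.sendall(conn.recv(4096))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```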