Author Topic: HAProxy or STunnel for HTTPS proxy?

Offline valnar

  • Sr. Member
  • Posts: 378
  • Karma: +0/-0
HAProxy or STunnel for HTTPS proxy?
« on: January 24, 2018, 03:17:40 pm »
Long time pfSense user, short time package user.

I have Blue Iris, which runs the webcams in my house, and the app has the ability (baked in) to use STunnel locally on the same Windows box for encryption.  The app normally only uses HTTP, but this provides an HTTPS proxy to it.  However, from what I can see of STunnel, it's pretty rudimentary.

I hit a thread that said pfSense can do this instead, and that sounds like a better idea.  I wasn't sure if STunnel is still the package I want or if HAProxy did some of it.  Ideally it would at least do the same as STunnel on that Windows box, but bonus points if I can wrap a 2nd layer of security around it, like a certificate.

Can anyone point me in the right direction?




Offline PiBa

  • Hero Member
  • Posts: 840
  • Karma: +133/-1
  • PiBa-NL(on IRC)
Re: HAProxy or STunnel for HTTPS proxy?
« Reply #1 on: January 24, 2018, 06:01:57 pm »
AFAIK STunnel is meant for one purpose and does that single job pretty well (decrypting SSL traffic). As for its web GUI, it seems to have the minimally required options there to make it basically work.

HAProxy allows a lot more control over what happens with traffic, and has options for client certificates in the web GUI as well. It needs a bit more work to get fully configured, but in the end I think you will probably like the extra options. It shouldn't be too hard to get it configured into a working state, and it then allows for adding stats/logs/alerts/ACLs and lots of other goodies ;). Personally I would go for HAProxy, but as the package maintainer I'm a bit biased :).

Offline valnar

  • Sr. Member
  • Posts: 378
  • Karma: +0/-0
Re: HAProxy or STunnel for HTTPS proxy?
« Reply #2 on: January 24, 2018, 06:54:58 pm »
Well, stunnel doesn't work at all, or I can't figure it out since there are no instructions anywhere.  I don't see how I can put in a variable for the listening IP, which would be the WAN IP of the firewall.

I'll give HAProxy a try.  Thanks.

Offline PiBa

  • Hero Member
  • Posts: 840
  • Karma: +133/-1
  • PiBa-NL(on IRC)
Re: HAProxy or STunnel for HTTPS proxy?
« Reply #3 on: January 25, 2018, 03:11:53 pm »
Stunnel is so simple it doesn't need instructions... For a dynamic IP, fill in 0.0.0.0 to listen on.

Offline valnar

  • Sr. Member
  • Posts: 378
  • Karma: +0/-0
Re: HAProxy or STunnel for HTTPS proxy?
« Reply #4 on: January 25, 2018, 07:21:00 pm »
Is that right?  Listen on ANY IP?  That doesn't sound right. So anything that hits my firewall on that port gets redirected to that specific internal server?

Edit: It's not working anyway, or I don't have the firewall rule set right.
« Last Edit: January 25, 2018, 08:02:44 pm by valnar »

Offline PiBa

  • Hero Member
  • Posts: 840
  • Karma: +133/-1
  • PiBa-NL(on IRC)
Re: HAProxy or STunnel for HTTPS proxy?
« Reply #5 on: January 26, 2018, 12:06:42 pm »
What does your firewall rule look like?

Offline valnar

  • Sr. Member
  • Posts: 378
  • Karma: +0/-0
Re: HAProxy or STunnel for HTTPS proxy?
« Reply #6 on: January 26, 2018, 04:06:45 pm »
The basic NAT/port-forward rule I used previously, which is probably wrong since STunnel (I assume) is supposed to intercept it.  I don't understand where STunnel inserts itself into the mix, though.  I tried a couple of different things with my ports 3456 (ext) and 81 (int).

**NAT rule**
Interface   WAN
Protocol   TCP
Dest Address   WAN Address
Dest Ports   3456
NAT IP   192.168.1.15
NAT Ports   81


**NAT created FW rule**
Protocol   IPv4 TCP
Source   *
Destination   192.168.1.15
Port   81


Offline PiBa

  • Hero Member
  • Posts: 840
  • Karma: +133/-1
  • PiBa-NL(on IRC)
Re: HAProxy or STunnel for HTTPS proxy?
« Reply #7 on: January 26, 2018, 04:28:11 pm »
stunnel and HAProxy are both programs that open a port on either a specific IP or 'any' IP. When using these there is in general no need anymore to use a port forward, as the client will be connecting to the WAN IP, and stunnel/HAProxy is listening on that IP.
The only thing needed to allow the connection is a regular firewall rule. Make sure to allow 'any' for both the source IP and the source port.
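
Putting PiBa's two points together (Reply #1: HAProxy can require client certificates; Reply #7: the proxy listens on the firewall's own address, so only a pass rule is needed, not a port forward), the following is an added example of what the resulting HAProxy configuration looks like in plain haproxy.cfg form. It is not the file the pfSense package generates and is not from either poster. The certificate paths, the client CA file name and the frontend/backend names are assumptions for illustration; the external port 3456, the internal port 81 and the Blue Iris host 192.168.1.15 are taken from the thread.

```haproxy
# Added example (not from the thread): TLS termination with a mandatory client
# certificate in front of Blue Iris. Assumed paths:
#   /var/etc/haproxy/cams.pem       server certificate + private key (PEM)
#   /var/etc/haproxy/client-ca.crt  CA that issued the client certificates
# Ports and the 192.168.1.15 host are from the thread.

global
    # Refuse legacy protocol versions and non-forward-secret ciphers on every bind.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# 0.0.0.0 listens on every local address, so a dynamic WAN IP does not matter.
# No NAT/port forward is needed: a WAN pass rule for TCP 3456 to "WAN address"
# (source any / source port any) is the only firewall change.
frontend cams_https
    bind 0.0.0.0:3456 ssl crt /var/etc/haproxy/cams.pem ca-file /var/etc/haproxy/client-ca.crt verify required
    # 'verify required' already aborts the handshake when no valid client cert is
    # presented; this deny is a second check that still holds if someone later
    # relaxes the bind line to 'verify optional'.
    http-request deny unless { ssl_c_used } { ssl_c_verify 0 }
    # Hand the authenticated client identity to the backend for its access log.
    http-request set-header X-Client-CN %[ssl_c_s_dn(cn)]
    http-request set-header X-Forwarded-Proto https
    option forwardfor
    default_backend blueiris

# Plain HTTP to the camera software on the LAN; the TLS layer ends at pfSense.
backend blueiris
    server blueiris 192.168.1.15:81 check
```

The `ca-file ... verify required` pair on the bind line is what adds the "2nd layer of security" asked for in the opening post: a browser or phone without a certificate chained to client-ca.crt never reaches the camera software, regardless of whether it knows the Blue Iris login. Clients are enrolled by issuing them a certificate from that CA (in pfSense, under System > Cert. Manager) and importing it into the device.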

Offline valnar

  • Sr. Member
  • Posts: 378
  • Karma: +0/-0
Re: HAProxy or STunnel for HTTPS proxy?
« Reply #8 on: January 26, 2018, 05:23:11 pm »
I just got it to work in a slightly different way.  I can probably delete my NAT rule as you surmised, so I'll play with it a bit, but I wonder if it's more secure keeping the NAT, as it has to follow a traditional port-forward NAT rule first.


Basically the gist of it is I point it to my internal pfSense LAN IP and I assume STunnel does the rest.

**Stunnel rule**
Listen on 192.168.1.1  (internal IP of pfSense firewall LAN)
Listen on port 3456
Redirect to 192.168.1.15  (Camera software box)
Redirects on port 81

**NAT rule**
Interface   WAN
Protocol   TCP
Dest Address   WAN Address
Dest Ports   3456
NAT IP   192.168.1.1
NAT Ports   3456


**NAT created FW rule**
Protocol   IPv4 TCP
Source   *
Destination   192.168.1.1
Port   3456