Messages 1 to 10 of 23 total
Thread Stunnel Configuration Correct For EWB Web Server?
Thu, Oct 15 2015 4:31 AM

Frederick Chin

I have installed Stunnel and in the configuration file, I have the section for https set as follows:-

; TLS front-end to a web server
[https]
accept  = 8899
connect = 80
cert = stunnel.pem

My web server is listening at port 8899.

Is this the correct configuration for a secure connection with the EWB web server from any device?

Frederick
Thu, Oct 15 2015 5:22 AM

Matthew Jones

Frederick Chin wrote:

> connect = 80

SSL uses port 443. Port 80 will assume insecure.

--

Matthew Jones
Thu, Oct 15 2015 8:57 AM

Raul

Team Elevate

On 10/15/2015 4:31 AM, Frederick Chin wrote:
> I have installed Stunnel and in the configuration file, I have the section for https set as follows:-
>
> ; TLS front-end to a web server
> [https]
> accept  = 8899
> connect = 80
> cert = stunnel.pem
>
> My web server is listening at port 8899.
> Is this the correct configuration for a secure connection with the EWB web server from any device?


Possibly, but without knowing a few more things, here's what I would suggest.

Configure the EWB Web Server to ONLY listen on IP 127.0.0.1 and whatever
port you want (80 is fine in this case) - on Connections tab enter the
IP (don't leave it blank).

Simplest way to configure stunnel is to use 443 but 8899 is OK as well
(however then users need to type in https://<yourip>:8899/ )

Once done using your config :

accept  = 8899
connect = 80

should work just fine and EWB web server would be only accessible by
localhost (which means not internet accessible)

I personally never remember what the defaults are so I prefer to specify
the host part also :

accept = 0.0.0.0:8899
connect = 127.0.0.1:80

Raul
Thu, Oct 15 2015 8:57 AM

Raul

Team Elevate

On 10/15/2015 5:22 AM, Matthew Jones wrote:
>> connect = 80
>
> SSL uses port 443. Port 80 will assume insecure.
>

This is for EWB web server which does not support SSL so 80 is fine

Raul
Thu, Oct 15 2015 9:00 AM

Raul

Team Elevate

On 10/15/2015 4:31 AM, Frederick Chin wrote:
> My web server is listening at port 8899.

That's what you told stunnel to listen on - run your EWB web server on
some other port.

See my other post for details.

Raul
Thu, Oct 15 2015 9:32 AM

Matthew Jones

Raul wrote:

> This is for EWB web server which does not support SSL so 80 is fine

Then the config is the wrong way around surely? Maybe I just don't
understand, but if the web server is on 8899, then the SSL must be the
other one. As your other message implies, it isn't right somehow.

(I do like that RO SDK just has SSL built in!)

--

Matthew Jones
Thu, Oct 15 2015 11:13 AM

Frederick Chin

Raul,

/*
Possibly, but without knowing a few more things, here's what I would suggest.

Configure the EWB Web Server to ONLY listen on IP 127.0.0.1 and whatever
port you want (80 is fine in this case) - on Connections tab enter the
IP (don't leave it blank).

Simplest way to configure stunnel is to use 443 but 8899 is OK as well
(however then users need to type in https://<yourip>:8899/ )

Once done using your config :

accept  = 8899
connect = 80

should work just fine and EWB web server would be only accessible by
localhost (which means not internet accessible)

I personally never remember what the defaults are so I prefer to specify
the host part also :

accept = 0.0.0.0:8899
connect = 127.0.0.1:80
*/

I do want users to connect to the EWB web server from the Internet.

Should I leave Stunnel's default settings as

accept = 443
connect = 80

and set EWB web server to listen from port 443 and the URL to access the web server will be

https://<myip>/<default html file> ?

Frederick
Thu, Oct 15 2015 11:24 AM

Raul

Team Elevate

On 10/15/2015 11:13 AM, Frederick Chin wrote:
> I do want users to connect to the EWB web server from the Internet.

Directly ?

If so then why bother with the stunnel at all ?


> Should I leave Stunnel's default settings as
> accept = 443
> connect = 80

Yes

> and set EWB web server to listen from port 443 and the URL to access the web server will be

NO - EWB web server should be on IP 127.0.0.1 and port 80

Stunnel will listen on port 443 (that's what the accept=443 parameter
specifies).

Stunnel is an HTTP proxy at the end of the day so users will communicate
to it and only it communicates with the EWB Web server

> https://<myip>/<default html file> ?

Yes

Raul
Thu, Oct 15 2015 11:29 AM

Raul

Team Elevate

On 10/15/2015 9:32 AM, Matthew Jones wrote:
> Then the config is the wrong way around surely? Maybe I just don't
> understand, but if the web server is on 8899, then the SSL must be the
> other one. As your other message implies, it isn't right somehow.

yes - config is wrong.

Stunnel listens for requests on host:port specified by "accept" and
forwards them to host:port specified by "connect"

So normal way of securing a web server that is on same host as stunnel
is simply :

accept=0.0.0.0:443
connect=127.0.0.1:80

and limit web server to only listen on 127.0.0.1 port 80.


Raul
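
As an added example (not part of the original thread, and not stunnel or EWB code), this Python check applies the accept/connect rule from the post above to the first config in the thread and to the recommended layout. The function names and sample strings are constructed for illustration; a bare port or blank IP on a listener is assumed to mean all interfaces.

```python
import configparser

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
ANY = "0.0.0.0"  # what a bare port or blank IP is taken to mean for a listener

def endpoint(value, default_host):
    """Split stunnel's [host:]port form (IPv4 or hostname only)."""
    host, sep, port = value.strip().rpartition(":")
    return (host if sep else default_host), int(port)

def lint(stunnel_conf, backend_listen):
    """Return a list of findings for the service sections in stunnel_conf."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string("[_global]\n" + stunnel_conf)  # tolerate options before the first section
    b_host, b_port = endpoint(backend_listen, ANY)
    findings = []
    if b_host not in LOOPBACK:
        findings.append(f"backend {b_host}:{b_port} answers plain HTTP off-host; bind it to 127.0.0.1")
    for name in cp.sections():
        if name == "_global" or "accept" not in cp[name]:
            continue
        a_host, a_port = endpoint(cp[name]["accept"], ANY)           # stunnel default: all IPv4
        c_host, c_port = endpoint(cp[name]["connect"], "localhost")  # stunnel default: localhost
        overlap = ANY in (a_host, b_host) or a_host == b_host
        if a_port == b_port and overlap:
            findings.append(f"[{name}] accept port {a_port} is the backend's own port")
        same_host = b_host == ANY or c_host == b_host or {c_host, b_host} <= LOOPBACK
        if c_port != b_port or not same_host:
            findings.append(f"[{name}] connect {c_host}:{c_port} does not reach the backend")
    return findings

# Constructed from the thread: the first config with the web server also on 8899,
# and the layout recommended above with the web server on 127.0.0.1:80.
ORIGINAL = "; TLS front-end to a web server\n[https]\naccept  = 8899\nconnect = 80\ncert = stunnel.pem\n"
RECOMMENDED = "[https]\naccept = 0.0.0.0:443\nconnect = 127.0.0.1:80\ncert = stunnel.pem\n"

if __name__ == "__main__":
    for finding in lint(ORIGINAL, "8899"):
        print("original:", finding)
    print("recommended:", lint(RECOMMENDED, "127.0.0.1:80") or "no findings")
```
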
Thu, Oct 15 2015 11:51 AM

Frederick Chin

Raul,

/*
Directly ?

If so then why bother with the stunnel at all ?
*/

With EWB Web Server <-> Stunnel <-> Internet <-> Users,

wouldn't Stunnel provide a secure connection for data passing between the web server and users?

Frederick