Stunnel can be a multi-host incoming router

Discussion in 'Blue Iris' started by Martin Paul Sr, Feb 26, 2019.


    I recently started using stunnel, which is the web proxy server supported by Blue Iris settings to provide an encrypted (HTTPS) incoming connection to the Blue Iris web server.
    My motivation for this was to enable the Android app Chromecast feature, which only worked for me with this HTTPS connection along with a real trusted CA encryption certificate
    (see this post for details: Chromecast working...!)
    A big bonus to having this HTTPS service: The UI3 web interface is also using the same encrypted connection and you need only to open port 443 on your home router to have secure remote web and mobile device access.

    But... what if you want to access other web servers on your PC/LAN (such as IIS, Apache, various web-enabled devices like cameras or any device with a web interface...)?
    After Googling for hours, I kept learning that stunnel will not connect multiple "virtual" hosts (all from old articles and posts, I guess stunnel has been around a long time).
    I kept finding that only high-end web servers like IIS, Apache, Nginx, can multi-home by incoming domain name.
    I guess some routers can do it, but I couldn't find it on my ASUS RT-AC68P.
    And... I already have my home router port 443 pointing to my stunnel, which I like very much, and I'm not sure if those other web servers would give me the same Blue Iris interaction.
    I also don't know if those other servers would allow connecting to a bunch of different web servers around the house vs. maybe just hosting multiple home directories on the server.

    Ha... Lucky again!
    Finally... I simply searched the help file for stunnel for "virtual" and found that indeed you can have it provide multiple connections to any number of servers/ports based on the incoming domain name.
    It supports a TLS extension called SNI (Server Name Indication) and uses an option "sni =" to define additional "slave" hosts.
    So services in the stunnel.conf file use the option format "sni = master:host" where "master" is the name of the service that contains the "accept = 443" option and "host" is the domain name of the CA-signed certificate in the .pem file.

    I am now successfully using stunnel to direct incoming https connections to either the Blue Iris web server or to a personal website running on the same PC with IIS, simply depending on the domain name from the browser.
    I can further use it to provide secure remote access to any other web site or web-enabled device on my network.
    I use a different sub-domain name and signed certificate (and therefore different .pem file) for each host.
    (BTW, signed certs are easy and free from Let's Encrypt/ZeroSSL.)

    Here's an example stunnel config with a master service [default] that will allow a couple of remote "slave" connections... one to a different port on the host PC, and one to an IP cam web interface on the LAN.

    [default]
    ; HTTPS for Blue Iris access on localhost
    accept = 443
    cert = cams.mydomain.com.pem
    connect = 81

    [sni1]
    ; HTTPS for personal home IIS website on localhost
    sni = default:www.mydomain.com
    cert = www.mydomain.com.pem
    connect = 80

    [sni2]
    ; HTTPS for doorbell camera web interface on LAN address
    sni = default:doorbell.mydomain.com
    cert = doorbell.mydomain.com.pem
    connect = 192.168.1.182:80


    Just open port 443 to your stunnel host and then from outside use the correct domain name preceded by https:// and you can access any of your sites/devices securely from internet.
    You can certainly have any number of slave services configured under the one "master".

    I haven't tried it yet, but the spec indicates you can have any number of "sni =" options listed in one "slave" service.
    I guess the latter would require that the multiple domains (all "sni =" hosts) are covered in one CA-signed cert in the "cert =" .pem file.
    I'll check out how to do that later... probably easy with that Let's Encrypt/ ZeroSSL tool.
     
    Last edited: Feb 26, 2019
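As an added illustration of the master/slave SNI routing described in the post (example code, not from the post or from stunnel itself), the script below parses a config laid out like the one above and answers which certificate and backend a given SNI name reaches. The hostnames and LAN address are the post's placeholders, and the fallback to the master service for an unknown or absent SNI name follows stunnel's documented behaviour, which is worth checking because any client that sends no SNI lands on the [default] Blue Iris service.

```python
import configparser
from typing import Dict, Optional, Tuple

# Constructed sample mirroring the post's config; hostnames and address are placeholders.
SAMPLE_CONF = """
[default]
accept = 443
cert = cams.mydomain.com.pem
connect = 81
[sni1]
sni = default:www.mydomain.com
cert = www.mydomain.com.pem
connect = 80
[sni2]
sni = default:doorbell.mydomain.com
cert = doorbell.mydomain.com.pem
connect = 192.168.1.182:80
"""


def load_services(text: str) -> Dict[str, Dict[str, str]]:
    # stunnel.conf is INI-like with ';' comments. A real config may repeat a key
    # (several "sni =" lines in one service); this simple loader keeps only the last.
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"), interpolation=None, strict=False)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def split_connect(value: str) -> Tuple[str, int]:
    # "connect = [host:]port": a bare port means the stunnel host itself.
    host, _, port = value.rpartition(":")
    return (host or "localhost", int(port))


def build_routes(services: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map each master service to {sni_host: slave_service}, validating the links."""
    routes = {n: {} for n, o in services.items() if "accept" in o}
    for name, opts in services.items():
        if "sni" not in opts:
            continue
        master, _, host = opts["sni"].partition(":")
        if master not in routes:
            raise ValueError(f"[{name}]: sni master '{master}' is not a service with 'accept'")
        if "cert" not in opts or "connect" not in opts:
            raise ValueError(f"[{name}]: slave service needs its own 'cert' and 'connect'")
        routes[master][host] = name
    return routes


def resolve(services: Dict[str, Dict[str, str]], master: str, sni_host: Optional[str]) -> Tuple[str, str, int]:
    """(cert, backend host, backend port) for a connection: matching slave, else the master."""
    name = build_routes(services)[master].get(sni_host or "", master)
    opts = services[name]
    return (opts["cert"],) + split_connect(opts["connect"])
```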