From: ODHIAMBO Washington
To: Jan Grant
Cc: FBSD-Q
Date: Thu, 22 May 2003 18:14:38 +0300
Subject: Re: For the experienced - stunnel and port 80
Message-ID: <20030522151438.GM96496@ns2.wananchi.com>
References: <20030522134300.GH96496@ns2.wananchi.com>

* Jan Grant [20030522 17:46]: wrote:
> On Thu, 22 May 2003, ODHIAMBO Washington wrote:
>
> > For those who have lived in the world of paranoia long enough, please welcome
> > me to that side of life ;)
> >
> > I am running apache+modssl on port 443. I want stunnel to listen on port 80,
> > and then connect to port 443 instead, so that the users can just type
> > www.domain.tld and not https://www.domain.tld.
> >
> > I have put this in stunnel.conf
> >
> > [https]
> > accept = 80
> > connect = localhost:443
> >
> >
> > sockstat -l shows stunnel listening on port 80, but in the life of me, I
> > cannot just connect to that box if I do not use https://....
> >
> > Can someone bail me out here with advice??
>
> Your browser is trying to talk HTTP because it thinks it's connecting to
> an SSL-less socket.
>
> If you want this to behave properly you ought to configure your apache
> to redirect non-SSL (ie, port 80) requests to your SSL site.
>
> There are a number of ways you can do this (preserving any path passed
> as part of the request or redirecting to the root of
> https://www.blah.../) - the httpd documentation for mod_alias and the
> "Redirect" directive are what you're after.

I have achieved that already - with the redirect. Without stunnel and with
apache listening to ports 80 and 443, I get to connect to the SSL-socket when
I use HTTP and HTTPS. See below.

www# httpd -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80                   gw.kensi.org (/usr/local/etc/apache/httpd.conf:376)
*:443                  is a NameVirtualHost
         default server www.kensi.org (/usr/local/etc/apache/httpd.conf:450)
         port 443 namevhost www.kensi.org (/usr/local/etc/apache/httpd.conf:450)

www# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /
302 Found
Found
The document has moved here.
Apache/1.3.27 Server at gw.kensi.org Port 80
Connection closed by foreign host.

Now what I want is apache should _not_ listen on port 80, but leave this to
stunnel. That is where I get lost, because once I hash out the "Listen 80"
I try to connect and get the error that the "document contains no data".
And of course when I telnet 0 80 and do a GET /, I get nothing!!

Thanks in advance.

-Wash

--
Odhiambo Washington                    "The box said 'Requires
Wananchi Online Ltd. www.wananchi.com  Windows 95, NT, or better,'
Tel: +254 2 313985-9 +254 2 313922     so I installed FreeBSD."
GSM: +254 72 743223 +254 733 744121    This sig is McQ! :-)

The average woman would rather have beauty than brains, because the average
man can see better than he can think.
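
Added example, not part of the original message: a small Python sketch of the protocol mismatch Jan Grant describes, classifying a client's opening bytes as plain HTTP or a TLS ClientHello and reporting what a listener that does or does not expect TLS can do with them. It assumes the `[https]` section quoted above runs stunnel as a TLS server (no `client = yes`); the function names and sample bytes are constructed for illustration.

```python
"""Classify the first bytes a client sends, as the listener on a port sees them."""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> str:
    """Return 'plain-http', 'tls-clienthello', 'incomplete' or 'unknown'."""
    if data.startswith(HTTP_METHODS):
        return "plain-http"
    if len(data) < 6:
        return "incomplete"
    # TLS record header: type(1) | version(2) | length(2), then handshake type.
    rec_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if (rec_type == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < length <= 2**14 and data[5] == 0x01):
        return "tls-clienthello"
    return "unknown"


def listener_result(expects_tls: bool, data: bytes) -> str:
    """What a listener can do with the client's opening bytes."""
    kind = classify_first_bytes(data)
    if kind in ("incomplete", "unknown"):
        return "cannot tell: " + kind
    if expects_tls and kind == "plain-http":
        return "handshake fails: plain HTTP sent to a TLS listener"
    if not expects_tls and kind == "tls-clienthello":
        return "request fails: TLS sent to a plain HTTP listener"
    return "ok"


# Constructed samples: the request typed in the telnet session above, and the
# start of a TLS 1.0 ClientHello record (real header, zero-padded body).
TELNET_GET = b"GET /\r\n"
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + bytes(46)

if __name__ == "__main__":
    # Assumption: stunnel without "client = yes" expects TLS on its accept port.
    for name, tls in (("stunnel accept = 80", True), ("apache Listen 80", False)):
        for label, sample in (("http://", TELNET_GET), ("https://", CLIENT_HELLO)):
            print(f"{name:20} {label:9} -> {listener_result(tls, sample)}")
```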