Initial commit
@@ -0,0 +1,112 @@
# WWTP Extreme Switch TLS Proxy
## stunnel Docker Container — Deployment Guide

### What This Does
Allows modern browsers (TLS 1.2/1.3) to reach Extreme switches
running firmware 1.01.02.0005 (TLS 1.0 only) via a stunnel proxy.

```
Browser (TLS 1.2/1.3)
↓
stunnel container on 192.168.16.130
↓
Switch (TLS 1.0) on 10.214.0.x
```

---

### Step 1 — Prepare the switches via SSH
Each switch needs HTTPS enabled before the proxy will work.
SSH into each switch and run:

```
enable
configure
http secure-server
save configuration
```

> wwtp-gate-sw01 (10.214.0.112) is already done and confirmed working.

---

### Step 2 — Build the Docker image on the Portainer host

Copy the three files (Dockerfile, stunnel.conf, docker-compose.yml)
to the same directory on your Portainer host, then build:

```bash
cd /path/to/stunnel-wwtp
docker build -t stunnel-wwtp:latest .
```

---

### Step 3 — Deploy via Portainer

1. Open Portainer → **Stacks** → **Add Stack**
2. Name it: `stunnel-wwtp`
3. Paste the contents of `docker-compose.yml` into the editor
4. Click **Deploy the stack**

---

### Step 4 — Access a switch in your browser

Use: `https://192.168.16.130:<port>`

| Port | Switch | Location |
|-------|-----------------|-----------------|
| 4500 | wwtp-offc-sw01 | Plant Office |
| 4501 | wwtp-srvr-sw01 | Server Room |
| 4502 | wwtp-ecb1-sw01 | Elec Ctrl Bldg 1 |
| 4503 | wwtp-head-sw01 | Head Works |
| 4504 | wwtp-ecb2-sw01 | Elec Ctrl Bldg 2 |
| 4505 | wwtp-ags1-sw01 | AGS Tank 1 |
| 4506 | wwtp-ags2-sw01 | AGS Tank 2 |
| 4507 | wwtp-ags3-sw01 | AGS Tank 3 |
| 4508 | wwtp-coag-sw01 | Coag & Buffer |
| 4509 | wwtp-reuse-sw01 | Reuse |
| 4510 | wwtp-ecb3-sw01 | Elec Ctrl Bldg 3 |
| 4511 | wwtp-yard-sw01 | Yard Drain |
| 4512 | wwtp-gate-sw01 | Gate ✅ TESTED |
| 4513 | wwtp-ecb1-sw02 | Elec Ctrl Bldg 1 |
| 4514 | wwtp-ecb2-sw02 | Elec Ctrl Bldg 2 |
| 4515 | wwtp-uv-sw01 | UV |
| 4516 | wwtp-fitr-sw01 | Filters |
| 4517 | wwtp-crn-sw01 | Crane Room |
| 4518 | wwtp-bst-sw01 | Beast |
| 4519 | wwtp-ecb3-sw02 | Elec Ctrl Bldg 3 |

> Your browser will warn about an invalid/self-signed certificate.
> Click through the warning — this is expected with old switch firmware.

---

### Troubleshooting

**Browser shows "connection refused"**
→ The switch doesn't have `http secure-server` enabled yet.
→ SSH to the switch and run the commands in Step 1.

**Browser shows "connection timed out"**
→ The switch is offline or unreachable.

**stunnel container won't start**
→ Check Portainer logs for the container.
→ Verify the image was built: `docker images | grep stunnel-wwtp`

**Test a specific switch from the host CLI:**
```bash
curl -k https://192.168.16.130:4512 # should return HTML from gate switch
```

---

### Notes
- `network_mode: host` is required so the container inherits the
host's routing table and can reach the 10.214.0.x subnet.
- `verify = 0` in stunnel.conf disables certificate validation —
necessary because switch certs are self-signed and likely expired.
- `sslVersion = TLSv1` forces TLS 1.0 on the switch-facing side only.
Your browser still connects to stunnel using modern TLS.
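Review bot: the certificate warning the Step 4 note tells operators to click through ("this is expected with old switch firmware") is not caused by the switch firmware, and the instruction should change. As the Notes section itself says ("Your browser still connects to stunnel using modern TLS"), stunnel terminates the browser's TLS session on 192.168.16.130, so the certificate the browser sees is whatever the service in stunnel.conf presents (that file is not in this hunk); the self-signed and possibly expired switch certificates are only ever seen on the switch-facing side, where `verify = 0` ignores them. Training operators to accept any certificate on the proxy address is exactly the condition under which a host on the 192.168.16.0 segment could interpose on logins to all twenty switches in the table; suggest issuing the stunnel service a certificate for 192.168.16.130 (IP SAN) from an internal CA, trusting that CA on the operator workstations, and rewording the note to say that no warning is expected. Two smaller points in the same hunk: the Troubleshooting entry mapping `connection refused` to a switch without `http secure-server` is wrong, because stunnel accepts the browser's TCP connection before it dials the switch, so a refusing switch shows up in the browser as a closed or empty connection and in the stunnel log, while `connection refused` from the browser means nothing is listening on that port on the host (container down, or the port missing from stunnel.conf; check with `docker ps` and `ss -ltn`); and since `network_mode: host` exposes ports 4500-4519 on every interface of the Portainer host, the README should state how that port range is restricted (host firewall, or `accept = 192.168.16.130:45xx` binds instead of bare ports) so the proxy does not become an unauthenticated path into the 10.214.0.x management network.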