# Extreme Switch TLS Proxy

## stunnel Docker Container — Deployment Guide

### What This Does

Allows modern browsers (TLS 1.2/1.3) to reach Extreme switches running firmware 1.01.02.0005 (TLS 1.0 only) via a stunnel proxy. stunnel terminates the browser's TLS session on 192.168.16.130 and opens a separate TLS 1.0 session to the switch, so the switch never sees the modern handshake and the browser never sees the TLS 1.0 one.

```
Browser (TLS 1.2/1.3)
        ↓
stunnel container on 192.168.16.130
        ↓
Switch (TLS 1.0) on 10.214.0.x
```

---

### Step 1 — Prepare the switches via SSH

Each switch needs HTTPS enabled before the proxy will work. SSH into each switch and run:

```
enable
configure
http secure-server
save configuration
```

> wwtp-gate-sw01 (10.214.0.112) is already done and confirmed working.

---

### Step 2 — Build the Docker image on the Portainer host

Copy the three files (`Dockerfile`, `stunnel.conf`, `docker-compose.yml`) to the same directory on your Portainer host, then build:

```bash
cd /path/to/stunnel-wwtp
docker build -t stunnel-wwtp:latest .
```

---

### Step 3 — Deploy via Portainer

1. Open Portainer → **Stacks** → **Add Stack**
2. Name it: `stunnel-wwtp`
3. Paste the contents of `docker-compose.yml` into the editor
4. Click **Deploy the stack**

The stack uses the locally built `stunnel-wwtp:latest` image, so Step 2 must be run on the same Docker host that Portainer deploys the stack to.

---

### Step 4 — Access a switch in your browser

Use `https://192.168.16.130:<port>`, taking the port from this table:

| Port | Switch          | Location          |
|------|-----------------|-------------------|
| 4500 | wwtp-offc-sw01  | Plant Office      |
| 4501 | wwtp-srvr-sw01  | Server Room       |
| 4502 | wwtp-ecb1-sw01  | Elec Ctrl Bldg 1  |
| 4503 | wwtp-head-sw01  | Head Works        |
| 4504 | wwtp-ecb2-sw01  | Elec Ctrl Bldg 2  |
| 4505 | wwtp-ags1-sw01  | AGS Tank 1        |
| 4506 | wwtp-ags2-sw01  | AGS Tank 2        |
| 4507 | wwtp-ags3-sw01  | AGS Tank 3        |
| 4508 | wwtp-coag-sw01  | Coag & Buffer     |
| 4509 | wwtp-reuse-sw01 | Reuse             |
| 4510 | wwtp-ecb3-sw01  | Elec Ctrl Bldg 3  |
| 4511 | wwtp-yard-sw01  | Yard Drain        |
| 4512 | wwtp-gate-sw01  | Gate ✅ TESTED    |
| 4513 | wwtp-ecb1-sw02  | Elec Ctrl Bldg 1  |
| 4514 | wwtp-ecb2-sw02  | Elec Ctrl Bldg 2  |
| 4515 | wwtp-uv-sw01    | UV                |
| 4516 | wwtp-fitr-sw01  | Filters           |
| 4517 | wwtp-crn-sw01   | Crane Room        |
| 4518 | wwtp-bst-sw01   | Beast             |
| 4519 | wwtp-ecb3-sw02  | Elec Ctrl Bldg 3  |

> Your browser will warn about an invalid/self-signed certificate.
> The certificate it is complaining about is the one stunnel presents for 192.168.16.130, not the switch's own, so the warning is expected until stunnel is given a certificate your browsers trust.
> Click through the warning.

---

### Troubleshooting

**Browser shows "connection refused"**
→ If the container is running and the port is in `stunnel.conf`, the switch doesn't have `http secure-server` enabled yet: stunnel accepts the browser and then drops the connection when the switch refuses, and the stunnel log shows the failed connect to the switch.
→ SSH to the switch and run the commands in Step 1.
→ If every port is refused, the container itself is not listening; see "stunnel container won't start" below.

**Browser shows "connection timed out"**
→ The switch is offline or unreachable from the proxy host (or the proxy host is unreachable from your browser).

**stunnel container won't start**
→ Check Portainer logs for the container. stunnel refuses to start on a malformed `stunnel.conf` or a missing certificate file, and the log names the offending line.
→ Verify the image was built: `docker images | grep stunnel-wwtp`

**Test a specific switch from the host CLI:**

```bash
curl -k https://192.168.16.130:4512   # -k accepts stunnel's self-signed cert; should return HTML from the gate switch
```

---

### Notes

- `network_mode: host` is required so the container inherits the host's routing table and can reach the 10.214.0.x subnet. It also means ports 4500-4519 are bound directly on the host and reachable by anything that can reach 192.168.16.130, and whoever reaches them gets the switch login pages; restrict those ports to the admin workstations with the host firewall.
- `verify = 0` in stunnel.conf disables certificate validation, necessary because switch certs are self-signed and likely expired. The cost is that stunnel accepts any certificate on the switch-facing leg, so that leg is only as trustworthy as the 10.214.0.x management network it crosses. For a switch whose certificate is still within its validity period, pinning it with `verifyPeer = yes` and a `CAfile` holding that certificate closes the gap for that switch.
- `sslVersion = TLSv1` forces TLS 1.0 on the switch-facing side only. Your browser still connects to stunnel using modern TLS. If the image's OpenSSL is 3.x, TLS 1.0 is refused at the default security level and the switch-facing service also needs `ciphers = DEFAULT:@SECLEVEL=0`; a port that accepts the browser but never returns a page, with a handshake failure toward the switch in the stunnel log, is the symptom.
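The guide's own `stunnel.conf` is not reproduced on this page. As an added example (not one of the stunnel-wwtp repo's files), the script below builds a `stunnel.conf` from the Step 4 table the way the Notes describe it, with a browser-facing TLS 1.2/1.3 service and a separate switch-facing TLS 1.0 service chained over loopback for each switch, and then probes the deployed ports the way the Troubleshooting section does by hand with `curl`. It assumes stunnel 5.x (for `sslVersionMin`), OpenSSL 3.x in the image (hence `@SECLEVEL=0`), that `http secure-server` listens on 443, a certificate/key file at `/etc/stunnel/proxy.pem` for the browser-facing side, and it only knows the address of wwtp-gate-sw01; the other rows must come from your inventory.

```shell
#!/bin/sh
# stunnel-wwtp.sh: build stunnel.conf for the browser -> stunnel -> switch
# chain and probe the resulting ports.  Added example for this guide, not a
# file from the stunnel-wwtp repo; the cert path, the switch HTTPS port and
# every address except the gate switch's are assumptions.
#
# One row per switch: "<proxy port> <switch name> <switch address>".
# Only wwtp-gate-sw01's address (10.214.0.112) is given in the guide; fill in
# the other 19 rows of the Step 4 table from your own inventory.
SWITCHES='
4512 wwtp-gate-sw01 10.214.0.112
'
PROXY_IP=192.168.16.130         # stunnel host, from the guide; binding to it
                                # (not 0.0.0.0) keeps the ports off other NICs
SWITCH_HTTPS_PORT=443           # assumption: "http secure-server" listens on 443
CERT=/etc/stunnel/proxy.pem     # assumption: cert+key stunnel shows browsers

# each_switch <function>: call it with "port name ip" for every non-empty row.
each_switch() {
  printf '%s\n' "$SWITCHES" | while read -r port name ip; do
    if [ -n "$port" ]; then "$1" "$port" "$name" "$ip"; fi
  done
}

# A single stunnel service does TLS on one side only (server mode: TLS in,
# plaintext out; client mode: plaintext in, TLS out).  To show TLS 1.2/1.3
# to the browser and TLS 1.0 to the switch, each switch gets two services
# chained over loopback; the plaintext hop never leaves 127.0.0.1 on the
# proxy host.
gen_service() {                 # gen_service <port> <name> <ip>
  hop=$(($1 + 10000))           # 4512 -> 14512, loopback port between halves
  printf '\n[%s-in]\n' "$2"     # browser-facing half (server mode)
  printf 'accept = %s:%s\n' "$PROXY_IP" "$1"
  printf 'connect = 127.0.0.1:%s\n' "$hop"
  printf 'cert = %s\n' "$CERT"
  printf 'sslVersionMin = TLSv1.2\n'     # browsers never get TLS 1.0/1.1 here
  printf '\n[%s-out]\n' "$2"    # switch-facing half (client mode)
  printf 'client = yes\n'
  printf 'accept = 127.0.0.1:%s\n' "$hop"
  printf 'connect = %s:%s\n' "$3" "$SWITCH_HTTPS_PORT"
  printf 'sslVersion = TLSv1\n'          # firmware 1.01.02.0005 speaks TLS 1.0 only
  printf 'verify = 0\n'                  # self-signed, probably expired switch cert
  # OpenSSL 3.x refuses TLS 1.0 at its default security level; lower it for
  # this client-mode service only and leave the -in half at the default.
  printf 'ciphers = DEFAULT:@SECLEVEL=0\n'
}

gen_conf() {                    # whole stunnel.conf on stdout
  printf 'foreground = yes\ndebug = info\n'
  each_switch gen_service
}

# classify <curl exit status>: map curl's result on a proxy port to the
# Troubleshooting cases.  Only the status is used, so this runs offline.
classify() {
  case $1 in
    0)     echo "OK: TLS up and the switch answered" ;;
    7)     echo "REFUSED: nothing listening, container down or port not in stunnel.conf" ;;
    28)    echo "TIMEOUT: proxy host or switch unreachable" ;;
    35)    echo "TLS FAILED on the browser-facing half: check cert= and sslVersionMin" ;;
    52|56) echo "DROPPED: stunnel accepted but the switch leg failed (http secure-server off or TLS 1.0 refused; read the stunnel log)" ;;
    *)     echo "curl exit $1: see EXIT CODES in curl(1)" ;;
  esac
}

probe() {                       # probe <port> <name> [ip]: one verdict line
  rc=0
  curl -sS -k -o /dev/null --max-time 10 "https://$PROXY_IP:$1/" 2>/dev/null || rc=$?
  printf '%s %-16s %s\n' "$1" "$2" "$(classify "$rc")"
}

case "${1:-}" in
  gen)   gen_conf ;;            # sh stunnel-wwtp.sh gen > stunnel.conf
  probe) each_switch probe ;;   # sh stunnel-wwtp.sh probe   (run on the proxy host)
esac
```

Run `sh stunnel-wwtp.sh gen > stunnel.conf` before Step 2 so the image carries the generated file, and `sh stunnel-wwtp.sh probe` on the Portainer host after Step 3: a `DROPPED` verdict is the switch that still needs Step 1, `REFUSED` on every port means the container is not up, and `TLS FAILED` points at the certificate or version settings of the browser-facing half rather than at the switch. The table at the top is the single source of truth for both the configuration and the probe, so a port that is probed is always one that was configured.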