2026-05-05 20:07:37 +00:00

WWTP Extreme Switch TLS Proxy

stunnel Docker Container — Deployment Guide

What This Does

Allows modern browsers (TLS 1.2/1.3) to reach Extreme switches running firmware 1.01.02.0005 (TLS 1.0 only) via a stunnel proxy.

Browser (TLS 1.2/1.3)
       ↓
stunnel container on 192.168.16.130
       ↓
Switch (TLS 1.0) on 10.214.0.x

Step 1 — Prepare the switches via SSH

Each switch needs HTTPS enabled before the proxy will work. SSH into each switch and run:

enable
configure
http secure-server
save configuration

wwtp-gate-sw01 (10.214.0.112) is already done and confirmed working.


Step 2 — Build the Docker image on the Portainer host

Copy the three files (Dockerfile, stunnel.conf, docker-compose.yml) to the same directory on your Portainer host, then build:

cd /path/to/stunnel-wwtp
docker build -t stunnel-wwtp:latest .

Step 3 — Deploy via Portainer

  1. Open Portainer → Stacks → Add Stack
  2. Name it: stunnel-wwtp
  3. Paste the contents of docker-compose.yml into the editor
  4. Click Deploy the stack

Step 4 — Access a switch in your browser

Use: https://192.168.16.130:<port>

Port  Switch            Location
4500  wwtp-offc-sw01    Plant Office
4501  wwtp-srvr-sw01    Server Room
4502  wwtp-ecb1-sw01    Elec Ctrl Bldg 1
4503  wwtp-head-sw01    Head Works
4504  wwtp-ecb2-sw01    Elec Ctrl Bldg 2
4505  wwtp-ags1-sw01    AGS Tank 1
4506  wwtp-ags2-sw01    AGS Tank 2
4507  wwtp-ags3-sw01    AGS Tank 3
4508  wwtp-coag-sw01    Coag & Buffer
4509  wwtp-reuse-sw01   Reuse
4510  wwtp-ecb3-sw01    Elec Ctrl Bldg 3
4511  wwtp-yard-sw01    Yard Drain
4512  wwtp-gate-sw01    Gate (TESTED)
4513  wwtp-ecb1-sw02    Elec Ctrl Bldg 1
4514  wwtp-ecb2-sw02    Elec Ctrl Bldg 2
4515  wwtp-uv-sw01      UV
4516  wwtp-fitr-sw01    Filters
4517  wwtp-crn-sw01     Crane Room
4518  wwtp-bst-sw01     Beast
4519  wwtp-ecb3-sw02    Elec Ctrl Bldg 3

Your browser will warn about an invalid/self-signed certificate. Click through the warning — this is expected with old switch firmware.


Troubleshooting

Browser shows "connection refused"
  → The switch doesn't have http secure-server enabled yet.
  → SSH to the switch and run the commands in Step 1.

Browser shows "connection timed out"
  → The switch is offline or unreachable.

stunnel container won't start
  → Check Portainer logs for the container.
  → Verify the image was built: docker images | grep stunnel-wwtp

Test a specific switch from the host CLI:

curl -k https://192.168.16.130:4512   # should return HTML from gate switch
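
The single-switch curl test above, extended to every proxy port in the Step 4 table. This is an added example, not a file from this repository; the function names and timeouts are assumptions, and the status labels follow curl's documented exit codes.

```shell
#!/bin/sh
# Added example (not part of the repository): probe every proxy port from Step 4.
PROXY_HOST="${PROXY_HOST:-192.168.16.130}"   # proxy address used in this guide
FIRST_PORT=4500
LAST_PORT=4519

# Translate a curl exit status into a short label (curl's documented exit codes).
classify_curl_exit() {
    case "$1" in
        0)     echo "ok" ;;
        7)     echo "refused" ;;      # could not connect to host:port
        28)    echo "timeout" ;;      # connect or total time limit reached
        35)    echo "tls-failed" ;;   # TLS handshake did not complete
        52|56) echo "dropped" ;;      # connection closed before a full reply
        *)     echo "error-$1" ;;
    esac
}

# Probe one port. --tlsv1.2 makes curl reject anything older than TLS 1.2,
# so "ok" also confirms the browser-facing side is not negotiating TLS 1.0.
# -k skips certificate validation, as in the single-switch test.
probe_port() {
    rc=0
    curl -k -s -o /dev/null --tlsv1.2 --connect-timeout 3 --max-time 8 \
        "https://$1:$2/" || rc=$?
    classify_curl_exit "$rc"
}

# Print "<port><TAB><status>" for each port in the table.
sweep() {
    port=$FIRST_PORT
    while [ "$port" -le "$LAST_PORT" ]; do
        printf '%s\t%s\n' "$port" "$(probe_port "$PROXY_HOST" "$port")"
        port=$((port + 1))
    done
}

# Run only when invoked as: sh check-proxy.sh sweep   (file name is hypothetical)
if [ "${1:-}" = "sweep" ]; then
    sweep
fi
```

Match any port that does not report ok against the Step 4 table, then work through the Troubleshooting entries for that switch.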

Notes

  • network_mode: host is required so the container inherits the host's routing table and can reach the 10.214.0.x subnet.
  • verify = 0 in stunnel.conf disables certificate validation — necessary because switch certs are self-signed and likely expired. The proxy-to-switch leg is therefore encrypted but not authenticated.
  • sslVersion = TLSv1 forces TLS 1.0 on the switch-facing side only. Your browser still connects to stunnel using modern TLS.