First, why apache? Stunnel is a program dedicated to it. Apache shouldn't even be visible directly from the internet, it's bugged piece of shit. If you really want to use apache for any reason put varnish or haproxy in front of it.
reverse is simple:
Code
visitor(443) -> stunnel(443) -> httpd(80)
visitor(80) -> httpd(80)
forward, what's the point of putting plain through apache or any other service? You can do something like
Code
service -> stunnel(80) -> external(443)
service -> external(80)
Now if you really want to force all outgoing traffic to some local service you could use something like
Code
/sbin/iptables -t nat -A PREROUTING -s 127.0.0.1/255.255.255.0 -p tcp -m tcp --dport 443 -m owner --uid-owner yourservicesuserdifferentthantheproxy -j DNAT --to-destination 127.0.0.1
then all connections by user "yourservicesuserdifferentthantheproxy" to port 443 anywhere will be redirected to localhost instead. Something like this should work, but instead I'd prefer to disallow any external access from your services, and if yuo need to contact external sites - whitelist them, possibly write the wrapper for them in stunnel.
also2: I strongly suggest to put your "services" into some kind of jail (lxc > openvz > etc) and have it on loopback ip, for example 10.0.0.2. NAT them. Then edit iptables above accordingly. I'm not even sure if it is possible without NAT in this case
This post was edited by nuvo on May 8 2013 01:06pm