An SSL tunnel is needed mainly when a client wishes to communicate securely with a non-secure daemon. In this case, a middle layer is required: it negotiates the encryption parameters (public key/certificate) with the client, decrypts the data sent by the client, and then communicates with the non-secure daemon in a non-secure way. While earlier versions of Parallels Pro used stunnel, a universal SSL tunnel wrapper, it now uses a more powerful redirection using Apache and mod_rewrite.
The problem with the new approach is that the configuration file eplhttpd.conf contains the IP address of the server with which it should communicate when using the non-secure port. In a NAT environment, if you are accessing Parallels Pro from outside your network, the IP address of the server, for example, https://1.2.3.4:19638/isp/, may get translated to an internal IP address, https://10.12.3.4:19638/isp/. In this case, although the HTTPS URL contains the IP address 1.2.3.4, the Parallels Pro daemon eplhttpd should fetch the non-secure page from 10.12.3.4. Similarly, any absolute links that refer to the same Parallels Pro server should refer to 1.2.3.4, as that is the IP address from which the server will be accessed.
To ensure successful secure connections to the Parallels Pro Control Panel interface, you must modify the eplhttpd_ipaddress directive in the configuration file /usr/lib/ensim/frontend/httpd/conf/eplhttpd.conf as required. The default value of this directive is set to the server's IP address.
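The following shell functions are an added example, not part of Parallels Pro or the original page: they read eplhttpd_ipaddress from the configuration file and report whether it names an address actually configured on the server, which is the mismatch the NAT case above produces. Assumptions: the directive is written as the name followed by whitespace, "=" or ":" and an optionally quoted IPv4 address (the page does not show its syntax), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Parallels Pro code). Assumed directive syntax:
#   eplhttpd_ipaddress 10.12.3.4     or     eplhttpd_ipaddress="10.12.3.4"
# Lines starting with "#" are treated as comments and ignored.

# Print every IPv4 value assigned to eplhttpd_ipaddress in file $1.
get_eplhttpd_ip() {
    sed -n 's/^[[:space:]]*eplhttpd_ipaddress[[:space:]=:]\{1,\}"\{0,1\}\([0-9.]\{1,\}\)"\{0,1\}.*$/\1/p' "$1"
}

# check_eplhttpd_ip CONF ADDR...
# ADDR... are the addresses configured on the server's own interfaces.
# Returns 0 if the configured value is one of them, 1 if it is not
# (for example the public, pre-NAT address), 2 if no directive was found.
check_eplhttpd_ip() {
    conf=$1
    shift
    # If the directive appears more than once, check the last occurrence.
    ip=$(get_eplhttpd_ip "$conf" | tail -n 1)
    if [ -z "$ip" ]; then
        echo "no eplhttpd_ipaddress directive found in $conf"
        return 2
    fi
    for local_ip in "$@"; do
        if [ "$ip" = "$local_ip" ]; then
            echo "ok: eplhttpd_ipaddress $ip is configured on this server"
            return 0
        fi
    done
    echo "mismatch: eplhttpd_ipaddress $ip is not a local address; candidates: $*"
    return 1
}

# Usage on the server, with the internal address from the page's NAT example:
#   check_eplhttpd_ip /usr/lib/ensim/frontend/httpd/conf/eplhttpd.conf 10.12.3.4
```
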