diff --git a/slapos/recipe/generic_varnish/__init__.py b/slapos/recipe/generic_varnish/__init__.py
index 4f93407bb28d520841aff7a96f6b3de36344915e..1ede08aa8357b0c78232cd9ffa9b6f17e3c580c7 100644
--- a/slapos/recipe/generic_varnish/__init__.py
+++ b/slapos/recipe/generic_varnish/__init__.py
@@ -39,9 +39,28 @@ class Recipe(GenericSlapRecipe):
     ip = self.options['ip']
     backend_url = self.parameter_dict['tidstorage-url']
     backend_server, backend_port = self._getBackendServer(backend_url)
+    path_list = []
+    if backend_url.startswith('https://'):
+      config = dict(
+        stunnel_binary=self.options['stunnel-binary'],
+        stunnel_server=ip,
+        stunnel_port=int(self.options['stunnel-port']),
+        stunnel_pid_file=self.options['stunnel-pid-file'],
+        stunnel_conf_file=self.options['stunnel-conf-file'],
+        shell_path=self.options['shell-path'],
+        backend_server=backend_server.replace('[', '').replace(']', ''),
+        backend_port=backend_port,
+      )
+      path_list.append(self.createExecutable(self.options['stunnel-wrapper'],
+        self.substituteTemplate(self.getTemplateFilename('stunnel.in'),
+          config)))
+      path_list.append(self.createFile(self.options['stunnel-conf-file'],
+        self.substituteTemplate(self.getTemplateFilename('stunnel.conf.in'),
+          config)))
+      backend_server = ip
+      backend_port = int(self.options['stunnel-port'])
     varnishd_manager_port = int(self.options['manager-port'])
     varnishd_server_port = int(self.options['server-port'])
-    path_list = []
     config = dict(
       varnishd_binary=self.options['varnishd-binary'],
       varnish_ip=ip,
diff --git a/slapos/recipe/generic_varnish/template/stunnel.conf.in b/slapos/recipe/generic_varnish/template/stunnel.conf.in
new file mode 100644
index 0000000000000000000000000000000000000000..83f305dffe1518cc00eea83cc81a2431669a950d
--- /dev/null
+++ b/slapos/recipe/generic_varnish/template/stunnel.conf.in
@@ -0,0 +1,10 @@
+foreground = yes
+output = /dev/stdout
+pid = %(stunnel_pid_file)s
+debug = 4
+
+[remote]
+accept = %(stunnel_server)s:%(stunnel_port)s
+client = yes
+connect = %(backend_server)s:%(backend_port)s
+sni = %(stunnel_server)s
diff --git a/slapos/recipe/generic_varnish/template/stunnel.in b/slapos/recipe/generic_varnish/template/stunnel.in
new file mode 100644
index 0000000000000000000000000000000000000000..fad93d78c8fc060b071dd5f9de4af69e6ec69efe
--- /dev/null
+++ b/slapos/recipe/generic_varnish/template/stunnel.in
@@ -0,0 +1,3 @@
+#!%(shell_path)s
+DAEMON_OPTS="%(stunnel_conf_file)s"
+exec %(stunnel_binary)s ${DAEMON_OPTS} 2>&1
diff --git a/stack/erp5/buildout.cfg b/stack/erp5/buildout.cfg
index 708b8e15788cbe067aefc1623df35d3da5e75f04..ba6068267bd55f770fa3449d3cb7ba9c26e9b006 100644
--- a/stack/erp5/buildout.cfg
+++ b/stack/erp5/buildout.cfg
@@ -48,6 +48,7 @@ extends =
   ../../component/python-2.7/buildout.cfg
   ../../component/python-ldap-python/buildout.cfg
   ../../component/rdiff-backup/buildout.cfg
+  ../../component/stunnel/buildout.cfg
   ../../component/subversion/buildout.cfg
   ../../component/tesseract/buildout.cfg
   ../../component/varnish/buildout.cfg
@@ -76,6 +77,7 @@ parts =
   graphviz
   haproxy
   jsl
+  stunnel
   varnish-3.0
   w3m
   poppler
@@ -235,7 +237,7 @@ mode = 640
 # XXX: "template.cfg" is hardcoded in instanciation recipe
 filename = template.cfg
 template = ${:_profile_base_location_}/instance.cfg.in
-md5sum = fbb7ea50d7ea6d4e25725801cc3fd5f9
+md5sum = a1a5a9983207e4a8128bab331cbd3cd5
 extra-context =
     key apache_location apache:location
     key aspell_location aspell:location
@@ -274,6 +276,7 @@ extra-context =
     key openssl_location openssl:location
     key poppler_location poppler:location
     key sed_location sed:location
+    key stunnel_location stunnel:location
     key template_cloudooo template-cloudooo:target
     key template_erp5_single template-erp5-single:target
     key template_erp5_cluster template-erp5-cluster:target
@@ -316,7 +319,7 @@ mode = 640
 [template-varnish]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/instance-varnish.cfg.in
-md5sum = 728650f5d20ad637d8d824d1968865ca
+md5sum = ae0465591c22c0cb316c1706965c6b18
 mode = 640
 
 [bt5-repository]
diff --git a/stack/erp5/instance-varnish.cfg.in b/stack/erp5/instance-varnish.cfg.in
index d4f0ef5ef7fdd805536b293a9ac269d2978e20ec..7867ba1c18316e9e0d45b264848da088202ce1c5 100644
--- a/stack/erp5/instance-varnish.cfg.in
+++ b/stack/erp5/instance-varnish.cfg.in
@@ -28,18 +28,23 @@ recipe = slapos.cookbook:generic.varnish
 ip = ${slap-network-information:local-ipv4}
 server-port = 6001
 manager-port = 6002
+stunnel-port = 6003
 
 # Paths: Running wrappers
 varnishd-wrapper = ${basedirectory:services}/varnishd
 varnishlog-wrapper = ${rootdirectory:bin}/varnishlog
+stunnel-wrapper = ${basedirectory:services}/stunnel
 
 # Binary information
 varnishd-binary = {{ parameter_dict['varnish'] }}/sbin/varnishd
 varnishlog-binary = {{ parameter_dict['varnish'] }}/bin/varnishlog
 shell-path = {{ parameter_dict['dash'] }}/bin/dash
+stunnel-binary = {{ parameter_dict['stunnel'] }}/bin/stunnel
 # Configuration by VCL
 vcl-file = ${rootdirectory:etc}/default.vcl
 pid-file = ${basedirectory:run}/varnishd.pid
+stunnel-conf-file = ${rootdirectory:etc}/stunnel.conf
+stunnel-pid-file = ${basedirectory:run}/stunnel.pid
 varnish-data = ${directory:varnish-data}
 # this will pass at -n option
 varnish-instance-name = ${directory:varnish-instance}
diff --git a/stack/erp5/instance.cfg.in b/stack/erp5/instance.cfg.in
index 96357d446a7b5a21ecfa158ffb3338a050412062..945345284b1e2a0554acb828e149d4be47ef495c 100644
--- a/stack/erp5/instance.cfg.in
+++ b/stack/erp5/instance.cfg.in
@@ -99,6 +99,7 @@ dash = {{ dash_location }}
 dcron = {{ dcron_location }}
 gzip =  {{ gzip_location }}
 logrotate = {{ logrotate_location }}
+stunnel = {{ stunnel_location }}
 varnish = {{ varnish_location }}
 wget = {{ wget_location }}
 buildout-bin-directory = {{ buildout_bin_directory }}