Stunnel

From Segfault

Installation

To install stunnel from source:

rsync -av --delete rsync.stunnel.org::stunnel stunnel-rsync
cd stunnel-rsync

Or, to sync only part of the tree:

rsync -av --delete rsync.stunnel.org::stunnel/archive/5.x/stunnel-5.5* stunnel-5
cd stunnel-5

Select a version, import the stunnel signing key, and verify both the PGP signature and the checksum of the tarball:

VER=5.56

curl https://www.stunnel.org/pgp.asc | gpg --import
gpg --verify stunnel-${VER}.tar.gz.asc
sha256sum -c stunnel-${VER}.tar.gz.sha256

Extract and compile:

tar -xzf stunnel-${VER}.tar.gz
cd stunnel-${VER}
./configure --prefix=/opt/stunnel && make && sudo make install
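The commands above run one after another, so in an interactive shell a failed gpg --verify or sha256sum would not stop the following make install. The script below is an added example (not from the Segfault page or the stunnel project) that wires the same steps into a fail-closed sequence and additionally pins the signing key's fingerprint, because gpg --verify on its own reports a good signature for any key in the keyring, including one just imported from the same download channel. The function names, the EXPECTED_FPR placeholder and the stunnel-5 sync directory are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: fail-closed verification of a
# stunnel release before it is extracted and built.
set -eu

VER="${VER:-5.56}"
# Placeholder: the page does not give the release key's fingerprint; obtain it
# out of band and set it here (or in the environment) before running.
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_STUNNEL_KEY_FINGERPRINT}"

# check_sha256 <file> <sumfile>: exit 0 only if sha256sum accepts the file.
# The .sha256 file names the tarball relative to its own directory, so run
# the check from there.
check_sha256() {
    (cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$2")")
}

# check_signature <file> <sigfile>: require a VALIDSIG status line carrying
# the expected fingerprint, not merely "Good signature" from some key.
check_signature() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $EXPECTED_FPR "
}

# install_stunnel: the page's fetch, verify, extract and build steps in order;
# under set -e any failed check aborts before tar and make run.
install_stunnel() {
    rsync -av --delete "rsync.stunnel.org::stunnel/archive/5.x/stunnel-${VER}*" stunnel-5
    cd stunnel-5
    curl -fsS https://www.stunnel.org/pgp.asc | gpg --import
    check_signature "stunnel-${VER}.tar.gz" "stunnel-${VER}.tar.gz.asc"
    check_sha256    "stunnel-${VER}.tar.gz" "stunnel-${VER}.tar.gz.sha256"
    tar -xzf "stunnel-${VER}.tar.gz"
    cd "stunnel-${VER}"
    ./configure --prefix=/opt/stunnel && make && sudo make install
}

# Only perform the network fetch and build when explicitly asked to.
if [ "${1:-}" = "--install" ]; then
    install_stunnel
fi
```

Run it as `sh verify-stunnel.sh --install` with VER and EXPECTED_FPR set; without the flag it only defines the functions, which is what lets the checksum helper be exercised on local files.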

HTTP Proxy

Generate a self-signed certificate and private key (both are written to stunnel.pem):

openssl req -new -x509 -nodes -days 365 -subj '/CN=localhost/O=Foobar Inc/OU=AYB/C=PL' -newkey rsa:4096 -sha512 -out stunnel.pem -keyout stunnel.pem

stunnel3

For stunnel3, all parameters can be given on the command line:

stunnel3 -f -D 4 -P $TMPDIR/stunnel.pid -p stunnel.pem -d 8443 -r 8080
  • -f - run in foreground
  • -D - debug level (4 logs only warnings and more severe messages)
  • -P - PID file
  • -p - certificate file
  • -d - network port to listen on
  • -r - network port to forward to

stunnel4

For stunnel4, a configuration file is needed. Example stunnel.conf:

cert          = /etc/stunnel/stunnel.pem
key           = /etc/stunnel/stunnel.pem

output        = /var/log/stunnel/stunnel.log
pid           = /var/log/stunnel/stunnel.pid
syslog        = no
; foreground  = yes
debug         = 4

; See SSL_CTX_set_options(3ssl)
; https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
;
; options     = NO_SSLv2
; options     = NO_SSLv3
sslVersion    = TLSv1.2

; options     = SINGLE_ECDH_USE
; options     = SINGLE_DH_USE

; Turn off the Nagle algorithm for local & remote sockets
; socket      = l:TCP_NODELAY=1
; socket      = r:TCP_NODELAY=1

; Stunnel listens to port 8443 (HTTPS) on any IP and connects to 
; port 80 (HTTP) on localhost.
;
; NOTE: we act as a server here and the cert and key
; options above are being used!
[https]
client        = no
accept        = 0.0.0.0:8443
connect       = 127.0.0.1:80

; Stunnel listens on port 2025 (SMTP) on localhost
; and connects to the mailhub via SMTP.
[smtp]
client        = yes
accept        = localhost:2025
connect       = mail.example.org:25
protocol      = smtp
; ciphers     = AES256-SHA

Note: The connect address must match the address on which the HTTP server's (virtual) host is configured to listen. Using 127.0.0.1 might not work as expected.
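One thing worth checking in a configuration like the one above is the [smtp] service: it runs in client mode (client = yes), so stunnel opens a TLS connection to the mailhub, but without verifyChain or verifyPeer together with CAfile or CApath (and ideally checkHost = mail.example.org) it accepts whatever certificate the remote side presents. The linter below is an added example, not part of the page or of stunnel, that reports every service section configured that way. It only inspects per-service settings; a client default set in the global section is not considered, and the lint_stunnel_conf name is this example's own.

```shell
#!/bin/sh
# Added example, not from the page: report stunnel.conf services that act as
# TLS clients but configure no peer-certificate verification.
lint_stunnel_conf() {
    awk '
        function flush() {
            if (sec != "" && client == "yes" && !verify)
                printf "[%s]: client = yes but no verifyChain/verifyPeer (and CAfile/CApath)\n", sec
        }
        # comments (";") and blank lines carry no settings
        /^[ \t]*;/ || /^[ \t]*$/ { next }
        # a new [service] section: report the previous one, then reset state
        /^[ \t]*\[/ {
            flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
            client = ""; verify = 0
            next
        }
        # "key = value" lines: strip whitespace around both halves
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); gsub(/[ \t]/, "", key)
            val = substr($0, n + 1);    gsub(/[ \t]/, "", val)
            if (key == "client") client = val
            if ((key == "verifyChain" || key == "verifyPeer") && val == "yes") verify = 1
        }
        END { flush() }
    ' "$1"
}
```

Run `lint_stunnel_conf /etc/stunnel/stunnel.conf`; for the configuration above it prints one line for [smtp] and nothing for [https], which is a server-side service. Adding verifyChain = yes, a CAfile and checkHost to the [smtp] section makes the report empty.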

Start stunnel with:

stunnel4 /etc/stunnel/stunnel.conf

Links