Stunnel
Installation
To install stunnel from source:
rsync -av --delete rsync.stunnel.org::stunnel stunnel-rsync
cd stunnel-rsync
Or, to sync only part of the tree:
rsync -av --delete rsync.stunnel.org::stunnel/archive/5.x/stunnel-5.5* stunnel-5
cd stunnel-5
Select a version, fetch the stunnel PGP key, and verify the signature and the checksum:
VER=5.56
curl https://www.stunnel.org/pgp.asc | gpg --import
gpg --verify stunnel-${VER}.tar.gz.asc
sha256sum -c stunnel-${VER}.tar.gz.sha256
Extract and compile:
tar -xzf stunnel-${VER}.tar.gz
cd stunnel-${VER}
./configure --prefix=/opt/stunnel && make && sudo make install
HTTP Proxy
Generate an SSL certificate:
openssl req -new -x509 -nodes -days 365 -subj '/CN=localhost/O=Foobar Inc/OU=AYB/C=PL' -newkey rsa:4096 -sha512 -out stunnel.pem -keyout stunnel.pem
stunnel3
For stunnel3, all parameters can be given on the command line:
stunnel3 -f -D 4 -P $TMPDIR/stunnel.pid -p stunnel.pem -d 8443 -r 8080
- -f - run in foreground
- -D - log only warning and higher messages
- -P - PID file
- -p - certificate file
- -d - network port to listen on
- -r - network port to forward to
stunnel4
For stunnel4, a configuration file is needed. Example stunnel.conf:
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
output = /var/log/stunnel/stunnel.log
pid = /var/log/stunnel/stunnel.pid
syslog = no
; foreground = yes
debug = 4

; See SSL_CTX_set_options(3ssl)
; https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
;
; options = NO_SSLv2
; options = NO_SSLv3
sslVersion = TLSv1.2
; options = SINGLE_ECDH_USE
; options = SINGLE_DH_USE

; Turn off the Nagle algorithm for local & remote sockets
; socket = l:TCP_NODELAY=1
; socket = r:TCP_NODELAY=1

; Stunnel listens to port 8443 (HTTPS) on any IP and connects to
; port 80 (HTTP) on localhost.
;
; NOTE: we act as a server here and the cert and key
; options above are being used!
[https]
client = no
accept = 0.0.0.0:8443
connect = 127.0.0.1:80

; Stunnel listens on port 2025 (SMTP) on localhost
; and connects to the mailhub via SMTP.
[smtp]
client = yes
accept = localhost:2025
connect = mail.example.org:25
protocol = smtp
; ciphers = AES256-SHA
Note: The connect address must be the address on which the HTTP server's (virtual) host is configured to listen. Using 127.0.0.1 might not work as expected.
Start stunnel with:
stunnel4 /etc/stunnel/stunnel.conf
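The stunnel4 configuration above follows a simple ini-like format: `;` comments, global options before the first section, and one `[name]` section per service whose options override the global ones. As an added example (not part of stunnel or of this page's original content), the following Python reads such a file and runs two defender-side checks that are this example's own rules: a server-mode section needs a `cert`, and a client-mode section without any `verify`/`verifyChain`/`verifyPeer` option is assumed not to validate the peer certificate. The embedded sample is a constructed cut-down copy of the page's config.

```python
import re

# Constructed sample: a trimmed version of the stunnel.conf shown above.
SAMPLE_CONF = """\
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
sslVersion = TLSv1.2

[https]
client = no
accept = 0.0.0.0:8443
connect = 127.0.0.1:80

[smtp]
client = yes
accept = localhost:2025
connect = mail.example.org:25
protocol = smtp
"""

def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}).

    ';' starts a comment, '[name]' opens a service section, and 'key = value'
    lines before the first section are global. The repeatable 'options' key
    is collected into a list; every other key keeps its last value.
    """
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1), {})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        target = current if current is not None else global_opts
        if key == "options":
            target.setdefault(key, []).append(value)
        else:
            target[key] = value
    return global_opts, services

def audit(global_opts, services):
    """Example rules (not stunnel's own): server sections need a cert,
    client sections should verify the peer. Returns a list of findings."""
    findings = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}  # service options override global ones
        if eff.get("client", "no") == "no" and "cert" not in eff:
            findings.append(f"[{name}] server mode but no cert configured")
        if eff.get("client") == "yes" and not any(k.startswith("verify") for k in eff):
            findings.append(f"[{name}] client mode without verify option: peer cert not checked")
    return findings

if __name__ == "__main__":
    for finding in audit(*parse_stunnel_conf(SAMPLE_CONF)):
        print(finding)
```

Run against the sample, the only finding is the `[smtp]` client section, which forwards mail to `mail.example.org:25` without checking that server's certificate.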