Stunnel

From Segfault
Jump to: navigation, search

Installation

To install stunnel from source:

$ rsync -av --delete rsync.stunnel.org::stunnel stunnel-rsync
$ cd $_

$ curl https://www.stunnel.org/pgp.asc | gpg --import
$ gpg --verify *.tar.gz.asc
gpg: assuming signed data in `stunnel-5.31.tar.gz'
gpg: Signature made Tue 01 Mar 2016 08:20:22 AM PST using RSA key ID D416E014       # Or use 0xDD3AAAA3
[...]

$ sha256sum *.tar.gz.sha256
7112cb244b4c233ab4688bfea3785f2cd5a3122173620062f89d77e10596020b  stunnel-5.31.tar.gz.sha256

Extract and compile:

tar -xzf *.tar.gz
cd stunnel-*
./configure --prefix=/opt/stunnel && make && sudo make install

HTTP Proxy

Generate an SSL certificate:

openssl req -new -x509 -nodes -days 365 -subj '/CN=localhost/O=Foobar Inc/OU=AYB/C=PL' -newkey rsa:4096 -sha512 -out stunnel.pem -keyout stunnel.pem

stunnel3

For stunnel3, all parameters can be given on the command line:

stunnel3 -f -D 4 -P $TMPDIR/stunnel.pid -p stunnel.pem -d 8443 -r 8080
  • -f - run in foreground
  • -D - log only warning and higher messages
  • -P - PID file
  • -p - certificate file
  • -d - network port to listen on
  • -r - network port to forward to

stunnel4

For stunnel4, a configuration file is needed. Example stunnel.conf:

cert          = /etc/stunnel/stunnel.pem
key           = /etc/stunnel/stunnel.pem

output        = /var/log/stunnel/stunnel.log
pid           = /var/log/stunnel/stunnel.pid
syslog        = no
; foreground  = yes
debug         = 4

; See SSL_CTX_set_options(3ssl)
; https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_options.html
;
; options     = NO_SSLv2
; options     = NO_SSLv3
sslVersion    = TLSv1.2

; options     = SINGLE_ECDH_USE
; options     = SINGLE_DH_USE

; Turn off the Nagle algorithm for local & remote sockets
; socket      = l:TCP_NODELAY=1
; socket      = r:TCP_NODELAY=1

; Stunnel listens to port 8443 (HTTPS) on any IP and connects to 
; port 80 (HTTP) on localhost.
;
; NOTE: we act as a server here and the cert and key
; options above are being used!
[https]
client        = no
accept        = 0.0.0.0:8443
connect       = 127.0.0.1:80

; Stunnel listens on port 2025 (SMTP) on localhost
; and connects to the mailhub via SMTP.
[smtp]
client        = yes
accept        = localhost:2025
connect       = mail.example.org:25
protocol      = smtp
; ciphers     = AES256-SHA

Note: The connect address needs to be the same address where the HTTP server's (virtual) host is configured to. Using 127.0.0.1 might not work as expected.

Start stunnel with:

stunnel4 /etc/stunnel/stunnel.conf

Links

References