stunnel Howto: A guide to creating SSL access to an HTTP-only webserver with stunnel

1. Get the stunnel software


Source is available at http://stunnel.mirt.net/, but many distributions already provide a precompiled package. In this example, I compiled it from scratch.


fm@susie:/home/devel> zcat ../software/stunnel-4.15.tar.gz | tar xf -
fm@susie:/home/devel> ls stunnel-4

2. Prepare the installation directory if not installing under /usr/local/xxx


susie:/home/devel # mkdir /home/stunnel-4.15
susie:/home/devel # ln -s /home/stunnel-4.15 /home/stunnel

3. Compile the software


There is a bug in src/ctx.c of stunnel 4.15 that shows up when Diffie-Hellman support is enabled with --enable-dh:

fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel
 --with-ssl=/home/openssl --enable-dh --disable-libwrap

susie:/home/devel/stunnel-4.15 # make

...
ctx.c: In function `init_dh':
ctx.c:170: error: `section' undeclared (first use in this fu
ctx.c:170: error: (Each undeclared identifier is reported on
ctx.c:170: error: for each function it appears in.)
ctx.c:198: error: `ctx' undeclared (first use in this functi
make[1]: *** [ctx.o] Error 1
make[1]: Leaving directory `/home/devel/stunnel-4.15/src'
make: *** [all-recursive] Error 1

The reason is two missing pointer declarations in src/ctx.c:

SSL_CTX *ctx;
LOCAL_OPTIONS *section;

Since I do not plan to use DH, I removed the option and compilation worked without any trouble.

fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel
 --with-ssl=/home/openssl --disable-libwrap
fm@susie:/home/devel/stunnel-4.15> make; su; make install

"make install" calls OpenSSL routines and generates a self-signed certificate together with the private key in a single file (stunnel.pem). The certificate and the key can be displayed with openssl:

susie:~ # openssl x509 -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text
susie:~ # openssl rsa -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text

4. Adjust the stunnel configuration file


For more information, see the stunnel manpage.

susie:~ # vi /home/stunnel/etc/stunnel/stunnel.conf

; ==== stunnel configuration for https to http forwarding ====

; Certificate/key is needed in server mode and optional in client mode
cert = /home/stunnel/etc/stunnel/stunnel.pem

; since private key and certificate are in one file, we don't need
; to specify the key file. Since we do not use authentication with
; client certs, we don't need the CA certificate for verification.
;key = /home/stunnel/etc/stunnel/stunnel-privkey.pem
;CAfile = /home/stunnel/etc/stunnel/cacert.pem

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /home/stunnel/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

; ==== end of stunnel.conf ====
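
As an added example (not from the article or the stunnel project), a small Python linter for the stunnel.conf layout above: it parses the ini-style file (';' comments, global options before the first [section], one section per forwarded service) and flags a missing certificate in server mode, a missing chroot/setuid/setgid privilege drop, and debug = 7 left enabled. The config embedded in it is a constructed copy of the listing above.

```python
import re

SAMPLE_CONF = """\
; constructed sample mirroring the https -> http forwarding config above
cert = /home/stunnel/etc/stunnel/stunnel.pem
chroot = /home/stunnel/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
;debug = 7
[https]
accept  = 443
connect = 80
TIMEOUTclose = 0
"""

def parse_stunnel_conf(text):
    """Return (global_opts, {service_name: opts}); option names are lower-cased.
    Repeated options (e.g. several 'socket =' lines) keep the last value."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)           # [service] header
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        key, _, value = line.partition("=")          # split on the first '=' only
        target = global_opts if current is None else services[current]
        target[key.strip().lower()] = value.strip()
    return global_opts, services

def lint(global_opts, services):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if global_opts.get("client", "no").lower() != "yes" and "cert" not in global_opts:
        findings.append("server mode needs 'cert' (certificate plus private key)")
    for opt in ("chroot", "setuid", "setgid"):       # privilege drop from the listing
        if opt not in global_opts:
            findings.append(f"'{opt}' not set: stunnel keeps the privileges it was started with")
    debug = global_opts.get("debug", "5")            # may also be a level name; skip those
    if debug.isdigit() and int(debug) >= 7:
        findings.append("debug = 7 enables full logging; meant for troubleshooting only")
    for name, opts in services.items():
        if "accept" not in opts or "connect" not in opts:
            findings.append(f"[{name}] needs both 'accept' and 'connect'")
    return findings
```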

5. Verify the webserver is running on port 80 and the SSL port 443 is free



susie:~ # lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     1153   root    5u  IPv6   2949       TCP *:ssh (LISTEN)
master   1339   root   11u  IPv4   3741       TCP localhost:smtp (LISTEN)
xinetd   1444   root    5u  IPv4   5968       UDP *:tftp
httpd   15216   root   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15217 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15218 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15219 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15220 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15221 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)

6. Start stunnel and verify it is listening on port 443



susie:/home/stunnel # sbin/stunnel
susie:/home/stunnel # lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     1153   root    5u  IPv6   2949       TCP *:ssh (LISTEN)
master   1339   root   11u  IPv4   3741       TCP localhost:smtp (LISTEN)
xinetd   1444   root    5u  IPv4   5968       UDP *:tftp
httpd   15216   root   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15217 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15218 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15219 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15220 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15221 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
stunnel 15229 nobody    6u  IPv4  67679       TCP *:https (LISTEN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

7. Stop stunnel



susie:~ # kill `cat /home/stunnel/var/lib/stunnel/stunnel.pid`

8. Verify operation in the syslog logfile



susie:/home/stunnel # tail -f /var/log/messages

May  6 00:24:18 susie stunnel: LOG5[21440:16384]: stunnel 4.15 on
 i686-pc-linux-gnu with OpenSSL 0.9.7e 25 Oct 2004
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: Threading:PTHREAD
 SSL:ENGINE Sockets:POLL,IPv4
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: 500 clients allowed
...
May  6 00:24:35 susie stunnel: LOG5[21445:16386]: https connected from
 127.0.0.1:33108
May  6 00:24:36 susie stunnel: LOG5[21445:16386]: Connection closed: 13079
 bytes sent to SSL, 930 bytes sent to socket

The 'debug' option sets the log level: 0 = no logging, 7 = full logging plus console output. 'debug = 5' logs everything including informational messages; this is the default.
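
An added example, not part of the original article: Python that parses syslog lines in the format shown above, pairs each "connected from" line with its "Connection closed" line via the [pid:tid] tag, and totals connections, bytes and empty sessions per client address. The log lines embedded in it are constructed to match the article's format; the 192.0.2.10 client is invented.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown above (not real traffic).
SAMPLE_LOG = """\
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: 500 clients allowed
May  6 00:24:35 susie stunnel: LOG5[21445:16386]: https connected from 127.0.0.1:33108
May  6 00:24:36 susie stunnel: LOG5[21445:16386]: Connection closed: 13079 bytes sent to SSL, 930 bytes sent to socket
May  6 00:25:01 susie stunnel: LOG5[21446:16387]: https connected from 192.0.2.10:40001
May  6 00:25:02 susie stunnel: LOG5[21446:16387]: Connection closed: 512 bytes sent to SSL, 300 bytes sent to socket
May  6 00:25:03 susie stunnel: LOG5[21447:16388]: https connected from 192.0.2.10:40002
May  6 00:25:03 susie stunnel: LOG5[21447:16388]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket
"""

# syslog prefix followed by stunnel's "LOG<level>[pid:tid]: message" framing
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ stunnel: "
                     r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^(?P<service>\S+) connected from (?P<ip>[\d.]+):(?P<port>\d+)$")
CLOSE_RE = re.compile(r"^Connection closed: (?P<to_ssl>\d+) bytes sent to SSL, "
                      r"(?P<to_sock>\d+) bytes sent to socket$")

def summarise(log_text):
    """Aggregate per client IP. 'empty' counts sessions that closed without a
    byte in either direction, which a completed page fetch never does."""
    open_conns = {}                                   # (pid, tid) -> client ip
    stats = defaultdict(lambda: {"connections": 0, "to_ssl": 0, "to_socket": 0, "empty": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # not a stunnel line
        key = (m["pid"], m["tid"])
        c = CONNECT_RE.match(m["msg"])
        if c:
            open_conns[key] = c["ip"]
            stats[c["ip"]]["connections"] += 1
            continue
        e = CLOSE_RE.match(m["msg"])
        if e and key in open_conns:                   # close line for a known session
            ip = open_conns.pop(key)
            to_ssl, to_sock = int(e["to_ssl"]), int(e["to_sock"])
            stats[ip]["to_ssl"] += to_ssl
            stats[ip]["to_socket"] += to_sock
            if to_ssl == 0 and to_sock == 0:
                stats[ip]["empty"] += 1
    return dict(stats)
```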
