stunnel Howto A Guide to create SSL access to a HTTP-only webserver with stunnel

1. Get the stunnel software


Source is available at http://stunnel.mirt.net/, but many distributions already provide a precompiled package. In this example, I compiled it from scratch.

 

fm@susie:/home/devel> zcat ../software/stunnel-4.15.tar.gz | tar xf -
fm@susie:/home/devel> ls stunnel-4

2. Prepare the home if not /usr/local/xxx


susie:/home/devel # mkdir /home/stunnel-4.15
susie:/home/devel # ln -s /home/stunnel-4.15 /home/stunnel

3. Compile the software


There is a bug in stunnel when Diffie Hellman support is enabled with --enable-dh in src/ctx.c

fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel
 --with-ssl=/home/openssl --enable-dh --disable-libwrap

susie:/home/devel/stunnel-4.15 # make

...
ctx.c: In function `init_dh':
ctx.c:170: error: `section' undeclared (first use in this fu
ctx.c:170: error: (Each undeclared identifier is reported on
ctx.c:170: error: for each function it appears in.)
ctx.c:198: error: `ctx' undeclared (first use in this functi
make[1]: *** [ctx.o] Error 1
make[1]: Leaving directory `/home/devel/stunnel-4.15/src'
make: *** [all-recursive] Error 1

Reasons are two missing pointer declarations in src/ctx.c:
SSL_CTX *ctx;
LOCAL_OPTIONS *section;

Since I do not plan to use DH, I removed the option and compilation worked with out any trouble.

fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel
 --with-ssl=/home/openssl --disable-libwrap
fm@susie:/home/devel/stunnel-4.15> make; su; make install

"make install" calls OpenSSL routines and generates a self-signed certificate together with the private key in a single file. The certificate and key can be displayed with openssl:

susie:~ # openssl x509 -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text
susie:~ # openssl rsa -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text

4. Adjust the stunnel configuration file


For more information, see the stunnel manpage.

susie:~ # vi /home/stunnel/etc/stunnel/stunnel.conf

; ==== stunnel configuration for https to http forwarding ====

; Certificate/key is needed in server mode and optional in client mode
cert = /home/stunnel/etc/stunnel/stunnel.pem

; since private key and certificate are in one file, we don't need
; to specify the key file. Since we do not use authentication with
; client certs, we don't need the CA certificate for verification.
;key = /home/stunnel/etc/stunnel/stunnel-privkey.pem
;CAfile = /home/stunnel/etc/stunnel/cacert.pem

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /home/stunnel/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

; ==== end of stunnel.conf ====

5. Verify the webserver is running on port 80 and the SSL port 443 is free


 

susie:~ # lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     1153   root    5u  IPv6   2949       TCP *:ssh (LISTEN)
master   1339   root   11u  IPv4   3741       TCP localhost:smtp (LISTEN)
xinetd   1444   root    5u  IPv4   5968       UDP *:tftp
httpd   15216   root   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15217 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15218 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15219 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15220 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15221 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)

6. Start stunnel and verify it is listening on port 443


 

susie:/home/stunnel # sbin/stunnel
susie:/home/stunnel # lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     1153   root    5u  IPv6   2949       TCP *:ssh (LISTEN)
master   1339   root   11u  IPv4   3741       TCP localhost:smtp (LISTEN)
xinetd   1444   root    5u  IPv4   5968       UDP *:tftp
httpd   15216   root   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15217 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15218 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15219 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15220 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15221 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
stunnel 15229 nobody    6u  IPv4  67679       TCP *:https (LISTEN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

7. Stop stunnel


 

susie:~ # kill `cat /home/stunnel/var/lib/stunnel/stunnel.pid`

8. verifying function in syslog logfile


 

susie:/home/stunnel # tail -f /var/log/messages

May  6 00:24:18 susie stunnel: LOG5[21440:16384]: stunnel 4.15 on
 i686-pc-linux-gnu with OpenSSL 0.9.7e 25 Oct 2004
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: Threading:PTHREAD
 SSL:ENGINE Sockets:POLL,IPv4
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: 500 clients allowed
...
May  6 00:24:35 susie stunnel: LOG5[21445:16386]: https connected from
 127.0.0.1:33108
May  6 00:24:36 susie stunnel: LOG5[21445:16386]: Connection closed: 13079
 bytes sent to SSL, 930 bytes sent to socket

The 'debug' option increases the log level, 0 = no logging, 7 = full logging plus console output. 'debug = 5' logs everything including informational this is the default.

0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
debian How to Upgrade Debian 8 Jessie to Debian 9 Stretch
Viewed 1065 times since Sun, Sep 23, 2018
LVM: Extend SWAP size by adding a new Logical Volume
Viewed 977 times since Sat, Jun 2, 2018
RHEL: Remove existing SAN LUNs
Viewed 1257 times since Sat, Jun 2, 2018
Jak znaleźć najszybszy publiczny serwer DNS w Polsce?
Viewed 1377 times since Mon, May 21, 2018
How to maximise SSD performance with Linux
Viewed 3522 times since Fri, May 15, 2020
What UUIDs can do for you
Viewed 692 times since Tue, Jul 17, 2018
A Simple Guide to Oracle Cluster File System (OCFS2) using iSCSI on Oracle Cloud Infrastructure
Viewed 1782 times since Sat, Jun 2, 2018
Linux - How to shutdown or reboot
Viewed 712 times since Fri, Jun 8, 2018
RHEL: Display swap/RAM size
Viewed 1330 times since Sat, Jun 2, 2018
3 Ways to Check Linux Kernel Version in Command Line
Viewed 1365 times since Fri, Apr 19, 2019