stunnel Howto A Guide to create SSL access to a HTTP-only webserver with stunnel

1. Get the stunnel software


Source is available at http://stunnel.mirt.net/, but many distributions already provide a precompiled package. In this example, I compiled it from scratch.

 

fm@susie:/home/devel> zcat ../software/stunnel-4.15.tar.gz | tar xf -
fm@susie:/home/devel> ls stunnel-4

2. Prepare the home if not /usr/local/xxx


susie:/home/devel # mkdir /home/stunnel-4.15
susie:/home/devel # ln -s /home/stunnel-4.15 /home/stunnel

3. Compile the software


There is a bug in stunnel when Diffie Hellman support is enabled with --enable-dh in src/ctx.c

fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel
 --with-ssl=/home/openssl --enable-dh --disable-libwrap

susie:/home/devel/stunnel-4.15 # make

...
ctx.c: In function `init_dh':
ctx.c:170: error: `section' undeclared (first use in this fu
ctx.c:170: error: (Each undeclared identifier is reported on
ctx.c:170: error: for each function it appears in.)
ctx.c:198: error: `ctx' undeclared (first use in this functi
make[1]: *** [ctx.o] Error 1
make[1]: Leaving directory `/home/devel/stunnel-4.15/src'
make: *** [all-recursive] Error 1

Reasons are two missing pointer declarations in src/ctx.c:
SSL_CTX *ctx;
LOCAL_OPTIONS *section;

Since I do not plan to use DH, I removed the option and compilation worked with out any trouble.

fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel
 --with-ssl=/home/openssl --disable-libwrap
fm@susie:/home/devel/stunnel-4.15> make; su; make install

"make install" calls OpenSSL routines and generates a self-signed certificate together with the private key in a single file. The certificate and key can be displayed with openssl:

susie:~ # openssl x509 -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text
susie:~ # openssl rsa -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text

4. Adjust the stunnel configuration file


For more information, see the stunnel manpage.

susie:~ # vi /home/stunnel/etc/stunnel/stunnel.conf

; ==== stunnel configuration for https to http forwarding ====

; Certificate/key is needed in server mode and optional in client mode
cert = /home/stunnel/etc/stunnel/stunnel.pem

; since private key and certificate are in one file, we don't need
; to specify the key file. Since we do not use authentication with
; client certs, we don't need the CA certificate for verification.
;key = /home/stunnel/etc/stunnel/stunnel-privkey.pem
;CAfile = /home/stunnel/etc/stunnel/cacert.pem

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /home/stunnel/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

; ==== end of stunnel.conf ====

5. Verify the webserver is running on port 80 and the SSL port 443 is free


 

susie:~ # lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     1153   root    5u  IPv6   2949       TCP *:ssh (LISTEN)
master   1339   root   11u  IPv4   3741       TCP localhost:smtp (LISTEN)
xinetd   1444   root    5u  IPv4   5968       UDP *:tftp
httpd   15216   root   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15217 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15218 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15219 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15220 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15221 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)

6. Start stunnel and verify it is listening on port 443


 

susie:/home/stunnel # sbin/stunnel
susie:/home/stunnel # lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     1153   root    5u  IPv6   2949       TCP *:ssh (LISTEN)
master   1339   root   11u  IPv4   3741       TCP localhost:smtp (LISTEN)
xinetd   1444   root    5u  IPv4   5968       UDP *:tftp
httpd   15216   root   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15217 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15218 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15219 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15220 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15221 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
stunnel 15229 nobody    6u  IPv4  67679       TCP *:https (LISTEN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

7. Stop stunnel


 

susie:~ # kill `cat /home/stunnel/var/lib/stunnel/stunnel.pid`

8. verifying function in syslog logfile


 

susie:/home/stunnel # tail -f /var/log/messages

May  6 00:24:18 susie stunnel: LOG5[21440:16384]: stunnel 4.15 on
 i686-pc-linux-gnu with OpenSSL 0.9.7e 25 Oct 2004
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: Threading:PTHREAD
 SSL:ENGINE Sockets:POLL,IPv4
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: 500 clients allowed
...
May  6 00:24:35 susie stunnel: LOG5[21445:16386]: https connected from
 127.0.0.1:33108
May  6 00:24:36 susie stunnel: LOG5[21445:16386]: Connection closed: 13079
 bytes sent to SSL, 930 bytes sent to socket

The 'debug' option increases the log level, 0 = no logging, 7 = full logging plus console output. 'debug = 5' logs everything including informational this is the default.

0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Linux ssh Hide OpenSSH Version Banner
Viewed 662 times since Wed, Apr 22, 2020
RHEL: Displaying/setting kernel parameters - ’sysctl’
Viewed 1174 times since Sat, Jun 2, 2018
LVM: Reduce root PV/VG
Viewed 991 times since Sat, Jun 2, 2018
ZFS: Verify/change properties of a zfs filesystem
Viewed 786 times since Sun, Jun 3, 2018
An easier way to manage disk decryption at boot with Red Hat Enterprise Linux 7.5 using NBDE
Viewed 2296 times since Mon, Aug 6, 2018
How to mount software RAID1 member using mdadm
Viewed 694 times since Wed, Oct 3, 2018
www.unixarena.com
Viewed 615 times since Fri, Jul 27, 2018
debian How to check Debian CVE status using python script
Viewed 582 times since Sun, Sep 23, 2018
LUKS List available methods of encryption for LUKS
Viewed 620 times since Fri, Jul 13, 2018
Installing and Configuring an OCFS2 Clustered File System
Viewed 1128 times since Sat, Jun 2, 2018