stunnel Howto A Guide to create SSL access to a HTTP-only webserver with stunnel

1. Get the stunnel software


Source is available at http://stunnel.mirt.net/, but many distributions already provide a precompiled package. In this example, I compiled it from scratch.

 

fm@susie:/home/devel> zcat ../software/stunnel-4.15.tar.gz | tar xf -
fm@susie:/home/devel> ls stunnel-4

2. Prepare the home if not /usr/local/xxx


susie:/home/devel # mkdir /home/stunnel-4.15
susie:/home/devel # ln -s /home/stunnel-4.15 /home/stunnel

3. Compile the software


There is a bug in stunnel when Diffie Hellman support is enabled with --enable-dh in src/ctx.c

fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel
 --with-ssl=/home/openssl --enable-dh --disable-libwrap

susie:/home/devel/stunnel-4.15 # make

...
ctx.c: In function `init_dh':
ctx.c:170: error: `section' undeclared (first use in this fu
ctx.c:170: error: (Each undeclared identifier is reported on
ctx.c:170: error: for each function it appears in.)
ctx.c:198: error: `ctx' undeclared (first use in this functi
make[1]: *** [ctx.o] Error 1
make[1]: Leaving directory `/home/devel/stunnel-4.15/src'
make: *** [all-recursive] Error 1

Reasons are two missing pointer declarations in src/ctx.c:
SSL_CTX *ctx;
LOCAL_OPTIONS *section;

Since I do not plan to use DH, I removed the option and compilation worked with out any trouble.

fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel
 --with-ssl=/home/openssl --disable-libwrap
fm@susie:/home/devel/stunnel-4.15> make; su; make install

"make install" calls OpenSSL routines and generates a self-signed certificate together with the private key in a single file. The certificate and key can be displayed with openssl:

susie:~ # openssl x509 -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text
susie:~ # openssl rsa -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text

4. Adjust the stunnel configuration file


For more information, see the stunnel manpage.

susie:~ # vi /home/stunnel/etc/stunnel/stunnel.conf

; ==== stunnel configuration for https to http forwarding ====

; Certificate/key is needed in server mode and optional in client mode
cert = /home/stunnel/etc/stunnel/stunnel.pem

; since private key and certificate are in one file, we don't need
; to specify the key file. Since we do not use authentication with
; client certs, we don't need the CA certificate for verification.
;key = /home/stunnel/etc/stunnel/stunnel-privkey.pem
;CAfile = /home/stunnel/etc/stunnel/cacert.pem

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /home/stunnel/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

; ==== end of stunnel.conf ====

5. Verify the webserver is running on port 80 and the SSL port 443 is free


 

susie:~ # lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     1153   root    5u  IPv6   2949       TCP *:ssh (LISTEN)
master   1339   root   11u  IPv4   3741       TCP localhost:smtp (LISTEN)
xinetd   1444   root    5u  IPv4   5968       UDP *:tftp
httpd   15216   root   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15217 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15218 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15219 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15220 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15221 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)

6. Start stunnel and verify it is listening on port 443


 

susie:/home/stunnel # sbin/stunnel
susie:/home/stunnel # lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     1153   root    5u  IPv6   2949       TCP *:ssh (LISTEN)
master   1339   root   11u  IPv4   3741       TCP localhost:smtp (LISTEN)
xinetd   1444   root    5u  IPv4   5968       UDP *:tftp
httpd   15216   root   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15217 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15218 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15219 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15220 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15221 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
stunnel 15229 nobody    6u  IPv4  67679       TCP *:https (LISTEN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

7. Stop stunnel


 

susie:~ # kill `cat /home/stunnel/var/lib/stunnel/stunnel.pid`

8. verifying function in syslog logfile


 

susie:/home/stunnel # tail -f /var/log/messages

May  6 00:24:18 susie stunnel: LOG5[21440:16384]: stunnel 4.15 on
 i686-pc-linux-gnu with OpenSSL 0.9.7e 25 Oct 2004
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: Threading:PTHREAD
 SSL:ENGINE Sockets:POLL,IPv4
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: 500 clients allowed
...
May  6 00:24:35 susie stunnel: LOG5[21445:16386]: https connected from
 127.0.0.1:33108
May  6 00:24:36 susie stunnel: LOG5[21445:16386]: Connection closed: 13079
 bytes sent to SSL, 930 bytes sent to socket

The 'debug' option increases the log level, 0 = no logging, 7 = full logging plus console output. 'debug = 5' logs everything including informational this is the default.

0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Using renice and taskset to manage process priority and CPU affinity with Linux OEL 6.4
Viewed 3856 times since Mon, Feb 17, 2020
RHEL: Crash kernel dumps configuration and analysis on RHEL 5
Viewed 7512 times since Sat, Jun 2, 2018
Transform XML to CSV Format | Unix String Pattern Manipulation The Ugly Way
Viewed 6137 times since Sun, Jan 9, 2022
RHEL: Extending a multipath LUN
Viewed 5367 times since Sun, May 27, 2018
Deskshare TLS over Stunnel
Viewed 2981 times since Fri, Sep 28, 2018
RHEL: Displaying/setting kernel parameters - ’sysctl’
Viewed 3257 times since Sat, Jun 2, 2018
LOGROTATE – ARCHIWIAZACJA LOGÓW
Viewed 2236 times since Fri, Nov 30, 2018
LVM: Extend an existing Logical Volume / Filesystem
Viewed 2741 times since Sat, Jun 2, 2018
ubuntu How to Reset Forgotten Root Password in Ubuntu
Viewed 3162 times since Tue, Dec 8, 2020
Setting up encrypted tunnel using stunnel
Viewed 2779 times since Fri, Sep 28, 2018