Stunnel Setup

Overview

Stunnel is an SSL/TLS proxy designed to add TLS encryption to existing clients and servers without changes to the daemons themselves. One endpoint runs in server mode and the other in client mode. The unmodified client software connects to a localhost port on its own machine; stunnel carries that connection over the TLS tunnel and hands it to the daemon on the localhost port configured at the server end.

Wiki Conventions

In this wiki, a traditional MariaDB replication configuration is used as the example, since a compatible version (5.5.x) is available on both distributions. One server is located in one region of the USA and the second in another, with standard public IPv4 networking between them. Two different Linux distributions are used to show that the setup is distribution agnostic.

  • s1 = CentOS 7 as server, IP 1.2.3.4
  • s2 = Ubuntu 14 as client, IP 9.8.7.6

Actual public IPs would be used in an implementation. This wiki will not cover setting up MariaDB replication itself, which is a standard, by-the-book process, but three points differ from the usual setup:

  1. In the GRANT REPLICATION SLAVE ON ... statement on the MariaDB master, use <user>@localhost rather than the remote slave's IP: the master sees the connection arriving from its own stunnel on the loopback interface, not from 9.8.7.6. (With skip-name-resolve enabled the loopback source is seen as 127.0.0.1 and the grant must use that instead.)
  2. For both master and slave MariaDB instances, set bind-address = 127.0.0.1 to lock the daemons to localhost.
  3. In the CHANGE MASTER TO ... statement on the slave, point at the local stunnel listener with MASTER_HOST='127.0.0.1' and MASTER_PORT=3307. Use the address rather than the name localhost: the MySQL client library treats localhost as a request for the local Unix socket, which would connect the slave to itself.

MariaDB traffic travels only inside the stunnel proxy, so neither daemon should listen on a public IP. Binding to loopback is what enforces that: if MariaDB kept listening on 1.2.3.4:3306, the tunnel would protect nothing.

 

Installation

The stunnel package may be part of the base distribution or may require a third-party repository such as EPEL or a PPA. For the CentOS 7 and Ubuntu 14 systems used here, the package is in the base repositories of both (on Ubuntu the package is named stunnel4).

RHEL / CentOS 7 as Server

First install the base package:

yum install stunnel

Next, create a user and the runtime directory for the service; on this platform the RPM package creates neither. Because /var/run is a tmpfs on CentOS 7, a tmpfiles.d entry is also needed so the directory is recreated after a reboot:

# the user and directory for immediate use:
useradd -r -m -d /var/run/stunnel -s /bin/false stunnel

# the tmpfiles.d configuration to recreate the directory on reboot:
echo "d /var/run/stunnel 0770 stunnel stunnel -" > /etc/tmpfiles.d/stunnel.conf

Lastly, create the systemd unit file to run stunnel as a service. stunnel forks into the background by default, so the unit is Type=forking; PIDFile lets systemd track the right process. Since pid = /stunnel.pid in the stunnel config is relative to the chroot directory, the real path is /var/run/stunnel/stunnel.pid. After writing a new unit file, run systemctl daemon-reload so systemd picks it up.

cat << XYZZY > /etc/systemd/system/stunnel.service
[Unit]
Description=SSL tunnel for network daemons
After=network.target

[Service]
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
Type=forking
PIDFile=/var/run/stunnel/stunnel.pid

[Install]
WantedBy=multi-user.target
XYZZY

Ubuntu 14 as Client

First install the base package:

apt-get update && apt-get install stunnel4

Next, update /etc/default/stunnel4 to enable it at boot:

sed -i -e 's/^ENABLED=0/ENABLED=1/' /etc/default/stunnel4

Ubuntu creates the stunnel4 user and group, and /var/run/stunnel4 directory as part of the package.

 

Server Configuration

First, create a basic self-signed certificate for the server. A certificate from a public CA can be used instead, but for a point-to-point setup a self-signed certificate is enough, provided the client is configured to pin it (verify = 3 with a CAfile holding a copy of it) rather than trust whatever it is shown. The resulting file holds the private key as well as the certificate, so keep it readable by root only; stunnel reads it at startup before dropping privileges:

openssl req -new -newkey rsa:2048 -days 3650 \
  -nodes -x509 -sha256 \
  -subj '/CN=127.0.0.1/O=localhost/C=US' \
  -keyout /etc/stunnel/stunnel.pem \
  -out /etc/stunnel/stunnel.pem
chmod 600 /etc/stunnel/stunnel.pem
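A small helper for the certificate exchange between the two hosts, added here as an example; it is not part of the original article or of the stunnel project. It generates a self-signed identity for whichever host it runs on, in the combined key+certificate layout stunnel expects, extracts the certificate half for the peer, refuses to ship a file that still contains a private key, and prints a fingerprint to compare out of band. The file names (stunnel.pem on the server, client.pem on the client, *-public.pem for the copies), the subject fields and the script name tunnel-keys.sh are assumptions of this example; the openssl, sed and grep invocations are standard.

```shell
#!/bin/sh
# Added example, not part of the original article: key material for a
# mutually authenticated tunnel. Each host generates its own key+certificate,
# keeps that file private, and hands its peer only the certificate, which the
# peer pins with "verify = 3" and "CAfile". Assumes openssl is installed; the
# file names used below are choices made for this example.

# mk_identity DIR NAME CN: self-signed key and cert combined into DIR/NAME.pem,
# the "cert = key = same file" layout stunnel uses. stunnel reads the file at
# startup before setuid, so it can stay readable by root only.
mk_identity() {
    dir=$1; name=$2; cn=$3
    (
        umask 077 &&
        openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -sha256 \
            -subj "/CN=$cn/O=stunnel/C=US" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" &&
        cat "$dir/$name.key" "$dir/$name.crt" > "$dir/$name.pem" &&
        rm -f "$dir/$name.key" "$dir/$name.crt"
    ) && chmod 0600 "$dir/$name.pem"
}

# public_half PEMFILE: print only the certificate block(s) of a combined file.
# This is what goes to the peer; the private key never leaves the host.
public_half() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# has_private_key FILE: succeed if FILE carries any PEM private key
# (PRIVATE KEY, RSA PRIVATE KEY, ENCRYPTED PRIVATE KEY). Run it on anything
# you are about to scp to the other side.
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# fingerprint PEMFILE: SHA-256 fingerprint of the certificate. Read it to the
# peer out of band (ticket, phone) and compare with the copy they received;
# that is what catches a file swapped in transit.
fingerprint() {
    public_half "$1" | openssl x509 -noout -fingerprint -sha256
}

# Command-line entry; with no arguments nothing runs, so the file can be sourced.
#   identity DIR NAME CN  |  public PEM  |  check FILE  |  fingerprint PEM
case "${1:-}" in
    identity)    mk_identity "$2" "$3" "$4" ;;
    public)      public_half "$2" ;;
    check)       if has_private_key "$2"; then
                     echo "$2: contains a private key, do not ship it" >&2; exit 1
                 fi ;;
    fingerprint) fingerprint "$2" ;;
esac
```

On s1: sh tunnel-keys.sh identity /etc/stunnel stunnel s1.local, then sh tunnel-keys.sh public /etc/stunnel/stunnel.pem > /etc/stunnel/server-public.pem, sh tunnel-keys.sh check /etc/stunnel/server-public.pem, and scp the public file to s2:/etc/stunnel/. Mirror this on s2 with the name client, copying client-public.pem back to s1. Each side then sets verify = 3 and CAfile to the peer's public file (a self-signed certificate is its own CA, so the chain check at level 3 passes against that one file), and s2 additionally sets cert and key to /etc/stunnel/client.pem so s1 has something to verify.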

Next, create the server-side stunnel config. In this example stunnel accepts TLS connections on the public IP at port 3307 and passes each one, decrypted, to MariaDB on localhost port 3306. Note that stunnel does no peer verification unless verify is set: as written, any TLS client that can reach 1.2.3.4:3307 is passed straight through to MariaDB, and only the firewall rule below and MariaDB's own authentication stand in the way. Adding verify = 3 together with a CAfile holding the client's certificate authenticates the client at the tunnel layer.

/etc/stunnel/stunnel.conf
chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
# relative to the chroot directory, i.e. /var/run/stunnel/stunnel.pid
pid    = /stunnel.pid
fips   = no

[mysql]
client     = no
accept     = 1.2.3.4:3307
connect    = 127.0.0.1:3306
cert       = /etc/stunnel/stunnel.pem
key        = /etc/stunnel/stunnel.pem
# stunnel 4.53 (Ubuntu 14) only supports TLSv1, not TLSv1.2
# stunnel 4.56 (CentOS 7) supports both TLSv1 and TLSv1.2
# both ends must agree; TLSv1 is the highest version both builds speak here
sslVersion = TLSv1

Last, open an iptables/firewalld/ufw rule so the client can reach port 3307. A minimal iptables rule that admits only the client's address:

-A INPUT -p tcp -m tcp -s 9.8.7.6 --dport 3307 -j ACCEPT

Tailor the ACL on your firewall(s) to your security posture, and treat the source-address filter as one layer rather than as authentication: any host that arrives as 9.8.7.6 (a compromised neighbour behind the same NAT, for instance) is accepted by stunnel as configured, and only MariaDB's password stands between it and the data. Client certificate verification in stunnel closes that gap. Assuming MariaDB is up and running, reload systemd so it sees the new unit, then enable and start the stunnel service:

systemctl daemon-reload
systemctl enable stunnel
systemctl start stunnel

 

Client Configuration

The client does not need its own certificate for the tunnel to come up. As written, however, nothing checks the certificate the server presents (stunnel does no verification unless verify is set), so the connection is encrypted but the client cannot tell 1.2.3.4 from an impostor on the path; pin the server's certificate with verify = 3 and a CAfile pointing at a copy of it. Create the client-oriented config file, which accepts connections on local port 3307 and talks to the remote stunnel on 3307:

/etc/stunnel/stunnel.conf
chroot = /var/run/stunnel4
setuid = stunnel4
setgid = stunnel4
# relative to the chroot directory, i.e. /var/run/stunnel4/stunnel.pid
pid    = /stunnel.pid

[mysql]
client     = yes
accept     = 127.0.0.1:3307
connect    = 1.2.3.4:3307
# stunnel 4.53 (Ubuntu 14) only supports TLSv1, not TLSv1.2
# stunnel 4.56 (CentOS 7) supports both TLSv1 and TLSv1.2
sslVersion = TLSv1
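To make the difference concrete, the following added example (not from the article or from the stunnel project) puts the article's client config next to hardened client and server configs and runs a small audit over all three. The audit checks four things: a section with no verify, or verify below 2, accepts any peer certificate; verify without CAfile/CApath has nothing to check against; a server section needs a cert; and sslVersion should be either a modern version or all with options = NO_SSLv2 and options = NO_SSLv3, so the two OpenSSL builds negotiate the newest TLS they share rather than being pinned to TLSv1. The paths /etc/stunnel/client.pem, /etc/stunnel/server-public.pem and /etc/stunnel/client-public.pem are assumptions of the example; the option names are stunnel 4.x's (level 3 is documented as "verify peer with locally installed certificate").

```shell
#!/bin/sh
# Added example, not part of the original article: audit an stunnel 4.x config
# for peer certificate verification and a modern protocol floor. The option
# names (verify, CAfile, CApath, cert, client, sslVersion, options) are the
# ones stunnel 4.x documents; the three configs below are constructed.

# The article's client side, minus chroot/setuid. No "verify" line means any
# certificate the far end presents is accepted, so whoever can get in front of
# 1.2.3.4:3307 can terminate the TLS session and read the replication stream.
WEAK_CLIENT='pid = /stunnel.pid

[mysql]
client     = yes
accept     = 127.0.0.1:3307
connect    = 1.2.3.4:3307
sslVersion = TLSv1'

# Hardened client: verify = 3 checks the peer against the certificate held
# locally in CAfile (assumed to be the public half of the server stunnel.pem),
# cert/key give the server something to verify in turn, and sslVersion = all
# with SSLv2/SSLv3 switched off negotiates the newest TLS both ends support.
HARD_CLIENT='pid = /stunnel.pid

[mysql]
client     = yes
accept     = 127.0.0.1:3307
connect    = 1.2.3.4:3307
cert       = /etc/stunnel/client.pem
key        = /etc/stunnel/client.pem
verify     = 3
CAfile     = /etc/stunnel/server-public.pem
sslVersion = all
options    = NO_SSLv2
options    = NO_SSLv3'

# Hardened server, the mirror image: CAfile holds the client certificate.
HARD_SERVER='pid = /stunnel.pid

[mysql]
client     = no
accept     = 1.2.3.4:3307
connect    = 127.0.0.1:3306
cert       = /etc/stunnel/stunnel.pem
key        = /etc/stunnel/stunnel.pem
verify     = 3
CAfile     = /etc/stunnel/client-public.pem
sslVersion = all
options    = NO_SSLv2
options    = NO_SSLv3'

# audit_conf CONFIG_TEXT: print one finding per line; return 0 only when clean.
# Options before the first [section] are inherited by every section, as in
# stunnel itself. Keys are case-insensitive, also as in stunnel.
audit_conf() {
    printf '%s\n' "$1" | awk '
    function finish(   n, sv, vs, ss) {
        if (sec == "") return
        n = 0
        vs = (v["verify"] == "" ? "unset" : v["verify"])
        if (v["verify"] == "" || v["verify"] + 0 < 2) {
            print sec ": peer certificate not verified (verify = " vs ")"; n++
        } else if (v["cafile"] == "" && v["capath"] == "") {
            print sec ": verify = " vs " but no CAfile/CApath to check against"; n++
        }
        if ((v["client"] == "" || tolower(v["client"]) == "no") && v["cert"] == "") {
            print sec ": server side has no cert"; n++
        }
        sv = tolower(v["sslversion"]); ss = (sv == "" ? "unset" : v["sslversion"])
        if (sv == "sslv2" || sv == "sslv3" || sv == "tlsv1" || sv == "tlsv1.1") {
            print sec ": sslVersion = " ss " pins an obsolete protocol"; n++
        } else if ((sv == "" || sv == "all") && !(no2 && no3)) {
            print sec ": sslVersion = " ss " without options = NO_SSLv2 and NO_SSLv3"; n++
        }
        bad += n
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ {
        finish()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
        split("", v); for (k in g) v[k] = g[k]; no2 = g2; no3 = g3
        next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
        val = substr($0, eq + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        if (k == "options") {
            if (toupper(val) == "NO_SSLV2") { if (sec == "") g2 = 1; else no2 = 1 }
            if (toupper(val) == "NO_SSLV3") { if (sec == "") g3 = 1; else no3 = 1 }
        } else if (sec == "") { g[k] = val } else { v[k] = val }
    }
    END { finish(); exit (bad > 0 ? 1 : 0) }'
}
```

Running audit_conf "$WEAK_CLIENT" reports two findings for the [mysql] section (no verification, TLSv1 pinned) and returns 1; both hardened configs return 0. To audit a real file, pass its contents: audit_conf "$(cat /etc/stunnel/stunnel.conf)".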

Once again, assuming the basic MariaDB is up and running, start the stunnel service. On Ubuntu the init script is named stunnel4, and it starts one stunnel process per /etc/stunnel/*.conf file:

service stunnel4 start

 

Testing

From the Ubuntu client, use the standard mysql command to connect to the remote instance through the local end of the tunnel and check the hostname (or any other test of your design) to confirm you reached the remote MariaDB rather than the local one. Use --host=127.0.0.1, not localhost: with localhost the mysql client ignores --port and connects to the local Unix socket instead.

root@s2:~# mysql -p --host=127.0.0.1 --port=3307 -e "show variables like '%hostname%';"
Enter password: 
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| hostname      | s1.local |
+---------------+----------+

Once that connects, proceed with configuring normal replication between the two instances, pointing the slave at the local end of the tunnel as described in the notes above.

 
