Stunnel

From Omnia
Revision as of 04:15, 29 September 2014 by Kenneth

Configuration

Path:

/etc/stunnel

Example /etc/stunnel/stunnel.conf (server mode: accept TLS on 10.10.10.3:443, forward plaintext to the local web server):

cert = /etc/stunnel/oeey.com.pem
[https]
  accept = 10.10.10.3:443
  connect = 127.0.0.1:80

Set certificate permissions:

chmod 600 oeey.com.pem

See #Startup Script

Common Ports

[https]
  accept = 10.10.10.3:443
  connect = 127.0.0.1:80

[smtps]
  accept = 10.10.10.3:465
  connect = 127.0.0.1:25

[pop3s]
  accept = 10.10.10.3:995
  connect = 127.0.0.1:110

[imaps]
  accept = 10.10.10.3:993
  connect = 127.0.0.1:143

client mode

Client mode (the remote service speaks SSL; stunnel listens on a local plaintext port and wraps the connection):

[google]
  client = yes
  accept = 127.0.0.1:8000
  connect = google.com:443
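Added example (not from this wiki page or from the stunnel project): a small checker for the stunnel.conf layout used above. It parses global options and [service] sections, then reports what the page's own steps require: a cert for server-mode services, a cert file mode of 600, accept/connect on every service, and a client-mode accept pinned to loopback so the cleartext side is not reachable from the network. The sample config and the 0o600/0o644 mode values are constructed for the demonstration.

```python
import stat

# Constructed sample built from the page's server and client sections.
SAMPLE_CONF = """\
cert = /etc/stunnel/oeey.com.pem
pid = /tmp/stunnel.pid
[https]
  accept = 10.10.10.3:443
  connect = 127.0.0.1:80
[google]
  client = yes
  accept = 127.0.0.1:8000
  connect = google.com:443
"""


def parse_stunnel_conf(text):
    """Parse stunnel.conf into (global_opts, {service: opts}); '#' lines are comments."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else services[current]
        target[key.strip()] = value.strip()
    return global_opts, services


def check_stunnel_conf(text, cert_mode=None):
    """Return findings to fix before starting the daemon.

    cert_mode is the st_mode of the certificate file (e.g. os.stat(path).st_mode);
    pass None to skip the permission check.
    """
    findings = []
    global_opts, services = parse_stunnel_conf(text)
    # Server-mode services present the cert, so a missing global cert is fatal for them.
    if "cert" not in global_opts and any(s.get("client", "no") != "yes" for s in services.values()):
        findings.append("server-mode service without a global cert")
    # The page's 'chmod 600': the private key must not be group/world readable.
    if cert_mode is not None and cert_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("cert readable by group/other; chmod 600")
    for name, opts in services.items():
        for k in ("accept", "connect"):
            if k not in opts:
                findings.append(f"[{name}] missing {k}")
        # In client mode the accept side is cleartext; keep it on 127.0.0.1.
        if opts.get("client", "no") == "yes" and not opts.get("accept", "").startswith("127."):
            findings.append(f"[{name}] client-mode accept not pinned to loopback")
    return findings
```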


Logs

Logs get dumped to syslog under /var/log/secure.

SSL to SSH Tunnel

SSL to SSH tunneling (stunnel) | JAKERI - http://www.jakeri.net/2009/01/ssl-to-ssh-tunneling-stunnel/

Sometimes it can be handy to reach your home server even if you have all sorts of proxy servers and firewalls between you and your home server (e.g. from work).

Stunnel to the rescue!

Server:

cert=stunnel.pem
pid=/tmp/stunnel.pid
[stunnel443]
accept = 192.168.1.7:443
connect = 192.168.1.7:22

Client:

#cert = stunnel.pem
pid=/tmp/stunnelclient.pid
#foreground=yes
client=yes
[21222]
accept=21222
connect=192.168.1.7:443

Client (connect to SSH through the local tunnel port):

ssh -p 21222 localhost

Startup Script

#!/bin/bash
#
# Script to run stunnel in daemon mode at boot time.
#
# Check http://www.gaztronics.net/ for the
# most up-to-date version of this script.
#
# This script is released under the terms of the GPL.
# You can source a copy at:
# http://www.fsf.org/copyleft/copyleft.html
#
# Please feel free to modify the script to suit your own needs.
# I always welcome email feedback with suggestions for improvements.
# Please do not email for general support. I do not have time to answer
# personal help requests.

# Author: Gary Myers MIIE MBCS
# email: http://www.gaztronics.net/webform/
# Revision 1.0  -  4th March 2005

#====================================================================
# Run level information:
#
# chkconfig: 2345 99 99
# description: Secure Tunnel
# processname: stunnel
#
# Run "/sbin/chkconfig --add stunnel" to add the Run levels.
# This will setup the symlinks and set the process to run at boot.
#====================================================================

#====================================================================
# Paths and variables and system checks.

# Source function library (It's a Red Hat thing!)
. /etc/rc.d/init.d/functions

# Check that networking is up.
#
# Note the spaces around "=": without them the test never succeeds and the script always exits.
[ "${NETWORKING}" = "yes" ] || exit 0

# Path to the executable.
#
SEXE=/usr/sbin/stunnel

# Path to the configuration file.
#
CONF=/etc/stunnel/stunnel.conf

# Check the configuration file exists.
#
if [ ! -f $CONF ] ; then
	echo "The configuration file cannot be found!"
exit 0
fi

# Path to the lock file.
#
LOCK_FILE=/var/lock/subsys/stunnel

#====================================================================

#====================================================================
# Run controls:

prog=$"stunnel"

RETVAL=0

# Start stunnel as daemon.
#
start() {
	if [ -f $LOCK_FILE ]; then
	  echo "stunnel is already running!"
	  exit 0
	else
	  echo -n $"Starting $prog: "
	  $SEXE $CONF
	fi

	RETVAL=$?
	[ $RETVAL -eq 0 ] && success 
	echo
	[ $RETVAL -eq 0 ] && touch $LOCK_FILE
	return $RETVAL
}


# Stop stunnel.
#
stop() {
	if [ ! -f $LOCK_FILE ]; then
	  echo "stunnel is not running!"
	  exit 0

	else

	  echo -n $"Shutting down $prog: "
	  killproc stunnel
	  RETVAL=$?
	  # Only remove the lock file if stunnel was actually stopped.
	  [ $RETVAL -eq 0 ] && rm -f $LOCK_FILE
	  echo
	  return $RETVAL

	fi
}

# See how we were called.
case "$1" in
   start)
	start
	;;
   stop)
	stop
	;;
   restart)
	stop
	start
	;;
   condrestart)
	if [ -f $LOCK_FILE ]; then
	   stop
	   start
	   RETVAL=$?
	fi
	;;
   status)
	status stunnel
	RETVAL=$?
	;;
   *)
    echo $"Usage: $0 {start|stop|restart|condrestart|status}"
    RETVAL=1
esac

exit $RETVAL
