Stunnel/Server: Difference between revisions
From charlesreid1
(→Flags) |
|||
| Line 79: | Line 79: | ||
Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds | Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds | ||
</pre> | </pre> | ||
==Now Start the Client== | |||
See [[Stunnel/Client]] | |||
==Flags== | ==Flags== | ||
Revision as of 17:02, 28 March 2017
Stunnel Server
Stunnel running as a server will open two ports: one to listen for incoming traffic, and one to forward the (unencrypted) traffic onto.
Ports/Arrangement
Typically, stunnel is listening on port 443, open to external traffic, and is listening for SSL traffic.
Typically, stunnel is forwarding that traffic on to a local port, something like 8443. (Useful if you have a service only exposed to LOCAL traffic from localhost or 127.0.0.1 and not bound to an EXTERNAL ip address like 0.0.0.0).
Stunnel Config File
To set this up, we use the stunnel.conf configuration file. This is what a simple stunnel config looks like:
output = /etc/stunnel/stunnel.log cert=/etc/stunnel/stunnel.fullchain.pem key=/etc/stunnel/stunnel.key.pem pid=/var/run/stunnel4/stunnel.pid client=yes [http] accept = 443 connect = 127.0.0.1:8443
Starting Stunnel
Starting stunnel is really simple. Just run the stunnel command.
If there are problems, you'll see them; if not, you won't.
Here's an example of a failed startup:
$ stunnel [ ] Clients allowed=500 [.] stunnel 5.30 on x86_64-pc-linux-gnu platform [.] Compiled with OpenSSL 1.0.2e 3 Dec 2015 [.] Running with OpenSSL 1.0.2g 1 Mar 2016 [.] Update OpenSSL shared libraries or rebuild stunnel [.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP [ ] errno: (*__errno_location ()) [.] Reading configuration from file /etc/stunnel/stunnel.conf [.] UTF-8 byte order mark not detected [.] FIPS mode disabled [ ] Compression disabled [ ] PRNG seeded successfully [ ] Initializing service [http] [ ] Loading certificate from file: /etc/stunnel/stunnel.fullchain.pem [ ] Certificate loaded from file: /etc/stunnel/stunnel.fullchain.pem [ ] Loading private key from file: /etc/stunnel/stunnel.key.pem [!] error queue: 140B0002: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib [!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib [!] SSL_CTX_use_PrivateKey_file: 200100D: error:0200100D:system library:fopen:Permission denied [!] Service [http]: Failed to initialize SSL context
Once stunnel is running properly, you won't see any startup message:
$ sudo stunnel
You can verify that stunnel is running using nmap to check if the stunnel port is open:
$ sudo nmap localhost Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-28 17:00 UTC Nmap scan report for localhost (127.0.0.1) Host is up (0.000016s latency). Other addresses for localhost (not scanned): ::1 Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds
Now Start the Client
See Stunnel/Client
Flags
 |
stunnel secure tunnel - create secure encrypted connections on any port to wrap any protocol
Using: Client: Stunnel/Client Server: Stunnel/Server Stunnel Over Docker: Stunnel/Docker Certificates: Stunnel/Certificates
Protocols: Stunnel/Rsync · Stunnel/SSH · Stunnel/Scp · Stunnel/HTTP · Stunnel/OpenVPN
Other Links: RaspberryPi/Headless · RaspberryPi/Reverse SSH Category:Stunnel · Category:SSH · Category:Networking
|