1. Get the stunnel software
Source is available at http://stunnel.mirt.net/, but many distributions already provide a precompiled package. In this example, I compiled it from scratch.
fm@susie:/home/devel> zcat ../software/stunnel-4.15.tar.gz | tar xf -
fm@susie:/home/devel> ls
stunnel-4
2. Prepare the install directory if you are not installing under /usr/local/xxx
susie:/home/devel # mkdir /home/stunnel-4.15
susie:/home/devel # ln -s /home/stunnel-4.15 /home/stunnel
3. Compile the software
stunnel 4.15 has a bug in src/ctx.c that breaks the build when Diffie-Hellman support is enabled with --enable-dh:
fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel --with-ssl=/home/openssl --enable-dh --disable-libwrap
susie:/home/devel/stunnel-4.15 # make
...
ctx.c: In function `init_dh':
ctx.c:170: error: `section' undeclared (first use in this fu
ctx.c:170: error: (Each undeclared identifier is reported on
ctx.c:170: error: for each function it appears in.)
ctx.c:198: error: `ctx' undeclared (first use in this functi
make[1]: *** [ctx.o] Error 1
make[1]: Leaving directory `/home/devel/stunnel-4.15/src'
make: *** [all-recursive] Error 1
The cause is two missing pointer declarations in init_dh() in src/ctx.c:
SSL_CTX *ctx;
LOCAL_OPTIONS *section;
Since I do not plan to use DH, I dropped the option and compilation worked without any trouble. Be aware of what this costs: without DH parameters stunnel cannot offer the ephemeral (DHE) cipher suites, so every session uses RSA key exchange and anyone who later obtains the server's private key can decrypt recorded traffic.
fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel --with-ssl=/home/openssl --disable-libwrap
fm@susie:/home/devel/stunnel-4.15> make
fm@susie:/home/devel/stunnel-4.15> su
susie:/home/devel/stunnel-4.15 # make install
"make install" calls OpenSSL and generates a self-signed certificate together with its private key in a single file, /home/stunnel/etc/stunnel/stunnel.pem. Because that file contains the private key, keep it readable by root only; stunnel loads it at startup before it drops privileges with setuid, so the unprivileged user never needs to read it. The certificate is self-signed, so browsers will warn until you replace it with one issued by a CA your clients trust. The certificate and key can be displayed with openssl (the second command prints the private key's components, so run it only where the output cannot leak):
susie:~ # openssl x509 -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text
susie:~ # openssl rsa -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text
4. Adjust the stunnel configuration file
For more information, see the stunnel manpage.
susie:~ # vi /home/stunnel/etc/stunnel/stunnel.conf

; ==== stunnel configuration for https to http forwarding ====

; Certificate/key is needed in server mode and optional in client mode
cert = /home/stunnel/etc/stunnel/stunnel.pem
; since private key and certificate are in one file, we don't need
; to specify the key file. Since we do not use authentication with
; client certs, we don't need the CA certificate for verification.
;key = /home/stunnel/etc/stunnel/stunnel-privkey.pem
;CAfile = /home/stunnel/etc/stunnel/cacert.pem

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /home/stunnel/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration
[https]
accept = 443
connect = 80
TIMEOUTclose = 0

; ==== end of stunnel.conf ====
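The following script is an added example and not part of the original page or the stunnel project: it audits a server-mode stunnel.conf for the hardening settings the configuration above depends on (chroot, setuid, setgid, a cert entry, and a cert/key file that only its owner can read), and it resolves the real location of the pid file, which stunnel writes inside the chroot, so the path is chroot plus pid. The two configuration files and the certificate file it creates in a temporary directory are constructed placeholders; the weak one is what a careless install looks like, the hardened one mirrors the global section shown above.

```shell
#!/bin/sh
# Added example (not from the original page): audit a server-mode stunnel.conf
# for the hardening options used above and resolve the pid file path.
# All files below are constructed placeholders created in a temp directory.

# global_opts CONF: print the global section (everything before the first
# [service] header) with comments, blank lines and whitespace removed,
# so that every remaining line has the form key=value
global_opts() {
    awk '/^[ \t]*\[/ { exit } { print }' "$1" \
        | sed -e 's/[[:space:]]//g' -e '/^;/d' -e '/^$/d'
}

# pidfile_path CONF: stunnel creates the pid file inside the chroot, so the
# path seen from outside the jail is chroot + pid (what "kill" needs later)
pidfile_path() {
    g=$(global_opts "$1")
    root=$(printf '%s\n' "$g" | sed -n 's/^chroot=//p' | head -n 1 | sed 's,/*$,,')
    pid=$(printf '%s\n' "$g" | sed -n 's/^pid=//p' | head -n 1)
    printf '%s\n' "$root$pid"
}

# audit_conf CONF: print one finding per line; print nothing when the
# config carries every hardening option this setup relies on
audit_conf() {
    g=$(global_opts "$1")
    for key in cert chroot setuid setgid; do
        printf '%s\n' "$g" | grep -q "^$key=" || echo "missing: $key"
    done
    # an https->http forwarder is a server; client=yes would silently invert it
    printf '%s\n' "$g" | grep -q '^client=yes' && echo "client = yes set in a server config"
    # the cert file also holds the private key: only its owner may read it
    cert=$(printf '%s\n' "$g" | sed -n 's/^cert=//p' | head -n 1)
    if [ -n "$cert" ]; then
        if [ ! -f "$cert" ]; then
            echo "cert file not found: $cert"
        elif [ "$(ls -ld "$cert" | cut -c5-10)" != "------" ]; then
            echo "cert/key file readable by group or others: $cert"
        fi
    fi
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'placeholder, not a real certificate\n' > "$WORK/stunnel.pem"
chmod 644 "$WORK/stunnel.pem"   # as a careless install might leave it

# weak.conf (constructed): no chroot/setuid/setgid
cat > "$WORK/weak.conf" <<EOF
cert = $WORK/stunnel.pem
pid = /stunnel.pid
[https]
accept = 443
connect = 80
EOF

# hard.conf (constructed): the global section of the stunnel.conf shown above
cat > "$WORK/hard.conf" <<EOF
; stunnel configuration for https to http forwarding
cert = $WORK/stunnel.pem
chroot = /home/stunnel/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
[https]
accept = 443
connect = 80
EOF

echo "== weak.conf =="
audit_conf "$WORK/weak.conf"
chmod 600 "$WORK/stunnel.pem"
echo "== hard.conf =="
audit_conf "$WORK/hard.conf"
echo "pid file to kill: $(pidfile_path "$WORK/hard.conf")"
```

Only the global section is inspected because stunnel reads chroot, setuid, setgid and cert from there; with the page's values the pid file resolves to /home/stunnel/var/lib/stunnel/stunnel.pid, which is the path the kill command in step 7 uses.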
5. Verify the webserver is running on port 80 and the SSL port 443 is free
susie:~ # lsof -i
COMMAND   PID    USER  FD  TYPE DEVICE SIZE NODE NAME
sshd     1153    root  5u  IPv6   2949      TCP *:ssh (LISTEN)
master   1339    root 11u  IPv4   3741      TCP localhost:smtp (LISTEN)
xinetd   1444    root  5u  IPv4   5968      UDP *:tftp
httpd   15216    root 18u  IPv4  64750      TCP *:http (LISTEN)
httpd   15217  wwwrun 18u  IPv4  64750      TCP *:http (LISTEN)
httpd   15218  wwwrun 18u  IPv4  64750      TCP *:http (LISTEN)
httpd   15219  wwwrun 18u  IPv4  64750      TCP *:http (LISTEN)
httpd   15220  wwwrun 18u  IPv4  64750      TCP *:http (LISTEN)
httpd   15221  wwwrun 18u  IPv4  64750      TCP *:http (LISTEN)
6. Start stunnel and verify it is listening on port 443
susie:/home/stunnel # sbin/stunnel
susie:/home/stunnel # lsof -i
COMMAND   PID    USER  FD  TYPE DEVICE SIZE NODE NAME
sshd     1153    root  5u  IPv6   2949      TCP *:ssh (LISTEN)
master   1339    root 11u  IPv4   3741      TCP localhost:smtp (LISTEN)
xinetd   1444    root  5u  IPv4   5968      UDP *:tftp
httpd   15216    root 18u  IPv4  64750      TCP *:http (LISTEN)
httpd   15217  wwwrun 18u  IPv4  64750      TCP *:http (LISTEN)
httpd   15218  wwwrun 18u  IPv4  64750      TCP *:http (LISTEN)
httpd   15219  wwwrun 18u  IPv4  64750      TCP *:http (LISTEN)
httpd   15220  wwwrun 18u  IPv4  64750      TCP *:http (LISTEN)
httpd   15221  wwwrun 18u  IPv4  64750      TCP *:http (LISTEN)
stunnel 15229  nobody  6u  IPv4  67679      TCP *:https (LISTEN)

The last line shows stunnel listening on port 443 (https); note that it runs as user nobody, so the setuid setting has taken effect.
7. Stop stunnel
The pid file lives inside the chroot, so its path from outside the jail is the chroot directory followed by the pid setting:

susie:~ # kill `cat /home/stunnel/var/lib/stunnel/stunnel.pid`
8. Verify operation in the syslog logfile
susie:/home/stunnel # tail -f /var/log/messages
May 6 00:24:18 susie stunnel: LOG5[21440:16384]: stunnel 4.15 on i686-pc-linux-gnu with OpenSSL 0.9.7e 25 Oct 2004
May 6 00:24:18 susie stunnel: LOG5[21440:16384]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
May 6 00:24:18 susie stunnel: LOG5[21440:16384]: 500 clients allowed
...
May 6 00:24:35 susie stunnel: LOG5[21445:16386]: https connected from 127.0.0.1:33108
May 6 00:24:36 susie stunnel: LOG5[21445:16386]: Connection closed: 13079 bytes sent to SSL, 930 bytes sent to socket
The 'debug' option sets the syslog level up to which stunnel logs: 0 (emerg) records almost nothing, 7 (debug) everything, and each level includes all lower-numbered ones. The default is 'debug = 5' (notice), which is what produced the connect and close lines above; 6 adds informational messages and 7 adds debugging output. Logging goes to syslog unless 'output' names a file; to see the messages on the console, run stunnel in the foreground ('foreground = yes'), which logs to stderr.
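As an added example that is not part of the original page or of stunnel, the script below turns the syslog lines from step 8 into a per-client summary. stunnel prefixes every line of one connection with the same [pid:tid] tag after LOGn, so the "connected from" line (client address) can be joined with the "Connection closed" line (byte counts) and with any error (LOG3 or lower) logged for that connection; the default debug level 5 is enough for this, since the connect and close lines are LOG5. The log lines embedded in the script are constructed to match the format shown above; the remote client 192.0.2.10 and its aborted handshake are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original page): per-client summary of stunnel
# syslog output, joining the lines of one connection by their [pid:tid] tag.
# The sample log below is constructed; 192.0.2.10 is a made-up remote client.

# stunnel_log_summary: reads syslog lines on stdin and prints, per client IP:
#   ip connections closed bytes_to_ssl bytes_to_socket errors
stunnel_log_summary() {
    awk '
        # every relevant line carries LOGn[pid:tid]; skip anything else
        {
            if (!match($0, /LOG[0-7]\[[0-9]+:[0-9]+\]/)) next
            tag = substr($0, RSTART, RLENGTH)   # e.g. LOG5[21445:16386]
            lvl = substr(tag, 4, 1) + 0         # syslog level of this line
            sub(/^LOG[0-7]/, "", tag)           # key = [pid:tid], level-independent
        }
        / connected from / {
            ip = $NF; sub(/:[0-9]+$/, "", ip)   # strip the client port
            client[tag] = ip; conns[ip]++
        }
        /Connection closed:/ && (tag in client) {
            ip = client[tag]; closed[ip]++
            # "... N bytes sent to SSL, M bytes sent to socket"
            for (i = 1; i <= NF; i++)
                if ($i == "bytes") {
                    if ($(i + 3) == "SSL,") tossl[ip] += $(i - 1)
                    else                    tosock[ip] += $(i - 1)
                }
        }
        # LOG3 (err) and below on a known connection: count it against the client
        lvl <= 3 && (tag in client) { errors[client[tag]]++ }
        END {
            for (ip in conns)
                printf "%s %d %d %d %d %d\n", ip, conns[ip], closed[ip],
                       tossl[ip], tosock[ip], errors[ip]
        }
    ' | sort
}

# constructed sample, modelled on the syslog excerpt above
SAMPLE_LOG=$(cat <<'EOF'
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: stunnel 4.15 on i686-pc-linux-gnu with OpenSSL 0.9.7e 25 Oct 2004
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: 500 clients allowed
May  6 00:24:35 susie stunnel: LOG5[21445:16386]: https connected from 127.0.0.1:33108
May  6 00:24:36 susie stunnel: LOG5[21445:16386]: Connection closed: 13079 bytes sent to SSL, 930 bytes sent to socket
May  6 00:25:01 susie stunnel: LOG5[21446:16387]: https connected from 192.0.2.10:51000
May  6 00:25:02 susie stunnel: LOG5[21446:16387]: Connection closed: 4096 bytes sent to SSL, 512 bytes sent to socket
May  6 00:25:10 susie stunnel: LOG5[21447:16388]: https connected from 192.0.2.10:51001
May  6 00:25:10 susie stunnel: LOG3[21447:16388]: SSL_accept: Peer suddenly disconnected
EOF
)

printf '%s\n' "$SAMPLE_LOG" | stunnel_log_summary
```

A client whose connection count keeps rising while its closed count does not, or whose error column grows, is either a broken client or someone probing the TLS endpoint; feeding the live file with `tail -f /var/log/messages | stunnel_log_summary` does not work because awk only prints in END, so run it over a rotated file or a time slice instead.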