web service in ssl/tls.
--- /dev/null
+#!/bin/bash
+#
+# Init Script to run stunnel in daemon mode at boot time.
+#
+# Author: Riccardo Riva - RPM S.r.l.
+# Revision 1.0 - 2010 November, 11
+
+#====================================================================
+# Run level information:
+#
+# chkconfig: 2345 99 99
+# description: Secure Tunnel
+# processname: stunnel
+#
+# Run "/sbin/chkconfig --add stunnel" to add the Run levels.
+# This will setup the symlinks and set the process to run at boot.
+#====================================================================
+
+#====================================================================
+# Paths and variables and system checks.
+
+# Source function library
+. /etc/rc.d/init.d/functions
+
+# Check that networking is up.
+#
+[ ${NETWORKING} ="yes" ] || exit 0
+
+# Path to the executable.
+#
+SEXE=/usr/bin/stunnel
+
+# Path to the configuration file.
+#
+CONF=/etc/stunnel/stunnel.conf
+
+# Check the configuration file exists.
+#
+if [ ! -f $CONF ] ; then
+ echo "The configuration file cannot be found!"
+exit 0
+fi
+
+# Path to the lock file.
+#
+LOCK_FILE=/var/lock/subsys/stunnel
+
+#====================================================================
+
+# Run controls:
+
+prog=$"stunnel"
+
+RETVAL=0
+
+# Start stunnel as daemon.
+#
+start() {
+ if [ -f $LOCK_FILE ]; then
+ echo "stunnel is already running!"
+ exit 0
+ else
+ echo -n $"Starting $prog: "
+ $SEXE $CONF
+ fi
+
+ RETVAL=$?
+ [ $RETVAL -eq 0 ] && success
+ echo
+ [ $RETVAL -eq 0 ] && touch $LOCK_FILE
+ return $RETVAL
+}
+
+# Stop stunnel.
+#
+stop() {
+ if [ ! -f $LOCK_FILE ]; then
+ echo "stunnel is not running!"
+ exit 0
+
+ else
+
+ echo -n $"Shutting down $prog: "
+ killproc stunnel
+ RETVAL=$?
+ [ $RETVAL -eq 0 ]
+ rm -f $LOCK_FILE
+ echo
+ return $RETVAL
+
+ fi
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ condrestart)
+ if [ -f $LOCK_FILE ]; then
+ stop
+ start
+ RETVAL=$?
+ fi
+ ;;
+ status)
+ status stunnel
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|condrestart|status}"
+ RETVAL=1
+esac
+
+exit $RETVAL
+
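Review bot: The networking guard near the top of the script never fires: `[ ${NETWORKING} ="yes" ]` has no space before `=`, so the shell evaluates a one-argument test (`[ yes="yes" ]`, or `[ ="yes" ]` when NETWORKING is unset) which is true for any non-empty string, and stunnel is started regardless of NETWORKING. It should read `[ "${NETWORKING}" = "yes" ] || exit 0`. Separately, start() takes the mere existence of /var/lock/subsys/stunnel as proof the daemon is running and exits 0, so after a crash or unclean shutdown a stale lock blocks every later `start` and `condrestart` until someone deletes it by hand; asking the sourced function library about the process (e.g. `status stunnel >/dev/null`) before refusing would be more robust. Also `[ $RETVAL -eq 0 ]` on its own line in stop() is a no-op, so the lock file is removed whether or not killproc actually succeeded.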
--- /dev/null
+; Sample stunnel configuration file by Michal Trojnara 2002-2009
+; Some options used here may not be adequate for your particular configuration
+; Please make sure you understand them (especially the effect of the chroot jail)
+
+; Certificate/key is needed in server mode and optional in client mode
+cert = /etc/ssl/certs/stunnel.pem
+;key = /etc/stunnel/mail.key
+
+; Protocol version (all, SSLv2, SSLv3, TLSv1)
+sslVersion = SSLv3
+
+; Some security enhancements for UNIX systems - comment them out on Win32
+chroot = /var/run/stunnel/
+setuid = nobody
+setgid = nobody
+; PID is created inside the chroot jail
+pid = /stunnel.pid
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+;compression = zlib
+
+; Workaround for Eudora bug
+;options = DONT_INSERT_EMPTY_FRAGMENTS
+
+; Authentication stuff
+;verify = 2
+; Don't forget to c_rehash CApath
+; CApath is located inside chroot jail
+;CApath = /certs
+; It's often easier to use CAfile
+;CAfile = /etc/stunnel/certs.pem
+;CAfile = /etc/pki/tls/certs/ca-bundle.crt
+; Don't forget to c_rehash CRLpath
+; CRLpath is located inside chroot jail
+;CRLpath = /crls
+; Alternatively you can use CRLfile
+;CRLfile = /etc/stunnel/crls.pem
+
+; Some debugging stuff useful for troubleshooting
+debug = 7
+output = stunnel.log
+
+; Use it for client mode
+;client = yes
+
+; Service-level configuration
+
+; [pop3s]
+;accept = 995
+;connect = 110
+
+;[imaps]
+;accept = 993
+;connect = 143
+
+;[ssmtp]
+;accept = 465
+;connect = 25
+
+;[https]
+;accept = 443
+;connect = 80
+;TIMEOUTclose = 0
+
+; vim:ft=dosini
+
+[tracd]
+accept = 8042
+connect = localhost:8000
+
+
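Review bot: `sslVersion = SSLv3` pins the listener to SSL 3.0 only, a protocol that is now considered broken (padding-oracle attacks such as POODLE) and that current browsers and TLS libraries refuse to negotiate, so the [tracd] service would be both weakened and unreachable for modern clients; of the values the comment above lists, `sslVersion = TLSv1` is the only acceptable one, and a newer stunnel should be configured to accept TLS 1.2 or later instead. The `cert` directive points at /etc/ssl/certs/stunnel.pem with the `key` line commented out, which presumably means the private key lives in that same PEM under a directory that is conventionally world-readable; keep the key in a root-owned 0600 file (e.g. under /etc/stunnel/, as the commented `key =` line suggests) and reference it explicitly. Finally, `debug = 7` is the most verbose level and will record every connection in stunnel.log once this is deployed; lower it (e.g. `debug = 5`) after the tunnel is confirmed to work.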
--- /dev/null
+
+copy the included files into /etc in the same hierarchy structure, which is:
+
+ etc/
+ etc/init.d
+ etc/init.d/stunnel
+ etc/stunnel
+ etc/stunnel/stunnel.conf
+
+fix permissions:
+
+ chmod 755 /etc/init.d/stunnel
+
+fix configuration:
+
+ modify /etc/stunnel/stunnel.conf to represent your desired tunneling
+ configuration. the example turns a trac install on localhost with standard
+ http protocol into a TLS version on the https protocol.
+
+run this command to get stunnel registered:
+
+ sudo /sbin/chkconfig --add stunnel
+
+afterwards the service should start with:
+
+ /etc/init.d/stunnel start
+
+if problems result from starting the service:
+
+ + maybe you need to fix the path in the /etc/init.d/stunnel script.
+ try running:
+ "which stunnel" (or "whence stunnel")
+ and updating the script with the path shown for stunnel.
+
+ + maybe there's a port conflict from another service?
+ check with the configuration files or ask the system administrators for
+ assistance. the telnet tool will connect to an arbitrary tcp service and
+ inform you if the connection succeeded, e.g. "telnet myhost 23230".
+ if it says "Connected to ...." then the connection was successful,
+ regardless of the type of tcp protocol actually on that port. if that
+ reports instead "unable to connect to remote host", then no answer was
+ received. if the telnet session just says "Trying ...." and never comes
+ back or takes a really long time, then a firewall may be blocking the
+ port or the machine may be down.
+