From 8bc215589e5c27812b9b3842b9051abbfa2b920f Mon Sep 17 00:00:00 2001
From: Chris Koeritz
Date: Sun, 25 Nov 2012 16:46:48 -0500
Subject: [PATCH] new configuration example, for running stunnel to map a local, unencrypted web service in ssl/tls.

---
 .../configuration/stunnel/etc/init.d/stunnel | 123 ++++++++++++++++++
 .../stunnel/etc/stunnel/stunnel.conf | 73 +++++++++++
 .../stunnel/run_command_as_root.txt | 45 +++++++
 3 files changed, 241 insertions(+)
 create mode 100755 database/configuration/stunnel/etc/init.d/stunnel
 create mode 100644 database/configuration/stunnel/etc/stunnel/stunnel.conf
 create mode 100644 database/configuration/stunnel/run_command_as_root.txt

diff --git a/database/configuration/stunnel/etc/init.d/stunnel b/database/configuration/stunnel/etc/init.d/stunnel
new file mode 100755
index 00000000..e406ccd5
--- /dev/null
+++ b/database/configuration/stunnel/etc/init.d/stunnel
@@ -0,0 +1,123 @@
+#!/bin/bash
+#
+# Init Script to run stunnel in daemon mode at boot time.
+#
+# Author: Riccardo Riva - RPM S.r.l.
+# Revision 1.0 - 2010 November, 11
+
+#====================================================================
+# Run level information:
+#
+# chkconfig: 2345 99 99
+# description: Secure Tunnel
+# processname: stunnel
+#
+# Run "/sbin/chkconfig --add stunnel" to add the Run levels.
+# This will setup the symlinks and set the process to run at boot.
+#====================================================================
+
+#====================================================================
+# Paths and variables and system checks.
+
+# Source function library
+. /etc/rc.d/init.d/functions
+
+# Check that networking is up.
+#
+[ ${NETWORKING} ="yes" ] || exit 0
+
+# Path to the executable.
+#
+SEXE=/usr/bin/stunnel
+
+# Path to the configuration file.
+#
+CONF=/etc/stunnel/stunnel.conf
+
+# Check the configuration file exists.
+#
+if [ ! -f $CONF ] ; then
+ echo "The configuration file cannot be found!"
+exit 0
+fi
+
+# Path to the lock file.
+#
+LOCK_FILE=/var/lock/subsys/stunnel
+
+#====================================================================
+
+# Run controls:
+
+prog=$"stunnel"
+
+RETVAL=0
+
+# Start stunnel as daemon.
+#
+start() {
+ if [ -f $LOCK_FILE ]; then
+ echo "stunnel is already running!"
+ exit 0
+ else
+ echo -n $"Starting $prog: "
+ $SEXE $CONF
+ fi
+
+ RETVAL=$?
+ [ $RETVAL -eq 0 ] && success
+ echo
+ [ $RETVAL -eq 0 ] && touch $LOCK_FILE
+ return $RETVAL
+}
+
+# Stop stunnel.
+#
+stop() {
+ if [ ! -f $LOCK_FILE ]; then
+ echo "stunnel is not running!"
+ exit 0
+
+ else
+
+ echo -n $"Shutting down $prog: "
+ killproc stunnel
+ RETVAL=$?
+ [ $RETVAL -eq 0 ]
+ rm -f $LOCK_FILE
+ echo
+ return $RETVAL
+
+ fi
+}
+
+# See how we were called.
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ stop
+ start
+ ;;
+ condrestart)
+ if [ -f $LOCK_FILE ]; then
+ stop
+ start
+ RETVAL=$?
+ fi
+ ;;
+ status)
+ status stunnel
+ RETVAL=$?
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|condrestart|status}"
+ RETVAL=1
+esac
+
+exit $RETVAL
+
diff --git a/database/configuration/stunnel/etc/stunnel/stunnel.conf b/database/configuration/stunnel/etc/stunnel/stunnel.conf
new file mode 100644
index 00000000..dfcd81b0
--- /dev/null
+++ b/database/configuration/stunnel/etc/stunnel/stunnel.conf
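Review bot: The networking guard `[ ${NETWORKING} ="yes" ] || exit 0` near the top of the script is missing the space before `=`, so with NETWORKING=yes it becomes the two-word test `[ yes =yes ]`, which fails with a unary-operator error and silently exits the script on a working network, while an unset NETWORKING yields `[ =yes ]`, a non-empty string that passes; the line should read `[ "${NETWORKING}" = "yes" ] || exit 0`. The missing-config branch a few lines below prints to stdout and then `exit 0`, reporting success to init/chkconfig for a service that never started; `exit 6` (the LSB "program is not configured" status) with the message on stderr would make that failure visible. In stop(), `[ $RETVAL -eq 0 ]` on its own line is a no-op and `rm -f $LOCK_FILE` runs unconditionally, so a failed killproc still clears the lock and the next `start` launches a second instance alongside the old one; guarding the rm with `[ $RETVAL -eq 0 ] && rm -f $LOCK_FILE` mirrors what start() does for touch. The whole script is contained in this hunk, which continues onto the following source line.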
@@ -0,0 +1,73 @@
+; Sample stunnel configuration file by Michal Trojnara 2002-2009
+; Some options used here may not be adequate for your particular configuration
+; Please make sure you understand them (especially the effect of the chroot jail)
+
+; Certificate/key is needed in server mode and optional in client mode
+cert = /etc/ssl/certs/stunnel.pem
+;key = /etc/stunnel/mail.key
+
+; Protocol version (all, SSLv2, SSLv3, TLSv1)
+sslVersion = SSLv3
+
+; Some security enhancements for UNIX systems - comment them out on Win32
+chroot = /var/run/stunnel/
+setuid = nobody
+setgid = nobody
+; PID is created inside the chroot jail
+pid = /stunnel.pid
+
+; Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+;compression = zlib
+
+; Workaround for Eudora bug
+;options = DONT_INSERT_EMPTY_FRAGMENTS
+
+; Authentication stuff
+;verify = 2
+; Don't forget to c_rehash CApath
+; CApath is located inside chroot jail
+;CApath = /certs
+; It's often easier to use CAfile
+;CAfile = /etc/stunnel/certs.pem
+;CAfile = /etc/pki/tls/certs/ca-bundle.crt
+; Don't forget to c_rehash CRLpath
+; CRLpath is located inside chroot jail
+;CRLpath = /crls
+; Alternatively you can use CRLfile
+;CRLfile = /etc/stunnel/crls.pem
+
+; Some debugging stuff useful for troubleshooting
+debug = 7
+output = stunnel.log
+
+; Use it for client mode
+;client = yes
+
+; Service-level configuration
+
+; [pop3s]
+;accept = 995
+;connect = 110
+
+;[imaps]
+;accept = 993
+;connect = 143
+
+;[ssmtp]
+;accept = 465
+;connect = 25
+
+;[https]
+;accept = 443
+;connect = 80
+;TIMEOUTclose = 0
+
+; vim:ft=dosini
+
+[tracd]
+accept = 8042
+connect = localhost:8000
+
+
diff --git a/database/configuration/stunnel/run_command_as_root.txt b/database/configuration/stunnel/run_command_as_root.txt
new file mode 100644
index 00000000..414290fa
--- /dev/null
+++ b/database/configuration/stunnel/run_command_as_root.txt
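Review bot: `sslVersion = SSLv3` pins the tunnel to SSL 3.0, a protocol that has since been formally deprecated (RFC 7568) and is refused by current browsers, so the TLS front door this example puts in front of trac would only ever negotiate a weak protocol; the comment above it lists the accepted values, and `sslVersion = TLSv1` is the smallest change that fixes this file. `debug = 7` is the most verbose level, and with `output = stunnel.log` it will accumulate a detailed record of every connection on a service meant to run unattended; that path is also relative, and whether it resolves inside or outside `chroot = /var/run/stunnel/` is not obvious from the file, so an absolute path and a lower level (e.g. `debug = 5`) are what I would ship in a sample. Since no `key =` line is active, `/etc/ssl/certs/stunnel.pem` presumably has to contain the private key as well as the certificate, which deserves a comment so the file is not left readable like the public CA bundles that normally live under /etc/ssl/certs.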
@@ -0,0 +1,45 @@
+
+copy the included files into /etc in the same hierarchy structure, which is:
+
+ etc/
+ etc/init.d
+ etc/init.d/stunnel
+ etc/stunnel
+ etc/stunnel/stunnel.conf
+
+fix permissions:
+
+ chmod 755 /etc/init.d/stunnel
+
+fix configuration:
+
+ modify /etc/stunnel/stunnel.conf to represent your desired tunneling
+ configuration. the example turns a trac install on localhost with standard
+ http protocol into a TLS version on the https protocol.
+
+run this command to get stunnel registered:
+
+ sudo /sbin/chkconfig --add stunnel
+
+afterwards the service should start with:
+
+ /etc/init.d/stunnel start
+
+if problems result from starting the service:
+
+ + maybe you need to fix the path in the /etc/init.d/stunnel script.
+ try running:
+ "which stunnel" (or "whence stunnel")
+ and updating the script with the path shown for stunnel.
+
+ + maybe there's a port conflict from another service?
+ check with the configuration files or ask the system administrators for
+ assistance. the telnet tool will connect to an arbitrary tcp service and
+ inform you if the connection succeeded, e.g. "telnet myhost 23230".
+ if it says "Connected to ...." then the connection was successful,
+ regardless of the type of tcp protocol actually on that port. if that
+ reports instead "unable to connect to remote host", then no answer was
+ received. if the telnet session just says "Trying ...." and never comes
+ back or takes a really long time, then a firewall may be blocking the
+ port or the machine may be down.
+
-- 
2.34.1