Re: Adding SSL

From: Unai Rodriguez <me#u-journal.org>
Date: Fri, 03 Oct 2008 03:10:55 -0600


I have been using STUNNEL 3.26 happily for more than a year in a production environment with no issues. I just installed the precompiled Debian package (apt-get install stunnel), then I wrote a little script to start/stop it (that I can provide) which basically is (with some other things):

#!/bin/sh

# Level is one of the syslog level names or numbers emerg (0), alert (1),
# crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs
# for the specified level and all levels numerically less than it will be
# shown. Use -D debug or -D 7 for greatest debugging output.
LOGLEVEL="3"
LOG_FILE="/var/log/stunnel/stunnel.log"

# Where is /usr/sbin/stunnel listening?
LISTEN_HOST="10.123.16.101"
LISTEN_PORT="443"

# Connect to remote service. If no host specified, defaults to localhost.
CONNECT_TO_HOST="10.123.16.101"
CONNECT_TO_PORT="80"

# File containing random input. The SSL library will use data from this
# file first to seed the random number generator.
# You can leave this alone ;-) (unai)
RND_FILE="/etc/ssl/certs/stunnel.rnd"

# Private key and certificate chain PEM file name.
# Probably the most important setting!!! (unai)
PEM_FILE="/etc/ssl/certs/stunnel.pem"

# Service name to use for tcpwrappers. If not specified then a tcpwrapper
# service name will be generated automatically for you. This will also be
# used when auto-generating pid filenames.
SERVICENAME="https"

# Pid directory location
PID_DIR="/var/run/stunnel"

/usr/sbin/stunnel -d "$LISTEN_HOST:$LISTEN_PORT" -D "$LOGLEVEL" \
    -R "$RND_FILE" -p "$PEM_FILE" -o "$LOG_FILE" \
    -r "$CONNECT_TO_HOST:$CONNECT_TO_PORT" \
    -N "$SERVICENAME" -P "$PID_DIR"
==============================================================================

It is true that I had "initial headaches" installing the SSL certificates, but once past that stage, everything has been really smooth.

unai

On Fri, 3 Oct 2008 09:08:57 +0200, "Marcus Herou" <marcus.herou#tailsweep.com> wrote:

> Well yes I had troubles with permissions initially but I sorted that out
> and it worked perfectly for hours in a row, then suddenly out of the blue it
> allocated 100% cpu.
> 
> Hmm I thought kill pid.... restart service. Then again after some hours the
> same stuff happened. Because of lacking time I just took the easy way out
> and installed lighttpd. I don't like lighttpd as a central infrastructure
> component though and will test stunnel again.
> 
> /M
> 
> On Fri, Oct 3, 2008 at 8:45 AM, Benoit <maverick#maverick.eu.org> wrote:
> 
>> Marcus Herou wrote:
>>
>>> I used Stunnel earlier this week but the strangest things happened and it
>>> allocated 100% of the CPU etc. Really strange. I stopped it and just
>>> installed lighttpd with ssl support which proxies everything to haproxy.
>>>
>> You may have trouble with your chroot (insufficient access rights, for
>> example), you may check syslog
>>
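A pre-flight check for the stunnel 3.x start line in Unai's script, added here as an example and not part of the original post or of stunnel itself; it assumes the same PEM_FILE, LOG_FILE and PID_DIR paths and the -p/-o/-P options used in the thread, and the function name stunnel_preflight is my own.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# stunnel 3.x start line above (permissions, PEM contents, log and pid
# locations are the usual first-time failures).
# Usage: stunnel_preflight PEM_FILE LOG_FILE PID_DIR; returns 0 when usable,
# otherwise the number of problems found (each one is printed to stderr).
stunnel_preflight() {
    pem_file=$1 log_file=$2 pid_dir=$3
    problems=0

    if [ ! -r "$pem_file" ]; then
        echo "preflight: $pem_file missing or unreadable" >&2
        problems=$((problems + 1))
    else
        # Columns 5-10 of ls -l are the group and other permission bits;
        # the file holds the private key, so all six must be '-'.
        mode=$(ls -l "$pem_file" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "preflight: $pem_file is group/world accessible" >&2
            problems=$((problems + 1))
        fi
        # -p expects the private key and the certificate chain in one file.
        grep -q 'BEGIN.*PRIVATE KEY' "$pem_file" || {
            echo "preflight: no private key block in $pem_file" >&2
            problems=$((problems + 1)); }
        grep -q 'BEGIN CERTIFICATE' "$pem_file" || {
            echo "preflight: no certificate block in $pem_file" >&2
            problems=$((problems + 1)); }
    fi

    # -o appends to the log file: its directory must exist and be writable.
    log_dir=$(dirname "$log_file")
    if [ ! -d "$log_dir" ] || [ ! -w "$log_dir" ]; then
        echo "preflight: log directory $log_dir missing or not writable" >&2
        problems=$((problems + 1))
    fi

    # -P writes the pid file into this directory.
    if [ ! -d "$pid_dir" ] || [ ! -w "$pid_dir" ]; then
        echo "preflight: pid directory $pid_dir missing or not writable" >&2
        problems=$((problems + 1))
    fi

    return "$problems"
}

# From the start script: stunnel_preflight "$PEM_FILE" "$LOG_FILE" "$PID_DIR" || exit 1
if [ "$#" -eq 3 ]; then
    stunnel_preflight "$@"
fi
```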
Received on 2008/10/03 11:10

This archive was generated by hypermail 2.2.0 : 2008/10/03 11:17 CEST