Setting up Stunnel

Installation

get the latest release, extract and

./configure
make
make install

Setup

less /usr/local/etc/stunnel/stunnel.conf-sample

grep nobody /etc/passwd
grep nogroup /etc/group

touch /var/log/stunnel.log
#chown nobody:nogroup /var/log/stunnel.log
chown stunnel:stunnel /var/log/stunnel.log

We need a dedicated folder for the PID, as /var/run/ sub-folder get deleted automatically at every boot

mkdir -p /var/stunnel/
chown stunnel:stunnel /var/stunnel/

Here’s an attempt for the SNI and HTTP Host header to match

vi /etc/stunnel.conf

#w/o chroot
#pid = /var/stunnel/stunnel.pid
#output = /var/log/stunnel.log

#w/ chroot
chroot = /var/stunnel
pid = /stunnel.pid
output = /stunnel.log

setuid = stunnel
setgid = stunnel
debug = info

sslVersionMin = TLSv1.2
#ciphers = CIPHERS-HERE-SEE-BELOW
#default ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
renegotiation = yes

sessionCacheSize = 1000
sessionCacheTimeout = 300
TIMEOUTclose = 0

[https]
accept  = 443
connect = 80
cert = /usr/pkg/etc/letsencrypt/live/os3.su/fullchain.pem
key = /usr/pkg/etc/letsencrypt/live/os3.su/privkey.pem

[nethence]
sni = https:nethence.com
connect = nethence.com:80
cert = /usr/pkg/etc/letsencrypt/live/nethence.com/fullchain.pem
key = /usr/pkg/etc/letsencrypt/live/nethence.com/privkey.pem

[os3]
sni = https:os3.su
connect = os3.su:80
cert = /usr/pkg/etc/letsencrypt/live/os3.su/fullchain.pem
key = /usr/pkg/etc/letsencrypt/live/os3.su/privkey.pem

and avoid useless DNS requests on locally hosted sites

vi /etc/hosts

x.x.x.x nethence.com
x.x.x.x os3.su

Ciphers

See Ciphers and here we go (as of Oct 2019)

ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305

Operations

#w/o chroot
#tail -F /var/log/stunnel.log

#w/ chroot
tail -F /var/stunnel/stunnel.log

start

vi /etc/rc.local

echo -n starting stunnel...
/usr/local/bin/stunnel /etc/stunnel.conf && echo done

restart

vi RESTART-STUNNEL

#!/bin/ksh

pgrep -l stunnel
#pgrep -a stunnel
echo -n killing stunnel...
pkill stunnel && echo done

echo -n starting stunnel...
/usr/local/bin/stunnel /etc/stunnel.conf && echo done
date
ls -lF /var/stunnel/
pgrep -l stunnel 
#pgrep -a stunnel

chmod +x RESTART-STUNNEL

Acceptance

openssl s_client -connect DOMAIN.TLD:443
curl -I https://DOMAIN.TLD

openssl s_client -servername ALTERNATE.TLD -connect ALTERNATE.TLD:443

Resources

stunnel TLS Proxy https://www.stunnel.org/static/stunnel.html

Stunnel HOWTO https://www.stunnel.org/howto.html

Stunnel FAQ https://www.stunnel.org/faq.html

Secure Communication with Stunnel https://linuxgazette.net/107/odonovan.html

Using Certificates with Stunnel https://ftp.icm.edu.pl/packages/replay.old/ssl/stunnel/faq/certs.html

[stunnel-users] Use SNI https://www.stunnel.org/pipermail/stunnel-users/2016-November/005651.html

stunnel client uses improper SNI when talking to Apache https://www.stunnel.org/pipermail/stunnel-users/2016-November/005651.html

[stunnel-users] Using SNI in stunnel server https://www.stunnel.org/pipermail/stunnel-users/2014-June/004636.html

stunnel client uses improper SNI when talking to Apache https://serverfault.com/questions/548920/stunnel-client-uses-improper-sni-when-talking-to-apache

[stunnel-users] Server-side SNI support https://groups.google.com/forum/#!topic/mailing.unix.stunnel-users/Ix3ehOoAiW8

Не работает stunnel c IIS - соединение stunnel с IIS внезапно закрывается на чтении https://www.cryptopro.ru/forum2/default.aspx?g=posts&t=13848

Stunnel only for specific domain https://serverfault.com/questions/558657/stunnel-only-for-specific-domain

[stunnel-users] stunnel transparent mode https://www.stunnel.org/pipermail/stunnel-users/2011-August/003210.html

[stunnel-users] Stunnel exits with timeout https://www.mail-archive.com/stunnel-users@stunnel.org/msg01373.html

Stunnel только для определенного домена http://server.bilee.com/stunnel-5.html

Securing Redis Client and Server with Stunnel https://redislabs.com/blog/stunnel-secure-redis-ssl/

the competition

TLS termination proxy https://en.wikipedia.org/wiki/TLS_termination_proxy

Benchmarking SSL Performance https://www.haproxy.com/blog/benchmarking_ssl_performance/

Hitch – A Scalable TLS Proxy by Varnish (github.com) https://news.ycombinator.com/item?id=9687330

TLS termination: stunnel, nginx & stud https://vincent.bernat.ch/en/blog/2011-ssl-benchmark


Nethence | Pub | Lab | Pbraun | SNE Russia | xhtml