Get the latest release, extract and:

    ./configure
    make
    make install
    less /usr/local/etc/stunnel/stunnel.conf-sample
    grep nobody /etc/passwd
    grep nogroup /etc/group
    ls -lF /var/log/stunnel.log
    touch /var/log/stunnel.log
    #chown nobody:nogroup /var/log/stunnel.log
    chown stunnel:stunnel /var/log/stunnel.log
We need a dedicated folder for the PID, as /var/run/ sub-folders get deleted automatically at every boot.

    ls -ldF /var/stunnel/
    ls -lF /var/stunnel/
    mkdir -p /var/stunnel/
    chown stunnel:stunnel /var/stunnel/
Here's an attempt to have the SNI and the HTTP Host header match (ciphers may need tuning). Note we choose a default certificate to be used without SNI, while still adding that same name as an SNI service at the end.

    vi /etc/stunnel.conf

    #w/o chroot
    #pid = /var/stunnel/stunnel.pid
    #output = /var/log/stunnel.log

    #w/ chroot
    chroot = /var/stunnel
    pid = /stunnel.pid
    output = /stunnel.log

    setuid = stunnel
    setgid = stunnel
    debug = warning

    sslVersionMin = TLSv1.2
    ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305
    renegotiation = yes
    #sessionCacheSize =
    #sessionCacheTimeout =

    #we don't care about IE, right?
    #TIMEOUTclose = 0

    [https]
    accept = 443
    connect = 80
    cert = /usr/pkg/etc/letsencrypt/live/os3.su/fullchain.pem
    key = /usr/pkg/etc/letsencrypt/live/os3.su/privkey.pem

    [nethence]
    sni = https:nethence.com
    connect = nethence.com:80
    cert = /usr/pkg/etc/letsencrypt/live/nethence.com/fullchain.pem
    key = /usr/pkg/etc/letsencrypt/live/nethence.com/privkey.pem

    [pub]
    sni = https:pub.nethence.com
    connect = pub.nethence.com:80
    cert = /usr/pkg/etc/letsencrypt/live/pub.nethence.com/fullchain.pem
    key = /usr/pkg/etc/letsencrypt/live/pub.nethence.com/privkey.pem

    [os3]
    sni = https:os3.su
    connect = os3.su:80
    cert = /usr/pkg/etc/letsencrypt/live/os3.su/fullchain.pem
    key = /usr/pkg/etc/letsencrypt/live/os3.su/privkey.pem
Note that for TLS v1.3 there is a specific option; here's the default:

    #ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
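The SNI layout above is easy to get subtly wrong (a slave pointing at a master that does not listen, a name claimed twice, a key left world-readable after a renewal). The following pre-flight lint is an added example, not part of the original notes nor of stunnel itself: it flattens the config, checks every `sni = MASTER:NAME` slave against the sections that carry an `accept` line, and checks the cert/key files. The `stunnel_*` function names are ours, and it assumes one `key = value` per line with no spaces inside paths. Remember that with `chroot` set, `pid` and `output` are resolved inside /var/stunnel, while `cert` and `key` are read as root before the chroot, so the /usr/pkg paths stay valid.

```shell
#!/bin/sh
# Added example (not from the original notes): offline lint for an stunnel.conf
# using the server-mode SNI layout (sni = MASTER:NAME). Run it before restarting.
# Assumptions: one "key = value" per line, no spaces inside paths, stunnel_* names are ours.

# Flatten the ini-style file into "SECTION KEY VALUE" lines ("global" before the
# first [section]); comments and blank lines are dropped.
stunnel_conf_triples() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next }
        index($0, "=") {
            i = index($0, "=")
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            s = (sec == "" ? "global" : sec)
            print s, key, val
        }' "$1"
}

# Print one ERROR line per problem found; return 0 only when there is none.
stunnel_lint() {
    conf=$1
    triples=$(stunnel_conf_triples "$conf") || return 1

    # SNI wiring: the master named before the colon must have an accept line,
    # and each NAME may belong to a single service (order in the file does not matter).
    sni_errors=$(printf '%s\n' "$triples" | awk '
        $2 == "accept" { listens[$1] = 1 }
        $2 == "sni" {
            n = split($3, m, ":")
            if (n != 2 || m[1] == "" || m[2] == "") {
                print "ERROR: [" $1 "] server-mode sni must be MASTER:NAME, got " $3; next
            }
            master[$1] = m[1]
            if (m[2] in owner) print "ERROR: [" $1 "] SNI name " m[2] " already used by [" owner[m[2]] "]"
            owner[m[2]] = $1
        }
        END {
            for (s in master) if (!(master[s] in listens))
                print "ERROR: [" s "] sni refers to [" master[s] "] which has no accept line"
        }')

    # Files: cert and key must exist; the key must not be readable by everyone
    # (stunnel reads it as root before setuid/chroot, so 0600 root is enough).
    file_errors=$(printf '%s\n' "$triples" | awk '$2 == "cert" || $2 == "key" { print $1, $2, $3 }' |
        while read -r sec kind path; do
            if [ ! -f "$path" ]; then
                echo "ERROR: [$sec] $kind file $path does not exist"
            elif [ "$kind" = key ] && [ -n "$(find "$path" -perm -004)" ]; then
                echo "ERROR: [$sec] key $path is readable by everyone"
            fi
        done)

    errors=$(printf '%s\n%s\n' "$sni_errors" "$file_errors" | sed '/^$/d')
    [ -n "$errors" ] && printf '%s\n' "$errors"
    [ -z "$errors" ]
}

# Self-test on two constructed configs in a temp dir: a clean one must pass; a broken
# one (world-readable key, unknown master, missing key, duplicate SNI name) must fail.
stunnel_lint_selftest() {
    tmp=$(mktemp -d) || return 1
    printf 'placeholder\n' > "$tmp/good.crt"                             # constructed, content irrelevant
    printf 'placeholder\n' > "$tmp/good.key";  chmod 600 "$tmp/good.key"
    printf 'placeholder\n' > "$tmp/loose.key"; chmod 644 "$tmp/loose.key"
    cat > "$tmp/good.conf" <<EOF
chroot = /var/stunnel
setuid = stunnel
[https]
accept = 443
connect = 80
cert = $tmp/good.crt
key = $tmp/good.key
[site]
sni = https:example.invalid
connect = example.invalid:80
cert = $tmp/good.crt
key = $tmp/good.key
EOF
    cat > "$tmp/bad.conf" <<EOF
[https]
accept = 443
connect = 80
cert = $tmp/good.crt
key = $tmp/loose.key
[site]
sni = tls:example.invalid
connect = example.invalid:80
cert = $tmp/good.crt
key = $tmp/missing.key
[dup]
sni = https:example.invalid
cert = $tmp/good.crt
key = $tmp/good.key
EOF
    stunnel_lint "$tmp/good.conf" >/dev/null; good=$?
    stunnel_lint "$tmp/bad.conf"  >/dev/null; bad=$?
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

# Usage: sh stunnel-lint.sh /etc/stunnel.conf ; without an argument the self-test runs.
if [ $# -gt 0 ]; then stunnel_lint "$1"; else stunnel_lint_selftest; fi
```

The lint only reads the file, so it can be dropped into RESTART-STUNNEL ahead of the `pkill`, aborting the restart when it returns non-zero instead of killing a working proxy to start a broken one.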
And avoid useless DNS requests for the locally hosted sites:

    vi /etc/hosts

    x.x.x.x pub.nethence.com
    x.x.x.x nethence.com
    x.x.x.x os3.su
    #w/o chroot
    #tail -F /var/log/stunnel.log

    #w/ chroot
    tail -F /var/stunnel/stunnel.log
start

    vi /etc/rc.local

    echo -n starting stunnel...
    /usr/local/bin/stunnel /etc/stunnel.conf && echo done
restart

    vi RESTART-STUNNEL

    #!/bin/ksh
    pgrep -l stunnel
    #pgrep -a stunnel
    echo -n killing stunnel...
    pkill stunnel && echo done
    echo -n starting stunnel...
    /usr/local/bin/stunnel /etc/stunnel.conf && echo done
    date
    ls -lF /var/stunnel/
    pgrep -l stunnel
    #pgrep -a stunnel

    chmod +x RESTART-STUNNEL
    openssl s_client -connect DOMAIN.TLD:443
    curl -I https://DOMAIN.TLD
    openssl s_client -servername ALTERNATE.TLD -connect ALTERNATE.TLD:443

Note that OpenSSL 1.1.1 and later send the -connect host name as SNI by default, so add -noservername to the first command to actually see the default (non-SNI) certificate served by the [https] section.
stunnel TLS Proxy https://www.stunnel.org/static/stunnel.html
Documentation https://www.stunnel.org/docs.html
Unix Config https://www.stunnel.org/config_unix.html
Stunnel HOWTO https://www.stunnel.org/howto.html
Stunnel FAQ https://www.stunnel.org/faq.html
Secure Communication with Stunnel https://linuxgazette.net/107/odonovan.html
Using Certificates with Stunnel https://ftp.icm.edu.pl/packages/replay.old/ssl/stunnel/faq/certs.html
[stunnel-users] Use SNI https://www.stunnel.org/pipermail/stunnel-users/2016-November/005651.html
[stunnel-users] Using SNI in stunnel server https://www.stunnel.org/pipermail/stunnel-users/2014-June/004636.html
stunnel client uses improper SNI when talking to Apache https://serverfault.com/questions/548920/stunnel-client-uses-improper-sni-when-talking-to-apache
[stunnel-users] Server-side SNI support https://groups.google.com/forum/#!topic/mailing.unix.stunnel-users/Ix3ehOoAiW8
stunnel does not work with IIS - the stunnel connection to IIS closes unexpectedly on read https://www.cryptopro.ru/forum2/default.aspx?g=posts&t=13848
Stunnel only for specific domain https://serverfault.com/questions/558657/stunnel-only-for-specific-domain
[stunnel-users] stunnel transparent mode https://www.stunnel.org/pipermail/stunnel-users/2011-August/003210.html
[stunnel-users] Stunnel exits with timeout https://www.mail-archive.com/stunnel-users@stunnel.org/msg01373.html
Stunnel only for a specific domain http://server.bilee.com/stunnel-5.html
Securing Redis Client and Server with Stunnel https://redislabs.com/blog/stunnel-secure-redis-ssl/
TLS termination proxy https://en.wikipedia.org/wiki/TLS_termination_proxy
Benchmarking SSL Performance https://www.haproxy.com/blog/benchmarking_ssl_performance/
Hitch – A Scalable TLS Proxy by Varnish (github.com) https://news.ycombinator.com/item?id=9687330
TLS termination: stunnel, nginx & stud https://vincent.bernat.ch/en/blog/2011-ssl-benchmark
[stunnel-users] SSL Labs: Session resumption IDs assigned but not accepted https://www.stunnel.org/pipermail/stunnel-users/2016-May/005504.html