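#!/bin/sh
# Set up HTTPS for fex: build/locate stunnel4, create a self-signed
# certificate plus DH parameters, write stunnel.conf and an xinetd service
# on port 443 that launches stunnel4 -> fexsrv.
#
# http://www.stunnel.org/faq/certs.html

# execute this as root!

# Redhat+CentOS : stunnel does not work! you need to install stunnel-4
#
# Debian+Ubuntu : stunnel-5 does not work! you need to install stunnel-4
#
# apt-get install gcc make libssl-dev
# yum install gcc make openssl-devel
# cd /tmp
# wget ftp://ftp.nluug.nl/pub/networking/stunnel/archive/4.x/stunnel-4.57.tar.gz
# tar xvzf stunnel-4.57.tar.gz
# cd stunnel-4.57
# ./configure --prefix /opt/stunnel-4.57
# make
# make install
# ln -s /opt/stunnel-4.57/bin/stunnel /usr/local/bin/stunnel4

# fex installation root; every generated path below is derived from it
readonly fexhome=/home/fex

# fail early, before any key material is written: the xinetd service
# needs the absolute path of stunnel4 (command -v is the portable "which")
stunnel=$(command -v stunnel4)
if [ -z "$stunnel" ]; then
  echo "no stunnel4 found" >&2
  exit 1
fi

# -p: do not fail when the directory already exists (re-runs)
mkdir -p "$fexhome/etc"
# abort if we cannot enter the directory -- the chmod and "chown -R fex ."
# below must never run in whatever directory the caller happened to be in
cd "$fexhome/etc/" || exit 1

# create self-signed certificate (key and cert in one file)
# see http://www.infodrom.org/Debian/tips/stunnel.html
# umask 077 in a subshell so the private key is never world-readable,
# not even between creation and the chmod below
( umask 077 && openssl req -new -x509 -days 9999 -nodes -out stunnel.pem -keyout stunnel.pem ) || exit 1
# 2048-bit DH group: 1024-bit groups are no longer considered adequate
dd if=/dev/urandom count=2 | openssl dhparam -rand - 2048 >> stunnel.pem || exit 1
openssl x509 -text -in stunnel.pem
chmod 600 stunnel.pem

# NOTE: "sslVersion = all" lets stunnel negotiate every protocol its OpenSSL
# build offers, which on older builds includes SSLv3; restrict it to TLS
# if the installed stunnel version accepts that.
cat <<EOD >stunnel.conf
debug = warning
output = $fexhome/spool/stunnel.log
cert = $fexhome/etc/stunnel.pem
sslVersion = all
fips = no
TIMEOUTclose = 1
exec = $fexhome/bin/fexsrv
execargs = fexsrv stunnel
EOD

## https://www.stunnel.org/pipermail/stunnel-users/2013-October/004414.html
#case $(lsb_release -a 2>/dev/null) in
#  *CentOS*) echo 'fips = no' >>stunnel.conf;;
#esac

# cwd is guaranteed to be $fexhome/etc here (see the cd check above)
chown -R fex .

cat <<EOD >/etc/xinetd.d/fexs
# default: on
# description: fex web server with SSL
# note: only possible on port 443!
service fexs
{
        socket_type     = stream
        wait            = no
        type            = unlisted
        protocol        = tcp
        port            = 443
        cps             = 10 2
        user            = fex
        groups          = yes
        server          = $stunnel
        server_args     = $fexhome/etc/stunnel.conf
        nice            = 0
        disable         = no
}
EOD

/etc/init.d/xinetd restart
echo 'To enforce https, add to fex.ph:'
echo '$force_https = 1;'

# Hint: on some systems stunnel works not well with xinetd
#       you can also run stunnel without xinetd, in server daemon mode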