# http://www.stunnel.org/faq/certs.html
# execute this as root!
# Redhat+CentOS : stunnel does not work! you need to install stunnel-4
#
# Debian+Ubuntu : stunnel-5 does not work! you need to install stunnel-4
#
# apt-get install gcc make libssl-dev
# yum install gcc make openssl-devel
# cd /tmp
# wget ftp://ftp.nluug.nl/pub/networking/stunnel/archive/4.x/stunnel-4.57.tar.gz
# tar xvzf stunnel-4.57.tar.gz
# cd stunnel-4.57
# ./configure --prefix /opt/stunnel-4.57
# make
# make install
# ln -s /opt/stunnel-4.57/bin/stunnel /usr/local/bin/stunnel4
mkdir /home/fex/etc
cd /home/fex/etc/
# create self-signed certificate
# see http://www.infodrom.org/Debian/tips/stunnel.html
openssl req -new -x509 -days 9999 -nodes -out stunnel.pem -keyout stunnel.pem
dd if=/dev/urandom count=2 | openssl dhparam -rand - 1024 >> stunnel.pem
openssl x509 -text -in stunnel.pem
chmod 600 stunnel.pem
cat <stunnel.conf
debug = warning
output = /home/fex/spool/stunnel.log
cert = /home/fex/etc/stunnel.pem
sslVersion = all
fips = no
TIMEOUTclose = 1
exec = /home/fex/bin/fexsrv
execargs = fexsrv stunnel
EOD
## https://www.stunnel.org/pipermail/stunnel-users/2013-October/004414.html
#case $(lsb_release -a 2>/dev/null) in
# *CentOS*) echo 'fips = no' >>stunnel.conf;;
#esac
chown -R fex .
stunnel=$(which stunnel4)
if [ -z "$stunnel" ]; then
echo "no stunnel4 found" >&2
exit
fi
cat </etc/xinetd.d/fexs
# default: on
# description: fex web server with SSL
# note: only possible on port 443!
service fexs
{
socket_type = stream
wait = no
type = unlisted
protocol = tcp
port = 443
cps = 10 2
user = fex
groups = yes
server = $stunnel
server_args = /home/fex/etc/stunnel.conf
nice = 0
disable = no
}
EOD
/etc/init.d/xinetd restart
echo 'To enforce https, add to fex.ph:'
echo '$force_https = 1;'
# Hint: on some systems stunnel works not well with xinetd
# you can also run stunnel without xinetd, in server daemon mode