X-Git-Url: https://git.treefish.org/fex.git/blobdiff_plain/c65ee6f7429eff9a7f58aad7c0aec858ad473092..20160919:/doc/SSL
diff --git a/doc/SSL b/doc/SSL
index 14f5abd..90e01ef 100644
--- a/doc/SSL
+++ b/doc/SSL
@@ -2,38 +2,56 @@
 # execute this as root!
-# Redhat : stunnel-4 does not work! you need to install stunnel-5
-# Debian : stunnel-5.06 does not work! you need to install stunnel-5.18
+# Redhat+CentOS : stunnel does not work! you need to install stunnel-4
+#
+# Debian+Ubuntu : stunnel-5 does not work! you need to install stunnel-4
+#
+# apt-get install gcc make libssl-dev
+# yum install gcc make openssl-devel
+# cd /tmp
+# wget ftp://ftp.nluug.nl/pub/networking/stunnel/archive/4.x/stunnel-4.57.tar.gz
+# tar xvzf stunnel-4.57.tar.gz
+# cd stunnel-4.57
+# ./configure --prefix /opt/stunnel-4.57
+# make
+# make install
+# ln -s /opt/stunnel-4.57/bin/stunnel /usr/local/bin/stunnel4
 mkdir /home/fex/etc
 cd /home/fex/etc/
-openssl req -new -x509 -days 9999 -nodes -out stunnel.pem -keyout stunnel.pem
+# create self-signed certificate
 # see http://www.infodrom.org/Debian/tips/stunnel.html
+openssl req -new -x509 -days 9999 -nodes -out stunnel.pem -keyout stunnel.pem
 dd if=/dev/urandom count=2 | openssl dhparam -rand - 1024 >> stunnel.pem
 openssl x509 -text -in stunnel.pem
 chmod 600 stunnel.pem
 cat <stunnel.conf
+debug = warning
+output = /home/fex/spool/stunnel.log
 cert = /home/fex/etc/stunnel.pem
 sslVersion = all
+fips = no
 TIMEOUTclose = 1
-exec = perl
-execargs = perl -T /home/fex/bin/fexsrv stunnel
+exec = /home/fex/bin/fexsrv
+execargs = fexsrv stunnel
 EOD
-case $(lsb_release -a 2>/dev/null) in
-  *CentOS*) echo 'fips = no' >>stunnel.conf;;
-esac
+## https://www.stunnel.org/pipermail/stunnel-users/2013-October/004414.html
+#case $(lsb_release -a 2>/dev/null) in
+#  *CentOS*) echo 'fips = no' >>stunnel.conf;;
+#esac
 chown -R fex .
 stunnel=$(which stunnel4)
 if [ -z "$stunnel" ]; then
-  echo "no stunnel found" >&2
-else
+  echo "no stunnel4 found" >&2
+  exit
+fi
-  cat </etc/xinetd.d/fexs
+cat </etc/xinetd.d/fexs
 # default: on
 # description: fex web server with SSL
 # note: only possible on port 443!
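Review bot: The new failure branch `exit`s without a status, so after `echo "no stunnel4 found" >&2` the script returns the status of that echo (0) and a caller cannot tell the install was aborted; it should be `exit 1`. The new `exec = /home/fex/bin/fexsrv` / `execargs = fexsrv stunnel` lines also drop the `perl -T` wrapper the removed lines used, so fexsrv no longer runs under taint mode unless its own shebang line requests it — worth confirming, since this is the process that handles network input. The commented build recipe fetches stunnel-4.57 over plain FTP and runs `make install` as root without checking a checksum or signature; a comment telling the reader to verify the tarball before building would help. Finally, `stunnel=$(which stunnel4)` could be `stunnel=$(command -v stunnel4)`, which is the portable form.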
@@ -54,11 +72,9 @@ service fexs
 }
 EOD
-  /etc/init.d/xinetd restart
-  echo 'To enforce https, add to fex.ph:'
-  echo '$force_https = 1;'
-
-fi
+/etc/init.d/xinetd restart
+echo 'To enforce https, add to fex.ph:'
+echo '$force_https = 1;'
 # Hint: on some systems stunnel works not well with xinetd
 # you can also run stunnel without xinetd, in server daemon mode
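Review bot: `/etc/init.d/xinetd restart` now runs unconditionally but its exit status is still ignored, so the two `echo` hints print even when xinetd failed to restart and the script ends with status 0; `/etc/init.d/xinetd restart || exit 1` would surface the failure. The heredoc that the `EOD` line closes begins outside this hunk.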