X-Git-Url: https://git.treefish.org/fex.git/blobdiff_plain/e60096926213ce02293a261254ff065cae44c1c8..20160919:/doc/SSL?ds=inline diff --git a/doc/SSL b/doc/SSL index d0e95f6..90e01ef 100644 --- a/doc/SSL +++ b/doc/SSL @@ -2,37 +2,56 @@ # execute this as root! -# Redhat : stunnel-4 does not work! you need to install stunnel-5 +# Redhat+CentOS : stunnel does not work! you need to install stunnel-4 +# +# Debian+Ubuntu : stunnel-5 does not work! you need to install stunnel-4 +# +# apt-get install gcc make libssl-dev +# yum install gcc make openssl-devel +# cd /tmp +# wget ftp://ftp.nluug.nl/pub/networking/stunnel/archive/4.x/stunnel-4.57.tar.gz +# tar xvzf stunnel-4.57.tar.gz +# cd stunnel-4.57 +# ./configure --prefix /opt/stunnel-4.57 +# make +# make install +# ln -s /opt/stunnel-4.57/bin/stunnel /usr/local/bin/stunnel4 mkdir /home/fex/etc cd /home/fex/etc/ -openssl req -new -x509 -days 9999 -nodes -out stunnel.pem -keyout stunnel.pem +# create self-signed certificate # see http://www.infodrom.org/Debian/tips/stunnel.html +openssl req -new -x509 -days 9999 -nodes -out stunnel.pem -keyout stunnel.pem dd if=/dev/urandom count=2 | openssl dhparam -rand - 1024 >> stunnel.pem openssl x509 -text -in stunnel.pem chmod 600 stunnel.pem cat <stunnel.conf +debug = warning +output = /home/fex/spool/stunnel.log cert = /home/fex/etc/stunnel.pem sslVersion = all +fips = no TIMEOUTclose = 1 -exec = perl -execargs = perl -T /home/fex/bin/fexsrv stunnel +exec = /home/fex/bin/fexsrv +execargs = fexsrv stunnel EOD -case $(lsb_release -a 2>/dev/null) in - *CentOS*) echo 'fips = no' >>stunnel.conf;; -esac +## https://www.stunnel.org/pipermail/stunnel-users/2013-October/004414.html +#case $(lsb_release -a 2>/dev/null) in +# *CentOS*) echo 'fips = no' >>stunnel.conf;; +#esac chown -R fex . stunnel=$(which stunnel4) if [ -z "$stunnel" ]; then - echo "no stunnel found" >&2 -else + echo "no stunnel4 found" >&2 + exit +fi - cat </etc/xinetd.d/fexs +cat </etc/xinetd.d/fexs # default: on # description: fex web server with SSL # note: only possible on port 443! @@ -43,7 +62,7 @@ service fexs type = unlisted protocol = tcp port = 443 - cps = 5 10 + cps = 10 2 user = fex groups = yes server = $stunnel @@ -53,11 +72,9 @@ service fexs } EOD - /etc/init.d/xinetd restart - echo 'To enforce https, add to fex.ph:' - echo '$force_https = 1;' - -fi +/etc/init.d/xinetd restart +echo 'To enforce https, add to fex.ph:' +echo '$force_https = 1;' # Hint: on some systems stunnel works not well with xinetd # you can also run stunnel without xinetd, in server daemon mode