stunnel是个功能很简单的软件,就是进行ssl加密。可以帮助我们把http加密为https,也可以对普通的tcp链接进行ssl加密。stunnel的安装非常简单,就想详细写了。在centos下是只用用yum安装的,debian下就直接aptitude安装了。使用stunnel的配置如果不对客户端进行证书校验的话那么主要是2方面的配置。
1.配置ssl证书。stunnel配置证书有两种方式。老的方式是使用http://www.stunnel.org/static/stunnel.html介绍的先把key放最前面,然后依次放证书链。类似
-----BEGIN RSA PRIVATE KEY----- [encoded key] -----END RSA PRIVATE KEY----- [empty line] -----BEGIN CERTIFICATE----- [encoded certificate] -----END CERTIFICATE----- [empty line]
这种形式,如果服务器证书不是由根CA签发的,那么就需要类型nginx配置证书链那样把后面中间证书都逆序依次追加在后面。每个证书之间预留一个空行(不过我自己测试时不需要空行也是可以的)。这时的配置文件如下:
[bash]
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/test.crt
; Some security enhancements for UNIX systems – comment them out on Win32
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
; PID is created inside chroot jail
pid = /stunnel.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = rle
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don’t forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It’s often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
;CAfile = /usr/share/ssl/certs/ca-bundle.crt
; Don’t forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
;debug = 7
output = stunnel.log
; Use it for client mode
;client = yes
; Service-level configuration
#[pop3s]
#accept = 995
#connect = 110
#[imaps]
#accept = 993
#connect = 143
#[ssmtp]
#accept = 465
#connect = 25
[https]
accept = 443
connect = 80
;TIMEOUTclose = 0
; vim:ft=dosini
[/bash]
2.使用key和cert分成2个文件的形式,这个形式就和现在nginx的配置完全一样了。配置文件如下
[bash]
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/cert.crt
key = /etc/stunnel/cert.key
; Some security enhancements for UNIX systems – comment them out on Win32
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
; PID is created inside chroot jail
pid = /stunnel.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = rle
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don’t forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It’s often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
;CAfile = /usr/share/ssl/certs/ca-bundle.crt
; Don’t forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
;debug = 7
output = stunnel.log
; Use it for client mode
;client = yes
; Service-level configuration
#[pop3s]
#accept = 995
#connect = 110
#[imaps]
#accept = 993
#connect = 143
#[ssmtp]
#accept = 465
#connect = 25
[https]
accept = 443
connect = 80
;TIMEOUTclose = 0
; vim:ft=dosini
[/bash]
需要注意有key的文件的权限都要是600才行。如果有其他的需求就对应地改一下配置文件好了,比如对客户端进行证书校验,参考模板修改就行了。