Using stunnel for SSL encryption

stunnel is a small, single-purpose program: it adds SSL encryption. It can turn plain HTTP into HTTPS, and it can wrap any ordinary TCP connection in SSL. Installing stunnel is trivial, so I won't go into it: on CentOS it is just a yum install, on Debian an aptitude install. As long as you are not verifying client certificates, configuring stunnel mainly comes down to two points.

1. Configuring the SSL certificate. stunnel accepts the certificate in two ways. The old way, described at http://www.stunnel.org/static/stunnel.html, is to put the key first in the file and the certificate chain after it, like this:

    -----BEGIN RSA PRIVATE KEY-----
    [encoded key]
    -----END RSA PRIVATE KEY-----
    [empty line]
    -----BEGIN CERTIFICATE-----
    [encoded certificate]
    -----END CERTIFICATE-----
    [empty line]

In this layout, if the server certificate is not issued directly by a root CA, the intermediate certificates must be appended after it one by one in reverse order, just like the certificate chain in an nginx configuration. Leave a blank line between certificates (in my own testing it also worked without the blank line). The configuration file then looks like this:

[bash]

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/test.crt
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
;CAfile = /usr/share/ssl/certs/ca-bundle.crt
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

#[pop3s]
#accept  = 995
#connect = 110

#[imaps]
#accept  = 993
#connect = 143

#[ssmtp]
#accept  = 465
#connect = 25

[https]
accept  = 443
connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini

[/bash]

2. Keeping the key and the certificate in two separate files; this form is exactly the same as the current nginx configuration. The configuration file is as follows:

[bash]

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/cert.crt
key = /etc/stunnel/cert.key

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
;CAfile = /usr/share/ssl/certs/ca-bundle.crt
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

#[pop3s]
#accept  = 995
#connect = 110

#[imaps]
#accept  = 993
#connect = 143

#[ssmtp]
#accept  = 465
#connect = 25

[https]
accept  = 443
connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini

[/bash]

Note that any file containing the key must have permission 600, or stunnel will refuse it. For other needs, adjust the configuration file accordingly; to verify client certificates, for example, follow the commented-out authentication options (verify, CAfile/CApath) in the template.
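As an added example (my own code, not part of the original post or of stunnel), the script below assembles the old-style single `cert =` file in the order described above (key first, then the server certificate and its intermediates, one blank line between blocks), creates it with mode 600, and checks an existing file for that layout. The PEM blocks used in the demo run are constructed placeholders, not real key or certificate material.

```python
"""Build and check a combined stunnel PEM: key first, then the certificate
chain (server cert, then intermediates), written with mode 0600."""
import os
import re
import stat
import tempfile

# One PEM block, e.g. "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)
_KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}

# Constructed placeholders for the demo run; not real key or certificate material.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END RSA PRIVATE KEY-----"
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-SERVER-CERT\n-----END CERTIFICATE-----"
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-INTERMEDIATE\n-----END CERTIFICATE-----"

def check_combined_pem(text):
    """Return a list of layout problems for a single-file `cert =` (empty = OK):
    stunnel wants exactly one private key as the first block, then certificates."""
    labels = [m.group(1) for m in _PEM_BLOCK.finditer(text)]  # labels in file order
    if not labels:
        return ["no PEM blocks found"]
    problems = []
    keys = [i for i, lbl in enumerate(labels) if lbl in _KEY_LABELS]
    if len(keys) != 1:
        problems.append("expected exactly one private key, found %d" % len(keys))
    elif keys[0] != 0:
        problems.append("private key must be the first block, found at index %d" % keys[0])
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block after the key")
    unknown = sorted(set(labels) - _KEY_LABELS - {"CERTIFICATE"})
    if unknown:
        problems.append("unexpected block types: " + ", ".join(unknown))
    return problems

def write_combined_pem(path, key_pem, chain_pems):
    """Write key, then chain (server cert first, intermediates after), one blank
    line between blocks; create with mode 0600 so only the owner can read the key."""
    body = "\n\n".join(b.strip() for b in [key_pem] + list(chain_pems)) + "\n"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(path, 0o600)  # tighten the mode if the file already existed
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Write the constructed sample to a temp dir and re-check it: (0o600, [])."""
    path = os.path.join(tempfile.mkdtemp(), "test.crt")
    mode = write_combined_pem(path, SAMPLE_KEY, [SAMPLE_LEAF, SAMPLE_INTERMEDIATE])
    return mode, check_combined_pem(open(path).read())
```

The layout check only looks at block types and order; whether the intermediates are in the right chain order still has to be confirmed against the issuer and subject of each certificate.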

This entry was posted in the Web server category.