Hello all,

I have seen some questions over the last week about adding SSL (secure sockets layer) support to standard plaintext services. This is something for which the package stunnel is perfect. If you are interested in offering SSL services for your currently plaintext daemons, you can use stunnel independently of the plaintext service to provide SSL service. For further information on the package, check out the stunnel page: http://mike.daewoo.com.pl/computer/stunnel/

The beauty of stunnel (IMHO) is that you can run it in client or server mode, and it can listen on one IP and forward to another (local or remote). (You can also listen on INADDR_ANY or INADDR_LOOPBACK.)

I hope the die-hard list readers will forgive that I have attached two scripts I wrote to work as a drop-in service startup script for as many wrappers as you'd like. My script assumes that you are running tcpserver, and (unfortunately) assumes the old-style supervise (daemontools 0.53). (If we ever migrate to the newer model, I'll rewrite these scripts a bit.)

One last kicker, and that is that stunnel can run in "transparent proxying" mode, which allows you to use it for SMTPS (port 465) without changing your tcprules for your SMTP service. All you need is to have transparent proxying support in your kernel.

One could certainly run stunnel in ``-d'' mode without tcpserver, but I'm so accustomed to running things under tcpserver (I like the process model) that I have included it in the script.

I hope it proves useful to somebody besides me,

-Martin

--
Martin A. Brown --- Wonderfrog Enterprises --- [EMAIL PROTECTED]
#!/bin/sh
#
# stunnel      starts/stops stunnel
#
# chkconfig: 345 72 38
#
# -- generic stunnel startup script
#  + WRAPNAME   = key for tcp_wrapper lookup in /etc/hosts.allow file
#  + LISTENIP   = INADDR_ANY by default or user-specified
#  + TARGETIP   = INADDR_LOOPBACK by default or user-specified
#  + LISTENPORT = yep. the port we are listening for connections on
#  + TARGETPORT = boy, these names almost make sense
#  + SWITCH     = leave empty for server mode, make "-c" for client mode
#  + RULES      = tcprules.cdb file to call from tcpserver (optional;
#                 passed to tcpserver as -x when set)
#  + PEMFILE    = another very important, obviously named variable
#
# -- I'd like to compile a version of stunnel which doesn't do the
#    tcp_wrappers in the /etc/hosts.allow file--because having tcpserver
#    and stunnel doing IP checking doesn't make a whole lot of sense to me
#
# -- this file is meant to be sourced (". ./stunnel-startup") from a
#    wrapper script after the variables above have been set, so "$1"
#    below is the wrapper's start/stop/status/restart argument
#

## -- die and complain if we don't /at least/ get these two
TARGETPORT=${TARGETPORT:?}
LISTENPORT=${LISTENPORT:?}

## -- define all of the variables first
SUPERVISEDIR=/var/lock/svc
LISTENIP=${LISTENIP:=0.0.0.0}
TARGETIP=${TARGETIP:=127.0.0.1}
WRAPNAME=${WRAPNAME:=stunnel}
PEMFILE=${PEMFILE:=/var/openssl/certs/trusted/stunnel.pem}

## set the service name for supervise
SERVICE=stunnel${LISTENPORT}

# See how we were called
case "$1" in
  start)
        mkdir -p ${SUPERVISEDIR}/${SERVICE}
        echo -n "Starting stunnel on ${LISTENIP}:${LISTENPORT}: "
        # "env -" starts supervise with an empty environment, so supervise,
        # tcpserver and stunnel must be findable without a PATH (absolute
        # paths, or the default search path of your libc); this is the
        # "path problem" mentioned in the wrapper script.
        # WRAPNAME is handed to stunnel as the name for its hosts.allow lookup;
        # -f keeps stunnel in the foreground so supervise can watch it.
        env - supervise ${SUPERVISEDIR}/${SERVICE} \
            tcpserver -RH -c 40 ${RULES:+-x ${RULES}} \
              ${LISTENIP} ${LISTENPORT} \
              /usr/sbin/stunnel ${WRAPNAME} ${SWITCH} -f \
                -r ${TARGETIP}:${TARGETPORT} \
                -p ${PEMFILE} &
        echo done
        ;;
  stop)
        echo -n "Shutting down stunnel on ${LISTENIP}:${LISTENPORT}"
        svc -dx ${SUPERVISEDIR}/${SERVICE}
        echo
        ;;
  status)
        echo -n "stunnel on port ${LISTENIP}:${LISTENPORT}"
        svstat ${SUPERVISEDIR}/${SERVICE} | tailocal
        ;;
  restart)
        "$0" stop
        sleep 1
        "$0" start
        exit 0
        ;;
  *)
        echo "Usage: stunnel {start|stop|status|restart}"
        exit 1
esac
#!/bin/bash
#
# -- the first service...define what you need and call the script
#    which sets some defaults....
#
# DON'T GET BITTEN BY THE PATH PROBLEM IN THIS SCRIPT
# CHANGE IT TO YOUR NEED FOR YOUR SYSTEM.  :-)
# (". ./stunnel-startup" is resolved relative to the current directory,
#  and stunnel-startup launches supervise with an empty environment.)
#
# client mode: accept plaintext IMAP on loopback only and speak SSL to the
# remote server's IMAPS port
LISTENIP=127.0.0.1
TARGETIP=remote.mailserver
LISTENPORT=143
TARGETPORT=993
SWITCH="-c"
. ./stunnel-startup

# -- now just redefine and call the startup script again....
#
# server mode: accept SMTPS on the external interface and hand plaintext to
# the local SMTP daemon.  Variables from the first block carry over into
# this one, so SWITCH has to be reset here or stunnel would start in client
# mode again.
LISTENIP=my.ethernet.interface
TARGETIP=127.0.0.1
LISTENPORT=465
TARGETPORT=25
SWITCH=""
#. ./stunnel-startup
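The two attached scripts start daemons as soon as they are sourced, which makes it awkward to check a new service definition before it goes live. The following is an added example (not part of Martin's post or of the stunnel project): a set of dry-run helpers that take the same variables the startup script uses, validate them, check that the PEM file is private, and print the tcpserver/stunnel command line the script would hand to supervise, without starting anything. The option syntax (stunnel -c, -f, -r host:port, -p pemfile; tcpserver -x cdb) is the one used in the post; the refusal to run client mode on 0.0.0.0 is this example's own policy, an assumption about what the operator wants rather than anything stunnel enforces.

```sh
#!/bin/sh
# Added example, not from the original post: dry-run helpers for the
# stunnel-startup script.  Sourcing this file defines three functions and
# starts nothing.  Variables (LISTENIP, TARGETIP, LISTENPORT, TARGETPORT,
# SWITCH, RULES, WRAPNAME, PEMFILE) and their defaults match the script.

# is_port N: true if N is a decimal TCP port in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_pem FILE: stunnel reads the private key and the certificate from the
# -p file, so it must exist, be readable by its owner only, and hold both.
check_pem() {
    pem=$1
    [ -f "$pem" ] || { echo "check_pem: $pem does not exist" >&2; return 1; }
    # group and other permission bits are columns 5-10 of the ls -l mode field
    mode=$(ls -ld "$pem" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "check_pem: $pem is group/world accessible (mode bits $mode)" >&2
        return 1
    }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "check_pem: no private key in $pem" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "check_pem: no certificate in $pem" >&2; return 1; }
}

# stunnel_cmdline: print, one token per line, the command the startup script
# runs under supervise, built from the same variables and defaults it uses.
stunnel_cmdline() {
    is_port "${LISTENPORT:-}" ||
        { echo "stunnel_cmdline: bad LISTENPORT '${LISTENPORT:-}'" >&2; return 1; }
    is_port "${TARGETPORT:-}" ||
        { echo "stunnel_cmdline: bad TARGETPORT '${TARGETPORT:-}'" >&2; return 1; }
    case "${SWITCH:-}" in
        ''|-c) ;;
        *) echo "stunnel_cmdline: SWITCH must be empty (server) or -c (client)" >&2
           return 1 ;;
    esac
    # In client mode (-c) the listener is plaintext and only the leg to the
    # target is SSL, so the script's 0.0.0.0 default is refused here (this
    # example's policy); the post's IMAP example listens on 127.0.0.1.
    if [ "${SWITCH:-}" = "-c" ] && [ "${LISTENIP:-0.0.0.0}" = "0.0.0.0" ]; then
        echo "stunnel_cmdline: client mode on 0.0.0.0 exposes a plaintext listener" >&2
        return 1
    fi
    printf '%s\n' tcpserver -RH -c 40
    if [ -n "${RULES:-}" ]; then
        printf '%s\n' -x "$RULES"
    fi
    printf '%s\n' "${LISTENIP:-0.0.0.0}" "$LISTENPORT" \
        /usr/sbin/stunnel "${WRAPNAME:-stunnel}"
    if [ -n "${SWITCH:-}" ]; then
        printf '%s\n' "$SWITCH"
    fi
    printf '%s\n' -f -r "${TARGETIP:-127.0.0.1}:$TARGETPORT" \
        -p "${PEMFILE:-/var/openssl/certs/trusted/stunnel.pem}"
}
```

Source the file from the wrapper script, set the variables for one service, and run `check_pem "$PEMFILE" && stunnel_cmdline` before replacing `#. ./stunnel-startup` with the live call; the printed tokens are exactly what supervise would execute, so a wrong port, a leaked `SWITCH="-c"` from the previous service block, or a world-readable key shows up before any listener is opened.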