Use that as your setuid/ setgid parameter. setuid/setgidĪ dedicated user called stunnel4, is already created by the package and ready to use. No foreground option should be used when you want to use the built-in init script. This is your typical stunnel config file and should adhere to the stunnel conf file format.īut to make the stunnel play nicely with the init script, there are couple of rules that you should follow while making the conf file: foreground We’re going to use a config file called nf, placed in /etc/stunnel/. But I will give you the information necessary to be able to make the init script to spawn multiple instances if its required (as there are couple of global options which can only be set once per instance). The rest of this article assumes we are using a single nf file. A single stunnel instance could be used to provide both client and server functionalities for different services at the same time. While at the time of writing, spawning different instances of stunnel for each conf file it is still supported, it appears that in most cases it might not be necessary. You should use a single file called nf and add include = in that instead. stunnel can be run as a non-root user (assuming that it doesn’t try to write anything to privileged places 2, or open some privileged ports), but there is a better way to do it:Īccording to the stunnel author, with the planned introduction of a control interface (conceptually similar to apache2ctl), running separate processes for each *.conf will become obsolete. Note that in this example, we are running stunnel as root. Stunnel can be manually called with the config file as its argument and it will work.įor example, assuming the file is located at /etc/stunnel/nf, the following command would run it: 1 sudo stunnel /etc/stunnel/nf Moreover, couple of scripts are included in the package to deal with the ppp connections (to handle ppp status changes gracefully by restarting the stunnel process). The installation process also comes with its own stunnel4 user, init script, and logrotate config (which we’ll take advantage of soon). We’ll be using Ubuntu’s own repository: sudo sh -c 'apt-get update & apt-get install stunnel4' Please share your results with me so I can update this post. There is a good chance however that the same procedure (maybe with slight adjustments), could work on other Ubuntu versions (or even other distros) as well. This post is dedicated to show you how to properly install and configure this magnificent piece of software on Ubuntu.įor this, I’ll be using Ubuntu 18.04 Server. Configuring a newsreader with Stunnel SSL - all know how awesome stunnel is, but setting it up properly on Ubuntu (and on most other distros, really), can be a little tricky. Use Pan with Stunnel4 Secure Sockets Layer (SSL) - Ubuntu forums How to use ssl with pan the newsreader - OpenSUSE forum Start stunnel: #/etc/init.d/stunnel restart #openssl req -new -x509 -key priv.pem -out stunnel.pem -days 1095Įdit the /etc/stunnel/nf and set the key-path key = /etc/stunnel/stunnel.pemĬhange the path /etc/stunnel/stunnel.pem according to your key path. Optionally, to generate a RSA Private Key Example: :443Ĭertificate/key is needed in server mode and optional in client mode Configure Pan to use localhost and port 119Ĭonnect - Remote SSL connection using Stunnel. #cp /usr/share/doc/stunnel4/examples/nf-sample /etc/stunnel/nfĮdit the /etc/stunnel/nf and add the following nntp option for UsenetĬonnect = YOUR_SSL_URL_USENET_PROVIDER:PORTĪccept - Pan will connect locally. Copy the sample configuration for stunnel and place it to: In Debian Wheezy/Sid there is no configuration by default. To enable Stunnel edit /etc/default/stunnel4 ENABLED=1 Unfortunately, Pan does not support SSL encryption yet (Pan 0.135), so we are going to use stunnel for SSL tunneling. Pan is a Usenet newsreader which is good at both text and binaries.
0 Comments
Leave a Reply. |