1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
# http://www.stunnel.org/faq/certs.html
# execute this as root!
# Redhat+CentOS : yum install gcc make openssl-devel
#
# Debian+Ubuntu : apt-get install gcc make libssl-dev
# check for fexsend
openssl s_client -help 2>&1 |grep 'use TLS'
mkdir -p /opt/src
cd /opt/src/
STUNNEL=stunnel-5.53
wget https://ftp.nluug.nl/pub/networking/stunnel/archive/5.x/$STUNNEL.tar.gz
tar xvf $STUNNEL.tar.gz
cd $STUNNEL
./configure --disable-fips --disable-libwrap --prefix=/opt/$STUNNEL
make
make install
mkdir /home/fex/etc
cd /home/fex/etc/
# create self-signed certificate
# see http://www.infodrom.org/Debian/tips/stunnel.html
openssl req -new -x509 -days 9999 -nodes -out stunnel.pem -keyout stunnel.pem
dd if=/dev/urandom count=2 | openssl dhparam -rand - 1024 >> stunnel.pem
openssl x509 -text -in stunnel.pem
chmod 600 stunnel.pem
cat <<EOD>stunnel.conf
debug = warning
output = /home/fex/spool/stunnel.log
cert = /home/fex/etc/stunnel.pem
;sslVersion = all
sslVersionMin = TLSv1.2
fips = no
TIMEOUTclose = 1
exec = /usr/bin/perl
execargs = perl -T /home/fex/bin/fexsrv stunnel
EOD
## https://www.stunnel.org/pipermail/stunnel-users/2013-October/004414.html
#case $(lsb_release -a 2>/dev/null) in
# *CentOS*) echo 'fips = no' >>stunnel.conf;;
#esac
chown -R fex .
cat <<EOD>/etc/xinetd.d/fexs
# default: on
# description: fex web server with SSL
# note: only possible on port 443!
service fexs
{
socket_type = stream
wait = no
type = unlisted
protocol = tcp
port = 443
cps = 10 2
user = fex
groups = yes
server = /opt/$STUNNEL/bin/stunnel
server_args = /home/fex/etc/stunnel.conf
nice = 0
disable = no
}
EOD
/etc/init.d/xinetd restart
echo 'To enforce https, add to fex.ph:'
echo '$force_https = 1;'
# Hint: on some systems stunnel works not well with xinetd
# you can also run stunnel without xinetd, in server daemon mode
|
