I had some trouble getting Stunnel running myself, so I wrote down these working steps. I’ve tested this on Digital Ocean with CentOS 6.6 Final running on my servers.
It’s possible to set up one Stunnel server and have multiple clients connect to it. You can also add multiple services to run on one Stunnel server.
For my setup I needed 10 clients to connect to one server to direct HTTPS traffic over the internet to my Varnish backend server.
yum install stunnel
nano /etc/stunnel/stunnel.conf
This is my basic configuration:
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
client = yes
[varnish]
accept = 127.0.0.1:8001
connect = REMOTEHOST:8001
Change “REMOTEHOST” to your remote Stunnel host.
You might run into problems later if the chroot directory doesn’t exist or isn’t owned by the setuid/setgid user, which was a problem I faced that took me some time to figure out:
mkdir /var/run/stunnel
chown nobody:nobody /var/run/stunnel
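As an added example (not part of the original post), here is a small pre-flight script for a stunnel.conf like the one above: it resolves the pid file as the kernel will see it (stunnel treats the pid path as relative to the chroot), checks that the chroot directory exists and is owned by the setuid:setgid user, and warns when a client-mode config has no verify option. The config text it feeds in is a constructed copy of the snippet above with the REMOTEHOST placeholder left as-is; the function names are mine.

```shell
#!/bin/sh
# Pre-flight checks for a stunnel.conf like the one above (added example).
# conf_get FILE KEY -> value of the first "KEY = value" line, or empty.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# effective_pid_path FILE -> the pid file as the kernel sees it:
# stunnel treats "pid" as relative to the chroot directory.
effective_pid_path() {
    chroot_dir=$(conf_get "$1" chroot)
    pid_path=$(conf_get "$1" pid)
    printf '%s%s\n' "${chroot_dir%/}" "$pid_path"
}

# check_chroot FILE -> 0 if the chroot dir exists and is owned by setuid:setgid,
# the condition the mkdir/chown step above establishes; 1 with a hint otherwise.
check_chroot() {
    dir=$(conf_get "$1" chroot)
    want="$(conf_get "$1" setuid):$(conf_get "$1" setgid)"
    [ -d "$dir" ] || { echo "chroot $dir missing: mkdir it and chown $want"; return 1; }
    have=$(stat -c '%U:%G' "$dir")   # GNU stat, as shipped on CentOS
    [ "$have" = "$want" ] || { echo "chroot $dir owned by $have, want $want"; return 1; }
    echo "chroot $dir ok (owner $want)"
}

# check_client_verify FILE -> 0 unless "client = yes" is set without any
# verify option; stunnel then accepts whatever certificate the remote presents.
check_client_verify() {
    [ "$(conf_get "$1" client)" = "yes" ] || return 0
    grep -Eq '^[[:space:]]*(verify|verifyChain|verifyPeer)[[:space:]]*=' "$1" && return 0
    echo "client = yes but no verify option: remote certificate is not checked"
    return 1
}

# Demo: run the checks on a constructed copy of the config above
# (REMOTEHOST is the placeholder from the post, not a real host).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'chroot = /var/run/stunnel' 'setuid = nobody' 'setgid = nobody' \
        'pid = /stunnel.pid' 'client = yes' '[varnish]' \
        'accept = 127.0.0.1:8001' 'connect = REMOTEHOST:8001' > "$tmp/stunnel.conf"
    echo "effective pid file: $(effective_pid_path "$tmp/stunnel.conf")"
    check_chroot "$tmp/stunnel.conf" || :
    check_client_verify "$tmp/stunnel.conf" || :
    rm -rf "$tmp"
}
demo
```

Point the functions at /etc/stunnel/stunnel.conf to check a real install before the first `service stunnel start`.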
If you prefer to have an init.d script for Stunnel, follow these steps to be able to run “service stunnel start / stop / restart”:
nano /etc/rc.d/init.d/stunnel
#!/bin/bash
#
# Init Script to run stunnel in daemon mode at boot time.
#
# Author: Riccardo Riva - RPM S.r.l.
# Revision 1.0 - 2010 November, 11
#====================================================================
# Run level information:
#
# chkconfig: 2345 99 99
# description: Secure Tunnel
# processname: stunnel
#
# Run "/sbin/chkconfig --add stunnel" to add the Run levels.
# This will setup the symlinks and set the process to run at boot.
#====================================================================
#====================================================================
# Paths and variables and system checks.
# Source function library
. /etc/rc.d/init.d/functions
# Check that networking is up (the test needs quotes and spaces around "=").
#
[ "${NETWORKING}" = "yes" ] || exit 0
# Path to the executable.
#
SEXE=/usr/bin/stunnel
# Path to the configuration file.
#
CONF=/etc/stunnel/stunnel.conf
# Check the configuration file exists.
#
if [ ! -f $CONF ] ; then
    echo "The configuration file cannot be found!"
    exit 0
fi
# Path to the lock file.
#
LOCK_FILE=/var/lock/subsys/stunnel
#====================================================================
# Run controls:
prog=$"stunnel"
RETVAL=0
# Start stunnel as daemon.
#
start() {
    if [ -f $LOCK_FILE ]; then
        echo "stunnel is already running!"
        exit 0
    else
        echo -n $"Starting $prog: "
        $SEXE $CONF
    fi
    RETVAL=$?
    [ $RETVAL -eq 0 ] && success || failure
    echo
    [ $RETVAL -eq 0 ] && touch $LOCK_FILE
    return $RETVAL
}
# Stop stunnel.
#
stop() {
    if [ ! -f $LOCK_FILE ]; then
        echo "stunnel is not running!"
        exit 0
    else
        echo -n $"Shutting down $prog: "
        killproc stunnel
        RETVAL=$?
        # Only drop the lock once the process is really gone.
        [ $RETVAL -eq 0 ] && rm -f $LOCK_FILE
        echo
        return $RETVAL
    fi
}
# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        if [ -f $LOCK_FILE ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
    status)
        status stunnel
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        RETVAL=1
esac
exit $RETVAL
#--- End of file ---
If you are running CentOS 5, you might want to change this line:
SEXE=/usr/bin/stunnel
to this:
SEXE=/usr/sbin/stunnel
chmod +x /etc/rc.d/init.d/stunnel
This makes the init.d script executable.
/sbin/chkconfig --add stunnel
This makes stunnel start after a server reboot.
service stunnel start
That’s it, now you have Stunnel installed and running.
Hello
This script (/etc/rc.d/stunnel) does not clean up. I could not correctly restart the service. It causes an error because remnants of the “old” instance remain. I have therefore supplemented and revised it.
#!/bin/bash
#
# Init Script to run stunnel in daemon mode at boot time.
#
#====================================================================
# Run level information:
#
# chkconfig: 2345 99 99
# description: Secure Tunnel
# processname: stunnel
#
# Run "/sbin/chkconfig --add stunnel" to add the Run levels.
# This will setup the symlinks and set the process to run at boot.
#====================================================================
#====================================================================
# Paths and variables and system checks.
# Source function library
. /etc/rc.d/init.d/functions
# Check that networking is up.
#
[ "${NETWORKING}" = "yes" ] || exit 0
# Path to the executable.
#
SEXE=/usr/bin/stunnel
# Path to the configuration file.
#
CONF=/etc/stunnel/stunnel.conf
# Check the configuration file exists.
#
if [ ! -f $CONF ] ; then
    echo "The configuration file cannot be found!"
    exit 0
fi
# Path to the lock file, and to the pid file stunnel writes inside its chroot
# (pid = /stunnel.pid under chroot = /var/run/stunnel).
#
LOCK_FILE='/var/lock/subsys/stunnel'
DEFAULT_PID_FILE='/var/run/stunnel/stunnel.pid'
#====================================================================
# Run controls:
prog="stunnel"
RETVAL=0
# Start stunnel as daemon.
#
start() {
    if [ -f ${LOCK_FILE} ]; then
        echo "${prog} is already running!"
        exit 0
    else
        echo -n $"Starting ${prog}: "
        ${SEXE} ${CONF}
        RETVAL=$?
        [ ${RETVAL} -eq 0 ] && success || failure
        echo
        [ ${RETVAL} -eq 0 ] && touch ${LOCK_FILE}
        PID=$(cat ${DEFAULT_PID_FILE} 2>/dev/null)
        echo "${prog} is running with PID: ${PID}"
        return ${RETVAL}
    fi
}
# Stop stunnel.
#
stop() {
    if [ ! -f ${LOCK_FILE} ]; then
        echo "${prog} is not running!"
        exit 0
    else
        PID=$(cat ${DEFAULT_PID_FILE} 2>/dev/null)
        if [[ -z "${PID}" ]]; then
            echo "${prog} is not running (missing PID)."
            # Stale lock with no pid file: clean up so start works again.
            rm -f ${LOCK_FILE}
        elif [[ -e "/proc/${PID}/exe" ]]; then
            echo "${prog} is running with PID: ${PID}"
            echo -n $"Shutting down ${prog}: "
            killproc ${prog}
            RETVAL=$?
            # Remove both the lock and the old pid file so a restart starts clean.
            [ ${RETVAL} -eq 0 ] && rm -f ${LOCK_FILE} ${DEFAULT_PID_FILE}
            echo
            return ${RETVAL}
        else
            echo "${prog} is not running (tested PID: ${PID})."
            # Process is gone but its files remain: clean them up.
            rm -f ${LOCK_FILE} ${DEFAULT_PID_FILE}
        fi
    fi
}
# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    condrestart)
        if [ -f ${LOCK_FILE} ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
    status)
        ps -ef | grep "${prog}" | grep -v grep
        status ${prog}
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        RETVAL=1
esac
exit ${RETVAL}