script for stunnel

This commit is contained in:
age 2006-12-13 22:04:27 +00:00
parent b16c0937f9
commit 1b05abae6c
4 changed files with 89 additions and 4 deletions

View File

@ -1,6 +1,6 @@
Running the CryptoBox cherrypy webserver behind apache
= apache in front of the cryptobox-server (cherrypy) =
The following file describes how to configure an apache2 webserver for
The following section describes how to configure an apache2 webserver for
forwarding requests to the cherrypy server of the CryptoBox.
@ -35,3 +35,34 @@ forwarding requests to the cherrypy server of the CryptoBox.
Now you should point your webserver to the proxy host and check if
the CryptoBox layout ist working properly.
-----
= lighttpd in front of the cryptobox-server (cherrypy) =
In this section we do the same as above, but with lighttpd.
Your lighttpd config should contain something like this:
# default document-root
server.document-root = "/usr/share/cryptobox-server/www-data/"
# TCP port
server.port = 443
# selecting modules
server.modules = ( "mod_access",
"mod_scgi",
"mod_accesslog",
"mod_rewrite",
"mod_staticfile" )
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/server.pem"
scgi.server = ( "/" =>
(( "host" => "127.0.0.1",
"port" => 8080,
"check-local" => "disable"
))
)

13
README.ssl Normal file
View File

@ -0,0 +1,13 @@
= https for the CryptoBox =
To secure your http connection from the box to your browser,
you may use "stunnel".
Please take a look into the "start_stunnel.sh" script. You may use it
to create a certificate and dig a tunnel.
In the case, that you already have a certificate just run this
command:
stunnel -p $YOUR_CERT -r localhost:80 -d 443

View File

@ -56,10 +56,10 @@ stateOrProvinceName = State or Province Name (full name)
# Variable name Value
#------------------------------ ------------------------------
0.organizationName_default = CryptoBox
organizationalUnitName_default = s.l.
organizationalUnitName_default = Sense.Lab
localityName_default = Kugelmugel
stateOrProvinceName_default = Metropolis
emailAddress_default = info@systemausfall.org
emailAddress_default = info@cryptobox.org

41
scripts/start_stunnel.sh Executable file
View File

@ -0,0 +1,41 @@
#!/bin/sh
#
# This script creates a stunnel certificate for https
# and starts a tunnel from :80 to :443. It's meant as en example so
# use it with care.
#
# An example for the openssl config file can be found in
# conf-examples/openssl.cnf .
#
set -eu
test $# -ne 2 && echo "Usage: $(basename $0) OPENSSL_CONF_FILE CERT_FILE" && exit 1
TMP_FILE=/tmp/cryptobox-cert.tmp
## vcert values are in openssl.conf
#OPENSSL_CONF_FILE="../conf-examples/openssl.cnf"
OPENSSL_CONF_FILE="$1"
## filename for the created cert
#CERTFILE="cryptobox.cert"
CERTFILE="$2"
## source & destination ports
SRC_PORT="8080"
DST_PORT="443"
[ ! -f "$OPENSSL_CONF_FILE" ] && echo "`basename $0`: $OPENSSL_CONF_FILE not found" && exit 2
# this command creates the certificate
# the "\n" are required, because the certbuilding asks for 5 returns
echo -ne "\n\n\n\n\n" | openssl req -new -x509 -nodes -days 3650 -config "$OPENSSL_CONF_FILE" -out "$CERTFILE" -keyout "$CERTFILE"
chmod 600 "$CERTFILE"
# next step needs a lot of randomdata
dd if=/dev/urandom of="$TMP_FILE" bs=1024 count=1024
openssl dhparam -rand "$TMP_FILE" 512 >> "$CERTFILE"
rm "$TMP_FILE"
## print out cert values
#openssl x509 -subject -dates -fingerprint -in stunnel.pem
stunnel -p ${CERTFILE} -r localhost:${SRC_PORT} -d ${DST_PORT}