script for stunnel

README.proxy

@@ -1,6 +1,6 @@
-Running the CryptoBox cherrypy webserver behind apache
+= apache in front of the cryptobox-server (cherrypy) =
 
-The following file describes how to configure an apache2 webserver for
+The following section describes how to configure an apache2 webserver for
 forwarding requests to the cherrypy server of the CryptoBox.
 
 
@@ -35,3 +35,34 @@ forwarding requests to the cherrypy server of the CryptoBox.
 	Now you should point your webserver to the proxy host and check if
 	the CryptoBox layout ist working properly.
 
+-----
+
+= lighttpd in front of the cryptobox-server (cherrypy) =
+
+In this section we do the same as above, but with lighttpd.
+
+Your lighttpd config should contain something like this:
+
+	# default document-root
+	server.document-root = "/usr/share/cryptobox-server/www-data/"
+
+	# TCP port
+	server.port = 443
+
+	# selecting modules
+	server.modules = ( "mod_access",
+					"mod_scgi",
+					"mod_accesslog",
+                    "mod_rewrite",
+                    "mod_staticfile" )
+
+	ssl.engine = "enable"
+	ssl.pemfile = "/etc/lighttpd/server.pem"
+
+	scgi.server = ( "/" =>
+		((  "host" => "127.0.0.1",
+			"port" => 8080,
+			"check-local" => "disable"
+		))
+	)
+

README.ssl

@@ -0,0 +1,13 @@
+= https for the CryptoBox =
+
+To secure your http connection from the box to your browser, 
+you may use "stunnel".
+
+Please take a look into the "start_stunnel.sh" script. You may use it
+to create a certificate and dig a tunnel.
+
+In the case, that you already have a certificate just run this
+command:
+
+	stunnel -p $YOUR_CERT -r localhost:80 -d 443
+

conf-examples/openssl.cnf

@@ -56,10 +56,10 @@ stateOrProvinceName = State or Province Name (full name)
 # Variable name   Value
 #------------------------------   ------------------------------
 0.organizationName_default = CryptoBox
-organizationalUnitName_default = s.l.
+organizationalUnitName_default = Sense.Lab
 localityName_default = Kugelmugel
 stateOrProvinceName_default = Metropolis
-emailAddress_default = info@systemausfall.org
+emailAddress_default = info@cryptobox.org
 
 
 

scripts/start_stunnel.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# This script creates a stunnel certificate for https
+# and starts a tunnel from :80 to :443. It's meant as en example so
+# use it with care.
+#
+# An example for the openssl config file can be found in
+# conf-examples/openssl.cnf .
+#
+
+set -eu
+
+test $# -ne 2 && echo "Usage: $(basename $0) OPENSSL_CONF_FILE CERT_FILE" && exit 1
+
+TMP_FILE=/tmp/cryptobox-cert.tmp
+## vcert values are in openssl.conf
+#OPENSSL_CONF_FILE="../conf-examples/openssl.cnf"
+OPENSSL_CONF_FILE="$1"
+## filename for the created cert
+#CERTFILE="cryptobox.cert"
+CERTFILE="$2"
+## source & destination ports
+SRC_PORT="8080"
+DST_PORT="443"
+
+
+[ ! -f "$OPENSSL_CONF_FILE" ] && echo "`basename $0`: $OPENSSL_CONF_FILE not found" && exit 2
+# this command creates the certificate
+# the "\n" are required, because the certbuilding asks for 5 returns
+echo -ne "\n\n\n\n\n" | openssl req -new -x509 -nodes -days 3650 -config "$OPENSSL_CONF_FILE" -out "$CERTFILE" -keyout "$CERTFILE"
+chmod 600 "$CERTFILE"
+
+# next step needs a lot of randomdata
+dd if=/dev/urandom of="$TMP_FILE" bs=1024 count=1024
+openssl dhparam -rand "$TMP_FILE" 512 >> "$CERTFILE"
+rm "$TMP_FILE"
+
+## print out cert values
+#openssl x509 -subject -dates -fingerprint -in stunnel.pem
+
+stunnel -p ${CERTFILE} -r localhost:${SRC_PORT} -d ${DST_PORT}