
Friday, September 4, 2009

Stunnel

Although there is a lot of documentation available for stunnel, I personally had some difficulty finding it and implementing it. Here I describe, step by step, how to set up stunnel.

I did this on Ubuntu, so the example is for Ubuntu.
I show here how I connected to a remote PostgreSQL database through stunnel. You can use the same approach for services such as:
[pop3s]
[imaps]
[ssmtp]
etc.

Section 1:

Suppose these are the database server details.

public IP of server: 1.1.1.1

port of server: 1234 (this port should be opened in the firewall only for the client IP, for stunnel access)
Use /etc/hosts.allow for it.

database server port: 5432

Suppose these are the details of the client from which we want to access the database.

public IP of client: 2.2.2.2

port of client: 4321 (this port should be opened in the firewall only for stunnel access)
Reminder: use /etc/hosts.allow for it.

Section 2:
Follow these steps on both machines.

Install openssl and stunnel on your system;
here are the commands to install them:
-> sudo apt-get install openssl
-> sudo apt-get install stunnel4

Section 3:
Follow these steps on both machines.
Create a stunnel directory where you can place all your configuration files and log files (the configuration below uses /home/stunnel).

Use this command to generate the pem file; it is needed for the certificate.

-> sudo openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem
The prompt will ask for some parameters; leave them blank and press enter.


Create the stunnel.master.conf file.
This file belongs on the server side, that is 1.1.1.1.
-> sudo vim stunnel.master.conf
and put the following content in it:
*************************************************************
cert = /home/stunnel/stunnel.pem
key = /home/stunnel/stunnel.pem

pid = /home/stunnel/stunnel_master.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /home/stunnel/master_stunnel.log

; Use it for client mode
client = no

; Service-level configuration

[edb-psql]
accept = 1234
connect = 127.0.0.1:5432
;TIMEOUTclose = 0

; vim:ft=dosini

*********************************************
You will see that the line [edb-psql] is written there. So you have to enter the following line in /etc/hosts.allow:
edb-psql: 2.2.2.2


Create the stunnel.client.conf file.
This file belongs on the client side, that is 2.2.2.2.
-> sudo vim stunnel.client.conf
and put the following content in it:
*************************************************************
cert = /home/stunnel/stunnel.pem
key = /home/stunnel/stunnel.pem

pid = /home/stunnel/stunnel_client.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = /home/stunnel/client_stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[edb-psql]
accept = 4321
connect = 1.1.1.1:1234
;TIMEOUTclose = 0

; vim:ft=dosini

*********************************************
You will see that the line [edb-psql] is written there. So you have to enter the following line in /etc/hosts.allow:
edb-psql: 1.1.1.1
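As an added example (not code from the post), here is a small Python checker for stunnel files like the two above: it parses the INI-style config, flags that the client side leaves `verify` commented out (so the server certificate is never checked and an impersonating server would be accepted), and confirms that the client's `connect` port matches the server's `accept` port. The sample configs inside it are constructed from the post's values with the stock comments stripped.

```python
from collections import defaultdict

# Constructed samples modelled on the post's two configs (comments stripped),
# with `verify` still commented out exactly as the post leaves it.
SERVER_CONF = "client = no\n[edb-psql]\naccept = 1234\nconnect = 127.0.0.1:5432\n"
CLIENT_CONF = """\
cert = /home/stunnel/stunnel.pem
key = /home/stunnel/stunnel.pem
;verify = 2
debug = 7
client = yes
[edb-psql]
accept = 4321
connect = 1.1.1.1:1234
"""

def parse_stunnel_conf(text):
    """Parse stunnel's INI-style file: global options go under section None,
    repeated keys (e.g. several `socket =` lines) are kept as lists."""
    conf = {None: defaultdict(list)}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # ';' begins a comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf[section] = defaultdict(list)
            continue
        key, _, value = line.partition("=")
        conf[section][key.strip()].append(value.strip())
    return conf

def audit(conf):
    """Findings a reviewer would raise about the global options."""
    g, findings = conf[None], []
    verify = int(g["verify"][0]) if g["verify"] else 0
    if (g["client"] or ["no"])[0].lower() == "yes" and verify < 2:
        findings.append("client mode without verify = 2: server certificate is never checked")
    if verify >= 2 and not (g["CAfile"] or g["CApath"]):
        findings.append("verify = 2 needs a CAfile or CApath to check against")
    if g["debug"] and int(g["debug"][0]) >= 7:
        findings.append("debug = 7 is maximum verbosity; lower it after troubleshooting")
    return findings

def cross_check(server_conf, client_conf, service):
    """True when the client's connect port equals the server's accept port."""
    port = client_conf[service]["connect"][0].rpartition(":")[2]
    return port == server_conf[service]["accept"][0]
```

Copying the server's certificate to the client and pointing `CAfile` at it with `verify = 2` is the usual way to close the first finding.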


Section 4

Run stunnel on 1.1.1.1:

-> sudo stunnel stunnel.master.conf

Check whether stunnel is running on the system with:
-> ps -ef|grep stunnel


Run stunnel on 2.2.2.2:

-> sudo stunnel stunnel.client.conf

Check whether stunnel is running on the system with:
-> ps -ef|grep stunnel

Run this command on 2.2.2.2 to check that the tunnel is running and that 2.2.2.2 has access to the service on 1.1.1.1:
-> telnet 127.0.0.1 4321
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

That means your connection is working fine.
If telnet does not connect to this host and port, check both the master and the client stunnel log files.
If everything is fine, you can now connect to the 1.1.1.1 database from 2.2.2.2 like this:
edb-psql -U [username] -h 127.0.0.1 -p 4321 -d [databasename]

Here is the reference I used for stunnel:

http://www.stunnel.org/

If you are still not able to set up stunnel, mail me at jdformail@aol.com

Thanks,
Jaydeep Vishwakarma