Although there is a lot of documentation available for Stunnel, I personally had some difficulty finding and implementing this. I am describing here, step by step, how to implement stunnel.
I did it on Ubuntu, so I am giving the Ubuntu example.
I am showing here how I connected to a remote PostgreSQL database through stunnel. You can use the same approach for:
[pop3s], [imaps], [ssmtp], etc.
Section 1:
Suppose these are the database server details:
public IP of server: 1.1.1.1
stunnel port on server: 1234 (open this port in the firewall only for the client IP; the database port itself stays closed to the outside)
use /etc/hosts.allow to restrict it as well (see Section 3).
database server port: 5432 (PostgreSQL listening on localhost only)
Suppose these are the client details, from where we want to access the database:
public IP of client: 2.2.2.2
local stunnel port on client: 4321 (this is a local listener for applications running on the client; it does not need to be opened in the firewall and should accept connections from 127.0.0.1 only)
reminder: use /etc/hosts.allow here too.
Section 2:
Follow these steps on both machines.
Install openssl and stunnel on your system; here are the commands to install them:
-> sudo apt-get install openssl
-> sudo apt-get install stunnel4
Section 3:
Follow these steps on both machines.
Create a stunnel directory where you can place all your configuration files and log files (the configurations below use /home/stunnel).
Use this command to generate the pem file; it writes a self-signed certificate and its private key into the one file:
-> sudo openssl req -new -x509 -days 3650 -nodes -out stunnel.pem -keyout stunnel.pem
The prompt will ask for some parameters; you can leave them blank and press enter. Because of -nodes the private key is stored unencrypted, so make the file readable by its owner only (mode 600). Each machine gets its own stunnel.pem; if you enable certificate verification (verify = 2 in the configurations below), the other machine needs a copy of the certificate part of this file (the BEGIN CERTIFICATE block), never the key.
Create the stunnel.master.conf file.
This file belongs on the server side, that is 1.1.1.1:
-> sudo vim stunnel.master.conf
and put the following data in it:
*************************************************************
cert = /home/stunnel/stunnel.pem
key = /home/stunnel/stunnel.pem
pid = /home/stunnel/stunnel_master.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = /home/stunnel/master_stunnel.log
; Use it for client mode
client = no
; Service-level configuration
[edb-psql]
accept = 1234
connect = 127.0.0.1:5432
;TIMEOUTclose = 0
; vim:ft=dosini
*********************************************
You will notice the line [edb-psql]. stunnel4 on Ubuntu is built with TCP wrappers, and that section name is the service name used in /etc/hosts.allow, so enter the following line there on 1.1.1.1:
edb-psql: 2.2.2.2
hosts.allow only grants access; to actually refuse everyone else, also add edb-psql: ALL to /etc/hosts.deny (TCP wrappers checks hosts.allow first, then hosts.deny, and allows the connection if neither file matches).
Create the stunnel.client.conf file.
This file belongs on the client side, that is 2.2.2.2:
-> sudo vim stunnel.client.conf
and put the following data in it:
*************************************************************
cert = /home/stunnel/stunnel.pem
key = /home/stunnel/stunnel.pem
pid = /home/stunnel/stunnel_client.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = /home/stunnel/client_stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[edb-psql]
accept = 4321
connect = 1.1.1.1:1234
;TIMEOUTclose = 0
; vim:ft=dosini
*********************************************
Here too the [edb-psql] section name is the service name for hosts.allow. On the client this listener is only used by local applications, so the entry in /etc/hosts.allow on 2.2.2.2 is:
edb-psql: 127.0.0.1
(again with edb-psql: ALL in /etc/hosts.deny). The server address 1.1.1.1 is a connect target here, not a connection source, so listing it in hosts.allow has no effect.
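Both configurations above leave ;verify = 2 commented out, so neither side checks the other's certificate: anyone able to intercept traffic between 2.2.2.2 and 1.1.1.1 can sit in the middle, and the client listener on 4321 is open on every interface. As an added example (not part of the original post), here is the post's client configuration condensed to its active lines next to a hardened client and server configuration, and a small POSIX shell lint that flags the weak settings. It assumes the certificate block of the server's stunnel.pem was copied to /home/stunnel/server.pem on the client and the client's to /home/stunnel/client.pem on the server (those file names are my choice), and that the stunnel4 user created by the Ubuntu package exists.

```shell
#!/bin/sh
# Added example, not part of the original post. IPs, ports and paths are the
# post's placeholders; server.pem / client.pem are assumed copies of the peer's
# certificate (never its key); stunnel4 is the Ubuntu package's service user.

# The post's client config as written: no peer verification, listener on all
# interfaces, running as root, debug = 7.
write_post_client_conf() {
  cat > "$1" <<'EOF'
cert = /home/stunnel/stunnel.pem
key = /home/stunnel/stunnel.pem
pid = /home/stunnel/stunnel_client.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;verify = 2
debug = 7
output = /home/stunnel/client_stunnel.log
client = yes
[edb-psql]
accept = 4321
connect = 1.1.1.1:1234
EOF
}

# Hardened client: loopback-only listener, server certificate pinned through
# CAfile (a self-signed certificate is its own CA), privileges dropped.
# The pid/log directory must be writable by the stunnel4 user.
write_hardened_client_conf() {
  cat > "$1" <<'EOF'
cert = /home/stunnel/stunnel.pem
key = /home/stunnel/stunnel.pem
pid = /home/stunnel/stunnel_client.pid
setuid = stunnel4
setgid = stunnel4
verify = 2
CAfile = /home/stunnel/server.pem
debug = 4
output = /home/stunnel/client_stunnel.log
client = yes
[edb-psql]
accept = 127.0.0.1:4321
connect = 1.1.1.1:1234
EOF
}

# Hardened server: the client's certificate is required (mutual TLS), so a
# connection from a spoofed or new IP is refused even if hosts.allow and the
# firewall are wrong.
write_hardened_server_conf() {
  cat > "$1" <<'EOF'
cert = /home/stunnel/stunnel.pem
key = /home/stunnel/stunnel.pem
pid = /home/stunnel/stunnel_master.pid
setuid = stunnel4
setgid = stunnel4
verify = 2
CAfile = /home/stunnel/client.pem
debug = 4
output = /home/stunnel/master_stunnel.log
client = no
[edb-psql]
accept = 1234
connect = 127.0.0.1:5432
EOF
}

# lint_stunnel_conf FILE: prints one line per finding, exits 1 if there are any.
lint_stunnel_conf() {
  f=$1; rc=0
  # Normalise: drop ';'/'#' comments and blank lines, trim, collapse " = " to "=".
  norm=$(sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
             -e 's/[[:space:]]*=[[:space:]]*/=/' -e '/^$/d' "$f")
  has() { printf '%s\n' "$norm" | grep -Eq "$1"; }
  if ! has '^verify=[23]$'; then
    echo "$f: no active 'verify = 2' line: peer certificate is never checked (MITM possible)"; rc=1
  elif ! has '^CA(file|path)='; then
    echo "$f: verify is set but there is no CAfile/CApath to check against"; rc=1
  fi
  if has '^client=yes$' && printf '%s\n' "$norm" | grep '^accept=' \
       | grep -Evq '^accept=(127\.0\.0\.1|localhost):'; then
    echo "$f: client-mode accept not bound to loopback: any host reaching the port gets a free tunnel"; rc=1
  fi
  if ! has '^setuid='; then
    echo "$f: no setuid: stunnel keeps root privileges"; rc=1
  fi
  if has '^debug=7$'; then
    echo "$f: debug = 7 is troubleshooting verbosity; lower it once the tunnel works"; rc=1
  fi
  return $rc
}

# Run with --demo to lint the post's client config and the hardened one.
if [ "${1-}" = "--demo" ]; then
  d=$(mktemp -d)
  write_post_client_conf "$d/client.conf"; write_hardened_client_conf "$d/client.hard.conf"
  for c in "$d/client.conf" "$d/client.hard.conf"; do
    lint_stunnel_conf "$c" && echo "$c: OK"
  done
  rm -rf "$d"
fi
```

Because CAfile points at a single self-signed certificate, verify = 2 pins that exact certificate: when either side regenerates its stunnel.pem, the copy on the peer has to be replaced or the handshake fails, which is the behaviour you want. The lint is deliberately simple (it does not parse multiple service sections separately), but it catches the four weak settings the sample configuration ships with.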
Section 4:
Run stunnel on 1.1.1.1:
-> sudo stunnel stunnel.master.conf
Check whether stunnel is running with:
-> ps -ef|grep stunnel
Run stunnel on 2.2.2.2 (note: the client configuration file here, not the master one):
-> sudo stunnel stunnel.client.conf
Check whether stunnel is running with:
-> ps -ef|grep stunnel
Run this command from 2.2.2.2 (the client, where port 4321 is listening) to check that the local tunnel endpoint is up:
-> telnet 127.0.0.1 4321
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
That means the local end of the tunnel is working. If the server side is unreachable or refuses the connection, the session is dropped right after it is accepted; in that case check both the master and the client stunnel.log files. You can also confirm from 2.2.2.2 that 1.1.1.1:5432 is not reachable directly and that 1.1.1.1:1234 only speaks TLS.
If everything is fine, you can now connect to the 1.1.1.1 database from 2.2.2.2 like this:
edb-psql -U [username] -h 127.0.0.1 -p 4321 -d [databasename]
The database sees the connection arriving from 127.0.0.1 on 1.1.1.1, so pg_hba.conf on the server only needs to allow the local address.
Here is the reference I used for stunnel:
http://www.stunnel.org/
If you are still not able to implement stunnel, mail me at jdformail@aol.com
Thanks,
Jaydeep Vishwakarma
Friday, September 4, 2009