1. Prepare a certificate
------------------------

either:
  request a certificate for your elog server from your web administrator
  - the private key must not be password-protected: stunnel is started at
    system bootup, with nobody there to type a passphrase
  - the 'common name' must be the host name under which users reach your
    elog server (the host part of its URL, e.g. elog.example.org)

or:
  create a self-signed certificate yourself with the OpenSSL package
  - as root user, create a self-signed certificate with the command

    root@localhost:# openssl req -new -x509 -config /etc/ssl/openssl.cnf -keyout stunnel.pem -out stunnel.pem -days 365 -nodes

  - this creates a self-signed certificate (-x509) with one year validity
    (-days 365) and no password protection for the private key (-nodes)
  - private key and certificate are written to the same file, "stunnel.pem"

Answer all questions, making sure that the 'common name' is the host name
under which users are to reach your elog server.

For more information on how to create and/or manage SSL certificates, see e.g.
http://www.ibiblio.org/pub/Linux/docs/HOWTO/SSL-Certificates-HOWTO

Notice: Unless your web administrator can procure a certificate signed by an
established CA, your elog users will be asked if they want to accept your
(unverifiable) certificate when connecting to your elog server. The connection
works either way, but a self-signed certificate cannot be told apart from one
presented by somebody sitting between the user and the server, so users who
click through the warning get encryption without authentication. Expect
questions from users who are unsure about this, and prefer a CA-signed
certificate where you can get one.

2. Adapt the certificate file to stunnel4 conventions
-----------------------------------------------------

The certificate file is named after the hash of its subject name, the same
convention OpenSSL uses for hashed certificate directories. Note that this is
a hash of the certificate's subject, not an MD5 checksum of the file:

- Retrieve the subject hash of your certificate with

    root@localhost:# openssl x509 -hash -noout -in stunnel.pem
    abcdefgh

  (the real output is eight hexadecimal digits; "abcdefgh" stands in for them
  in the following)
- Rename the certificate file accordingly

    root@localhost:# mv stunnel.pem abcdefgh.0

- Move the certificate file to the standard location, e.g. /etc/ssl/certs
- change the permissions of the file to -rw------- (readable by root only),
  since it contains the unencrypted private key
- make sure there is a blank line between
    -----END RSA PRIVATE KEY-----
  (or -----END PRIVATE KEY----- with newer OpenSSL releases) and
    -----BEGIN CERTIFICATE-----
  and a blank line after
    -----END CERTIFICATE-----
  in your certificate file.

3. Configure stunnel4
---------------------

Install the stunnel4 package (if not already done).

Modify the configuration file (e.g. /etc/stunnel/stunnel.conf, depending on
your distribution):

- general options:

    cert = /etc/ssl/certs/abcdefgh.0    ; put the name of your certificate file here
    debug = 4                           ; otherwise (default level 5) ALL connection
                                        ; attempts will be logged to your syslog
    pid = /var/run/stunnel4/stunnel.pid ; check where the other services write their
                                        ; pid-files, depends somewhat on the distribution

- comment out all lines containing chroot options
- comment out all CA lines
- comment out all service sections except the HTTPS section, which should look
  as follows

    [https]
    accept = 443        ; i.e. stunnel listens on port 443, the standard https port
    connect = 8080      ; and forwards all connections to port 8080 (use the port
                        ; under which your elogd is running here!)
    TIMEOUTclose = 0    ; for buggy MS Internet Explorers, see the stunnel4 manpage

Some Linux distributions require that in the file /etc/default/stunnel4 the
option ENABLED be set to ENABLED=1. If not, the stunnel will not be started at
system bootup.

Keep in mind that elogd itself still answers plain HTTP on port 8080; stunnel
only adds an encrypted front door. If users must not be able to bypass it,
restrict port 8080 with a firewall rule so that it is reachable only from the
local host.

4. Start the stunnel4 server
----------------------------

    root@localhost# stunnel4 /etc/stunnel/stunnel.conf

Your elog should now be accessible via https://your.elog.server
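The four steps above, scripted end to end, as an added example that is not part of this HOWTO nor of the elog or stunnel4 projects. It assumes the openssl command-line tool is installed, that elogd listens on port 8080 on the same host, uses elog.example.org as a placeholder host name, and works in a directory of your choice instead of /etc/ssl/certs. Beyond the steps themselves it adds the two checks worth running before starting stunnel: that the private key in the combined file really belongs to the certificate, and that the blank lines stunnel4 expects are present.

```shell
#!/bin/sh
# Added example (not from the elog or stunnel4 projects): scripts steps 1-4.
# Assumptions: the openssl command-line tool is installed; elogd listens on
# port 8080 on the same host; elog.example.org is a placeholder host name.
set -eu

# Step 1: self-signed certificate, one year, unencrypted key (-nodes), with
# the host name as common name. Key and certificate are written to separate
# files first, then joined with the blank lines stunnel4 expects (step 2).
make_cert() {   # make_cert <workdir> <hostname>  -> prints path of stunnel.pem
    mc_dir=$1 mc_cn=$2
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/CN=$mc_cn" \
        -keyout "$mc_dir/key.pem" -out "$mc_dir/cert.pem" 2>/dev/null
    { cat "$mc_dir/key.pem"; echo; cat "$mc_dir/cert.pem"; echo; } \
        > "$mc_dir/stunnel.pem"
    rm -f "$mc_dir/key.pem" "$mc_dir/cert.pem"
    chmod 600 "$mc_dir/stunnel.pem"      # the file holds the unencrypted private key
    echo "$mc_dir/stunnel.pem"
}

# Check: the private key and the certificate in the combined file belong
# together (compares the public key taken from each half).
key_matches_cert() {   # key_matches_cert <pemfile>
    km_cert=$(openssl x509 -noout -pubkey -in "$1")
    km_key=$(openssl pkey -pubout -in "$1" 2>/dev/null)
    [ -n "$km_cert" ] && [ "$km_cert" = "$km_key" ]
}

# Check: a blank line follows END ... PRIVATE KEY and END CERTIFICATE.
has_blank_separators() {   # has_blank_separators <pemfile>
    awk '/^-----END (RSA )?PRIVATE KEY-----$/ { want = NR + 1 }
         NR == want && $0 != ""               { bad = 1 }
         { last = $0 }
         END { exit (bad || last != "") ? 1 : 0 }' "$1"
}

# Step 2: hash of the certificate's subject name, which is what
# "openssl x509 -hash" prints (it is not a checksum of the file).
cert_hash() {   # cert_hash <pemfile>
    openssl x509 -hash -noout -in "$1"
}

install_cert() {   # install_cert <pemfile> <certdir>  -> prints installed path
    ic_hash=$(cert_hash "$1")
    mkdir -p "$2"
    mv "$1" "$2/$ic_hash.0"
    chmod 600 "$2/$ic_hash.0"
    echo "$2/$ic_hash.0"
}

# Step 3: minimal stunnel4 configuration, written to stdout.
write_conf() {   # write_conf <certpath> <pidfile> <elogd port>
    cat <<EOF
cert = $1
debug = 4
pid = $2

[https]
accept = 443
connect = 127.0.0.1:$3
TIMEOUTclose = 0
EOF
}

# Step 4 would then be: stunnel4 /etc/stunnel/stunnel.conf
# Demo run that does not touch /etc:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    pem=$(make_cert "$work" elog.example.org)
    key_matches_cert "$pem"     || { echo "key/cert mismatch" >&2; exit 1; }
    has_blank_separators "$pem" || { echo "missing blank lines" >&2; exit 1; }
    installed=$(install_cert "$pem" "$work/certs")
    write_conf "$installed" /var/run/stunnel4/stunnel.pid 8080 > "$work/stunnel.conf"
    echo "certificate: $installed"
    echo "config:      $work/stunnel.conf"
fi
```

The demo leaves the hashed certificate file and a stunnel.conf in a temporary directory; copy them to /etc/ssl/certs and /etc/stunnel yourself and adjust the cert path. `connect = 127.0.0.1:8080` is the explicit form of the `connect = 8080` used above and makes clear that stunnel only ever talks to elogd on the local host.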