1. Prepare a certificate
------------------------
either: request a certificate for your elog URL from your web administrator
- the private key must not be password-protected (stunnel has to read it unattended
whenever it starts)
- the 'common name' must be the host name under which users reach your elog server,
i.e. the host part of the URL (your.elog.server), not the full URL
or: create a self-signed certificate yourself with the OpenSSL package
- as root user, create a self-signed certificate with the command
root@localhost:# openssl req -new -x509 -config /etc/ssl/openssl.cnf -keyout stunnel.pem -out stunnel.pem -days 365 -nodes
- this creates a self-signed certificate (-x509) with one year validity (-days 365)
and no password protection for the private key (-nodes)
- private key and certificate are written to the same file, "stunnel.pem"
Answer all questions, making sure that the 'common name' is the host name under which
users are to reach your elog server.
For more information on how to create and/or manage SSL certificates, see e.g.
http://www.ibiblio.org/pub/Linux/docs/HOWTO/SSL-Certificates-HOWTO
Notice: Unless your web administrator can procure a certificate signed by an established
CA, your elog users' browsers will warn that your (self-signed, hence unverifiable)
certificate cannot be checked and will ask whether to accept it. The connection is still
encrypted, but a user has no way of telling your certificate from one substituted by an
attacker sitting between browser and server, so pass the certificate's fingerprint to your
users by some other channel (mail, intranet page) and tell them to accept only a matching
one. Expect questions from users who are unsure what the warning means.
2. Adapt the certificate file to stunnel4 conventions
-----------------------------------------------------
The certificate file is named after the hash of its subject name, as printed by
'openssl x509 -hash' (eight hex digits; this is OpenSSL's naming convention for hashed
certificate directories, not a checksum of the file contents):
- Retrieve the subject hash of your certificate with
root@localhost:# openssl x509 -hash -noout -in stunnel.pem
abcdefgh
('abcdefgh' stands for the eight hex digits you actually get)
- Rename the certificate file accordingly
root@localhost:# mv stunnel.pem abcdefgh.0
- Move the certificate file to the standard location, e.g. /etc/ssl/certs (the file also
holds the private key, so a directory reserved for key material such as /etc/ssl/private
is the safer place)
- change the permissions of the file to -rw------- (chmod 600) so that only its owner
(root, when stunnel is started as root as shown below) can read the private key
- make sure there is a blank line between
-----END PRIVATE KEY----- (or -----END RSA PRIVATE KEY-----, depending on your
OpenSSL version) and -----BEGIN CERTIFICATE-----
and a blank line after
-----END CERTIFICATE-----
in your certificate file.
3. Configure stunnel4
---------------------
Install the stunnel4 package (if not already done).
Modify the configuration file (e.g. /etc/stunnel/stunnel.conf, depending on your
distribution):
- general options:
cert = /etc/ssl/certs/abcdefgh.0 ; put the name of your certificate file here
debug = 4 ; otherwise ALL connection attempts will be logged to your syslog
pid = /var/run/stunnel4/stunnel.pid ; check where the other services write their pid-files, depends
; somewhat on the distribution
- comment out all lines containing chroot options (chroot is a hardening measure; it is
dropped here because the absolute paths used in this example would not resolve inside
the chroot directory)
- comment out all CA lines (CAfile, CApath, verify and the like: they serve to verify the
peer's certificate, which is not wanted here since browsers do not present one)
- comment out all service sections except the HTTPS section, which should look as follows
[https]
accept = 443 ; i.e. stunnel listens on port 443, the standard https port
connect = 8080 ; and forwards all connections to port 8080 (use the port under which
; your elogd is running here!)
TIMEOUTclose = 0 ; for buggy MS Internet Explorers, see the stunnel4 manpage
Note that stunnel only protects what arrives on port 443: elogd's own port (8080 here)
stays reachable unencrypted unless you restrict elogd to local connections or block that
port in your firewall, so users cannot bypass TLS by going to port 8080 directly.
Some Linux distributions require that in the file /etc/default/stunnel4 the option ENABLED be set
to ENABLED=1. If not, stunnel will not be started at system bootup.
4. Start the stunnel4 server
----------------------------
root@localhost# stunnel4 /etc/stunnel/stunnel.conf
Your elog should now be accessible via
https://your.elog.server
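The four steps above, carried through as an added shell example (not part of the original
elog/stunnel4 notes, nor of either project): it generates the certificate, normalizes and
installs the PEM file under the hashed name with mode 0600, writes the stunnel.conf shown
in step 3 and checks the result. It works in a scratch directory instead of /etc/ssl so it
runs without root, and it never starts stunnel. The host name elog.example.org, the ports,
all paths and the function names (make_selfsigned_cert, hashed_name, ...) are assumptions
made for this example; everything else is the commands from the steps above.

```shell
#!/bin/sh
# Added example, not part of the original ELOG/stunnel4 notes: steps 1-4 of the
# procedure as shell functions. It works in a scratch directory instead of
# /etc/ssl (so it runs without root) and never starts stunnel; host name
# elog.example.org, the ports and all paths below are placeholders.
set -eu

# Step 1: self-signed certificate plus unencrypted key (-nodes) in one file.
# -subj answers the interactive questions; the CN must be the host name users type.
make_selfsigned_cert() {            # <out.pem> <host name>
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$2" -keyout "$1" -out "$1" 2>/dev/null
}

# The CN the certificate actually carries (what a browser compares with the URL).
cert_cn() {                         # <pem>
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *CN=//'
}

# Step 2: file name = 8-hex-digit subject-name hash from 'openssl x509 -hash', plus ".0".
hashed_name() {                     # <pem>
    printf '%s.0\n' "$(openssl x509 -hash -noout -in "$1")"
}

# Step 2: blank line after the key block and after the certificate, as the notes
# require. Matches "END PRIVATE KEY" (PKCS#8, newer OpenSSL) and "END RSA PRIVATE KEY".
normalize_pem() {                   # <pem>  (rewritten in place)
    awk '
        /^-----END .*PRIVATE KEY-----$/ { print; print ""; next }
        /^-----END CERTIFICATE-----$/   { print; print ""; next }
        /^$/                            { next }   # drop old blank lines: idempotent
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 2: copy to the hashed name with mode 0600 (the file contains the private key).
install_cert() {                    # <pem> <dest dir>  -> prints the installed path
    name=$(hashed_name "$1")
    mkdir -p "$2"
    cp "$1" "$2/$name"
    chmod 0600 "$2/$name"
    printf '%s\n' "$2/$name"
}

# Check: nobody but the owner may read the key file.
key_perms_ok() {                    # <file>  -> exit status 0 when the mode is 0600
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Step 3: the minimal stunnel.conf from the notes: no chroot, no CA/verify lines,
# a single [https] service that terminates TLS on $2 and forwards to elogd on $3.
stunnel_conf() {                    # <cert path> <listen port> <elogd port>
    cat <<EOF
cert = $1
debug = 4
pid = /var/run/stunnel4/stunnel.pid

[https]
accept = $2
connect = $3
TIMEOUTclose = 0
EOF
}

# Walk through all steps in a temp dir and print what a real install would get.
demo() {                            # run:  sh elog-stunnel.sh demo
    work=$(mktemp -d)
    make_selfsigned_cert "$work/stunnel.pem" elog.example.org
    normalize_pem "$work/stunnel.pem"
    cert=$(install_cert "$work/stunnel.pem" "$work/private")
    printf 'certificate CN : %s\n' "$(cert_cn "$cert")"
    printf 'installed as   : %s\n' "$cert"
    printf 'key mode 0600  : %s\n' "$(key_perms_ok "$cert" && echo yes || echo no)"
    printf '%s\n' '--- stunnel.conf ---'
    stunnel_conf "$cert" 443 8080
}
case "${1:-}" in demo) demo ;; esac
```

To use it for a real installation, point install_cert at your key directory and write the
output of stunnel_conf to /etc/stunnel/stunnel.conf; the key_perms_ok check is worth
repeating after any copy, since cp and editors do not preserve the 0600 mode reliably.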