It must be generated on the SERVER and is optional on the CLIENT. The PEM certificate should by default exist as /etc/stunnel/stunnel.pem Ii stunnel4 3:4.22-2 Universal SSL tunnel for network daemons Ii stunnel 3:4.22-2 dummy upgrade package |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) | Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend # dpkg -l 'stunnel*' Desired=Unknown/Install/Remove/Purge/Hold The installed version of stunnel can be obtained from: Not creating home directory `/var/run/stunnel4'. Īdding new user `stunnel4' (UID 104) with group `stunnel4'. Warning: The home dir /var/run/stunnel4 you specified can't be accessed: No such file or directoryĪdding system user `stunnel4' (UID 104). Selecting previously deselected package stunnel. 19375 files and directories currently installed.) Selecting previously deselected package stunnel4. The following NEW packages will be installed:Ġ upgraded, 2 newly installed, 0 to remove and 0 not upgraded.Īfter this operation, 434kB of additional disk space will be used. The following extra packages will be installed: The following is a sample output during the install: If all goes well, you will get stunnel v4 installed. On both hosts' (SERVER and CLIENT) console, execute: (same as Remote-DB-Host's Incoming SSH Port) To be configured MySQL Client SSH Outgoing Port: 3320 To be configured MySQL Client Access Port: 3310 To be configured Incoming SSH MySQL Port: 3320 Let us assume the following for reference: We need to enable a MySQL client on the Data-Accessing-Host to access a MySQL DB in the Remote-DB-Host in a secure manner (SSH Wrapped). We further assume that each host has it's own MySQL daemon running on the normal port 3306. Sometimes it is necessary to use a SSH Wrapper - stunnel4 / stunnel3 - for example if we have a server with a MySQL daemon on it that needs to have some databases accessed from another server's MySQL client.įor the sake of simplicity, I assume that both are OpenVZ DAB generated appliances having host names Remote-DB-Host (SERVER) and Data-Accessing-Host (CLIENT). 9.1 Updated Autostart for "insserv" based containers.In the end though, if you have no other option, this should work. Packets are encrypted twice: once by ssh and once by stunnel. Finally, sshd is listening on :22 so it receives the connection from Stunnel, allowing the user to log in.Stunnel is listening on port 70 at and when it receives the connection from Apache, it sends it to port 22 on.ProxyTunnel is listening on port 70, so it takes that connection from Stunnel and sends it to :70 through :1080.Stunnel is listening on port 22 on the localhost, so it receives that connection and sends it on to port 70 also on the localhost.The ssh client connects to port 22 on the localhost.Start your ssh client and connect to 127.0.0.1:22. If not, pass the config line as a command line argument to stunnel. If the nf file is in the default location, no command line arguments are needed. Start proxytunnel using the command shown above.Restart stunnel on the server side, and open up port 70 on the firewall. On the client PC, this is the proxytunnel command line you'll need to use:Ĭ:\>proxytunnel.exe -p :1080 -d :70 -a 70 Start by creating a certificate and key to be used by Stunnel (or reuse the web server certificate if you already have one).Ĭonfigure Stunnel on the server ( /etc/stunnel/nf) as follows:Īlso on the server, configure libwrap In /etc/hosts.allow:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |