Changeset 47274444 for postlfs/security/stunnel.xml
- Timestamp:
- 03/24/2020 07:19:44 PM (4 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- fa3edfef
- Parents:
- 914049f6
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
postlfs/security/stunnel.xml
r914049f6 r47274444 33 33 <title>Introduction to stunnel</title> 34 34 35 <para>The <application>stunnel</application> package contains a program 36 that allows you to encrypt arbitrary TCP connections inside SSL (Secure 37 Sockets Layer) so you can easily communicate with clients over secure 38 channels. <application>stunnel</application> can be used to add SSL 39 functionality to commonly used <application>Inetd</application> daemons 40 such as POP-2, POP-3, and IMAP servers, along with standalone daemons such 41 as NNTP, SMTP, and HTTP. <application>stunnel</application> can also be 42 used to tunnel PPP over network sockets without changes to the server 43 package source code.</para> 35 <para> 36 The <application>stunnel</application> package contains a program 37 that allows you to encrypt arbitrary TCP connections inside SSL (Secure 38 Sockets Layer) so you can easily communicate with clients over secure 39 channels. <application>stunnel</application> can be used to add SSL 40 functionality to commonly used <application>Inetd</application> daemons 41 such as POP-2, POP-3, and IMAP servers, along with standalone daemons 42 such as NNTP, SMTP, and HTTP. <application>stunnel</application> can 43 also be used to tunnel PPP over network sockets without changes to the 44 server package source code. 45 </para> 44 46 45 47 &lfs91_checked; … … 48 50 <itemizedlist spacing="compact"> 49 51 <listitem> 50 <para>Download (HTTP): <ulink url="&stunnel-download-http;"/></para> 51 </listitem> 52 <listitem> 53 <para>Download (FTP): <ulink url="&stunnel-download-ftp;"/></para> 54 </listitem> 55 <listitem> 56 <para>Download MD5 sum: &stunnel-md5sum;</para> 57 </listitem> 58 <listitem> 59 <para>Download size: &stunnel-size;</para> 60 </listitem> 61 <listitem> 62 <para>Estimated disk space required: &stunnel-buildsize;</para> 63 </listitem> 64 <listitem> 65 <para>Estimated build time: &stunnel-time;</para> 52 <para> 53 Download (HTTP): <ulink url="&stunnel-download-http;"/> 54 </para> 55 </listitem> 56 <listitem> 57 <para> 58 Download (FTP): <ulink url="&stunnel-download-ftp;"/> 59 </para> 60 </listitem> 61 <listitem> 62 <para> 63 Download MD5 sum: &stunnel-md5sum; 64 </para> 65 </listitem> 66 <listitem> 67 <para> 68 Download size: &stunnel-size; 69 </para> 70 </listitem> 71 <listitem> 72 <para> 73 Estimated disk space required: &stunnel-buildsize; 74 </para> 75 </listitem> 76 <listitem> 77 <para> 78 Estimated build time: &stunnel-time; 79 </para> 66 80 </listitem> 67 81 </itemizedlist> … … 71 85 <bridgehead renderas="sect4">Optional</bridgehead> 72 86 <para role="optional"> 73 <ulink url="http://netcat.sourceforge.net/">netcat</ulink> (required for tests), 74 <ulink url="ftp://ftp.porcupine.org/pub/security/">tcpwrappers</ulink> and 87 <ulink url="http://netcat.sourceforge.net/">netcat</ulink> 88 (required for tests), 89 <ulink url="ftp://ftp.porcupine.org/pub/security/">tcpwrappers</ulink>, 90 and 75 91 <ulink url="https://dist.torproject.org/">TOR</ulink> 76 92 </para> … … 84 100 <title>Installation of stunnel</title> 85 101 86 <para>The <command>stunnel</command> daemon will be run in a 87 <command>chroot</command> jail by an unprivileged user. Create the 88 new user and group using the following commands as the 89 <systemitem class="username">root</systemitem> user:</para> 102 <para> 103 The <command>stunnel</command> daemon will be run in a 104 <command>chroot</command> jail by an unprivileged user. Create the 105 new user and group using the following commands as the 106 <systemitem class="username">root</systemitem> user: 107 </para> 90 108 91 109 <screen role="root"><userinput>groupadd -g 51 stunnel && … … 94 112 95 113 <note> 96 <para>A signed SSL Certificate and a Private Key is necessary to run the 97 <command>stunnel</command> daemon. After the package is installed, there 98 are instructions to generate them. However, if you own or have already 99 created a signed SSL Certificate you wish to use, copy it to 100 <filename>/etc/stunnel/stunnel.pem</filename> before starting the build 101 (ensure only <systemitem class="username">root</systemitem> has read and 102 write access). The <filename class="extension">.pem</filename> file must 103 be formatted as shown below:</para> 114 <para> 115 A signed SSL Certificate and a Private Key is necessary to run the 116 <command>stunnel</command> daemon. After the package is installed, 117 there are instructions to generate them. However, if you own or have 118 already created a signed SSL Certificate you wish to use, copy it to 119 <filename>/etc/stunnel/stunnel.pem</filename> before starting the 120 build (ensure only <systemitem class="username">root</systemitem> has 121 read and write access). The <filename class="extension">.pem</filename> 122 file must be formatted as shown below: 123 </para> 104 124 105 125 <screen><literal>-----BEGIN PRIVATE KEY----- … … 112 132 <replaceable><encrypted lines of dh parms></replaceable> 113 133 -----END DH PARAMETERS-----</literal></screen> 134 114 135 </note> 115 136 116 <para>Install <application>stunnel</application> by running the following 117 commands:</para> 137 <para> 138 Install <application>stunnel</application> by running the following 139 commands: 140 </para> 118 141 119 142 <note> 120 <para>For some systems with <application>binutils</application> 121 versions prior to 2.25, <command>configure</command> may fail. If 122 necessary, fix it either with:</para> 143 <para> 144 For some systems with <application>binutils</application> 145 versions prior to 2.25, <command>configure</command> may fail. If 146 necessary, fix it either with: 147 </para> 123 148 124 149 <screen><userinput>sed -i '/LDFLAGS.*static_flag/ s/^/#/' configure</userinput></screen> 125 150 126 <para>or, if <xref linkend="llvm"/> with Clang is installed, you can 127 replace <command>./configure ...</command> with <command>CC=clang 128 ./configure ...</command> in the first command below.</para> 151 <para> 152 or, if <xref linkend="llvm"/> with Clang is installed, you can 153 replace <command>./configure ...</command> with <command>CC=clang 154 ./configure ...</command> in the first command below. 155 </para> 129 156 </note> 130 157 … … 140 167 make</userinput></screen> 141 168 142 <para>If you have installed the optional netcat application, the 143 regression tests can be run with <command>make check</command>.</para> 144 145 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 169 <para> 170 If you have installed the optional netcat application, the 171 regression tests can be run with <command>make check</command>. 172 </para> 173 174 <para> 175 Now, as the <systemitem class="username">root</systemitem> user: 176 </para> 146 177 147 178 <screen role="root"><userinput>make docdir=/usr/share/doc/stunnel-&stunnel-version; install</userinput></screen> … … 154 185 <screen role="root" revision="systemd"><userinput>install -v -m644 tools/stunnel.service /lib/systemd/system</userinput></screen> 155 186 156 <para>If you do not already have a signed SSL Certificate and Private Key, 157 create the <filename>stunnel.pem</filename> file in the 158 <filename class="directory">/etc/stunnel</filename> directory using the 159 command below. You will be prompted to enter the necessary 160 information. Ensure you reply to the</para> 187 <para> 188 If you do not already have a signed SSL Certificate and Private Key, 189 create the <filename>stunnel.pem</filename> file in the 190 <filename class="directory">/etc/stunnel</filename> directory using the 191 command below. You will be prompted to enter the necessary 192 information. Ensure you reply to the 193 </para> 161 194 162 195 <screen><prompt>Common Name (FQDN of your server) [localhost]:</prompt></screen> 163 196 164 <para>prompt with the name or IP address you will be using 165 to access the service(s).</para> 166 167 <para>To generate a certificate, as the 168 <systemitem class="username">root</systemitem> user, issue:</para> 197 <para> 198 prompt with the name or IP address you will be using 199 to access the service(s). 200 </para> 201 202 <para> 203 To generate a certificate, as the 204 <systemitem class="username">root</systemitem> user, issue: 205 </para> 169 206 170 207 <screen role="root"><userinput>make cert</userinput></screen> … … 175 212 <title>Command Explanations</title> 176 213 177 <para revision="sysv"><parameter>--disable-systemd</parameter>: This switch 178 disables systemd socket activation support which is not available in 179 BLFS.</para> 180 181 <para><command>make docdir=... install</command>: This command installs the 182 package and changes the documentation installation directory to standard 183 naming conventions.</para> 214 <para revision="sysv"> 215 <parameter>--disable-systemd</parameter>: This switch disables systemd 216 socket activation support which is not available in BLFS. 217 </para> 218 219 <para> 220 <command>make docdir=... install</command>: This command installs the 221 package and changes the documentation installation directory to standard 222 naming conventions. 223 </para> 184 224 185 225 </sect2> … … 191 231 <title>Config Files</title> 192 232 193 <para><filename>/etc/stunnel/stunnel.conf</filename></para> 233 <para> 234 <filename>/etc/stunnel/stunnel.conf</filename> 235 </para> 194 236 195 237 <indexterm zone="stunnel stunnel-config"> … … 202 244 <title>Configuration Information</title> 203 245 204 <para>As the <systemitem class="username">root</systemitem> user, 205 create the directory used for the 206 <filename class="extension">.pid</filename> file created 207 when the <application>stunnel</application> daemon starts:</para> 246 <para> 247 As the <systemitem class="username">root</systemitem> user, 248 create the directory used for the 249 <filename class="extension">.pid</filename> file created 250 when the <application>stunnel</application> daemon starts: 251 </para> 208 252 209 253 <screen role="root"><userinput>install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run && 210 254 chown stunnel:stunnel /var/lib/stunnel</userinput></screen> 211 255 212 <para>Next, create a basic <filename>/etc/stunnel/stunnel.conf</filename> 213 configuration file using the following commands as the 214 <systemitem class="username">root</systemitem> user:</para> 256 <para> 257 Next, create a basic <filename>/etc/stunnel/stunnel.conf</filename> 258 configuration file using the following commands as the 259 <systemitem class="username">root</systemitem> user: 260 </para> 215 261 216 262 <screen role="root"><userinput>cat >/etc/stunnel/stunnel.conf << "EOF" … … 239 285 EOF</userinput></screen> 240 286 241 <para>Finally, add the service(s) you wish to encrypt to the 242 configuration file. The format is as follows:</para> 287 <para> 288 Finally, add the service(s) you wish to encrypt to the 289 configuration file. The format is as follows: 290 </para> 243 291 244 292 <screen><literal>[<replaceable><service></replaceable>] … … 246 294 connect = <replaceable><hostname:portnumber></replaceable></literal></screen> 247 295 248 <para>If you use <application>stunnel</application> to encrypt a daemon 249 started from <command>[x]inetd</command>, you may need to disable that 250 daemon in the <filename>/etc/[x]inetd.conf</filename> file and enable a 251 corresponding <replaceable><service></replaceable>_stunnel service. You 252 may have to add an appropriate entry in <filename>/etc/services</filename> 253 as well.</para> 254 255 <para>For a full explanation of the commands and syntax used in the 256 configuration file, issue <command>man stunnel</command>.</para> 296 <para> 297 If you use <application>stunnel</application> to encrypt a daemon 298 started from <command>[x]inetd</command>, you may need to disable that 299 daemon in the <filename>/etc/[x]inetd.conf</filename> file and enable a 300 corresponding <replaceable><service></replaceable>_stunnel 301 service. You may have to add an appropriate entry in 302 <filename>/etc/services</filename> as well. 303 </para> 304 305 <para> 306 For a full explanation of the commands and syntax used in the 307 configuration file, issue <command>man stunnel</command>. 308 </para> 257 309 258 310 </sect3> … … 262 314 <phrase revision="systemd">Systemd Unit</phrase></title> 263 315 264 <para revision="sysv">To automatically start the 265 <command>stunnel</command> daemon when the system is booted, install the 266 <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the 267 <xref linkend="bootscripts"/> package.</para> 268 269 <para revision="systemd">To start the <command>stunnel</command> 270 daemon at boot, enable the previously installed 271 <application>systemd</application> unit by running the following command 272 as the <systemitem class="username">root</systemitem> user:</para> 316 <para revision="sysv"> 317 To automatically start the <command>stunnel</command> daemon when the 318 system is booted, install the 319 <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the 320 <xref linkend="bootscripts"/> package. 321 </para> 322 323 <para revision="systemd"> 324 To start the <command>stunnel</command> 325 daemon at boot, enable the previously installed 326 <application>systemd</application> unit by running the following 327 command as the <systemitem class="username">root</systemitem> user: 328 </para> 273 329 274 330 <indexterm zone="stunnel stunnel-init"> … … 314 370 <term><command>stunnel</command></term> 315 371 <listitem> 316 <para> is a program designed to work as an SSL 317 encryption wrapper between remote clients and local 318 (<command>{x}inetd</command>-startable) or remote servers.</para> 372 <para> 373 is a program designed to work as an SSL 374 encryption wrapper between remote clients and local 375 (<command>{x}inetd</command>-startable) or remote servers. 376 </para> 319 377 <indexterm zone="stunnel stunnel-prog"> 320 378 <primary sortas="b-stunnel">stunnel</primary> … … 326 384 <term><command>stunnel3</command></term> 327 385 <listitem> 328 <para>is a <application>Perl</application> wrapper script to use 329 <command>stunnel</command> 3.x syntax with <command>stunnel</command> 330 >=4.05.</para> 386 <para> 387 is a <application>Perl</application> wrapper script to use 388 <command>stunnel</command> 3.x syntax with 389 <command>stunnel</command> 4.05 or later. 390 </para> 331 391 <indexterm zone="stunnel stunnel3"> 332 392 <primary sortas="b-stunnel3">stunnel3</primary> … … 338 398 <term><filename class='libraryfile'>libstunnel.so</filename></term> 339 399 <listitem> 340 <para> contains the API functions required by 341 <application>stunnel</application>.</para> 400 <para> 401 contains the API functions required by 402 <application>stunnel</application>. 403 </para> 342 404 <indexterm zone="stunnel libstunnel"> 343 405 <primary sortas="c-libstunnel">libstunnel.so</primary>
Note:
See TracChangeset
for help on using the changeset viewer.