Installing and Using Stunnel

Concept and Purpose

Wikipedia describes Stunnel as a free, cross-platform program that provides a general-purpose TLS/SSL tunnelling service. In plainer terms, Stunnel is a tool that wraps the connection between a server and a client in encrypted TLS. A comparable approach is building a secure tunnel with SSH.

Example scenario: a LAN contains one host with a public address that is reachable from outside. When services and applications running on that host or on other internal hosts (MySQL, MongoDB, Hive, Spark, HTTP, a shell, and so on) need to be called securely from outside, Stunnel can be configured on the public host to map each internal service's address and port onto an open port of the public host and expose that port. The outside party runs its own Stunnel, configured to connect to the public address and the corresponding port, and reaches the service through it.

Installation and Configuration

  • Install:

yum -y install stunnel

  • Create the user the service runs as:

useradd stunnel

  • Create the certificate used to encrypt the connection, and copy it to both stunnel endpoints that need to talk to each other:

cd /etc/pki/tls/certs/
make stunnel.pem
mv stunnel.pem /etc/stunnel/
chown stunnel:root /etc/stunnel/stunnel.pem

Stunnel will not start without a certificate. Because the service unit below runs stunnel as the stunnel user, that user needs read access to stunnel.pem; otherwise startup fails, and journalctl -xe shows the error: Error reading certificate file: /etc/stunnel/stunnel.pem … Permission denied.

  • Create stunnel.conf and configure at least one endpoint:

An endpoint performs the port mapping. Endpoints are either server-side or client-side; client = yes marks the client side.

Server-side stunnel.conf:

pid=/var/run/stunnel/stunnel.pid

;foreground=yes
;debug=debug
;output=/data2/log/stunnel/stunnel.log
;fips=no
; TLS compression is off by default; enabling it exposes the tunnelled data to compression side channels
;compression=zlib

; "options" takes OpenSSL option names without the SSL_OP_ prefix; a leading "-"
; clears an option instead of setting it, so the SSLv3 line must not carry one
;options=NO_SSLv3
;options=SINGLE_ECDH_USE
;options=SINGLE_DH_USE

; cert can be set globally or per endpoint
;cert=/etc/stunnel/stunnel.pem
;key=/etc/stunnel/stunnel.pem

; sslVersion pins a single protocol version (here TLS 1.0); leave it unset so both sides negotiate the newest version they support
;sslVersion = TLSv1
;socket = l:TCP_NODELAY=1
;socket = r:TCP_NODELAY=1

; custom service name squid-proxy
[squid-proxy]
; port this service listens on; the client connects to it to talk to the server
accept = 3129
; port the service connects to: squid's 3128, where the decrypted data is delivered
connect = 3128

[mysql]
accept = 13069
connect = 172.31.22.12:3306
cert=/etc/stunnel/stunnel.pem

; TLS front-end to a web server
;[https]
;accept  = 443
;connect = 80
;cert = /usr/local/etc/stunnel/stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0

; Remote shell protected with PSK-authenticated TLS
; Create "/usr/local/etc/stunnel/secrets.txt" containing IDENTITY:KEY pairs
;
;accept = 1337
;exec = /bin/sh
;execArgs = sh -i
;PSKsecrets = /usr/local/etc/stunnel/secrets.txt

Client-side stunnel.conf:

pid=/var/run/stunnel/stunnel.pid

; define a service
[squid-proxy]
client = yes
; listen on 3128, so the proxy setting in the user's browser is stunnel-client-ip:3128
accept = 3128
; IP and port of the stunnel server to connect to
connect = xx.xx.xx.xx:3129
; verify the certificate the peer presents
verify = 2
; file used for that verification (it contains the stunnel server's certificate)
CAfile = /etc/stunnel/stunnel-server.pem

; the entries below set cert but not verify/CAfile: cert only identifies this client
; to the server, so these clients accept whatever certificate the server presents
[mongo_cm]
client = yes
accept = 172.16.0.3:21001
connect = 52.52.52.52:21001
cert = /etc/stunnel/stunnel.pem

[hadoop]
client = yes
accept = 0.0.0.0:50070
connect = 175.25.21.94:50070
cert = /etc/stunnel/stunnel.pem

[spark]
client = yes
accept = 127.0.0.1:10002
connect = 182.92.129.158:10001
cert = /etc/stunnel/spark-158.pem

[gfw_tokyo_aws]
client = yes
accept = 0.0.0.0:8889
connect = 56.26.22.45:2465
cert = /etc/stunnel/tokyo-158.pem
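Of the client entries above, only [squid-proxy] sets verify and CAfile; the others set cert alone, which does not authenticate the server. The following Python script is an added example (not part of this post or of stunnel itself): it parses a stunnel.conf in the format used here and lists endpoints that are weaker than they look. It assumes the numeric verify option used in this post and does not inspect the newer verifyChain/verifyPeer keys; the 203.0.113.x addresses in its constructed sample are placeholders.

```python
from typing import Dict, List, Tuple


def parse_stunnel_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Parse stunnel.conf: 'key = value' lines, ';' or '#' comments, global options
    before the first [service] header, then one block of options per endpoint."""
    global_opts: Dict[str, str] = {}
    services: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    return global_opts, services


def lint_services(text: str) -> List[str]:
    """One finding per endpoint that is weaker than it looks; per-service options override global ones."""
    global_opts, services = parse_stunnel_conf(text)
    findings: List[str] = []
    for name, opts in services.items():
        merged = {**global_opts, **opts}
        if merged.get("client", "no").lower() == "yes":
            # 'cert' on a client only identifies the client; without verify >= 2 plus a
            # CAfile/CApath the client accepts whatever certificate the server presents.
            level = merged.get("verify", "0")
            if not level.isdigit() or int(level) < 2:
                findings.append(f"[{name}]: client does not verify the server certificate")
            elif "CAfile" not in merged and "CApath" not in merged:
                findings.append(f"[{name}]: verify = {level} but no CAfile/CApath to check against")
            # The client's accept side is plaintext; no host (or 0.0.0.0) binds all interfaces.
            if merged.get("accept", "").rpartition(":")[0] in ("", "0.0.0.0"):
                findings.append(f"[{name}]: plaintext accept side listens on all interfaces")
        elif "cert" not in merged:
            findings.append(f"[{name}]: server-side service has no cert (required in server mode)")
    return findings


# Constructed sample modelled on this post's configs; 203.0.113.x are placeholder addresses.
SAMPLE = "\n".join([
    "[squid-proxy]", "client = yes", "accept = 3128", "connect = 203.0.113.10:3129",
    "verify = 2", "CAfile = /etc/stunnel/stunnel-server.pem",
    "[spark]", "client = yes", "accept = 127.0.0.1:10002", "connect = 203.0.113.20:10001",
    "cert = /etc/stunnel/spark-158.pem", "[mysql]", "accept = 13069", "connect = 172.31.22.12:3306",
])
```

Calling lint_services(SAMPLE) reports the squid-proxy listener on all interfaces, the spark client that never verifies the server, and the mysql server entry with no cert; run it against /etc/stunnel/stunnel.conf on both ends after editing.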
  • Create /usr/lib/systemd/system/stunnel.service so that systemd manages stunnel:

; systemd unit for stunnel. Put this file in
; /etc/systemd/system/stunnel.service or /usr/lib/systemd/system/stunnel.service

[Unit]
Description=SSL tunnel for network daemons
After=syslog.target

[Service]
Type=forking
# /var/run is a tmpfs, so the directory for the pid file named in stunnel.conf must be created at every start
ExecStartPre=/usr/bin/mkdir -p /var/run/stunnel
# the two lines below are only needed together with User=stunnel
#PermissionsStartOnly=true
#ExecStartPre=/usr/bin/chown -R stunnel /var/run/stunnel
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
# systemd does not expand shell syntax such as $(pgrep stunnel), so an ExecStop of
# "kill -9 $(pgrep stunnel)" cannot work; with PIDFile set, the default stop action
# (SIGTERM to the main process) is used instead, and there is no ExecStatus directive:
# use "systemctl status stunnel"
PIDFile=/var/run/stunnel/stunnel.pid
#User=stunnel

Restart=always
#Restart=on-failure
#RestartSec=5s

[Install]
WantedBy=multi-user.target

Then enable and start the unit:

systemctl enable stunnel
systemctl start stunnel
systemctl status stunnel

This article is published under the Attribution-NonCommercial-ShareAlike 4.0 licence. You are welcome to repost, use and republish it, provided you keep the author attribution wanghengbin (including the link https://wanghengbin.com), do not use it for commercial purposes, and release works derived from it under the same licence.
