Stunnel + haproxy SSL and problem records

Document directory
  • About SSL certificates
  • Others
  • Install haproxy by the way:
  • Some practical problems and solutions

Recently I have been using Stunnel as a transparent proxy together with haproxy as an SSL solution. Stunnel sits between the user and the original reverse proxy, so that the user-to-Stunnel leg uses SSL while the real web server behind Stunnel does not bear the HTTPS overhead.

Here is a record of the configuration process and the problems met along the way. The following installation steps were configured successfully on CentOS and Ubuntu:

First, obtain the installation package from the Stunnel official website. Because Stunnel needs to be patched for haproxy, and the current patch provided by haproxy is for version 4.32, Stunnel 4.32 is chosen; it can be found under ftp://ftp.stunnel.org/stunnel/obsolete/4.x/ on the official FTP site. Here rsync is used to fetch it:

   rsync rsync.stunnel.org::stunnel/obsolete/4.x/stunnel-4.32.tar.gz stunnel-4.32.tar.gz
   wget http://haproxy.1wt.eu/download/patches/stunnel-4.32-xforwarded-for.diff
   tar -zxvf stunnel-4.32.tar.gz
   cd stunnel-4.32
   patch -p1 < ../stunnel-4.32-xforwarded-for.diff
   ./configure
   make && make install

If "couldn't find your SSL library installation dir" appears during the above process, the OpenSSL development files are missing. Install them and then repeat the above steps. On Ubuntu:

   apt-get install libcurl3-openssl-dev

Or, on CentOS:

   yum install openssl-devel

Configure stunnel.conf:

   sslVersion=all
   fips=no
   cert=/usr/local/etc/stunnel/stunnel.pem
   CAfile=/usr/local/etc/stunnel/cacert.pem
   pid=/var/run/stunnel.pid
   setuid=root
   setgid=root

   socket=l:TCP_NODELAY=1
   socket=r:TCP_NODELAY=1
   output=/var/log/stunnel.log

   [https]
   accept=443
   connect=127.0.0.1:8080
   TIMEOUTclose=0
   xforwardedfor=yes

-----------------------------------------------------------------------------

After completing the preceding steps, you can run:

   stunnel

If the error "routines: fips_mode_set: fingerprint does not match" occurs when running stunnel, set fips=no. If a permission error mentioning the nobody user is displayed, run:

   chmod 755 /var/run/stunnel/

-------------------------------------------------------------------------------

About SSL certificates

To generate your own self-signed certificate:

   openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

If an existing certificate is to be imported from a PFX file together with its CA certificate (set the corresponding CAfile parameter in the configuration file), convert both with openssl:

   # convert CER to PEM (add -inform DER if the .cer file is binary rather than PEM text)
   openssl x509 -in cacert.cer -out cacert.pem
   # convert PFX to PEM; -nodes leaves the private key unencrypted so stunnel starts without a passphrase prompt
   openssl pkcs12 -in stunnel.pfx -out stunnel.pem -nodes

To simplify certificate use, issue or purchase a wildcard certificate such as *.xxx.org so that all sites under that domain can share it. Note that *.*.xxx.org is invalid: a wildcard matches only a single label.

-------------------------------------------------------------------------------

Others

Stunnel can only be used as a proxy on Linux machines.

Proxy services can be distinguished by IP address and port.

Simple, efficient, and a powerful system tool :)

Install haproxy by the way:

Find the version you want to install at http://haproxy.1wt.eu/download/1.4/src/

Take a CentOS 5 installation as an example:

   wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.9.tar.gz
   tar -zxvf haproxy-1.4.9.tar.gz
   cd haproxy-1.4.9
   make TARGET=linux26 PREFIX=/usr/local/
   make install PREFIX=/usr/local/

Some practical problems and solutions

When the SSL channel is used from IE6, a "page cannot load" problem occurs. This is due to OpenSSL support issues. The official FAQ is here:

http://www.stunnel.org/?page=FAQ

http://www.daniweb.com/hardware-and-software/microsoft-windows/web-browsers/threads/50765

The FAQ says Stunnel is compatible but attaches no specific solution. Here is the solution: modify the stunnel.conf configuration file:

   ciphers=RC4-SHA
   options=DONT_INSERT_EMPTY_FRAGMENTS

By the way, these are the cipher suites supported by IE6 (listed on the OpenSSL official website):

SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL2_CK_RC4
SSL2_CK_3DES
SSL2_CK_RC2
SSL_RSA_WITH_DES_CBC_SHA
SSL2_CK_DES
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL2_CK_RC4_EXPORT40
SSL2_CK_RC2_EXPORT40
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA

Select an appropriate cipher. You can check the log to see whether it was loaded successfully:

   tail -f /var/log/stunnel.log

The log shows if the ciphers setting is incorrect. Note that the sslVersion setting in the configuration file affects which ciphers can be matched.
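The settings above (sslVersion, setuid/setgid, the IE6 ciphers workaround and xforwardedfor) are the ones worth auditing before a stunnel.conf goes live. The following is an added example for this article, not code from stunnel or haproxy: a small parser for the stunnel.conf format plus a checker that flags the weak settings. SAMPLE_CONF is constructed from the settings shown in this article; the check list and messages are this example's own choices.

```python
"""Parse stunnel.conf and flag settings that weaken the SSL leg.

Added example for this article; it is not part of stunnel or haproxy.
SAMPLE_CONF is constructed from the settings the article shows (the global
options, the [https] service and the IE6 cipher workaround).
"""

SAMPLE_CONF = """\
sslVersion=all
fips=no
cert=/usr/local/etc/stunnel/stunnel.pem
CAfile=/usr/local/etc/stunnel/cacert.pem
pid=/var/run/stunnel.pid
setuid=root
setgid=root

socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
output=/var/log/stunnel.log
; IE6 workaround from the article
ciphers=RC4-SHA
options=DONT_INSERT_EMPTY_FRAGMENTS

[https]
accept=443
connect=127.0.0.1:8080
TIMEOUTclose=0
xforwardedfor=yes
"""

LOOPBACK_PREFIX = "127."   # assumption: the haproxy behind stunnel is local


def parse_stunnel_conf(text):
    """Return {section: {key: [values]}}; global options live under "".

    A key may repeat (the two socket= lines), so values are kept in lists.
    Keys are lower-cased because stunnel matches option names without
    regard to case; ';' starts a comment, as in stunnel's sample config.
    """
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = line.split("=", 1)
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def check_stunnel_conf(text):
    """Return a list of (section, option, message) findings."""
    findings = []
    for section, opts in parse_stunnel_conf(text).items():

        def first(key):
            # first value of an option, or "" when it is not set in this section
            return opts.get(key, [""])[0]

        if first("sslversion").lower() == "all":
            findings.append((section, "sslVersion",
                             "'all' also accepts SSLv2/SSLv3; pin a TLS version"))
        if first("setuid") == "root" or first("setgid") == "root":
            findings.append((section, "setuid/setgid",
                             "stunnel keeps root after start-up; use an unprivileged account"))
        ciphers = first("ciphers").upper()
        weak = [t for t in ("RC4", "DES", "EXPORT", "NULL", "MD5") if t in ciphers]
        if weak:
            findings.append((section, "ciphers",
                             "list contains weak suites (%s): %s" % (", ".join(weak), first("ciphers"))))
        if first("xforwardedfor").lower() == "yes" and not first("connect").startswith(LOOPBACK_PREFIX):
            findings.append((section, "xforwardedfor",
                             "X-Forwarded-For is inserted over a non-local link; "
                             "the backend must trust it only from stunnel"))
    return findings


if __name__ == "__main__":
    for section, option, message in check_stunnel_conf(SAMPLE_CONF):
        print("[%s] %s: %s" % (section or "global", option, message))
```

Run against the article's configuration, the checker reports sslVersion=all, setuid/setgid=root and the RC4-SHA cipher list, and stays silent on the [https] service because its connect target is loopback. The RC4 and sslVersion=all settings that the IE6 workaround needs are exactly what it flags: treat them as a legacy-client exception that is removed once those clients are gone, not as a default.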

-------------------------------------------------------------------------------

Because the client-to-Stunnel leg is SSL while haproxy talks plain HTTP to the web server, the request URL the web server sees is HTTP. To let the web end know whether the client's request was HTTP or HTTPS, use the following haproxy configuration:

   option forwardfor
   option httpclose
   reqadd X-Forwarded-Proto:\ https

On the web end, read the request header X-Forwarded-Proto to tell them apart.

Note the httpclose option: without it, the X-Forwarded headers are passed only for the first request on a connection; with it enabled, keep-alive is not possible. This has not been verified on Windows.
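What the web end does with X-Forwarded-Proto and X-Forwarded-For decides whether this setup is safe: the headers are only meaningful when the request really came through stunnel and haproxy, and the httpclose note above means a keep-alive request may arrive with no forwarded headers at all. The following is an added example for this article, not code from stunnel, haproxy or the author's site. It assumes haproxy reaches the web server from 127.0.0.1 (the article's connect=127.0.0.1:8080) and uses the header names the article configures; the sample requests are constructed.

```python
"""Decide scheme and client IP on the web end behind stunnel + haproxy.

Added example for this article; it is not code from stunnel, haproxy or the
author's site. Assumes the proxy chain reaches the web server from loopback.
"""
import ipaddress

# Assumption: only loopback peers are the stunnel/haproxy chain.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]


def is_trusted_proxy(ip):
    """True when the address belongs to one of the trusted proxy networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_request(peer_ip, headers):
    """Return (scheme, client_ip) the application should act on.

    headers is the request header dict as received (any letter case).
    The forwarded headers are believed only when the TCP peer is the proxy;
    from any other peer they are client-supplied and are ignored.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not is_trusted_proxy(peer_ip):
        return "http", peer_ip

    scheme = h.get("x-forwarded-proto", "http").strip().lower()
    if scheme not in ("http", "https"):
        scheme = "http"

    # Several X-Forwarded-For lines arrive joined by commas. Walk from the
    # right, skipping proxy addresses, to reach the first hop that was not
    # added by a proxy we trust: that is taken as the real client.
    hops = [hop.strip() for hop in h.get("x-forwarded-for", "").split(",") if hop.strip()]
    client_ip = peer_ip
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break          # garbage in the header: fall back to the peer address
        client_ip = hop
        break
    return scheme, client_ip


def needs_https_redirect(peer_ip, headers):
    """True when the original client request did not arrive over SSL."""
    scheme, _ = effective_request(peer_ip, headers)
    return scheme != "https"


if __name__ == "__main__":
    # Constructed: first request on a connection, headers added by stunnel and haproxy.
    print(effective_request("127.0.0.1", {"X-Forwarded-Proto": "https",
                                          "X-Forwarded-For": "203.0.113.9, 127.0.0.1"}))
    # Constructed: a second keep-alive request without httpclose carries no headers.
    print(effective_request("127.0.0.1", {}))
    # Constructed: a direct connection that claims to have come through the proxy.
    print(effective_request("198.51.100.7", {"X-Forwarded-Proto": "https",
                                             "X-Forwarded-For": "10.0.0.1"}))
```

The right-to-left walk assumes each hop appends its own entry, which is the usual X-Forwarded-For convention. Whether a client-supplied X-Forwarded-For ends up before or after the entry the stunnel patch inserts is not stated in this article, so capture a real request and confirm the order before the client IP is used for any access decision. The scheme check is what matters for building redirect and cookie flags: a missing header is treated as plain HTTP, which is the conservative answer for the keep-alive case.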

-------------------------------------------------------------------------------

HTTPS may fail to be enabled because of an IE patch on Windows XP; see:
http://www.microsoft.com/downloads/zh-cn/details.aspx?FamilyID=6429fd02-8138-4919-9942-80d62ecef22e&DisplayLang=zh-cn
