Document directory
- About SSL certificates
- Others
- Install haproxy by the way:
- Some practical problems and solutions
Recently we used Stunnel as a transparent SSL-terminating proxy in front of haproxy, which stays in place as the HTTP reverse proxy. Stunnel is added between the user and the original reverse proxy: the user-to-Stunnel leg is SSL, while the real web servers behind Stunnel do not carry the HTTPS overhead.
This records the configuration process and the problems met along the way. The installation steps below were completed successfully on CentOS and Ubuntu.
First, obtain the installation package from the Stunnel official website. Stunnel has to be patched with haproxy's X-Forwarded-For patch, and the current version of that patch is written for Stunnel 4.32, so version 4.32 is chosen. It can be found on the official FTP server under ftp://ftp.stunnel.org/stunnel/obsolete/4.x/, or synchronized with rsync as below. Both the tarball and the patch arrive over unauthenticated transports, so check the tarball against the signature file published next to it before building:
rsync rsync.stunnel.org::stunnel/obsolete/4.x/stunnel-4.32.tar.gz stunnel-4.32.tar.gz
wget http://haproxy.1wt.eu/download/patches/stunnel-4.32-xforwarded-for.diff
tar -zxvf stunnel-4.32.tar.gz
cd stunnel-4.32
patch -p1 < ../stunnel-4.32-xforwarded-for.diff
./configure
make && make install
If "couldn't find your SSL library installation dir" appears during ./configure, the OpenSSL development headers are missing. Install them and rerun the steps above. On Debian/Ubuntu:
apt-get install libcurl3-openssl-dev
(libssl-dev is the package that actually provides the OpenSSL headers; the curl package only pulls it in as a dependency, so installing libssl-dev directly is enough.) On CentOS:
yum install openssl-devel
Then write stunnel.conf (this build installs its configuration directory as /usr/local/etc/stunnel/):
sslVersion=all
fips=no
cert=/usr/local/etc/stunnel/stunnel.pem
CAfile=/usr/local/etc/stunnel/cacert.pem
pid=/var/run/stunnel.pid
setuid=root
setgid=root

socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
output=/var/log/stunnel.log

[https]
accept=443
connect=127.0.0.1:8080
TIMEOUTclose=0
xforwardedfor=yes
A few of these settings deserve a second look. sslVersion=all enables SSLv2 and SSLv3 next to TLSv1; SSLv2 has long been considered broken, and SSLv3 should only be kept while a legacy client such as IE6 (see the problems section below) really needs it. setuid=root/setgid=root keeps stunnel running as root after it has bound port 443; the usual choice is to drop to an unprivileged account (setuid=nobody), which is also where the "nobody" permission error mentioned below comes from. fips=no turns off FIPS mode, which otherwise fails at startup with the fingerprint error noted below. xforwardedfor=yes is the option added by the haproxy patch and does not exist in stock Stunnel.
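A hardened variant of the file above, added here as an editorial example rather than the article's own configuration. It keeps the page's paths and the 127.0.0.1:8080 backend; the cipher list and the unprivileged account are assumptions.

```ini
; Hardened stunnel.conf for the stunnel -> haproxy setup (editorial example,
; not from the original page). Paths and backend port are taken from the page;
; the cipher list and the nobody/nogroup account are assumptions.

; SSLv2 and SSLv3 are broken: accept TLS only. If an old client forces you back
; to sslVersion=all, add at least "options = NO_SSLv2".
sslVersion = TLSv1
options = NO_SSLv2
options = NO_SSLv3
fips = no

; Bind port 443 as root, then drop to an unprivileged account. The certificate
; and key are read during startup, so stunnel.pem can stay root-owned, mode 600.
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel/stunnel.pid

cert = /usr/local/etc/stunnel/stunnel.pem
CAfile = /usr/local/etc/stunnel/cacert.pem

; Prefer AES; RC4-SHA is kept only as the last resort for IE6 and should be
; removed once those clients are gone.
ciphers = AES256-SHA:AES128-SHA:DES-CBC3-SHA:RC4-SHA

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log
debug = 5

[https]
accept = 443
connect = 127.0.0.1:8080
TIMEOUTclose = 0
; Option provided by the haproxy patch, not by stock Stunnel.
xforwardedfor = yes
```

The pid directory must exist and be owned by the account named in setuid so that stunnel can remove the file on exit; with this layout the chmod 755 workaround from the page is no longer needed.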
-----------------------------------------------------------------------------
After completing the preceding steps, start it:
stunnel
If stunnel fails to start with "routines:fips_mode_set:fingerprint does not match", set fips=no in the configuration. If it reports a permission error for the nobody user (the pid or log directory is not writable by the account stunnel drops to), fix the directory permissions:
chmod 755 /var/run/stunnel/
Note that 755 only grants write access to the directory's owner, so chown the directory to the account named in setuid as well.
-------------------------------------------------------------------------------
About SSL certificates
Use a self-signed certificate of your own (the private key is written unencrypted into the same file because stunnel must start unattended, so keep stunnel.pem readable by root only):
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
Older OpenSSL releases default to a 1024-bit key here; add -newkey rsa:2048 to get a 2048-bit one.
If you are importing an existing certificate as a PFX file together with its CA certificate (set the corresponding CAfile parameter in the configuration file), convert them at the openssl prompt:
openssl
# convert CER to PEM (add -inform DER if the .cer file is binary rather than Base64)
openssl> x509 -in cacert.cer -out cacert.pem
# PFX to PEM; -nodes leaves the private key unencrypted, as stunnel requires
openssl> pkcs12 -in stunnel.pfx -out stunnel.pem -nodes
To simplify certificate management, issue or purchase a wildcard certificate such as *.xxx.org, which all hosts directly under that domain can share. Note that a wildcard covers exactly one label: *.*.xxx.org is not valid, and *.xxx.org does not match a.b.xxx.org.
-------------------------------------------------------------------------------
Others
Stunnel is not tied to HTTP: it can front any TCP service, and it runs on Windows as well as Linux.
Separate [service] sections can listen on different IP addresses and ports, each forwarding to its own backend.
Simple and efficient, and a powerful system tool :)
Install haproxy by the way:
Find the version you want to install at http://haproxy.1wt.eu/download/1.4/src/
Taking a CentOS 5 installation as an example:
wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.9.tar.gz
tar -zxvf haproxy-1.4.9.tar.gz
cd haproxy-1.4.9
make TARGET=linux26 PREFIX=/usr/local/
make install PREFIX=/usr/local/
Some practical problems and solutions
When using the SSL channel from IE6, the "page cannot be displayed" error occurs. This is an OpenSSL/IE6 compatibility issue; the official FAQ covers it:
http://www.stunnel.org/?page=FAQ
http://www.daniweb.com/hardware-and-software/microsoft-windows/web-browsers/threads/50765
Stunnel is compatible with IE6, but no concrete fix is given there. The fix is to add two lines to stunnel.conf:
ciphers=RC4-SHA
options=DONT_INSERT_EMPTY_FRAGMENTS
Both lines weaken the configuration: RC4 is a broken stream cipher, and DONT_INSERT_EMPTY_FRAGMENTS switches off OpenSSL's countermeasure against the CBC chained-IV chosen-plaintext attack. Use them only while IE6 clients must be supported, and list RC4-SHA as one entry in a longer ciphers string rather than as the only cipher.
By the way, these are the cipher suites IE6 supports (the list can be found on the OpenSSL website):
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL2_CK_RC4 SSL2_CK_3DES
SSL2_CK_RC2 SSL_RSA_WITH_DES_CBC_SHA
SSL2_CK_DES SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL2_CK_RC4_EXPORT40
SSL2_CK_RC2_EXPORT40
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
Pick a cipher from that list that the server side also accepts, and use the log to check whether the setting was accepted:
tail -f /var/log/stunnel.log
A rejected ciphers string shows up there as an error. Note that sslVersion affects which suites can match: the SSL2_CK_* suites exist only under SSLv2, which sslVersion=TLSv1 excludes.
-------------------------------------------------------------------------------
Because the client-to-Stunnel leg is SSL while haproxy talks plain HTTP to the web server, the request URL the web server sees is http://. To let the web end know whether the client's original request was HTTP or HTTPS, add the following to the haproxy configuration:
option forwardfor
option httpclose
reqadd X-Forwarded-Proto:\ https
On the web end, read the X-Forwarded-Proto request header to tell the two apart.
Note on httpclose: without it, haproxy 1.4 handles only the first request of a keep-alive connection, so the X-Forwarded-* headers are added only to that first request; with it, keep-alive is disabled. This behaviour could not be verified on Windows.
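The headers above are only trustworthy if the web end checks who set them: a client can send its own X-Forwarded-For or X-Forwarded-Proto, and those lines travel through stunnel and haproxy untouched. The following is an added example for the web side of this chain (editorial code, not from the page, Stunnel or haproxy). It assumes both proxies reach the web server from 127.0.0.1, that headers are available as (name, value) pairs in wire order, and that each proxy adds its header after whatever the client sent; the sample request is constructed.

```python
"""Trust X-Forwarded-For / X-Forwarded-Proto only through the proxy hops.

Editorial example for the web end of the stunnel -> haproxy -> web chain.
Assumptions: the proxies connect from TRUSTED_PROXIES, headers arrive as
(name, value) pairs in wire order (as WSGI or a raw HTTP server hands them
over), and each proxy appends its header after the client's own headers.
"""

# Assumption: stunnel and haproxy run on the web host (connect=127.0.0.1:8080).
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})


def _header_values(headers, name):
    """All values of a (possibly repeated) header, in wire order."""
    want = name.lower()
    return [value for key, value in headers if key.lower() == want]


def client_address(peer_addr, headers):
    """Return the client IP, honouring X-Forwarded-For only behind a trusted hop.

    The patched stunnel adds one X-Forwarded-For line with the TLS client's
    address and haproxy's "option forwardfor" adds another with its own source
    (127.0.0.1 here). Anything the client sent itself sits earlier in the list,
    so the rule is: walk the chain from the right, skip our own proxies, and
    take the first address that is not one of them.
    """
    if peer_addr not in TRUSTED_PROXIES:
        # Direct connection: the headers are whatever the client typed.
        return peer_addr
    chain = []
    for value in _header_values(headers, "X-Forwarded-For"):
        chain.extend(part.strip() for part in value.split(",") if part.strip())
    chain.append(peer_addr)
    for addr in reversed(chain):
        if addr not in TRUSTED_PROXIES:
            return addr
    # Every hop was a trusted proxy: the request originated on the proxy host.
    return chain[0]


def request_scheme(peer_addr, headers):
    """'https' if the trusted proxy says the client leg was SSL, else 'http'.

    haproxy appends X-Forwarded-Proto with reqadd, so the proxy's value is the
    last one; a client-supplied copy comes earlier and is ignored.
    """
    if peer_addr not in TRUSTED_PROXIES:
        return "http"
    values = _header_values(headers, "X-Forwarded-Proto")
    if values and values[-1].strip().lower() == "https":
        return "https"
    return "http"


# Constructed request as the web server would see it after stunnel and haproxy:
# the client tried to spoof the first X-Forwarded-For line, stunnel added the
# real address, haproxy added its own hop and the X-Forwarded-Proto header.
SAMPLE_PEER = "127.0.0.1"
SAMPLE_HEADERS = [
    ("Host", "www.example.org"),
    ("X-Forwarded-For", "10.0.0.9"),        # spoofed by the client
    ("X-Forwarded-For", "203.0.113.7"),     # added by the patched stunnel
    ("X-Forwarded-For", "127.0.0.1"),       # added by haproxy (option forwardfor)
    ("X-Forwarded-Proto", "https"),         # added by haproxy (reqadd)
]


def demo():
    """Resolve the constructed request; returns (client_ip, scheme)."""
    return (client_address(SAMPLE_PEER, SAMPLE_HEADERS),
            request_scheme(SAMPLE_PEER, SAMPLE_HEADERS))


if __name__ == "__main__":
    print("client=%s scheme=%s" % demo())
```

Two checks belong with this: confirm on your own build where the patched stunnel inserts its line by sending a request with a bogus X-Forwarded-For and inspecting what reaches the web server (if the patch places its header ahead of the client's, the rightmost rule above no longer isolates the spoofed value and it has to be stripped at haproxy instead), and add reqidel ^X-Forwarded-Proto: before the reqadd line in haproxy so a client cannot pre-seed that header on a plain HTTP listener.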
-------------------------------------------------------------------------------
HTTPS cannot be enabled in IE on Windows XP because of an IE patch issue; see the Microsoft download:
http://www.microsoft.com/downloads/zh-cn/details.aspx?FamilyID=6429fd02-8138-4919-9942-80d62ecef22e&DisplayLang=zh-cn