转自:https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu
ps: 启动stunnel的命令,必须用sudo,否则提示启动成功了,但其实ps aux | grep stunnel什么都没有.

What’s Stunnel

The Stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the program's code.

What Stunnel basically does is that it turns any insecure TCP port into a secure encrypted port using OpenSSL package for cryptography. It’s somehow like a small secure VPN that runs on specific ports.

Step 1: Create an Ubuntu Droplet

So far I have tested it on Ubuntu 12.04 x32/x64, Ubuntu 12.10 x32/x64, Ubuntu 13.04 x32/x64.

Step 2: Update and Upgrade Ubuntu

Using these commands update your Ubuntu’s package list and also upgrade the existing packages to the latest version:

apt-get update

apt-get upgrade

Step 3: Install Stunnel on your VPS

Install Stunnel package using the code below:

apt-get install stunnel4 -y

Step 4: Configure Stunnel on the VPS

Stunnel configures itself using a file named "stunnel.conf" which by default is located in "/etc/stunnel".

Create a "stunnel.conf" file in the "/etc/stunnel" directory:

nano /etc/stunnel/stunnel.conf

We’re going to be using a SSL certificate to identify ourselves to the server so we have to set the path to that certificate in "stunnel.conf" file using this line (We will create the certificate file in the next step):

cert = /etc/stunnel/stunnel.pem

Next we specify a service for use with Stunnel. It can be any of the services which use networking such as mail server, proxy server, etc.

Here as an example we’re going to secure traffics between Squid proxy server and a client using Stunnel. We'll explain how to install and configure Squid in Step 6.

After setting a name for the service you’re going to use, you must tell Stunnel to listen on which port for that service. This can be any of the 65535 ports, as long as it’s not blocked by another service or firewall:

[squid]

accept = 8888

Then depending on the service you’re going to use the secure tunnel on, you must specify the port and IP address of that in the configuration file Basically Stunnel takes packets from a secure port and then forwards it to the port and IP address of the service you specified.

Squid proxy by default runs on localhost and port 3128 so we have to tell Stunnel to forward accepted connections to that port:
connect = 127.0.0.1:3128

So overall the "stunnel.conf" file must contain the lines below:

client = no

[squid]

accept = 8888

connect = 127.0.0.1:3128

cert = /etc/stunnel/stunnel.pem

Note: The client = no part isn't necessary, Stunnel by default is set to server mode.

Step 5: Create SSL Certificates

Stunnel uses SSL certificate to secure its connections, which you can easily create using the OpenSSL package:

openssl genrsa -out key.pem 2048

openssl req -new -x509 -key key.pem -out cert.pem -days 1095

cat key.pem cert.pem >> /etc/stunnel/stunnel.pem

Basically, the commands above is for creating a private key, creating a certificate using that key and combining the two of them into one files named "stunnel.pem" to use with Stunnel.

Note: When creating the certificate, you will be asked for some information such as country and state, which you can enter whatever you like but when asked for "Common Name" you must enter the correct host name or IP address of your droplet (VPS).

Also, enable Stunnel automatic startup by configuring the "/etc/default/stunnel4" file, enter command below to open the file in text editor:

nano /etc/default/stunnel4

And change ENABLED to 1:

ENABLED=1

Finally, restart Stunnel for configuration to take effect, using this command:

/etc/init.d/stunnel4 restart

Step 6: Install Squid Proxy

Install Squid using the command below:

apt-get install squid3 -y

Step 7: Configure Stunnel in Client

Note: This explains the process of installing and configuration of Stunnel as a client in Windows, but Stunnel could also be installed in Linux and even Android and configuration still remains the same. The only difference would be placement of "stunnel.conf" file required for configuration of Stunnel.

In order for Stunnel to communicate with the server, the SSL certificate we created in Step 5 must be present at the client. There are many ways of obtaining the "stunnel.pem" file from server, but we’re going to use SFTP which is both easy and very secure.

Using a SFTP client such as Filezilla, connect to your server and download the "stunnel.pem" file located in "/etc/stunnel/" directory to the client.

There’s also a good tutorial on SFTP here:

How To Use SFTP to Securely Transfer Files with a Remote Server

Download Stunnel from their website.

Install Stunnel in any place you like. Then go to the Stunnel folder and move the downloaded certificate "stunnel.pem" to Stunnel folder.

Create a "stunnel.conf" file in the Stunnel’s folder if one does not exist. Open the file with a text editor such as Notepad.

First of all, we tell Stunnel our certificate’s path, which in Windows is in the Stunnel’s directory (reminder: in Ubuntu it is in "/etc/stunnel/" directory):

cert = stunnel.pem

Since we are going to set up a client, we have to tell Stunnel that this is a client. Put the line below in the configuration file:

client = yes

Then just like the server, we must specify configuration of the service we want to use.

First we specify the service’s name, then the IP address and port, which Stunnel should listen to on the client:

[squid]

accept = 127.0.0.1:8080

The accept port could be any port on the client computer, as long as it’s not occupied by another service or blocked by a firewall.

Next, we tell Stunnel to forward packets coming to this port to our Stunnel server’s IP address and port. The IP address is your server’s (droplet) public IP address, which is assigned to you when setting up a droplet, and port is the port you specified when configuring Stunnel in the server. In our case it was 8888 so we’re going to tell Stunnel to connect to that port:

connect = [Server’s Public IP]:8888

So the final "stunnel.conf" file in the client should look like this:

cert = stunnel.pem

client = yes

[squid]

accept = 127.0.0.1:8080

connect = [Server’s Public IP]:8888

Save and close the file and run "stunnel.exe".

That’s it. Now our client is configured to communicate securely with the virtual server using a secure SSL tunnel. From now on when trying to connect to any service on our VPS, instead of connecting directly to IP address of server, we must use the IP address and port specified in the Stunnel’s "accept" part of configuration for each service.

As an example, when we want to connect to Squid proxy on our cloud server, we must configure our client to connect to 127.0.0.1:8080, and Stunnel automatically connects us through a secure tunnel to the service specified for that port. Here you can configure your web browser to use IP 127.0.0.1 and port 8080 as a proxy to secure your web traffic.

(转)用stunnel给普通http通信加密的更多相关文章

  1. zabbix与agent端通信加密

    Zabbix版本从3.0之后,开始支持Zabbix server, Zabbix proxy, Zabbix agent, zabbix_sender and zabbix_get之间的通信加密,加密 ...

  2. AES加密,解决了同步问题,和随机密钥和固定密钥,多端通信加密不一致解决办法

    1.密钥随机生成. import java.security.InvalidAlgorithmParameterException; import java.security.InvalidKeyEx ...

  3. Linux学习66 运维安全-通信加密和解密技术入门

    一.Linux Service and Security 1.OpenSSL(ssl/tls)协议 2.OpenSSH(ssh)协议 3.bind(dns) 4.web(http):httpd(apa ...

  4. javascript 与 PHP 通信加密,使用AES 128 CBC no padding,以及ios,java,c#文章例子

    运行环境 php7.0 不适用于 php7.0以上版本,因为mcrypt_encrypt()函数已删除 为何要采用 no padding 这种形式: AES加密如果原输入数据不够16字节的整数位,就要 ...

  5. IOS 与 PHP 通信加密,使用AES 128 CBC no padding

    这个网上的资料真实浩如烟海,但是真正有价值的屈指可数 自己尝试了一天多,终于还是搞定了. 再次要感谢网上的前辈么. 比如下面这个关于php和java端的实现: http://my.oschina.ne ...

  6. stunnel+CCProxy,搭建加密代理

    总所周知,不可抗拒的特别有用心的原因,我们无法访问youtube,picasa,Twitter……国外优秀网站,很多人采用了代理服务器的方法访问. 如果您有一台放在海外的服务器,这个就好办了.下载一个 ...

  7. AWS + Stunnel + Squid ***

    [需求] 第一,能***. 第二,在企业网络要能突破端口限制. [原理] 利用AWS提供的一年免费EC2服务,搭建一台自己的VPS,在VPS中利用Stunnel与本机建立加密连接,将本地http请求通 ...

  8. Self Host WebApi服务传输层SSL加密(服务器端+客户端调用)

    接上篇<WebApi服务URI加密及验证的两种方式>,在实际开发中,仅对URI进行加密是不够的,在传输层采用SSL加密也是必须的. 如果服务寄宿于IIS,那对传输层加密非常简单仅需要配置一 ...

  9. Java 前端加密传输后端解密以及验证码功能

    目录(?)[-] 加密解密 1 前端js加密概述 2 前后端加密解密 21 引用的js加密库 22 js加密解密 23 Java端加密解密PKCS5Padding与js的Pkcs7一致 验证码 1 概 ...

随机推荐

  1. 【JS】移动端 好用的分享插件 soshm.js

    参考链接:https://www.cnblogs.com/milo-wjh/p/6796082.html 对于qq内置浏览器分享功能处理:https://www.cnblogs.com/xuzheng ...

  2. Dockerfile 构建前端node应用并用shell脚本实现jenkins自动构建

    cat Dockerfile.node.pre FROM centos MAINTAINER zhao*******h.cn ENV LANG en_US.UTF-8 RUN /bin/cp /usr ...

  3. ubuntu_thunder

    Thunder 出自Ubuntu中文 File:Http://forum.ubuntu.org.cn/download/file.php?id=123020&mode=view/wine-th ...

  4. python正则检测密码合法性

    客户系统升级,要求用户密码符合一定的规则,即:包含大小写字母.数字.符号,长度不小于8,于是先用python写了个简单的测试程序: #encoding=utf-8 #----------------- ...

  5. 【CI】CN.一种多尺度协同变异的微粒群优化算法

    [论文标题]一种多尺度协同变异的微粒群优化算法 (2010) [论文作者]陶新民,刘福荣, 刘  玉 , 童智靖 [论文链接]Paper(14-pages // Single column) [摘要] ...

  6. JavaScript 数组(Array)对象

    Array 对象 Array 对象用于在单个的变量中存储多个值. 创建 Array 对象的语法: new Array(); new Array(size); new Array(element0, e ...

  7. 是否只查看安全传送的网页内容? 去掉 IE弹出窗口

    选择IE工具intemt选项,在选项卡里选择安全,然后在安全选项卡里点自定义级别,在设置里找到‘其他’这个分类,在次分类下找到‘显示混合内容’选择‘启用’然后保存退出就OK了,当然楼上几位说安全问题, ...

  8. umdh windbg分析内存泄露

    A.利用工具umdh(user-mode dump heap)分析:此处以程序MemoryLeak.exe为例子 1.开启cmd 键入要定位内存泄露的程序gflags.exe /i memroylea ...

  9. 在触屏设备上面利用html5裁剪图片(转)

    前言 现在触屏设备越来越流行,而且大多数已经支持html5了.针对此,对触屏设备开发图片裁剪功能, 让其可以直接处理图片,减轻服务端压力. 技术点 浏览器必须支持html5,包括fileReader, ...

  10. Postgresql 正则表达式

    在postgresql中使用正则表达式时需要使用关键字“~”,以表示该关键字之前的内容需匹配之后的正则表达式,若匹配规则不需要区分大小写,可以使用组合关键字“~*”: 相反,若需要查询不匹配这则表达式 ...