LinuxQuestions.org
Old 08-28-2012, 10:47 AM   #1
hamzar.pm
Member
 
Registered: Aug 2009
Location: India,Kerala,Cochin
Distribution: Fedora 11 ,Centos, ubuntu, Redhat
Posts: 42

Stunnel+haproxy+apache not working as desired


hi linux experts,
Currently I am having a problem with stunnel+haproxy+Apache.

My current set-up is: when a request is coming to my webserver (which is on amazon ec2), the requests will be managed by stunnel for rendering or processing the ssl certificates (for testing it's self signed). I am having 3 web servers on cloud, one haproxy load balancer, and one stunnel. haproxy and stunnel are loaded on the same linux box; without stunnel, haproxy is working fine. My linux box has only one network interface.
****** and please take a look at my requirement ******

When a browser requests foo.example.com, stunnel should act by giving that site's certificate.
When a browser requests foo1.example.com, stunnel should give the certificate for that site.
This whole thing can be done with stunnel, because stunnel is accepting https requests from outside and tunnels or redirects the requests to the web servers' port 80.
Please look at my stunnel config file:
Code:
; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/certs/server.crt
key = /etc/certs/server.key

; Protocol version (all|SSLv2|SSLv3|TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
;chroot = /var/run/stunnel/
setuid = root
setgid = root
; PID is created inside the chroot jail
pid = /var/run/stunnel.pid
ciphers = ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=0
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
verify = 1
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /etc/certs/
;client = yes
;cert = /etc/stunnel/ssl.crt/test2.crt
;key = /etc/stunnel/ssl.key/test2.key

; It's often easier to use CAfile
CAfile = /etc/stunnel/pem/test1.pem
;CAfile = /etc/pki/tls/certs/ca-bundle.crt
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 5
output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

;[ssmtp]
;accept  = 465
;connect = 25

; Note: this accept/connect pair sits outside any [service] section, and the
; two sections below define no accept/connect of their own.
accept  = 443
connect = 80

[https-test1]
key = /etc/certs/test1.key
cert = /etc/certs/test1.crt
TIMEOUTclose = 0

[https-test2]
key = /etc/certs/test2.key
cert = /etc/certs/test2.crt
; value was missing in the post; 0 assumed, as in the section above
TIMEOUTclose = 0

Thanks in advance. Please reply to me if you have any doubts about my configuration, and please give me feedback if you are not clear on what I said.
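An added example (not the poster's config and not from any reply in this thread) of how stunnel selects a certificate per requested hostname: the per-site sections are attached to one listener with stunnel's `sni` option, which the posted config does not use. It assumes stunnel 4.45 or later (the first release with `sni`), that haproxy listens on 127.0.0.1:80 on the same box, and that the `[https]` service name, the `nobody` account and the log path are placeholders; the certificate paths and hostnames are the ones from the post.

```ini
; Added example, not the poster's config: per-hostname certificates via SNI.
; Assumes stunnel >= 4.45 (first version with the "sni" option) and that
; haproxy listens on 127.0.0.1:80 on the same box, as in the post.

; ---- global section ----
; Drop root after binding 443 instead of the post's setuid/setgid = root.
setuid = nobody
setgid = nobody
pid = /var/run/stunnel.pid
; "all" would also enable SSLv2/SSLv3; switch them off explicitly.
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
; No verify/CAfile: "verify = 1" only matters when clients present a
; certificate, and browsers do not here.
debug = 5
output = /var/log/stunnel.log   ; assumed writable by the nobody account
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=0

; ---- master service: the only listener on 443 ----
; Its cert is served to clients that send no SNI name (or an unknown one),
; so the "default" site lives here.
[https]
accept  = 443
connect = 127.0.0.1:80
cert = /etc/certs/test1.crt
key  = /etc/certs/test1.key
TIMEOUTclose = 0

; ---- slave services: one per hostname ----
; "sni = MASTER:HOSTNAME" binds the section to the master's listener;
; stunnel picks the section whose HOSTNAME matches the client's SNI name.
[https-test1]
sni = https:foo.example.com
cert = /etc/certs/test1.crt
key  = /etc/certs/test1.key
connect = 127.0.0.1:80

[https-test2]
sni = https:foo1.example.com
cert = /etc/certs/test2.crt
key  = /etc/certs/test2.key
connect = 127.0.0.1:80
```

To check which certificate a hostname gets, run `openssl s_client -connect <stunnel-ip>:443 -servername foo1.example.com` (the `-servername` flag sends the SNI name) and compare the returned subject with a second run using `-servername foo.example.com`; a client that sends no SNI name receives the master section's certificate.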
 
Old 09-01-2012, 01:12 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,777
Blog Entries: 54

Please post your thread in only one forum and be patient. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is being closed because it is a duplicate of http://www.linuxquestions.org/questi...ed-4175424919/. Next time just ask a moderator to move a thread for you if you think it's more appropriate elsewhere.