Created
April 13, 2021 02:49
-
-
Save 0neday/e48899a5ae817a6e2c2c9352fc34f69b to your computer and use it in GitHub Desktop.
stunnel configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| setuid = root | |
| setgid = root | |
| pid = /var/run/stunnel.pid | |
| ;debug = debug | |
| ;output = /tmp/stunnel.log | |
| verifyPeer = yes | |
| checkHost = yourdomain.com | |
| sni = yourdomain.com | |
| verify = 2 | |
| CAfile = /opt/stunnel/tls/ca.crt | |
| cert = /opt/stunnel/tls/my-service.crt | |
| key = /opt/stunnel/tls/my-service.key | |
| sslVersion = TLSv1.3 | |
| ciphersuites = TLS_CHACHA20_POLY1305_SHA256 | |
| curves = X25519 | |
| [client] | |
| client = yes | |
| accept = 127.0.0.1:8443 | |
| connect = yourdomain.com:443 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Define where to store the generated certs and metadata. | |
| DIR="$(pwd)/ecc" | |
| # Optional: Ensure the target directory exists and is empty. | |
| rm -rf "${DIR}" | |
| mkdir -p "${DIR}" | |
| # Create the openssl configuration file. This is used for both generating | |
| # the certificate as well as for specifying the extensions. It aims in favor | |
| # of automation, so the DN is encoding and not prompted. | |
| cat > "${DIR}/openssl.cnf" << EOF | |
| [req] | |
| default_bits = 4096 | |
| encrypt_key = no # Change to encrypt the private key using des3 or similar | |
| default_md = sha256 | |
| prompt = no | |
| utf8 = yes | |
| # Speify the DN here so we aren't prompted (along with prompt = no above). | |
| distinguished_name = req_distinguished_name | |
| # Extensions for SAN IP and SAN DNS | |
| x509_extensions = v3_req | |
| # Be sure to update the subject to match your organization. | |
| [req_distinguished_name] | |
| C = US | |
| L = California | |
| O = California University | |
| OU = IT section | |
| CN = yourdomain.com | |
| # Allow client and server auth. You may want to only allow server auth. | |
| # Link to SAN names. | |
| [v3_req] | |
| keyUsage = digitalSignature, keyEncipherment | |
| extendedKeyUsage = clientAuth, serverAuth | |
| subjectAltName = @alt_names | |
| # Alternative names are specified as IP.# and DNS.# for IP addresses and | |
| # DNS accordingly. | |
| [alt_names] | |
| DNS.1 = yourdomain.com | |
| EOF | |
| # Create the certificate authority (CA). This will be a self-signed CA, and this | |
| # command generates both the private key and the certificate. You may want to | |
| # adjust the number of bits (4096 is a bit more secure, but not supported in all | |
| # places at the time of this publication). | |
| # | |
| # To put a password on the key, remove the -nodes option. | |
| # | |
| # Be sure to update the subject to match your organization. | |
| openssl ecparam -genkey -name prime256v1 -out "${DIR}/ca.key" | |
| openssl req \ | |
| -new \ | |
| -days 3650 \ | |
| -nodes \ | |
| -x509 \ | |
| -subj "/C=US/ST=California/L=The Cloud/O=My Company CA" \ | |
| -key "${DIR}/ca.key" \ | |
| -out "${DIR}/ca.crt" | |
| # | |
| # For each server/service you want to secure with your CA, repeat the | |
| # following steps: | |
| # | |
| # Generate the private key for the service. Again, you may want to increase | |
| # the bits to 4096. | |
| openssl ecparam -genkey -name prime256v1 -out "${DIR}/my-service.key" | |
| # Generate a CSR using the configuration and the key just generated. We will | |
| # give this CSR to our CA to sign. | |
| openssl req \ | |
| -new -key "${DIR}/my-service.key" \ | |
| -out "${DIR}/my-service.csr" \ | |
| -config "${DIR}/openssl.cnf" | |
| # Sign the CSR with our CA. This will generate a new certificate that is signed | |
| # by our CA. | |
| openssl x509 \ | |
| -req \ | |
| -days 3650 \ | |
| -in "${DIR}/my-service.csr" \ | |
| -CA "${DIR}/ca.crt" \ | |
| -CAkey "${DIR}/ca.key" \ | |
| -CAcreateserial \ | |
| -extensions v3_req \ | |
| -extfile "${DIR}/openssl.cnf" \ | |
| -out "${DIR}/my-service.crt" | |
| # (Optional) Verify the certificate. | |
| openssl x509 -in "${DIR}/my-service.crt" -noout -text |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Define where to store the generated certs and metadata. | |
| DIR="$(pwd)/tls" | |
| # Optional: Ensure the target directory exists and is empty. | |
| rm -rf "${DIR}" | |
| mkdir -p "${DIR}" | |
| # Create the openssl configuration file. This is used for both generating | |
| # the certificate as well as for specifying the extensions. It aims in favor | |
| # of automation, so the DN is encoding and not prompted. | |
| cat > "${DIR}/openssl.cnf" << EOF | |
| [req] | |
| default_bits = 4096 | |
| encrypt_key = no # Change to encrypt the private key using des3 or similar | |
| default_md = sha256 | |
| prompt = no | |
| utf8 = yes | |
| # Speify the DN here so we aren't prompted (along with prompt = no above). | |
| distinguished_name = req_distinguished_name | |
| # Extensions for SAN IP and SAN DNS | |
| x509_extensions = v3_req | |
| # Be sure to update the subject to match your organization. | |
| [req_distinguished_name] | |
| C = US | |
| L = California | |
| O = California University | |
| OU = IT section | |
| CN = yourdomain.com | |
| # Allow client and server auth. You may want to only allow server auth. | |
| # Link to SAN names. | |
| [v3_req] | |
| keyUsage = digitalSignature, keyEncipherment | |
| extendedKeyUsage = clientAuth, serverAuth | |
| subjectAltName = @alt_names | |
| # Alternative names are specified as IP.# and DNS.# for IP addresses and | |
| # DNS accordingly. | |
| [alt_names] | |
| DNS.1 = yourdomain.com | |
| EOF | |
| # Create the certificate authority (CA). This will be a self-signed CA, and this | |
| # command generates both the private key and the certificate. You may want to | |
| # adjust the number of bits (4096 is a bit more secure, but not supported in all | |
| # places at the time of this publication). | |
| # | |
| # To put a password on the key, remove the -nodes option. | |
| # | |
| # Be sure to update the subject to match your organization. | |
| openssl req \ | |
| -new \ | |
| -newkey rsa:2048 \ | |
| -days 3650 \ | |
| -nodes \ | |
| -x509 \ | |
| -subj "/C=US/ST=California/L=The Cloud/O=My Company CA" \ | |
| -keyout "${DIR}/ca.key" \ | |
| -out "${DIR}/ca.crt" | |
| # | |
| # For each server/service you want to secure with your CA, repeat the | |
| # following steps: | |
| # | |
| # Generate the private key for the service. Again, you may want to increase | |
| # the bits to 4096. | |
| openssl genrsa -out "${DIR}/my-service.key" 2048 | |
| # Generate a CSR using the configuration and the key just generated. We will | |
| # give this CSR to our CA to sign. | |
| openssl req \ | |
| -new -key "${DIR}/my-service.key" \ | |
| -out "${DIR}/my-service.csr" \ | |
| -config "${DIR}/openssl.cnf" | |
| # Sign the CSR with our CA. This will generate a new certificate that is signed | |
| # by our CA. | |
| openssl x509 \ | |
| -req \ | |
| -days 3650 \ | |
| -in "${DIR}/my-service.csr" \ | |
| -CA "${DIR}/ca.crt" \ | |
| -CAkey "${DIR}/ca.key" \ | |
| -CAcreateserial \ | |
| -extensions v3_req \ | |
| -extfile "${DIR}/openssl.cnf" \ | |
| -out "${DIR}/my-service.crt" | |
| # (Optional) Verify the certificate. | |
| openssl x509 -in "${DIR}/my-service.crt" -noout -text |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| setuid = root | |
| setgid = root | |
| pid = /var/run/stunnel.pid | |
| debug = info | |
| output = /tmp/stunnel.log | |
| verifyPeer = yes | |
| checkHost = yourdomain.com | |
| verify = 2 | |
| CAfile = /opt/stunnel/tls/ca.crt | |
| cert = /opt/stunnel/tls/my-service.crt | |
| key = /opt/stunnel/tls/my-service.key | |
| sslVersion = TLSv1.3 | |
| ciphersuites = TLS_CHACHA20_POLY1305_SHA256 | |
| curves = X25519 | |
| [server] | |
| accept = 0.0.0.0:443 | |
| connect = 127.0.0.1:8888 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment