stunnel.conf for TurnKey Linux v15.x (Debian 9/Stretch)
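; **************************************************************************
; * Global options                                                         *
; **************************************************************************
; stunnel.conf for TurnKey v15.x (Debian 9/Stretch), read by stunnel4.
; stunnel accepts "key = value" lines and ";" full-line comments; the
; "options" key may be repeated and the values accumulate.
;
; A copy of some devices and system files is needed within the chroot jail.
; Chroot conflicts with configuration file reload and many other features.
; Remember also to update the logrotate configuration.
chroot = /var/lib/stunnel4/
; The chroot jail can be escaped if the setuid option is not used, so
; chroot and the privilege drop below always go together.
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
; Debugging (may be useful for troubleshooting). Leave disabled in
; production: level 7 is the most verbose level and logs every connection.
;debug = 7
;output = /var/log/stunnel4/stunnel.log

; **************************************************************************
; * Service defaults; may also be specified in individual service sections *
; **************************************************************************
; Certificate and private key presented to clients. Both services below run
; in server mode, so this file is required. It contains the private key:
; keep it root-owned and not readable by other users.
cert = /etc/ssl/private/cert.pem
; Peer-certificate verification. In server mode "verify = 2" requires every
; client to present a certificate signed by a CA in CApath/CAfile (client
; authentication). It is NOT what protects clients from a man-in-the-middle;
; that depends on the client validating the certificate above.
; Not enabled by default.
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside the chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside the chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /etc/stunnel/crls.pem
; Disable the insecure SSLv3 protocol (POODLE). SSLv2 support was removed
; from the OpenSSL generation shipped with Debian 9, so no option is needed
; for it. TLS 1.0 and TLS 1.1 remain enabled by this file; uncomment the
; two lines below to accept TLS 1.2 only once legacy clients no longer
; need access.
options = NO_SSLv3
;options = NO_TLSv1
;options = NO_TLSv1_1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; Use the server's cipher order (the "ciphers" list below) rather than the
; client's preference
options = CIPHER_SERVER_PREFERENCE
; Refuse client-initiated TLS renegotiation, a known CPU-exhaustion vector
renegotiation = no
; Cipher list added by the TurnKey conf script: forward-secret (ECDHE/DHE)
; AES suites only, with the GCM (AEAD) suites listed first within each
; key-exchange group. The CBC/SHA1 entries (*-AES128-SHA, *-AES256-SHA)
; exist for TLS 1.0/1.1 clients and can be dropped together with those
; protocol versions.
ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256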

; Shell In A Box web terminal. TLS is terminated on port 12320 and the
; traffic is forwarded in plaintext to 127.0.0.1:12319, so the backend
; itself should listen on loopback only. "accept" without a host binds
; all interfaces; restrict 12320 with the firewall if the console must
; not be reachable from untrusted networks.
[shellinabox]
accept = 12320
connect = 127.0.0.1:12319
; Do not wait for the peer's close_notify before closing the socket
TIMEOUTclose = 0

; Webmin administration UI. TLS is terminated on port 12321 and the
; traffic is forwarded in plaintext to Webmin on 127.0.0.1:10000, so
; Webmin itself should listen on loopback only. "accept" without a host
; binds all interfaces; restrict 12321 with the firewall where the admin
; interface must not be reachable from untrusted networks.
[webmin]
accept = 12321
connect = 127.0.0.1:10000
; Do not wait for the peer's close_notify before closing the socket
TIMEOUTclose = 0