network stunnel - ghdrako/doc_snipets GitHub Wiki
log output
If `output` is not specified, the setting `syslog = yes` is the default.
$ journalctl -t stunnel # ask syslog for logs
With `--follow`, journalctl gives you `tail -f` behavior.
Server configuration
; Server side: each service accepts PSK-authenticated TLS on its "accept"
; port and forwards the decrypted stream to the local "connect" port.
; Run as the unprivileged user "stunnel" / group "nogroup" instead of root.
setuid = stunnel
setgid = nogroup
pid = /var/run/stunnel/stunnel.pid
[bayes]
; No address is given, so the TLS listener binds on every interface.
accept = 6478
; No host is given, so the plaintext side goes to localhost.
connect = 6378
; Restrict the handshake to pre-shared-key cipher suites.
ciphers = PSK
; psk.txt holds one IDENTITY:KEY pair per line. Anyone who can read it can
; authenticate to the tunnel, so it must not be world-readable or
; world-writable.
PSKsecrets = /usr/local/etc/stunnel/psk.txt
[fuzzy]
accept = 6477
connect = 6377
ciphers = PSK
; Same secrets file as [bayes]: one identity/key set unlocks both services.
PSKsecrets = /usr/local/etc/stunnel/psk.txt
Client configuration (slave side)
/usr/local/etc/stunnel/stunnel.conf:
; Client side: each service listens for plaintext on localhost and wraps the
; connection in PSK-authenticated TLS towards the server.
; Run as the unprivileged user "stunnel" / group "nogroup" instead of root.
setuid = stunnel
setgid = nogroup
pid = /var/run/stunnel/stunnel.pid
[bayes]
client = yes
; Bound to localhost only, so the plaintext entrance to the tunnel is not
; reachable from other hosts.
accept = localhost:6478
connect = master.example.com:6478
; Restrict the handshake to pre-shared-key cipher suites.
ciphers = PSK
; With PSK the shared secret is the only thing authenticating the server.
; The file holds IDENTITY:KEY lines and must not be world-readable or
; world-writable.
PSKsecrets = /usr/local/etc/stunnel/psk.txt
[fuzzy]
client = yes
accept = localhost:6477
connect = master.example.com:6477
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt
Preshared keys
Server
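; Certificate-based TLS service (cert/key + CAPath), not PSK.
; NOTE(review): there is no setuid/setgid here, unlike the PSK examples, so
; the daemon keeps whatever privileges it was started with.
output = /var/log/stunnel.log
; "debug" is the most verbose level and is meant for troubleshooting;
; stunnel's default is "notice".
debug = debug
pid = /var/run/stunnel.pid
[sql-proxy]
cert = /etc/stunnel/cert/ACP_CERT
; Private key: must not be readable by other local users.
key = /etc/stunnel/cert/ACP_KEY
; Directory of trusted CA certificates used to validate the peer's chain.
; OpenSSL expects the files under their hashed names.
CAPath = /etc/stunnel/ca
client = no
; No address is given, so the TLS listener binds on every interface.
accept = 5431
connect = 5432
; Was "verify = 0", which requests a client certificate but ignores it, so
; any host that could reach port 5431 was forwarded to the backend on 5432.
; Level 2 requires a client certificate that chains to a CA in CAPath.
verify = 2
; NOTE(review): "ciphers" takes an OpenSSL cipher-list string; "TLSv1.2"
; selects cipher suites, it does not set a minimum protocol version. If the
; intent is to refuse older protocols, use the protocol-version option of
; your stunnel build (sslVersionMin on recent releases) - confirm.
ciphers = TLSv1.2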
Client
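; Client side of the certificate-based tunnel.
; NOTE(review): there is no setuid/setgid here, unlike the PSK examples, so
; the daemon keeps whatever privileges it was started with.
output = /var/log/stunnel.log
; "debug" is the most verbose level and is meant for troubleshooting;
; stunnel's default is "notice".
debug = debug
pid = /var/run/stunnel.pid
[sql-proxy]
cert = /etc/stunnel/cert/ACP_CLIENT_CERT
; Private key: must not be readable by other local users.
key = /etc/stunnel/cert/ACP_CLIENT_KEY
; Directory of trusted CA certificates used to validate the server's chain.
; OpenSSL expects the files under their hashed names.
CAPath = /etc/stunnel/ca
client = yes
; NOTE(review): no address is given, so the plaintext entrance binds on every
; interface and any host that can reach it rides the tunnel with this
; client's certificate. The PSK client examples use "localhost:PORT";
; confirm whether that is wanted here too.
accept = 5431
; Address of the sqlproxy machine. The note sits on its own line because
; stunnel only treats a line as a comment when it starts with ";" or "#";
; trailing text would become part of the address.
; NOTE(review): the server example accepts TLS on 5431 and forwards to 5432;
; confirm that 5432 is really the TLS port on the remote side.
connect = aaa.bbb.ccc.ddd:5432
; Was "verify = 0", which accepts any server certificate and leaves the
; connection open to interception. Level 2 requires the server certificate
; to chain to a CA in CAPath. Chain validation alone does not tie the
; certificate to the expected server name; stunnel's checkHost option covers
; that where available.
verify = 2
; NOTE(review): "ciphers" takes an OpenSSL cipher-list string; "TLSv1.2"
; selects cipher suites, it does not set a minimum protocol version. If the
; intent is to refuse older protocols, use the protocol-version option of
; your stunnel build (sslVersionMin on recent releases) - confirm.
ciphers = TLSv1.2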