![]() ![]() There are several ways you could go about that, such as firewalling your Redis or using spiped, but (post- Heartbleed) SSL is still one of my favorites. ![]() the AUTH command) only gets you so far and in some cases you need something a little stronger. What do you do if you want to secure access to your Redis? Plain password authentication (i.e. 'debug = 5' logs everything including informational this is the default.Securing Redis Client and Server with Stunnel The 'debug' option increases the log level, 0 = no logging, 7 = full logging plus console output. May 6 00:24:36 susie stunnel: LOG5: Connection closed: 13079īytes sent to SSL, 930 bytes sent to socket May 6 00:24:35 susie stunnel: LOG5: https connected from May 6 00:24:18 susie stunnel: LOG5: 500 clients allowed May 6 00:24:18 susie stunnel: LOG5: Threading:PTHREAD May 6 00:24:18 susie stunnel: LOG5: stunnel 4.15 on Susie:/home/stunnel # tail -f /var/log/messages Susie:~ # kill `cat /home/stunnel/var/lib/stunnel/stunnel.pid` 8. Stunnel 15229 nobody 6u IPv4 67679 TCP *:https (LISTEN) Start stunnel and verify it is listening on port 443 Master 1339 root 11u IPv4 3741 TCP localhost:smtp (LISTEN) Sshd 1153 root 5u IPv6 2949 TCP *:ssh (LISTEN) Verify the webserver is running on port 80 and the SSL port 443 is freeĬOMMAND PID USER FD TYPE DEVICE SIZE NODE NAME Some debugging stuff useful for troubleshooting Some security enhancements for UNIX systems - comment them out on Win32 CAfile = /home/stunnel/etc/stunnel/cacert.pem key = /home/stunnel/etc/stunnel/stunnel-privkey.pem client certs, we don't need the CA certificate for verification. since private key and certificate are in one file, we don't need Certificate/key is needed in server mode and optional in client modeĬert = /home/stunnel/etc/stunnel/stunnel.pem = stunnel configuration for https to http forwarding = susie:~ # vi /home/stunnel/etc/stunnel/nf Adjust the stunnel configuration fileįor more information, see the stunnel manpage. Susie:~ # openssl rsa -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text 4. Susie:~ # openssl x509 -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text The certificate and key can be displayed with openssl: "make install" calls OpenSSL routines and generates a self-signed certificate together with the private key in a single file. with-ssl=/home/openssl make su make install Since I do not plan to use DH, I removed the option and compilation worked with out any. ![]() Reasons are two missing pointer declarations in src/ctx.c: Make: Leaving directory `/home/devel/stunnel-4.15/src' with-ssl=/home/openssl -enable-dh -disable-libwrapĬtx.c:170: error: `section' undeclared (first use in this fuĬtx.c:170: error: (Each undeclared identifier is reported onĬtx.c:170: error: for each function it appears in.)Ĭtx.c:198: error: `ctx' undeclared (first use in this functi There is a bug in stunnel when Diffie Hellman support is enabled with -enable-dh in. Susie:/home/devel # ln -s /home/stunnel-4.15 /home/stunnel 3. Susie:/home/devel # mkdir /home/stunnel-4.15 software/stunnel-4.15.tar.gz | tar xf ls stunnel-4 2. In this example, I compiled it from zcat. Source is available at, but many distributions already provide a precompiled package. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |