SSL-соединение для хостинга сайтов под THTTPD
Все,
У меня есть веб-сайт, к которому можно получить доступ через HTTP-порт 86. Теперь необходимо добавить SSL для защиты соединения. Этот сайт обслуживается веб-сервером thttpd, который, да, не поддерживает SSL. Я много искал через гугл тогда. Предложения добавить SSL через Stunnel для thttpd.
ОБНОВЛЕНО:
Вот мой stunnel.conf:
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
fips = no
; PID is created inside the chroot jail
pid = /stunnel.pid
; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/local/etc/stunnel/crls.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; Example SSL server mode services
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
; Example SSL client mode services
;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995
;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993
;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465
; Example SSL front-end to a web server
[https]
accept = 443
connect = 86
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
; vim:ft=dosini
Вот результат, который я получил:
linux-1ryy:/usr/local/etc/stunnel # /usr/local/bin/stunnel
Clients allowed=500
stunnel 4.56 on i686-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS mode is disabled
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service [https]
Certificate: /usr/local/etc/stunnel/stunnel.pem
Certificate loaded
Key file: /usr/local/etc/stunnel/stunnel.pem
Private key loaded
Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
DH initialized with 1024-bit key
ECDH initialized with curve prime256v1
SSL options set: 0x01000004
Configuration successful
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Closing service [https]
Service [https] closed (FD=7)
Sessions cached before flush: 0
Sessions cached after flush: 0
Service [https] closed
str_stats: 10 block(s), 883 data byte(s), 420 control byte(s)
Вот информация о прослушивании порта перед запуском /usr/local/bin/stunnel:
linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5484/mysqld
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 336/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1558/sshd
tcp 0 0 :::86 :::* LISTEN 5536/thttpd
tcp 0 0 :::22 :::* LISTEN 1558/sshd
А вот информация о прослушивании порта после запуска:
linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 5484/mysqld
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 336/xinetd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1558/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 23145/stunnel
tcp 0 0 :::86 :::* LISTEN 5536/thttpd
tcp 0 0 :::22 :::* LISTEN 1558/sshd
Теперь я понятия не имею, что происходит не так. Любые предложения будут оценены.
ДОБАВЛЕНО:
Если я закрою брандмауэр, я могу получить доступ через https://<my-ip-address> успешно. Тем не менее, я все еще получаю это сообщение об ошибке:
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Интересно, почему...
1 ответ
Как видно из netstat, на порту 443 уже есть процесс stunnel (pid=10833) (и другой на порту 8443, pid=11191), поэтому запуск другого процесса stunnel на порту 443 завершается неудачно с
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)