sobrelinux.info (about:reader?url=https://sobrelinux.info/question...)

stunnel - how to configure stunnel to handle SSL and attach HTTP to it?

I am running Google App Engine, which is an HTTP web server with some redirects and other real-time information. But it has no SSL to include, so it is impossible to do HTTPS.

So I was trying to have stunnel do SSL and connect the HTTP to it, but it does not work when using Google App Engine and Stunnel.

$ cat /etc/stunnel/stunnel.conf
pid = /stunnel.pid
cert=/var/tmp/server.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client=yes
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel.log
[SSL]
accept=0.0.0.0:443
connect=80

See the logs:

2014.02.06 09:13:34 LOG5[8293:140556325660608]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2014.02.06 09:13:34 LOG6[8293:140556325660608]: file ulimit = 1024 (can be changed with 'ulimit -n')
2014.02.06 09:13:34 LOG6[8293:140556325660608]: poll() used - no FD_SETSIZE limit for file descriptors
2014.02.06 09:13:34 LOG5[8293:140556325660608]: 500 clients allowed
2014.02.06 09:13:34 LOG7[8293:140556325660608]: FD 9 in non-blocking mode
2014.02.06 09:13:34 LOG7[8293:140556325660608]: FD 10 in non-blocking mode
2014.02.06 09:13:34 LOG7[8293:140556325660608]: FD 11 in non-blocking mode
2014.02.06 09:13:34 LOG7[8293:140556325660608]: SO_REUSEADDR option set on accept socket
2014.02.06 09:13:34 LOG7[8293:140556325660608]: SSL bound to 0.0.0.0:443
2014.02.06 09:13:34 LOG7[8299:140556325660608]: Created pid file /stunnel.pid

2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=12 from 82.x.x.LocalPC:49651
2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=13 from 82.x.x.LocalPC:49652
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325656320]: FD 12 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325656320]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 13 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Acquired libwrap process #0
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Acquired libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Releasing libwrap process #0
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Releasing libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Released libwrap process #0
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Released libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL permitted by libwrap from 82.x.x.LocalPC:49651
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL permitted by libwrap from 82.x.x.LocalPC:49652
2014.02.06 09:14:06 LOG5[8299:140556325656320]: SSL accepted connection from 82.x.x.LocalPC:49651
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL accepted connection from 82.x.x.LocalPC:49652
2014.02.06 09:14:06 LOG7[8299:140556325656320]: FD 15 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 16 in non-blocking mode
2014.02.06 09:14:06 LOG6[8299:140556325656320]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG6[8299:140556325586688]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325656320]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325656320]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325586688]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325656320]: SSL connected remote server from 82.x.x.x:36426
2014.02.06 09:14:06 LOG5[8299:140556325586688]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Remote FD=15 initialized
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL connected remote server from 82.x.x.x:36427
2014.02.06 09:14:06 LOG7[8299:140556325656320]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Remote FD=16 initialized
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325656320]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG5[8299:140556325656320]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL finished (1 left)
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325586688]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG5[8299:140556325586688]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL finished (0 left)
2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=12 from 82.x.x.LocalPC:49653
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 12 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Acquired libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Releasing libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Released libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL permitted by libwrap from 82.x.x.LocalPC:49653
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL accepted connection from 82.x.x.LocalPC:49653
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 13 in non-blocking mode
2014.02.06 09:14:06 LOG6[8299:140556325586688]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325586688]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325586688]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL connected remote server from 82.x.x.x:36428
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Remote FD=13 initialized
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325586688]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG5[8299:140556325586688]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL finished (0 left)
2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=12 from 82.x.x.LocalPC:49654
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 12 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Acquired libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Releasing libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Released libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL permitted by libwrap from 82.x.x.LocalPC:49654
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL accepted connection from 82.x.x.LocalPC:49654
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 13 in non-blocking mode
2014.02.06 09:14:06 LOG6[8299:140556325586688]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325586688]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325586688]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL connected remote server from 82.x.x.x:36429
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Remote FD=13 initialized
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325586688]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG5[8299:140556325586688]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL finished (0 left)

EDIT: here, to check SSL locally:

$ openssl s_client -ssl3 -connect localhost:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1391675538
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

EDIT:

Goal: the visitor visits a valid address, for example: link (assume it is valid and has CA, KEY and CERT files) and is not forwarded to link, which must remain https.

1) When using Google App Engine it has no HTTPS option, so as a result everything has to run as HTTP. The service is now running as HTTP, but when users use it as http it causes other security problems.

2) So we needed an SSL proxy for that HTTP, so that the user always gets https even behind the screen where they are connected with http.

Is this description clear?
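An added example (not from the original post) in Python: it parses an stunnel.conf and the per-thread debug log, and flags the pattern the logs above show, a service running with client = yes whose SSL_connect toward the backend dies with "wrong version number". The config and log excerpts embedded in it are constructed from the ones in the question, with the log lines rejoined.

```python
import re
from collections import defaultdict

# Constructed excerpt of the stunnel.conf from the question (not the full file).
CONF = """\
pid = /stunnel.pid
cert=/var/tmp/server.pem
client=yes
; Some debugging stuff useful for troubleshooting
[SSL]
accept=0.0.0.0:443
connect=80
"""
# Constructed excerpt of the debug log from the question, one worker thread.
LOG = """\
2014.02.06 09:14:06 LOG5[8299:140556325656320]: SSL accepted connection from 82.x.x.LocalPC:49651
2014.02.06 09:14:06 LOG5[8299:140556325656320]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG3[8299:140556325656320]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG5[8299:140556325656320]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"""
# stunnel line layout: "date time LOGn[pid:thread]: message"
LINE_RE = re.compile(r"^\S+ \S+ LOG(\d)\[(\d+):(\d+)\]: (.*)$")

def parse_conf(text):
    """Parse stunnel's INI-like syntax into (global options, {service: options})."""
    glob, services, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            cur = services.setdefault(line[1:-1], {})
        elif line:
            key, _, val = line.partition("=")
            (glob if cur is None else cur)[key.strip()] = val.strip()
    return glob, services

def diagnose(conf_text, log_text):
    """(thread, service, connect target) for each thread whose SSL_connect toward the
    backend failed with 'wrong version number' while the service runs in client mode."""
    glob, services = parse_conf(conf_text)
    msgs = defaultdict(list)                         # messages grouped per thread id
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        msgs[m.group(3)].append(m.group(4))
    findings = []
    for tid, lines in msgs.items():
        if any(l.startswith("SSL_connect") and "wrong version number" in l for l in lines):
            for name, opts in services.items():
                # a service inherits 'client' from the global section; default is no
                if opts.get("client", glob.get("client", "no")) == "yes":
                    findings.append((tid, name, opts.get("connect")))
    return findings
```

With client = yes, stunnel accepts plaintext on 443 and starts a TLS handshake toward port 80, where the HTTP server answers with a non-TLS record that OpenSSL reports as "wrong version number"; for the setup described in the question the service needs client = no (the default), so that stunnel terminates TLS on 443 and forwards plaintext to port 80.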
