Networking
stunnel - How do I set up stunnel to handle SSL and attach HTTP?
I am running Google App Engine, which is an HTTP web server with some redirects and other live content. It does not include SSL, though, so it cannot do HTTPS.
So I tried stunnel to do the SSL and attach the HTTP on top of it, but it does not work with Google App Engine and stunnel.

```
$ cat /etc/stunnel/stunnel.conf
pid = /stunnel.pid
cert=/var/tmp/server.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client=yes
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel.log
[SSL]
accept=0.0.0.0:443
connect=80
```
Looking at the log:
```
2014.02.06 09:13:34 LOG5[8293:140556325660608]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2014.02.06 09:13:34 LOG6[8293:140556325660608]: file ulimit = 1024 (can be changed with 'ulimit -n')
2014.02.06 09:13:34 LOG6[8293:140556325660608]: poll() used - no FD_SETSIZE limit for file descriptors
2014.02.06 09:13:34 LOG5[8293:140556325660608]: 500 clients allowed
2014.02.06 09:13:34 LOG7[8293:140556325660608]: FD 9 in non-blocking mode
2014.02.06 09:13:34 LOG7[8293:140556325660608]: FD 10 in non-blocking mode
2014.02.06 09:13:34 LOG7[8293:140556325660608]: FD 11 in non-blocking mode
2014.02.06 09:13:34 LOG7[8293:140556325660608]: SO_REUSEADDR option set on accept socket
2014.02.06 09:13:34 LOG7[8293:140556325660608]: SSL bound to 0.0.0.0:443
2014.02.06 09:13:34 LOG7[8299:140556325660608]: Created pid file /stunnel.pid
2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=12 from 82.x.x.LocalPC:49651
2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=13 from 82.x.x.LocalPC:49652
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325656320]: FD 12 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325656320]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 13 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Acquired libwrap process #0
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Acquired libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Releasing libwrap process #0
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Releasing libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Released libwrap process #0
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Released libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL permitted by libwrap from 82.x.x.LocalPC:49651
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL permitted by libwrap from 82.x.x.LocalPC:49652
2014.02.06 09:14:06 LOG5[8299:140556325656320]: SSL accepted connection from 82.x.x.LocalPC:49651
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL accepted connection from 82.x.x.LocalPC:49652
2014.02.06 09:14:06 LOG7[8299:140556325656320]: FD 15 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 16 in non-blocking mode
2014.02.06 09:14:06 LOG6[8299:140556325656320]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG6[8299:140556325586688]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325656320]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325656320]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325586688]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325656320]: SSL connected remote server from 82.x.x.x:36426
2014.02.06 09:14:06 LOG5[8299:140556325586688]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325656320]: Remote FD=15 initialized
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL connected remote server from 82.x.x.x:36427
2014.02.06 09:14:06 LOG7[8299:140556325656320]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Remote FD=16 initialized
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325656320]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG5[8299:140556325656320]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325656320]: SSL finished (1 left)
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325586688]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG5[8299:140556325586688]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL finished (0 left)
2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=12 from 82.x.x.LocalPC:49653
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 12 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Acquired libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Releasing libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Released libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL permitted by libwrap from 82.x.x.LocalPC:49653
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL accepted connection from 82.x.x.LocalPC:49653
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 13 in non-blocking mode
2014.02.06 09:14:06 LOG6[8299:140556325586688]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325586688]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325586688]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL connected remote server from 82.x.x.x:36428
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Remote FD=13 initialized
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325586688]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG5[8299:140556325586688]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL finished (0 left)
2014.02.06 09:14:06 LOG7[8299:140556325660608]: SSL accepted FD=12 from 82.x.x.LocalPC:49654
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL started
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 12 in non-blocking mode
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on local socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Waiting for a libwrap process
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Acquired libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Releasing libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Released libwrap process #1
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL permitted by libwrap from 82.x.x.LocalPC:49654
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL accepted connection from 82.x.x.LocalPC:49654
2014.02.06 09:14:06 LOG7[8299:140556325586688]: FD 13 in non-blocking mode
2014.02.06 09:14:06 LOG6[8299:140556325586688]: connect_blocking: connecting 82.x.x.x:80
2014.02.06 09:14:06 LOG7[8299:140556325586688]: connect_blocking: s_poll_wait 82.x.x.x:80: waiting 10 seconds
2014.02.06 09:14:06 LOG5[8299:140556325586688]: connect_blocking: connected 82.x.x.x:80
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL connected remote server from 82.x.x.x:36429
2014.02.06 09:14:06 LOG7[8299:140556325586688]: Remote FD=13 initialized
2014.02.06 09:14:06 LOG7[8299:140556325586688]: TCP_NODELAY option set on remote socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): before/connect initialization
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL state (connect): SSLv3 write client hello A
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL alert (write): fatal: handshake failure
2014.02.06 09:14:06 LOG3[8299:140556325586688]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG5[8299:140556325586688]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.02.06 09:14:06 LOG7[8299:140556325586688]: SSL finished (0 left)
```
EDIT: here is the SSL verified locally

```
$ openssl s_client -ssl3 -connect localhost:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1391675538
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
```
EDIT:

Goal: a visitor goes to a valid address, e.g. https://www.yumyumyum.com (assume it is valid and has the CA, KEY and CERT files), and he is not forwarded to http://www.yumyumyum.com; it should stay as https.

There is no HTTPS option when using Google App Engine, so everything has to run over HTTP. The service currently runs over HTTP, but when users use it over http this causes other security problems.

So we need an SSL proxy pointing at that HTTP, so that users always get https even behind the screens where they attach http.

Is that a clear description?
The problem is your setting (changed from the default)

```
client=yes
```

but you need to use stunnel in server mode, i.e. offering SSL/TLS connections to the outside and forwarding them as unencrypted connections.
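As an added illustration (my own code, not from the question or the answer above), the following linter reads an stunnel.conf, works out for each service whether it runs in server mode (TLS terminated on `accept`, plaintext sent to `connect`) or client mode (`client = yes`: plaintext expected on `accept`, TLS started toward `connect`), and reports the mismatch the question's config contains. It also scans stunnel log lines for the fingerprint visible in the question's log: a thread that connects to the backend and immediately gets `wrong version number` back, which is what happens when a client-mode service sends a TLS ClientHello to a port that answers in plain HTTP. The check generalises beyond the page's 443-in-front-of-80 case to any well-known TLS port on the wrong side of a service; the set of ports and the helper names are my assumptions, and the sample config and log lines are copied from the question.

```python
"""Added example, not code from the original question or answer: a linter for
stunnel.conf that tells server-mode services (TLS on `accept`, plaintext on
`connect`) from client-mode ones (`client = yes`: the reverse) and flags the
mismatch on this page, plus a check for its fingerprint in the stunnel log.
Generalised past the page: any well-known TLS port on the wrong side of a
service is reported.  Sample config and log lines are copied from the page."""
import re

# Assumption: the deployment uses conventional port numbers for TLS services.
TLS_PORTS = {443, 465, 636, 993, 995}

def parse_stunnel_conf(text):
    """Return (global_options, [(service_name, options)]); options before the
    first [section] are globals every service inherits, values are kept as
    lists because keys such as 'socket' may repeat, ';' and '#' open comments."""
    global_opts, services, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        section = re.fullmatch(r'\[(.+)\]', line)
        if section:
            current = (section.group(1), {})
            services.append(current)
            continue
        key, _, value = line.partition('=')  # first '=' only: 'l:TCP_NODELAY=1' survives
        opts = current[1] if current else global_opts
        opts.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services

def effective(global_opts, opts, key, default):
    """Service-level value if set, else the inherited global, else default."""
    return (opts.get(key) or global_opts.get(key) or [default])[-1]

def port_of(addr):
    """'0.0.0.0:443' -> 443; stunnel also accepts a bare port such as '80'."""
    return int(addr.rsplit(':', 1)[-1])

def lint(text):
    """Return human-readable findings; an empty list means no mode mismatch."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services:
        client = effective(global_opts, opts, 'client', 'no').lower() == 'yes'
        accept = port_of(effective(global_opts, opts, 'accept', '0'))
        connect = port_of(effective(global_opts, opts, 'connect', '0'))
        if client and accept in TLS_PORTS:
            findings.append(f"[{name}] client=yes: port {accept} is treated as plaintext "
                            f"and a TLS handshake is started toward port {connect}; "
                            f"use server mode (client=no)")
        elif not client and connect in TLS_PORTS and accept not in TLS_PORTS:
            findings.append(f"[{name}] server mode, but connect port {connect} is a TLS "
                            f"port; this looks like a client-mode service (client=yes)")
    return findings

def fix_conf(text):
    """Flip every 'client = yes' line to 'client = no', leaving the rest as is."""
    return re.sub(r'(?m)^([ \t]*client[ \t]*=[ \t]*)yes[ \t]*$', r'\1no', text)

LOG_LINE = re.compile(r'LOG\d\[\d+:(\d+)\]: (.*)')

def log_fingerprint(log_text):
    """Thread ids where stunnel connected to the backend and then got 'wrong
    version number' back: it sent a TLS ClientHello to a port that answered in
    plaintext, which is what a client-mode service does in front of plain HTTP."""
    connected, flagged = set(), set()
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        tid, msg = m.groups()
        if msg.startswith('SSL connected remote server'):
            connected.add(tid)
        elif 'wrong version number' in msg and tid in connected:
            flagged.add(tid)
    return flagged

# The configuration from the question.
SAMPLE_CONF = """\
pid = /stunnel.pid
cert=/var/tmp/server.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client=yes
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel.log
[SSL]
accept=0.0.0.0:443
connect=80
"""

# Four lines from the question's log: two threads, both showing the failure.
SAMPLE_LOG = """\
2014.02.06 09:14:06 LOG5[8299:140556325656320]: SSL connected remote server from 82.x.x.x:36426
2014.02.06 09:14:06 LOG5[8299:140556325586688]: SSL connected remote server from 82.x.x.x:36427
2014.02.06 09:14:06 LOG3[8299:140556325656320]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2014.02.06 09:14:06 LOG3[8299:140556325586688]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

if __name__ == '__main__':
    print('findings:', lint(SAMPLE_CONF))
    print('after fix:', lint(fix_conf(SAMPLE_CONF)) or 'clean')
    print('fingerprint threads:', sorted(log_fingerprint(SAMPLE_LOG)))
```

Run as a script it reports the `[SSL]` service once, reports nothing after `fix_conf` has turned `client=yes` into `client=no`, and names the two worker threads from the log that connected to port 80 and then failed with `wrong version number`. The `openssl s_client` reset in the question (`write:errno=104`) is the same mode error seen from the other side: in client mode stunnel never performs a server handshake on 443, so a TLS client gets the connection closed as soon as stunnel's own handshake toward port 80 fails.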