Synopsis
Stunnel is a program that lets you wrap arbitrary TCP connections inside SSL. It can secure daemons and protocols that are not SSL-aware (POP, IMAP, LDAP, MySQL, etc.) by providing the encryption itself, requiring no changes to the daemon's code.
Installing Stunnel
Stunnel uses a client/server model, so you must install Stunnel on both hosts: the one acting as the client and the one acting as the server. Here, we are assuming you are installing Stunnel on FreeBSD 8.0 using the ports tree.
WARNING: Do NOT use portupgrade or portmaster to install the Stunnel port. This will break the certificate generation portion of the Stunnel installation. The installation procedure is identical on both the client and server.
Installation
- cd /usr/ports/security/stunnel/
- make all install
- make certification
- make clean
During step 3 (make certification) you will be asked a series of questions for the certificate. The certificate will be generated in /usr/local/etc/stunnel/ as stunnel.pem.
Stunnel Server Configuration
Edit /usr/local/etc/stunnel/stunnel.conf with the following parameters:
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /var/tmp/stunnel
# PID is created inside chroot jail
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
client = no

[mysql]
accept = 3307
connect = 3306
Stunnel Client Configuration
Edit /usr/local/etc/stunnel/stunnel.conf with the following parameters:
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /var/tmp/stunnel
# PID is created inside chroot jail
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
client = yes

[mysql]
accept = 3306
connect = <IP or Hostname>:3307
rc.conf Changes
Add stunnel_enable="YES" to /etc/rc.conf
Start up
/usr/local/etc/rc.d/stunnel start
How to use
Point your website at localhost port 3306 as its database server. On the database server, grant permissions for connections from localhost instead of from the remote web server's address. Stunnel takes over from there: the client side encrypts the traffic and sends it to the database server's Stunnel on port 3307, which connects to 3306 locally and talks to the database.
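As an added example (not part of the original guide), the following POSIX shell script renders the server-side and client-side stunnel.conf shown in the two configuration sections above from a few variables, and sanity-checks a rendered file before stunnel is started: it confirms that cert, chroot, setuid and setgid are set, that the pid path is not written with the chroot prefix (the guide's comment notes the PID file is created inside the jail, so a path like /var/tmp/stunnel/stunnel.pid would end up in the wrong place), that client = no/yes matches the side, and that the accept/connect ports line up (3307 on the server, 3306 locally on the client). It also flags a stunnel.pem that other users can read, on the assumption that the generated file bundles the private key with the certificate. The paths come from the guide; the host name db.example.internal, the script file name and the section name mysql are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: render the stunnel.conf for
# either side of the tunnel described above and sanity-check a rendered file
# before starting stunnel. Paths match the guide; the section name "mysql"
# and the example host name are assumptions.

# render_conf SIDE [SERVER_HOST]
# SIDE is "server" or "client"; SERVER_HOST is the stunnel server for a client.
render_conf() {
    if [ "$1" = server ]; then
        client=no
        accept=3307          # TLS listener for remote clients
        connect=3306         # local MySQL
    else
        client=yes
        accept=3306          # local plaintext listener for the web application
        connect="$2:3307"    # the stunnel server's TLS port
    fi
    cat <<EOF
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /var/tmp/stunnel
# PID is created inside chroot jail
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
client = $client

[mysql]
accept = $accept
connect = $connect
EOF
}

# conf_get FILE KEY -> value of the first "KEY = value" line in FILE
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_conf FILE SIDE -> exit status 0 if FILE is a consistent config for SIDE,
# 1 otherwise, printing each problem found.
check_conf() {
    f=$1
    side=$2
    rc=0
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }

    # The tunnel must chroot and drop root, and it needs a certificate.
    for key in cert chroot setuid setgid; do
        [ -n "$(conf_get "$f" "$key")" ] || { echo "$f: missing $key"; rc=1; }
    done

    # pid is resolved after chroot, so it must not carry the chroot prefix.
    chroot_dir=$(conf_get "$f" chroot)
    pid=$(conf_get "$f" pid)
    if [ -z "$pid" ]; then
        echo "$f: missing pid"; rc=1
    elif [ -n "$chroot_dir" ]; then
        case "$pid" in
            "$chroot_dir"/*) echo "$f: pid must be relative to the chroot (e.g. /stunnel.pid)"; rc=1 ;;
        esac
    fi

    # Assumption: stunnel.pem bundles the private key, so it should not be
    # readable by other users. Skipped when the file is not present.
    cert=$(conf_get "$f" cert)
    if [ -f "$cert" ] && [ -n "$(find "$cert" -perm -o+r 2>/dev/null)" ]; then
        echo "$f: $cert is readable by other users"; rc=1
    fi

    client=$(conf_get "$f" client)
    accept=$(conf_get "$f" accept)
    connect=$(conf_get "$f" connect)
    if [ "$side" = server ]; then
        [ "$client" = no ] || { echo "$f: server side needs client = no"; rc=1; }
        [ "$accept" = 3307 ] && [ "$connect" = 3306 ] \
            || { echo "$f: server should accept 3307 and connect to local 3306"; rc=1; }
    else
        [ "$client" = yes ] || { echo "$f: client side needs client = yes"; rc=1; }
        [ "$accept" = 3306 ] || { echo "$f: client should accept on local 3306"; rc=1; }
        case "$connect" in
            ?*:3307) ;;
            *) echo "$f: client connect must be <server>:3307"; rc=1 ;;
        esac
    fi
    return $rc
}

# When run directly (file name assumed), e.g.:
#   sh stunnel-conf.sh render client db.example.internal > /usr/local/etc/stunnel/stunnel.conf
#   sh stunnel-conf.sh check /usr/local/etc/stunnel/stunnel.conf client
case "${1:-}" in
    render) render_conf "$2" "$3" ;;
    check)  check_conf "$2" "$3" ;;
esac
```

Run the check on each host after editing stunnel.conf and before /usr/local/etc/rc.d/stunnel start; a non-zero exit status with a printed reason means the file does not match the layout this guide describes.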
