Stunnel on Debian/Ubuntu with Squid

Rumi,

What’s Stunnel

The Stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the program’s code.

What Stunnel basically does is that it turns any insecure TCP port into a secure encrypted port using OpenSSL package for cryptography. It’s somehow like a small secure VPN that runs on specific ports.

Step 1: Create an Ubuntu Droplet

So far I have tested it on Ubuntu 12.04 x32/x64, Ubuntu 12.10 x32/x64, Ubuntu 13.04 x32/x64.

Step 2: Update and Upgrade Ubuntu

Using these commands update your Ubuntu’s package list and also upgrade the existing packages to the latest version:

apt-get update
apt-get upgrade

Step 3: Install Stunnel on your VPS

Install Stunnel package using the code below:

apt-get install stunnel4 -y

Step 4: Configure Stunnel on the VPS

Stunnel configures itself using a file named “stunnel.conf” which by default is located in “/etc/stunnel”.

Create a “stunnel.conf” file in the “/etc/stunnel” directory:

nano /etc/stunnel/stunnel.conf

We’re going to be using a SSL certificate to identify ourselves to the server so we have to set the path to that certificate in “stunnel.conf” file using this line (We will create the certificate file in the next step):

cert = /etc/stunnel/stunnel.pem

Next we specify a service for use with Stunnel. It can be any of the services which use networking such as mail server, proxy server, etc.

Here as an example we’re going to secure traffics between Squid proxy server and a client using Stunnel. We’ll explain how to install and configure Squid in Step 6.

After setting a name for the service you’re going to use, you must tell Stunnel to listen on which port for that service. This can be any of the 65535 ports, as long as it’s not blocked by another service or firewall:

[squid]
accept = 8888

Then depending on the service you’re going to use the secure tunnel on, you must specify the port and IP address of that in the configuration file Basically Stunnel takes packets from a secure port and then forwards it to the port and IP address of the service you specified.

Squid proxy by default runs on localhost and port 3128 so we have to tell Stunnel to forward accepted connections to that port:
connect = 127.0.0.1:3128

So overall the “stunnel.conf” file must contain the lines below:

client = no
[squid]
accept = 8888
connect = 127.0.0.1:3128
cert = /etc/stunnel/stunnel.pem

Note: The client = no part isn’t necessary, Stunnel by default is set to server mode.

Step 5: Create SSL Certificates

Stunnel uses SSL certificate to secure its connections, which you can easily create using the OpenSSL package:

openssl genrsa -out key.pem 2048
openssl req -new -x509 -key key.pem -out cert.pem -days 1095
cat key.pem cert.pem >> /etc/stunnel/stunnel.pem

Basically, the commands above is for creating a private key, creating a certificate using that key and combining the two of them into one files named “stunnel.pem” to use with Stunnel.

Note: When creating the certificate, you will be asked for some information such as country and state, which you can enter whatever you like but when asked for “Common Name” you must enter the correct host name or IP address of your droplet (VPS).

Also, enable Stunnel automatic startup by configuring the “/etc/default/stunnel4” file, enter command below to open the file in text editor:

nano /etc/default/stunnel4

And change ENABLED to 1:

ENABLED=1

Finally, restart Stunnel for configuration to take effect, using this command:

/etc/init.d/stunnel4 restart

Step 6: Install Squid Proxy

Install Squid using the command below:

apt-get install squid3 -y

Step 7: Configure Stunnel in Client

Note: This explains the process of installing and configuration of Stunnel as a client in Windows, but Stunnel could also be installed in Linux and even Android and configuration still remains the same. The only difference would be placement of “stunnel.conf” file required for configuration of Stunnel.

In order for Stunnel to communicate with the server, the SSL certificate we created in Step 5 must be present at the client. There are many ways of obtaining the “stunnel.pem” file from server, but we’re going to use SFTP which is both easy and very secure.

Using a SFTP client such as Filezilla, connect to your server and download the “stunnel.pem” file located in “/etc/stunnel/” directory to the client.

There’s also a good tutorial on SFTP here:

How To Use SFTP to Securely Transfer Files with a Remote Server

Download Stunnel from their website.

Install Stunnel in any place you like. Then go to the Stunnel folder and move the downloaded certificate”stunnel.pem” to Stunnel folder.

Create a “stunnel.conf” file in the Stunnel’s folder if one does not exist. Open the file with a text editor such as Notepad.

First of all, we tell Stunnel our certificate’s path, which in Windows is in the Stunnel’s directory (reminder: in Ubuntu it is in “/etc/stunnel/” directory):

cert = stunnel.pem

Since we are going to set up a client, we have to tell Stunnel that this is a client. Put the line below in the configuration file:

client = yes

Then just like the server, we must specify configuration of the service we want to use.

First we specify the service’s name, then the IP address and port, which Stunnel should listen to on the client:

[squid]
accept = 127.0.0.1:8080

The accept port could be any port on the client computer, as long as it’s not occupied by another service or blocked by a firewall.

Next, we tell Stunnel to forward packets coming to this port to our Stunnel server’s IP address and port. The IP address is your server’s (droplet) public IP address, which is assigned to you when setting up a droplet, and port is the port you specified when configuring Stunnel in the server. In our case it was 8888 so we’re going to tell Stunnel to connect to that port:

connect = [Server’s Public IP]:8888

So the final “stunnel.conf” file in the client should look like this:

cert = stunnel.pem
client = yes
[squid]
accept = 127.0.0.1:8080
connect = [Server’s Public IP]:8888

Save and close the file and run “stunnel.exe”.

That’s it. Now our client is configured to communicate securely with the virtual server using a secure SSL tunnel. From now on when trying to connect to any service on our VPS, instead of connecting directly to IP address of server, we must use the IP address and port specified in the Stunnel’s “accept” part of configuration for each service.

As an example, when we want to connect to Squid proxy on our cloud server, we must configure our client to connect to 127.0.0.1:8080, and Stunnel automatically connects us through a secure tunnel to the service specified for that port. Here you can configure your web browser to use IP 127.0.0.1 and port 8080 as a proxy to secure your web traffic.

Last but not least, a squid configuration needs to be prepared.

Installing Squid3

Log in on Ubuntu Server, then type command below to Install squid2 in ubuntu server 12.04:

sudo apt-get install squid3 ccze

Configure Squid3

Create directory for Cache, on this case cache directory placed on directory /home/precise/cache/. Then change the permissions cache directory to 777 and owner proxy:proxy

sudo mkdir -p /home/precise/cache/
sudo chmod 777 /home/precise/cache/
sudo chown proxy:proxy /home/precise/cache/

Before editing squid configuration, Make a backup of your /etc/squid3/squid.conf file for future reference. Squid.conf has nearly all the options listed and it is recommended to go through that file to know more about squid options.

sudo cp /etc/squid3/squid.conf /etc/squid3/squid.conf.origin
sudo chmod a-w /etc/squid3/squid.conf.origin

Now edit /etc/squid3/squid.conf file, delete all options in /etc/squid3/squid.conf then replace with squid3 configuration below

sudo nano /etc/squid3/squid.conf
# ACCESS CONTROLS OPTIONS
# ====================
#
acl QUERY urlpath_regex -i cgi-bin \? \.php$ \.asp$ \.shtml$ \.cfm$ \.cfml$ \.phtml$ \.php3$ localhost
acl all src
acl localnet src 10.0.0.0/8
acl localnet src 192.168.1.0/24 # Your network here
acl localhost src 127.0.0.1/32
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3128 1025-65535
acl sslports port 443 563 81 2087 10000
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl ym dstdomain .messenger.yahoo.com .psq.yahoo.com
acl ym dstdomain .us.il.yimg.com .msg.yahoo.com .pager.yahoo.com
acl ym dstdomain .rareedge.com .ytunnelpro.com .chat.yahoo.com
acl ym dstdomain .voice.yahoo.com
acl ymregex url_regex yupdater.yim ymsgr myspaceim
#
http_access deny ym
http_access deny ymregex
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
http_access allow localnet
http_access deny all
#
# NETWORK OPTIONS
# —————
#
http_port 3128
#
# OPTIONS WHICH AFFECT THE CACHE SIZE
# ==============================
#
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir aufs /home/precise/cache 10000 14 256
maximum_object_size 128000 KB
cache_swap_low 95
cache_swap_high 99
#
# LOGFILE PATHNAMES AND CACHE DIRECTORIES
# ==================================
#
access_log /var/log/squid3/access.log
cache_log /cache/cache.log
#cache_log /dev/null
cache_store_log none
logfile_rotate 5
log_icp_queries off
#
# OPTIONS FOR TUNING THE CACHE
# ========================
#
cache deny QUERY
refresh_pattern ^ftp: 1440 20% 10080 reload-into-ims
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i \.(gif|png|jp?g|ico|bmp|tiff?)$ 10080 95% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(rpm|cab|deb|exe|msi|msu|zip|tar|xz|bz|bz2|lzma|gz|tgz|rar|bin|7z|doc?|xls?|ppt?|pdf|nth|psd|sis)$ 10080 90% 43200 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(avi|iso|wav|mid|mp?|mpeg|mov|3gp|wm?|swf|flv|x-flv|axd)$ 43200 95% 432000 override-expire override-lastmod reload-into-ims ignore-no-cache ignore-private
refresh_pattern -i \.(html|htm|css|js)$ 1440 75% 40320
refresh_pattern -i \.index.(html|htm)$ 0 75% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 1440 90% 10080
#
quick_abort_min 0 KB
quick_abort_max 0 KB
quick_abort_pct 100
store_avg_object_size 13 KB
#
# HTTP OPTIONS
# ===========
vary_ignore_expire on
#
# ANONIMITY OPTIONS
# ===============
#
request_header_access From deny all
request_header_access Server deny all
request_header_access Link deny all
request_header_access Via deny all
request_header_access X-Forwarded-For deny all
#
# TIMEOUTS
# =======
#
forward_timeout 240 second
connect_timeout 30 second
peer_connect_timeout 5 second
read_timeout 600 second
request_timeout 60 second
shutdown_lifetime 10 second
#
# ADMINISTRATIVE PARAMETERS
# =====================
#
cache_mgr ninja
cache_effective_user proxy
cache_effective_group proxy
httpd_suppress_version_string on
visible_hostname ninja
#
ftp_list_width 32
ftp_passive on
ftp_sanitycheck on
#
# DNS OPTIONS
# ==========
#
dns_timeout 10 seconds
dns_nameservers 192.168.1.1 8.8.8.8 8.8.4.4 # DNS Server
#
# MISCELLANEOUS
# ===========
#
memory_pools off
client_db off
reload_into_ims on
coredump_dir /cache
pipeline_prefetch on
offline_mode off
#
#Marking ZPH
#==========
zph_mode tos
zph_local 0x04
zph_parent 0
zph_option 136
### END CONFIGURATION ###

Create swap directory,

squid3 -z

Restart squid3:

sudo /etc/init.d/squid3 restart

Src:

https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ssl-tunnel-using-stunnel-on-ubuntu

http://ubuntuserverguide.com/2012/05/how-to-install-and-configure-proxy-server-with-squid3-on-ubuntu-server-12-04-lts.html

Administrations Configurations (Linux) PKI

Leave a Reply

Your email address will not be published. Required fields are marked *