The instructions below assume you are using Ubuntu 16.04 but they will work for other Linuxes with minor modifications. The instructions below will also conflict with a webserver listening on port 443 ( https ) so you’ll need to disable it. Once the setup below is complete your https connections will get seamlessly forwarded to port 80. <\/p>\n
For the SSL connection to be secure and trusted by browsers and other software you need to have a certificate signed by a recognised certificate authority. The easiest way to do this is to use letsencypt’s<\/a> certbot. I’m not going to go into how to get the certificate as there are too many ways depending on your configuration. Just follow letsencrypt’s documentation to generate a key for your "servernname.com" that will get used in the rest of these instructions.<\/p>\n You could also use a self signed key but that may cause you problems with stateful firewalls.<\/p>\n With your certificate installed on the server you can now setup stunnel<\/a> to use it. crow shows a partial setup here<\/a>. I think he’s limited the ciphers for increased security but I found it was not necessary. <\/p>\n Install stunnel4<\/p>\n So the setup in \/etc\/stunnel\/stunnel.conf I am using looks like this<\/p>\n You also need to enable stunnel in \/etc\/default\/stunnel4.conf by setting ENABLED=1<\/p>\n restart stunnel to use the new configuration.<\/p>\n At this point you can test the stunnel setup by going to “http:\/\/servername.com” with your browser and you will have a secure connection to your http server.<\/p>\n To prep for the sslh configuration change <\/p>\n in \/etc\/stunnel\/stunnel.conf to <\/p>\n and then restart stunnel again.<\/p>\n sslh<\/a> will redirect the sessions decrypted by stunnel to the correct port on your server. <\/p>\n You need to install sslh<\/p>\n The minimum services I wanted are ssh and http so my configuration in \/etc\/default\/sslh looks like this.<\/p>\n The sslh documentation says that OpenVPN, tinc, XMPP are also supported but I didn’t need those so my configuration doesn’t support them. You can now restart sslh <\/p>\n This would be another good time to test the stunnel -> sslh -> httpd redirection by visiting “http:\/\/servername.com” in your browser.<\/p>\n Once all of the above is complete and assuming that you have an ssh server that you can connect to on port 22 of your server the ssh client can be setup to use the ssl tunnel. The ssh session needs to wrapped in the ssl session to be able to connect to the server so I used the ssh ProxyCommand to accomplish this. Add the section below to your ~\/.ssh\/config on your client machine<\/p>\n From the client you should now be able to connect to your server by doing <\/p>\n If you get errors from ProxyCommand about your keys or if you used a self signed certificate you will need to turn off key verification.<\/p>\n There is usually one other modification I have in my ssh config and that is a DynamicProxy so that stateful packet inspection doesn’t interfere. So the final configuration looks like this.<\/p>\n The interested reader should look into FoxyProxy to see how this might be used.<\/p>\n","protected":false},"excerpt":{"rendered":" The instructions below assume you are using Ubuntu 16.04 but they will work for other Linuxes with minor modifications. The instructions below will also conflict with a webserver listening on port 443 ( https ) so you’ll need to disable … Continue reading Setup stunnel<\/h2>\n
\r\nsudo apt-get install stunnel4\r\n<\/pre>\n
\r\npid = \/var\/run\/stunnel.pid\r\ncert = \/etc\/letsencrypt\/live\/servername.com\/fullchain.pem\r\nkey = \/etc\/letsencrypt\/live\/servername.com\/privkey.pem\r\n[ssh]\r\naccept = servername.com:443\r\nconnect = localhost:80\r\n<\/pre>\n
\r\nsystemctl restart stunnel4\r\n<\/pre>\n
\r\nconnect = localhost:80\r\n<\/pre>\n
\r\nconnect = localhost:1022\r\n<\/pre>\n
Setup sslh<\/h2>\n
\r\nsudo apt-get install sslh\r\n<\/pre>\n
\r\nRUN=yes\r\n\r\n# binary to use: forked (sslh) or single-thread (sslh-select) version\r\nDAEMON=\/usr\/sbin\/sslh\r\n\r\nDAEMON_OPTS=\"--user sslh --listen 127.0.0.1:1022 --http 127.0.0.1:80 --ssh 127.0.0.1:22 --pidfile \/var\/run\/sslh\/sslh.pid\"\r\n<\/pre>\n
\r\nsudo systemctl restart sslh\r\n<\/pre>\n
Client side ssh setup<\/h2>\n
\r\nHost servername.com\r\nProxyCommand \/usr\/bin\/socat - OPENSSL:servername.com:443\r\n<\/pre>\n
\r\nssh servername.com\r\n<\/pre>\n
\r\nHost servername.com\r\nProxyCommand \/usr\/bin\/socat - OPENSSL:servername.com:443,verify=0\r\n<\/pre>\n
\r\nHost servername.com\r\nDynamicForward localhost:2121\r\nProxyCommand \/usr\/bin\/socat - OPENSSL:servername.com:443\r\n<\/pre>\n