Building a tunnel with SSH is handy, but the terminal can't be closed: it has to stay connected, and if the terminal is closed the SSH connection ends with it. Using Stunnel gets around this shortcoming.
Stunnel Server
#mkdir /var/run/stunnel (first create the directory for the run pid)
#chown nobody:nobody /var/run/stunnel (change the directory's ownership to nobody)
#cd /etc/pki/tls/certs/ (go here to create the key and certificate)
# make stunnel.pem (create the key)
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 > stunnel.pem ; \
echo "" >> stunnel.pem ; \
cat $PEM2 >> stunnel.pem ; \
rm -f $PEM1 $PEM2
Generating a 1024 bit RSA private key
....................................................++++++
......................................++++++
writing new private key to '/tmp/openssl.XJ9665'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:ISHM Studio
Organizational Unit Name (eg, section) []:ISHM
Common Name (eg, your name or your server’s hostname) []:ishm.idv.tw
Email Address []:admin@ishm.idv.tw
#mv /etc/pki/tls/certs/stunnel.pem /etc/stunnel/ (move the key into the /etc/stunnel/ directory)
#vi /etc/stunnel/stunnel.conf (write the config file)
cert = /etc/stunnel/stunnel.pem
pid = /var/run/stunnel/stunnel.pid
setuid = nobody
setgid = nobody
[www] (name this section whatever you like, as long as you recognise it)
accept = 4.3.2.1:80 (the Stunnel server's IP and port)
connect = 72.14.235.99:80 (the IP and port to forward to; here it is Google's IP, but it could also be another port on the local machine, depending on what connection you want)
#service httpd stop (this demo uses port 80, so stop your own web server first so the two don't collide)
#stunnel (start stunnel)
#ps aux (check whether it came up)
nobody 10162 0.0 0.0 4576 908 ? Ss 22:11 0:00 stunnel (it really is running; if it isn't, the configuration is probably wrong)
==============================
Stunnel Client
#mkdir /var/run/stunnel
#chown nobody:nobody /var/run/stunnel
#vi /etc/stunnel/stunnel.conf
pid = /var/run/stunnel/stunnel.pid
setuid = nobody
setgid = nobody
client = yes (pay special attention to this line)
[www]
accept = 8888 (no IP needed, just the local port)
connect = 4.3.2.1:80 (the Stunnel server's IP and port from before)
#stunnel
#netstat -ntl (check whether port 8888 is being listened on)
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN (found it)
# telnet localhost 8888 (test the connection)
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
GET /
HTTP/0.9 302 Found
Location: http://www.google.com.tw/ (it really forwarded to Google)
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=9ea69b5663108c77:TM=1237827983:LM=1237827983:S=3y6gLbuliuzr1axD; expires=Wed, 23-Mar-2011 17:06:23 GMT; path=/; domain=.google.com
Date: Mon, 23 Mar 2009 17:06:23 GMT
Server: gws
Content-Length: 222
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com.tw/">here</A>. (though it isn't the home page; I don't know how Google's home page ends up redirecting like that)
</BODY></HTML>
Connection closed by foreign host.
That's it: Stunnel runs in the background, and the connection stays up even when the terminal is closed, until it is stopped by hand.
Hi, you can also use nohup ssh or autossh.
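The client config above sets no verify level, so it accepts whatever certificate the server presents, and its bare accept = 8888 listens on every interface (the 0.0.0.0:8888 in the netstat output). As an added example that is not part of the post, this small POSIX sh check flags both settings, run against the post's own client config and against a tightened version; the CA file path in the second sample is an assumption.

```shell
#!/bin/sh
# Added example (not from the post): lint a stunnel.conf for two settings the
# post's client config leaves at defaults. Findings to stderr, count to stdout.
check_stunnel_conf() {
  findings=0
  # drop comments and blank lines, normalise "key = value" to "key=value"
  norm=$(sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/=/' -e '/^[[:space:]]*$/d' "$1")
  # client mode with no verify level: any server certificate is accepted
  if printf '%s\n' "$norm" | grep -qi '^client=yes' &&
     ! printf '%s\n' "$norm" | grep -qi '^verify'; then
    echo "WARN: client = yes without verify: server certificate is not checked" >&2
    findings=$((findings + 1))
  fi
  # a bare port in accept binds every interface (0.0.0.0:8888 in the post's netstat)
  for a in $(printf '%s\n' "$norm" | grep -i '^accept=' | cut -d= -f2); do
    case "$a" in
      *:*) ;;
      *) echo "WARN: accept = $a has no address, listens on all interfaces" >&2
         findings=$((findings + 1)) ;;
    esac
  done
  echo "$findings"
}
# Constructed sample 1: the client config exactly as the post gives it.
write_sample_conf() {
  cat > "$1" <<'EOF'
pid = /var/run/stunnel/stunnel.pid
setuid = nobody
setgid = nobody
client = yes
[www]
accept = 8888
connect = 4.3.2.1:80
EOF
}
# Constructed sample 2: same tunnel, bound to loopback and verifying the server
# certificate (verify and CAfile are stunnel options; the CA file path is assumed).
write_hardened_conf() {
  cat > "$1" <<'EOF'
pid = /var/run/stunnel/stunnel.pid
setuid = nobody
setgid = nobody
client = yes
verify = 2
CAfile = /etc/stunnel/ca.pem
[www]
accept = 127.0.0.1:8888
connect = 4.3.2.1:80
EOF
}
```

Running it on the post's config reports two findings; the tightened version reports none.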
Thanks……^_^