所有,

我有一个网站,可以通过HTTP在端口86上很好地访问该网站。现在需要添加SSL以保护连接。该网站配有thttpd Web服务器,是的,不支持SSL。那时我通过谷歌搜索了很多。建议通过Stunnel将SSL添加到thttpd。

更新:

这是我的stunnel.conf:

; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
fips = no
; PID is created inside the chroot jail
pid = /stunnel.pid

; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/local/etc/stunnel/crls.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; Example SSL server mode services

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

;[ssmtp]
;accept  = 465
;connect = 25

; Example SSL client mode services

;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995

;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465

; Example SSL front-end to a web server

[https]
accept  = 443
connect = 86
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

; vim:ft=dosini


这是我得到的结果:

linux-1ryy:/usr/local/etc/stunnel # /usr/local/bin/stunnel
Clients allowed=500
stunnel 4.56 on i686-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS mode is disabled
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service [https]
Certificate: /usr/local/etc/stunnel/stunnel.pem
Certificate loaded
Key file: /usr/local/etc/stunnel/stunnel.pem
Private key loaded
Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
DH initialized with 1024-bit key
ECDH initialized with curve prime256v1
SSL options set: 0x01000004
Configuration successful
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Closing service [https]
Service [https] closed (FD=7)
Sessions cached before flush: 0
Sessions cached after flush: 0
Service [https] closed
str_stats: 10 block(s), 883 data byte(s), 420 control byte(s)


这是运行/usr/local/bin/stunnel之前的端口侦听信息:

linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5484/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      336/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1558/sshd
tcp        0      0 :::86                   :::*                    LISTEN      5536/thttpd
tcp        0      0 :::22                   :::*                    LISTEN      1558/sshd


这是运行后的端口侦听信息:

linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5484/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      336/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1558/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      23145/stunnel
tcp        0      0 :::86                   :::*                    LISTEN      5536/thttpd
tcp        0      0 :::22                   :::*                    LISTEN      1558/sshd


我现在不知道出了什么问题。任何建议将不胜感激。

添加:

如果关闭防火墙,则可以成功通过https://<my-ip-address>访问。但是,我仍然收到此错误消息:

Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)


想知道为什么...

最佳答案

从netstat可以看出,端口443(pid = 10833)上已经存在一个stunnel进程(端口8443上还有一个stunnel进程,pid = 11191),这就是为什么在端口443上启动另一个stunnel进程失败的原因

Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)

10-08 19:44