148 lines
4.3 KiB
Text
148 lines
4.3 KiB
Text
Index: tools/stunnel.conf-sample.in
|
|
--- tools/stunnel.conf-sample.in.orig
|
|
+++ tools/stunnel.conf-sample.in
|
|
@@ -7,17 +7,18 @@
|
|
; * Global options *
|
|
; **************************************************************************
|
|
|
|
+chroot = /var/stunnel/
|
|
; It is recommended to drop root privileges if stunnel is started by root
|
|
-;setuid = nobody
|
|
-;setgid = @DEFAULT_GROUP@
|
|
+setuid = _stunnel
|
|
+setgid = _stunnel
|
|
|
|
; PID file is created inside the chroot jail (if enabled)
|
|
-;pid = @localstatedir@/run/stunnel.pid
|
|
+;pid = /stunnel.pid
|
|
|
|
; Debugging stuff (may be useful for troubleshooting)
|
|
;foreground = yes
|
|
;debug = info
|
|
-;output = @localstatedir@/log/stunnel.log
|
|
+;output = /stunnel.log
|
|
|
|
; Enable FIPS 140-2 mode if needed for compliance
|
|
;fips = yes
|
|
@@ -46,7 +47,7 @@
|
|
; * Include all configuration file fragments from the specified folder *
|
|
; **************************************************************************
|
|
|
|
-;include = @sysconfdir@/stunnel/conf.d
|
|
+;include = ${SYSCONFDIR}/stunnel/conf.d
|
|
|
|
; **************************************************************************
|
|
; * Service definitions (remove all services for inetd mode) *
|
|
@@ -54,37 +55,37 @@
|
|
|
|
; ***************************************** Example TLS client mode services
|
|
|
|
-; The following examples use /etc/ssl/certs, which is the common location
|
|
+; The following examples use ${SYSCONFDIR}/ssl/certs, which is the common location
|
|
; of a hashed directory containing trusted CA certificates. This is not
|
|
; a hardcoded path of the stunnel package, as it is not related to the
|
|
; stunnel configuration in @sysconfdir@/stunnel/.
|
|
|
|
-[gmail-pop3]
|
|
-client = yes
|
|
-accept = 127.0.0.1:110
|
|
-connect = pop.gmail.com:995
|
|
-verifyChain = yes
|
|
-CApath = /etc/ssl/certs
|
|
-checkHost = pop.gmail.com
|
|
-OCSPaia = yes
|
|
+;[gmail-pop3]
|
|
+;client = yes
|
|
+;accept = 127.0.0.1:110
|
|
+;connect = pop.gmail.com:995
|
|
+;verifyChain = yes
|
|
+;CApath = ${SYSCONFDIR}/ssl/certs
|
|
+;checkHost = pop.gmail.com
|
|
+;OCSPaia = yes
|
|
|
|
-[gmail-imap]
|
|
-client = yes
|
|
-accept = 127.0.0.1:143
|
|
-connect = imap.gmail.com:993
|
|
-verifyChain = yes
|
|
-CApath = /etc/ssl/certs
|
|
-checkHost = imap.gmail.com
|
|
-OCSPaia = yes
|
|
+;[gmail-imap]
|
|
+;client = yes
|
|
+;accept = 127.0.0.1:143
|
|
+;connect = imap.gmail.com:993
|
|
+;verifyChain = yes
|
|
+;CApath = ${SYSCONFDIR}/ssl/certs
|
|
+;checkHost = imap.gmail.com
|
|
+;OCSPaia = yes
|
|
|
|
-[gmail-smtp]
|
|
-client = yes
|
|
-accept = 127.0.0.1:25
|
|
-connect = smtp.gmail.com:465
|
|
-verifyChain = yes
|
|
-CApath = /etc/ssl/certs
|
|
-checkHost = smtp.gmail.com
|
|
-OCSPaia = yes
|
|
+;[gmail-smtp]
|
|
+;client = yes
|
|
+;accept = 127.0.0.1:25
|
|
+;connect = smtp.gmail.com:465
|
|
+;verifyChain = yes
|
|
+;CApath = ${SYSCONFDIR}/ssl/certs
|
|
+;checkHost = smtp.gmail.com
|
|
+;OCSPaia = yes
|
|
|
|
; Encrypted HTTP proxy authenticated with a client certificate
|
|
; located in a cryptographic token
|
|
@@ -101,12 +102,12 @@ OCSPaia = yes
|
|
;[pop3s]
|
|
;accept = 995
|
|
;connect = 110
|
|
-;cert = @sysconfdir@/stunnel/stunnel.pem
|
|
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
|
|
|
|
;[imaps]
|
|
;accept = 993
|
|
;connect = 143
|
|
-;cert = @sysconfdir@/stunnel/stunnel.pem
|
|
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
|
|
|
|
; Either only expose this service to trusted networks, or require
|
|
; authentication when relaying emails originated from loopback.
|
|
@@ -114,29 +115,29 @@ OCSPaia = yes
|
|
;[ssmtp]
|
|
;accept = 465
|
|
;connect = 25
|
|
-;cert = @sysconfdir@/stunnel/stunnel.pem
|
|
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
|
|
|
|
; TLS front-end to a web server
|
|
;[https]
|
|
;accept = 443
|
|
;connect = 80
|
|
-;cert = @sysconfdir@/stunnel/stunnel.pem
|
|
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
|
|
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
|
|
; Microsoft implementations do not use TLS close-notify alert and thus they
|
|
; are vulnerable to truncation attacks
|
|
;TIMEOUTclose = 0
|
|
|
|
; Remote shell protected with PSK-authenticated TLS
|
|
-; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
|
|
+; Create "${SYSCONFDIR}/stunnel/secrets.txt" containing IDENTITY:KEY pairs
|
|
;[shell]
|
|
;accept = 1337
|
|
;exec = /bin/sh
|
|
;execArgs = sh -i
|
|
-;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
|
|
+;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt
|
|
|
|
; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
|
|
;[mysql]
|
|
-;cert = @sysconfdir@/stunnel/stunnel.pem
|
|
+;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
|
|
;accept = 3307
|
|
;connect = /run/mysqld/mysqld.sock
|
|
|