![]() The file must be located in the same directory as the nf on the client. The psk.txt contain the same username and passphrase as on the server-side. The config of the client is pretty simple. ![]() You can fine installer files for Windows on. On the client-side, you have to install Stunnel. Installation and configuration on Windows Initialize the cache dir, and start Squid and Stunnel on the server-side. Make sure that you have initialized the Squid cache dir, before you start squid. Stunnel_pidfile="/var/run/stunnel/stunnel.pid" The stunnel_pidfile option tells Stunnel, where it should create its PID file. To enable stunnel and squid in the /etc/rc.conf, add the following lines to your /etc/rc.conf. # access_log /var/log/squid/access.log combined Logformat combined %>a %ui %un "%rm %ru HTTP/%rv" %>Hs %h" "%>h" %Ss:%Sh Make sure, that all requests are only allowed from localhost! acl SSL_ports port 443Ĭache_dir ufs /var/squid/cache 1024 16 256 no-store There is no need to configure localhsot or 127.0.0.1 as a source, if you want to allow http access only from localhost. Some ACLs of Squid are now implicitly active. ![]() And I don’t have to rotate another logfile. I simply don’t need it, because I’m the only user. Make sure that Squid only listens on localhost! I disabled the access log. Make sure that the PSK file is not group- and world-readable! patrick:SuperSecretPassw0rd The file itself it pretty simple – username:passphrase. The same file must be located on the client-side. PSKsecrets = /usr/local/etc/stunnel/psk.txtĬAFile = /usr/local/etc/letsencrypt/live/server/fullchain.pem Key = /usr/local/etc/letsencrypt/live/server/privkey.pem cert = /usr/local/etc/letsencrypt/live/server/fullchain.pem If you like, you can create your own certificate using OpenSSL. I’m using a Let’s Encrypt certificate on the server-side. :/var/run # chown stunnel:stunnel /var/run/stunnel Stunnel is not running with root privileges, thus it can’t create its PID file in /var/run. After the installation of stunnel, an additional directory for the PID file must be created. The configuration files are located under /usr/local/etc/stunnel and /usr/local/etc/squid. Stunnel-5.41,1 SSL encryption wrapper for standard network daemons Stunnel and Squid can be installed using pkg install . Installation and configuration on FreeBSD On the server, the traffic leaves the tunnel, and the connection attempt of the client is directed to the Squid proxy, which listens on 127.0.0.1:3128 for connections. Summarized, my browser connectes the Squid proxy on my FreeBSD host over a TLS encrypted connection. I use 443/tcp. The connection is encrypted using TLS, and the connection is authenticated by a pre-shared key (PSK). You can use any port, as long as it is unused on the server-side. ![]() The traffic enters the tunnel on the client-side, and Stunnel opens a connection to the server-side. This is done by configuring 127.0.0.1:8080 as proxy server in the browser. The browser connects to the Stunnel client on 127.0.0.1:8080. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |