使用以下 stunnel 配置文件:
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
debug = 7
output = /var/log/stunnel/stunnel.log
pid = /stunnel.pid
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
client = yes
[https]
accept = 127.0.0.1:10051
connect = 10.0.10.116:443
输入“sudo stunnel”我得到以下输出。 (如果我使用前台命令并将日志发送到终端,配置文件就可以工作)
[chuck@scorch ~]$ sudo stunnel
Clients allowed=500
stunnel 4.56 on x86_64-redhat-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
Reading configuration from file /etc/stunnel/stunnel.conf
FIPS mode is enabled
Compression not enabled
PRNG seeded successfully
Initializing service [https]
Insecure file permissions on /etc/stunnel/stunnel.pem
Certificate: /etc/stunnel/stunnel.pem
Certificate loaded
Key file: /etc/stunnel/stunnel.pem
Private key loaded
SSL options set: 0x01000004
Configuration successful
Service [https] (FD=12) bound to 127.0.0.1:10051
Cannot open log file: /var/log/stunnel/stunnel.log
Closing service [https]
Service [https] closed (FD=12)
Sessions cached before flush: 0
Sessions cached after flush: 0
Service [https] closed
str_stats: 16 block(s), 1147 data byte(s), 928 control byte(s)
我认为这是某种权限问题,由于“chroot 命令”,但我尝试将 stunnel 日志目录的权限设置为“nobody:nobody”,但这不起作用。所以我没有正确理解正在发生的事情。如果我保留“chroot”和“pid”行,它会起作用吗?我确信这是我看不到的显而易见的事情,有什么想法吗?
我在 Centos 7 上运行这个
答案1
谢谢特里格和善行难陀我找到了一种通过将日志文件放入/var/run/stunnel目录中来完成这项工作的方法。然后,重新启动后,我重新创建目录sudo mkdir /var/run/stunnel,然后设置权限,sudo chown nobody:nobody /var/run/stunnel尽管这在重新启动后至少在运行时消失,但我可以在测试期间和启动后在后台看到日志。我仍然不明白为什么chroot不会像导致日志文件问题一样影响密钥和证书位置?
答案2
我可以通过使用日志文件的相对路径来解决该问题,例如:
输出 = stunnel.log
chroot = /var/run/stunnel