Starting stunnel with systemd

I have a Debian 11 system on my VPS, with stunnel wrapping SSH (don't ask why).

I have a config file /etc/stunnel/proxy-ssh.conf:

[proxy-ssh]
cert = /etc/ssl/private/le-vps1.merlin-vrn.tk-key+fullchain.pem
accept = 1443
connect = 22

If I start it manually, it starts:

# ss -lnpt | grep -c 1443
0
# stunnel /etc/stunnel/proxy-ssh.conf
# ss -lnpt | grep 1443
LISTEN 0      128                 0.0.0.0:1443       0.0.0.0:*    users:(("stunnel",pid=10121,fd=10))

syslog contains the following:

Oct 11 09:12:02 vps1 stunnel: LOG5[ui]: stunnel 5.56 on x86_64-pc-linux-gnu platform
Oct 11 09:12:02 vps1 stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.1k  25 Mar 2021
Oct 11 09:12:02 vps1 stunnel: LOG5[ui]: Running  with OpenSSL 1.1.1w  11 Sep 2023
Oct 11 09:12:02 vps1 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Oct 11 09:12:02 vps1 stunnel: LOG5[ui]: Reading configuration from file /etc/stunnel/proxy-ssh.conf
Oct 11 09:12:02 vps1 stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Oct 11 09:12:02 vps1 stunnel: LOG5[ui]: FIPS mode disabled
Oct 11 09:12:02 vps1 stunnel: LOG5[ui]: Configuration successful
Oct 11 09:12:02 vps1 stunnel: LOG5[ui]: Binding service [proxy-ssh] to :::1443: Address already in use (98)
Oct 11 09:12:24 vps1 stunnel: LOG5[0]: Service [proxy-ssh] accepted connection from xx.xx.xxx.xx:51104
Oct 11 09:12:24 vps1 stunnel: LOG5[0]: s_connect: connected ::1:22
Oct 11 09:12:24 vps1 stunnel: LOG5[0]: Service [proxy-ssh] connected remote server from ::1:59156
Oct 11 09:12:25 vps1 systemd[1]: Started Session 73843673 of user yyyy.

So it works (you can see it accepted a connection). I'm not sure why it says Binding service [proxy-ssh] to :::1443: Address already in use (98) when ss clearly shows nothing listening on port 1443, but this doesn't prevent it from operating.

Debian ships a systemd template unit stunnel@.service. I should enable and start a service stunnel@proxy-ssh.service to run stunnel with my config file proxy-ssh.conf, so I killed stunnel manually and ran the service:

# systemctl status stunnel@proxy-ssh.service
stunnel@proxy-ssh.service - TLS tunnel for network daemons - per-config-file service
     Loaded: loaded (/lib/systemd/system/stunnel@.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Wed 2023-10-11 09:26:36 +04; 4min 55s ago
       Docs: man:stunnel4(8)
    Process: 10314 ExecStart=/usr/bin/stunnel4 /etc/stunnel/proxy-ssh.conf (code=exited, status=0/SUCCESS)
   Main PID: 10314 (code=exited, status=0/SUCCESS)
root@vps1:/var/log# ss -lnpt | grep -c 1443
0
root@vps1:/var/log# systemctl start [email protected]
root@vps1:/var/log# ss -lnpt | grep -c 1443
0

syslog has the following:

Oct 11 09:32:03 vps1 systemd[1]: Started TLS tunnel for network daemons - per-config-file service.
Oct 11 09:32:03 vps1 stunnel: LOG5[ui]: stunnel 5.56 on x86_64-pc-linux-gnu platform
Oct 11 09:32:03 vps1 stunnel: LOG5[ui]: Compiled with OpenSSL 1.1.1k  25 Mar 2021
Oct 11 09:32:03 vps1 stunnel: LOG5[ui]: Running  with OpenSSL 1.1.1w  11 Sep 2023
Oct 11 09:32:03 vps1 stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Oct 11 09:32:03 vps1 stunnel: LOG5[ui]: Reading configuration from file /etc/stunnel/proxy-ssh.conf
Oct 11 09:32:03 vps1 stunnel: LOG5[ui]: UTF-8 byte order mark not detected
Oct 11 09:32:03 vps1 stunnel: LOG5[ui]: FIPS mode disabled
Oct 11 09:32:03 vps1 stunnel: LOG5[ui]: Configuration successful
Oct 11 09:32:03 vps1 stunnel: LOG5[ui]: Binding service [proxy-ssh] to :::1443: Address already in use (98)
Oct 11 09:33:33 vps1 systemd[1]: stunnel@proxy-ssh.service: State 'stop-sigterm' timed out. Killing.
Oct 11 09:33:33 vps1 systemd[1]: stunnel@proxy-ssh.service: Failed with result 'timeout'.

Note the 1.5-minute delay after the "normal initialization sequence" and before the failure is declared. During the delay the service was transitioning through some states; I happened to catch it in the status Active: deactivating (stop-sigterm) since Wed 2023-10-11 09:32:03 +04; 43s ago. Finally it went into the failed state:

stunnel@proxy-ssh.service - TLS tunnel for network daemons - per-config-file service
     Loaded: loaded (/lib/systemd/system/stunnel@.service; enabled; vendor preset: enabled)
     Active: failed (Result: timeout) since Wed 2023-10-11 09:33:33 +04; 5min ago
       Docs: man:stunnel4(8)
    Process: 10546 ExecStart=/usr/bin/stunnel4 /etc/stunnel/proxy-ssh.conf (code=exited, status=0/SUCCESS)
   Main PID: 10546 (code=exited, status=0/SUCCESS)

There is nothing fancy in the service file; it is the same command I used to start it by hand.

What is the problem, and how do I fix it?

Answer 1

It turns out that stunnel needs to be configured to run in the foreground:

foreground = yes

[proxy-ssh]
cert = /etc/ssl/private/le-vps1.merlin-vrn.tk-key+fullchain.pem
accept = 1443
connect = 22

After that, the service started immediately and works as expected.
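As an added pre-flight check (editorial example, not part of the question or answer above and not stunnel's own tooling): a small Python parser for the stunnel config format that reports whether a config would reproduce the failure described above when started as stunnel@<name>.service, i.e. whether foreground = yes is set in the global section. It assumes stunnel's documented rule that foreground is a global option placed before the first [service] section, and that the value quiet also keeps the process in the foreground.

```python
from typing import Dict, List, Tuple

# Constructed sample inputs: the config from the question, before and after the fix.
CONF_BEFORE = """[proxy-ssh]
cert = /etc/ssl/private/le-vps1.merlin-vrn.tk-key+fullchain.pem
accept = 1443
connect = 22
"""
CONF_AFTER = "foreground = yes\n\n" + CONF_BEFORE


def parse_stunnel_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split a stunnel config into global options and per-service sections.
    Global options are the `key = value` lines before the first [section];
    stunnel option names are case-insensitive, so keys are lower-cased."""
    global_opts: Dict[str, str] = {}
    services: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
    return global_opts, services


def systemd_readiness(text: str) -> List[str]:
    """Return the problems that would make stunnel@<name>.service fail as in the question."""
    global_opts, services = parse_stunnel_conf(text)
    problems: List[str] = []
    # 'quiet' also keeps stunnel in the foreground (it only silences stderr logging).
    if global_opts.get("foreground", "no").lower() not in ("yes", "quiet"):
        problems.append("missing global 'foreground = yes': stunnel daemonizes, ExecStart "
                        "exits, and systemd SIGTERMs the unit until the stop timeout")
    for name, opts in services.items():
        if "foreground" in opts:
            problems.append(f"[{name}]: 'foreground' is a global option; put it before the first section")
        if "accept" not in opts or not ({"connect", "exec"} & opts.keys()):
            problems.append(f"[{name}]: needs 'accept' plus 'connect' (or 'exec')")
    return problems
```

Run systemd_readiness() on /etc/stunnel/<name>.conf before enabling stunnel@<name>.service; an empty list means the unit should stay active instead of sitting in stop-sigterm.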
