# Sample stunnel configuration file
# Copyright by Michal Trojnara 2002-2004
# --with changes for SuSE package
#
# Layout: global options come first (everything up to the first "[name]"
# header); each tunnel is then described by its own [service] section.
# All service sections below are commented-out examples; copy one to the
# end of the file and adapt it.

# client = yes | no
# client mode (remote service uses SSL)
# default: no (server mode)
client = no

#
# chroot + user (comment out to disable)
#
# Privilege drop: stunnel changes root to the jail and switches to the
# uid/gid below. Paths given further down that are marked "inside chroot
# jail" are resolved relative to this directory.
chroot = /var/lib/stunnel/
setuid = stunnel
setgid = nogroup

# note about the chroot feature and the "exec" keyword to start other services...
# while the init script /etc/init.d/stunnel will copy the binaries and libraries
# into the chroot jail, more files might be needed in the jail (configuration
# files etc.)
# NOTE(review): stunnel documents the pid path as relative to the chroot
# directory when chroot is set, i.e. this file would end up under
# /var/lib/stunnel/ rather than at /var/run/stunnel.pid on the host -- confirm
# that /etc/init.d/stunnel looks in the same place.
pid = /var/run/stunnel.pid

#
# debugging
#
# debug = level (syslog-style, 7 is the most verbose); output = log file.
# NOTE(review): a relative "output" path such as the one below is presumably
# resolved by the daemon after the chroot -- verify where the log lands before
# relying on it for incident review.
#debug = 7
#output = stunnel.log

#
# Some performance tunings
#
# disable Nagle algorithm (a.k.a. tinygram prevention, see man 7 tcp)
# "l:" applies to the local (accepting) socket, "r:" to the remote
# (connecting) socket
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
#compression = rle

# Workaround for Eudora bug
# This OpenSSL option switches off the empty-fragment countermeasure used with
# CBC cipher suites; leave it disabled unless a broken client really needs it.
#options = DONT_INSERT_EMPTY_FRAGMENTS

# Authentication stuff
# verify = 2 requests the peer's certificate and checks it against
# CApath/CAfile. With "verify" left commented out no peer certificate is
# verified: in server mode any client may connect, and in client mode
# (see the mysqls / ppp examples) the remote server is not authenticated,
# so the tunnel only provides encryption, not identity.
#verify = 2
# Don't forget to c_rehash CApath; CApath is located inside chroot jail:
#CApath = /certs
# It's often easier to use CAfile:
#CAfile = /etc/stunnel/certs.pem
# Don't forget to c_rehash CRLpath; CRLpath is located inside chroot jail:
#CRLpath = /crls
# Alternatively you can use CRLfile:
#CRLfile = /etc/stunnel/crls.pem

# Certificate + private key (PEM) presented by this stunnel instance.
# NOTE(review): presumably loaded at startup before the chroot/setuid above,
# so it can stay outside the jail and readable by root only -- confirm.
cert = /etc/stunnel/stunnel.pem

#
# Examples for service-level configuration:
#
# accept  = port (or host:port) stunnel listens on
# connect = where the decrypted traffic is forwarded (server mode) or the
#           remote stunnel to connect to (client mode)
#
# [pop3s]
# accept = 995
# connect = 110
#
# [imaps]
# accept = 993
# connect = 143
#
# Same service name as above, but spawning the daemon directly instead of
# forwarding to a listening port -- use one variant or the other.
# [imaps]
# accept = 993
# exec = /usr/sbin/imapd
# execargs = imapd
# pty = no
#
# [ssmtp]
# accept = 465
# connect = 25
#
# [s1]
# accept = 5000
# connect = mail.example.com:110
# delay = yes
#
# [s2]
# accept = 5001
# connect = mail.example.com:25
#
# [https]
# accept = 443
# connect = 80
# TIMEOUTclose = 0
#
# [swat]
# accept = 902
# connect = 901
#
# mysql over stunnel example:
#
# [mysqls] <-- on the server
# accept = 3307
# connect = localhost:mysql
#
# client = yes <-- on the client
# [mysqls]
# accept = 3307
# connect = remote-mysql-server.example.com:3307
# On the client side also set verify (and CAfile/CApath) in the global
# options; otherwise the client cannot tell the real server from an
# impostor on the path.
#
# Hint. Use the mysql client with "-h 127.0.0.1", not "-h localhost", because
# "localhost" will mean it will go through the local socket and ignore the port.
#
# pppd over stunnel example:
# (note: read http://sites.inka.de/sites/bigred/devel/tcp-tcp.html , and
# look for better alternatives like cipe or openvpn.)
#
# [ppp] <-- on the server
# accept = 2020
# exec = /usr/sbin/pppd
# execargs = pppd local
# # the pty option doesn't work in chroot jail without further efforts
# #pty = yes
#
#
# [ppp] <-- on the "client"
# connect = host.example.com:2020
# exec = /usr/sbin/pppd
# execargs = pppd local nodeflate nobsdcomp 192.168.20.20:192.168.20.21
# # the pty option doesn't work in chroot jail without further efforts
# #pty = yes