Sabnzbd and Stunnel
Posted: May 15th, 2011, 4:35 am
Version: Ubuntu 11.04 latest = 0.5.6-1ubuntu1
OS: Ubuntu 11.04
Install-type: linux repository
Skin : Plush
Firewall Software: None
Are you using IPV6? IPv6 is enabled but I dunno if it's used (guess no)
Is the issue reproducible? dunno
Hi everyone !
I'm not happy with Sabnzbd's default SSL features. I would like mutual authentication based on PKI and (my own) CA, and even better, whitelisting after that, whereas Sabnzbd's default SSL server only enables server authentication.
So I tried to use Stunnel 4.29 to do the job.
Here is stunnel.conf:
--
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/bp.pem
key = /etc/stunnel/bp.key
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
; Authentication stuff
verify = 3
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
CApath = /certs
; It's often easier to use CAfile
CAfile = /etc/stunnel/ca.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log
; Service-level configuration
[https]
accept = 443
connect = 80
TIMEOUTclose = 0
[sabnzbd]
accept = 9090
connect = 8080
;TIMEOUTclose = 0
--
Unfortunately, when using Firefox 4, I can login and check the main page, but I get errors when I try to go to the config page. It looks like Firefox 4.01 tries to switch to http instead of https (and keeping port 9090). I dunno if it's a Firefox bug, a stunnel bug or Sabnzbd's.
FWIW, I've tried SSH-tunneling, and it seems to work (but I'm not happy with the authentication stuff, because it won't allow x509 based client authentication, and won't allow all the nice browser extensions, or iPhone apps, to work that easily).
I would appreciate any help to make it work.
Thanks
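A diagnostic for the symptom described in the post above, added here as an example (it is not part of the original post, nor code from SABnzbd or stunnel): it classifies the redirect a backend returns behind a TLS terminator, flagging an absolute `http://` Location sent to a client that connected over `https://`. The host name, paths and sample responses are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample responses, as a backend behind a TLS terminator might send them.
ABSOLUTE = ("HTTP/1.1 303 See Other\r\n"
            "Location: http://nas.example:9090/config/\r\n"
            "Content-Length: 0\r\n\r\n")
RELATIVE = ("HTTP/1.1 303 See Other\r\n"
            "Location: /config/\r\n"
            "Content-Length: 0\r\n\r\n")
PLAIN_OK = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) for a raw response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_redirect(request_url, raw_response):
    """Classify the redirect in raw_response relative to the URL the browser asked for."""
    status, headers = parse_head(raw_response)
    location = headers.get("location")
    if status not in REDIRECTS or not location:
        return "none"
    req = urlsplit(request_url)
    dst = urlsplit(urljoin(request_url, location))  # resolves relative Location values
    if (dst.scheme, dst.hostname, dst.port) == (req.scheme, req.hostname, req.port):
        return "ok"
    if req.scheme == "https" and dst.scheme == "http" and dst.hostname == req.hostname:
        return "downgrade"  # plain-HTTP URL sent to a client that arrived over TLS
    return "other-origin"


if __name__ == "__main__":
    for name, raw in (("absolute", ABSOLUTE), ("relative", RELATIVE), ("no redirect", PLAIN_OK)):
        print(name, "->", classify_redirect("https://nas.example:9090/", raw))
```

A "downgrade" result on a response taken from the backend side of the tunnel means the http URL originates in the application's redirect rather than in the browser or the tunnel.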