astlinux-devel Mailing List for AstLinux

OK, I'll change the STUNNELSERVS delimiter from colon (:) to tilde (~) in 0.7.8 .

> /Me hates that I chose : as the field separator early on.  How short sighted!

Don't beat yourself up. :-) Arno (from AIF) did the exact same thing until he switched to a tilde a few years ago.  A common choice in the past.

Lonnie



On Apr 14, 2011, at 12:01 PM, Kristian Kielhofner wrote:

> Very interesting indeed...
> 
> I would completely support that configuration change!
> 
> /Me hates that I chose : as the field separator early on.  How short sighted!
> 
> On Thu, Apr 14, 2011 at 12:59 PM, Lonnie Abelbeck
> <li...@lo...> wrote:
>> Kristian,
>> 
>> Another interesting feature of stunnel is to listen on IPv6 and connect to legacy IPv4-only services.
>> 
>> Just a couple changes to stunnel.init are needed to automatically support that.
>> 
>> If we ever wanted to support local IPv6 "connect's" we would have to change the STUNNELSERVS delimiter from a colon to a tilde as we have done elsewhere.  Or use a dns name for the local host with a AAAA record.
>> 
>> Lonnie
>> 
> 
> -- 
> Kristian Kielhofner
> 
> 

Very interesting indeed...

I would completely support that configuration change!

/Me hates that I chose : as the field separator early on.  How short sighted!

On Thu, Apr 14, 2011 at 12:59 PM, Lonnie Abelbeck
<li...@lo...> wrote:
> Kristian,
>
> Another interesting feature of stunnel is to listen on IPv6 and connect to legacy IPv4-only services.
>
> Just a couple changes to stunnel.init are needed to automatically support that.
>
> If we ever wanted to support local IPv6 "connect's" we would have to change the STUNNELSERVS delimiter from a colon to a tilde as we have done elsewhere.  Or use a dns name for the local host with a AAAA record.
>
> Lonnie
>

-- 
Kristian Kielhofner

Kristian,

Another interesting feature of stunnel is to listen on IPv6 and connect to legacy IPv4-only services.

Just a couple changes to stunnel.init are needed to automatically support that.

If we ever wanted to support local IPv6 "connect's" we would have to change the STUNNELSERVS delimiter from a colon to a tilde as we have done elsewhere.  Or use a dns name for the local host with a AAAA record.

Lonnie


On Apr 13, 2011, at 4:31 PM, Kristian Kielhofner wrote:

> OpenVPN is used to build SSL encrypted layer 3 or layer 2 tunnels
> between two points.
> 
> Stunnel is used to add SSL functionality to any application that uses
> a TCP socket.  So, for example:
> 
> FreeSWITCH includes an XML-RPC webserver.  It doesn't support SSL or TLS.
> 
> You could configure FreeSWITCH to listen on localhost.  You would then
> configure stunnel to listen on a network facing TCP port (with SSL/TLS
> enabled in stunnel).  This port would accept TLS/SSL encrypted traffic
> and transparently proxy it back to FreeSWITCH listening on localhost.
> You could then access the stunnel port with a standard web browser
> using HTTPS and it "just works" even though FreeSWITCH doesn't support
> SSL natively.
> 
> I use stunnel to transparently encrypt HTTP traffic from a network
> security camera.  I then access the AstLinux machine over the internet
> with HTTPS and AstLinux/stunnel implements the SSL that my network
> security camera vendor should have implemented themselves :).  I can
> do this from any web browser.  If I was using openvpn I'd need to
> install an openvpn client and build a full blown tunnel.
> 
> On Wed, Apr 13, 2011 at 5:17 PM, Lonnie Abelbeck
> <li...@lo...> wrote:
>> Kristian,
>> 
>> Thanks for your comments, but how is this different (solution wise) from using the more general OpenVPN between boxes?
>> 
>> Do you prefer we continue supporting stunnel by default in AstLinux?  A change has to be made either way.
>> 
>> Lonnie
>> 
>> 
>> On Apr 13, 2011, at 3:42 PM, Kristian Kielhofner wrote:
>> 
>>> Stunnel is not for VPN services.  It's to "bolt on" SSL to other
>>> daemons, etc that don't have it.  FreeSWITCH socket, Asterisk AMI,
>>> come to mind.  I like it.
>>> 
>>> On Wed, Apr 13, 2011 at 4:37 PM, Lonnie Abelbeck
>>> <li...@lo...> wrote:
>>>> Devs,
>>>> 
>>>> If there are no objections, let's remove stunnel support from the default image.
>>>> 
>>>> With all our VPN choices stunnel seems superfluous for our solution.  I assume no-one uses it.  We will note it in the ChangeLog.
>>>> 
>>>> The version we currently use has moved to their obsolete directory, seems like a good time to uncheck it.
>>>> 
>>>> Lonnie
>>> --
>>> Kristian Kielhofner
>>> 
>>> 
>> 
>> 
> 
> 
> 
> -- 
> Kristian Kielhofner
> 
> 

On Apr 14, 2011, at 4:30 AM, Michael Keuter wrote:

>> Devs,
>> 
>> We have a relatively smooth solution (CF + USB Combo Booting) with 
>> the upcoming runnix-0.3.3 and AstLinux 0.7.8.
>> 
>> Given a box that can't directly boot off of USB...
>> ===
>> 1) Raw byte transfer ('dd', physdiskwrite, etc.) an AstLinux image 
>> to both a USB drive and a CF card.
>> 
>> 2) Mount the CF card on a common OS (OS X, Linux, etc.).
>>    A) Rename the disk from "RUNNIX" to "BOOTONLY" (or use 
>> dosfslabel in Linux).
>>    B) Delete the "os" directory.
>>    C) Eject the CF card, remove the card.
>> 
>> 3) Mount the USB drive on a common OS (OS X, Linux, etc.).
>>    A) In the "os" directory edit the text file 
>> "astlinux-xxxxx.run.conf", the line beginning with KCMD=, add the 
>> space separated
>>      option rootdelay=10 after the 'astlive' value in the line.
>>    B) Eject the USB drive, remove the drive.
>> 
>> 4) Finally, install both the CF card and USB drive in your box for 
>> the AstLinux system. Boot as a normal installation.
>>    All files will be stored on the USB drive.
>> ===
>> 
>> Starting with AstLinux 0.7.8 upgrade-run-image from the CLI or 
>> upgrades via the web interface will automatically propagate the 
>> rootdelay=10 KCMD value on upgrades, so upgrades on a USB drive 
>> works just like a CF card.
>> 
>> Note: With runnix-0.3.3 and later, advanced users will notice that 
>> this 'secondary' disk only requires the AstLinux "os" distribution 
>> directory and a dosfslabel of RUNNIX on a small (128MB) FAT16 
>> partition.  The remainder of the unformatted disk will be formatted 
>> during the AstLinux setup process.
>> 
>> Lonnie
> 
> Should we note this new behavior in the "ChangeLog.txt" or a Wiki page?
> 
> Michael

I was thinking a Wiki "Tips and Tricks" item.

Lonnie

>Devs,
>
>We have a relatively smooth solution (CF + USB Combo Booting) with 
>the upcoming runnix-0.3.3 and AstLinux 0.7.8.
>
>Given a box that can't directly boot off of USB...
>===
>1) Raw byte transfer ('dd', physdiskwrite, etc.) an AstLinux image 
>to both a USB drive and a CF card.
>
>2) Mount the CF card on a common OS (OS X, Linux, etc.).
>     A) Rename the disk from "RUNNIX" to "BOOTONLY" (or use 
>dosfslabel in Linux).
>     B) Delete the "os" directory.
>     C) Eject the CF card, remove the card.
>
>3) Mount the USB drive on a common OS (OS X, Linux, etc.).
>     A) In the "os" directory edit the text file 
>"astlinux-xxxxx.run.conf", the line beginning with KCMD=, add the 
>space separated
>       option rootdelay=10 after the 'astlive' value in the line.
>     B) Eject the USB drive, remove the drive.
>
>4) Finally, install both the CF card and USB drive in your box for 
>the AstLinux system. Boot as a normal installation.
>     All files will be stored on the USB drive.
>===
>
>Starting with AstLinux 0.7.8 upgrade-run-image from the CLI or 
>upgrades via the web interface will automatically propagate the 
>rootdelay=10 KCMD value on upgrades, so upgrades on a USB drive 
>works just like a CF card.
>
>Note: With runnix-0.3.3 and later, advanced users will notice that 
>this 'secondary' disk only requires the AstLinux "os" distribution 
>directory and a dosfslabel of RUNNIX on a small (128MB) FAT16 
>partition.  The remainder of the unformatted disk will be formatted 
>during the AstLinux setup process.
>
>Lonnie

Should we note this new behavior in the "ChangeLog.txt" or a Wiki page?

Michael

http://www.mksolutions.info

On Apr 13, 2011, at 7:14 PM, David Kerr wrote:

> 
> 
> On Wed, Apr 13, 2011 at 5:31 PM, Kristian Kielhofner <kri...@gm...> wrote:
> 
> I use stunnel to transparently encrypt HTTP traffic from a network
> security camera.  I then access the AstLinux machine over the internet
> with HTTPS and AstLinux/stunnel implements the SSL that my network
> security camera vendor should have implemented themselves :).  I can
> do this from any web browser.  If I was using openvpn I'd need to
> install an openvpn client and build a full blown tunnel.
> 
> 
> Kristian,  Sounds interesting.  How would I do this?  I have a panasonic IP camera inside my network that listens on port X.  In astlinux I just forward port X to the internal IP address of the camera using the firewall configuration page.   How would I configure astlinux to listen for a HTTPS request on a port, unencrypt it, and forward it to the internal IP on port X? 
> 
> Thanks,
> David

David,

Assume, camera on 192.168.101.13, port 80, with HTTPS listening on port 8443...

Disable your Firewall NAT EXT->LAN rule

Add a Firewall Pass EXT->Local to port 8443

Then add to /mnt/kd/rc.conf.d/user.conf
--
STUNNELSERVS="8443:192.168.101.13:80"
STUNNELUSER="root"
--
$ gen-rc-conf
$ service stunnel init

It seems to be quite chatty to the syslog though.

Lonnie

On Wed, Apr 13, 2011 at 5:31 PM, Kristian Kielhofner <
kri...@gm...> wrote:
>
>
> I use stunnel to transparently encrypt HTTP traffic from a network
> security camera.  I then access the AstLinux machine over the internet
> with HTTPS and AstLinux/stunnel implements the SSL that my network
> security camera vendor should have implemented themselves :).  I can
> do this from any web browser.  If I was using openvpn I'd need to
> install an openvpn client and build a full blown tunnel.
>
>
Kristian,  Sounds interesting.  How would I do this?  I have a panasonic IP
camera inside my network that listens on port X.  In astlinux I just forward
port X to the internal IP address of the camera using the firewall
configuration page.   How would I configure astlinux to listen for a HTTPS
request on a port, unencrypt it, and forward it to the internal IP on port
X?

Thanks,
David