💾 Archived View for thebackupbox.net › ~epoch › blog › stunnel captured on 2024-12-17 at 10:13:10. Gemini links have been rewritten to link to archived content
update: 2022-02-27
I stopped using stunnel and wrote my own thing that does significantly less things.
//git.thebackupbox.net/tlswrap/blob/refs/heads/master:/tlswrap.c
Since gemini needs SNI...
and I'd like to not have to write code to do TLS shit.
I've started using stunnel for this. :)
Have to use a new version of stunnel. At least 5.something.
I first tried to do SNI with inetd mode (where inetd launches stunnel after connection) but I couldn't figure out how to set the `sni =` line for sni sections, since the first half of the value (before the :) is supposed to be the subsection name, and inetd mode doesn't use one of those.
Here's my stunnel.conf.
```
foreground = quiet

[https]
accept = 443
setuid = www-data
setgid = www-data
exec = /service/https/fixvars_stunnel.sh
cert = /etc/letsencrypt/for_stunnel/https.pem

[gemini]
accept = 1965
setuid = gemini
setgid = gemini
exec = /service/gemini/fixvars_stunnel.sh
execArgs = fixvars_stunnel.sh default
cert = /etc/letsencrypt/for_stunnel/gemini.pem

[sni1]
sni = gemini:epo.k.vu
cert = /etc/letsencrypt/for_stunnel/gemini.pem
exec = /service/gemini/fixvars_stunnel.sh
execArgs = fixvars_stunnels.sh shorten

[sni2]
sni = gemini:*.thebackupbox.net
cert = /etc/letsencrypt/for_stunnel/gemini.pem
exec = /service/gemini/fixvars_stunnel.sh
execArgs = fixvars_stunnels.sh hacking
```
stunnel gets run by supervise (from ) with a run file of:
```sh
#!/bin/sh
exec stunnel /usr/local/etc/stunnel/stunnel.conf
```
The "fixvars_stunnels.sh" script is something to set a couple of env vars that stunnel doesn't have by default, like PATH, and REMOTE_ADDR instead of REMOTE_HOST, and then it execs geminid, which is another shell script that speaks gemini.
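The wrapper described above, as an added example that is not the author's fixvars_stunnel.sh and is not code from the stunnel project. It assumes (not stated on the page) that stunnel hands the peer address to the exec'd program as REMOTE_HOST, that the word given after the script name in `execArgs` (default, shorten, hacking) arrives as `$1`, and that `geminid` lives on the PATH set here. The point it illustrates: the child stunnel starts under the `setuid`/`setgid` user gets an almost empty environment, so the wrapper is the place to set PATH deliberately and to pass only a sanity-checked address on as REMOTE_ADDR, since that value ends up in logs and in whatever the backend script does with it.

```sh
#!/bin/sh
# Added example of a fixvars-style wrapper for stunnel's exec= option.
# Not the author's script; written from the description on the page.
# Assumed (not from the page): stunnel sets REMOTE_HOST for the child,
# the execArgs label is $1, and geminid is on the PATH set below.

# Compute the variables a gemini backend expects from what stunnel gives us.
# Prints KEY=VALUE lines so the logic can be checked without exec'ing anything.
fixvars_env() {
    remote_host=$1          # the value stunnel passed as REMOTE_HOST
    site=${2:-default}      # label from execArgs, falls back to "default"

    # stunnel starts the child with almost no environment: set PATH
    # explicitly rather than inheriting whatever was (or was not) there.
    printf 'PATH=%s\n' "/usr/local/bin:/usr/bin:/bin"

    # CGI-style backends expect REMOTE_ADDR. Only pass it on when it looks
    # like a plain IPv4/IPv6 literal; anything else becomes empty rather
    # than reaching log lines or shell scripts downstream.
    case $remote_host in
        ''|*[!0-9a-fA-F:.]*) printf 'REMOTE_ADDR=\n' ;;
        *) printf 'REMOTE_ADDR=%s\n' "$remote_host" ;;
    esac

    printf 'GEMINI_SITE=%s\n' "$site"
}

main() {
    # Apply the computed variables to this shell, then hand off to geminid
    # (hypothetical backend name, as on the page; the argument is assumed).
    for kv in $(fixvars_env "${REMOTE_HOST:-}" "${1:-default}"); do
        export "$kv"
    done
    exec geminid "$GEMINI_SITE"
}

# Only hand off when invoked as the wrapper itself (the exec= path in
# stunnel.conf), so the function above can be sourced and checked alone.
case ${0##*/} in
    fixvars_stunnel.sh) main "$@" ;;
esac
```

With this in place the stunnel.conf above needs no changes: each sni section keeps its own `execArgs` label, and the backend sees a fixed PATH plus a REMOTE_ADDR that is either a clean address literal or empty.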