Securing tracd with stunnel
I would appreciate if others could go over this tutorial on securing (at least for avoiding plaintext sending of auth) tracd and provide any feedback. It works for me on trac 0.9.2.
Using stunnel version 4 or higher, you can create a tracd configuration file that passes requests on an https port to the port you specify when running tracd. In this manner, your users can access tracd using an
https:// request, ensuring their requests (and passwords) aren't being sent cleartext.
Put this file in /etc/stunnel/stunnel-tracd.conf:
# Provide the full path to your certificate-key pair file cert = /etc/stunnel/stunnel.pem # no pid pid = # change the UID and GID of the process for security reasons setuid = nobody setgid = nobody [tracd] accept = 8993 connect = localhost:8992
I also added tracd to /etc/services:
tracd 8992/tcp # trac web server
If you don't already have a certificate, you need to create a self-signed .pem certificate file, you can put it in /etc/stunnel/stunnel.pem. You do this with openssl:
openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
The stunnel.cnf file mentioned here is in the source distribution for stunnel, in the tools subdirectory. It will ask you for your state, country, etc. After it generates the .pem file move it to where the .conf file above indicates. Note that depending on what your
umask is, you may need to adjust the permissions on the
stunnel.pem file — 600 (readable and writeable only by owner) should work.
Make sure to apply the patch in #2553 and set
base_url=https://... as of Trac 0.9.2 and later so that tracd doesn't forward to an http url.
For trac 0.11 no patching is needed (fix applied in Trac 0.10.5): read #6472 and modify trac.ini
base_url=https://... use_base_url_for_redirect = true
Now you just need to run stunnel, then tracd:
# stunnel4 /etc/stunnel/stunnel-tracd.conf # tracd -d --http11 --hostname=localhost --port 8992 --auth [your auth options here] [trac_env_directory]
Option —http11 (use HTTP/1.1 protocol version instead of HTTP/1.0) seems to cause less random disconnects.
Now trac will be accessible at https://url:8993/trac — the requests will be forwarded internally to port 8992 on localhost, which tracd is listening on. If you self-signed your certificate your browser will ask you to confirm it.
Note that the use of 'localhost' is crucial - it prevents people from the outside to bypass your SSL restriction by connecting to port 8992 directly.
Using port 443
If you are not running a webserver with https support on your server (i.e., you are not using port 443), you can make the trac URL a bit more user-friendly — simply https://url/trac — by specifying port 443 (the default https port) for the stunnel. In /etc/stunnel/stunnel-tracd.conf set:
[tracd] accept = 443 connect = localhost:8992
On RHEL/CentOS with iptables, remember to unblock that port in /etc/sysconfig/iptables:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
(above tested on RHEL 5.6)