
Changes between Initial Version and Version 1 of STunnelTracd

Timestamp: Jan 5, 2006, 1:40:57 AM
Author: brian whitman <trac_bwhitman@…>
= Securing tracd with stunnel =

I could not find a good tutorial on securing (at least for avoiding plaintext sending of auth) tracd. I would appreciate if others could go over this and confirm, but it seems to work. This is using trac 0.9.2.

Using stunnel-4.14, you can create a stunnel configuration file that accepts connections on an https port and forwards them to the port you specify when running tracd. In this manner, your users can access tracd using an https:// request, ensuring their requests (and passwords) aren't sent in cleartext.
     6
I put this file in /etc/stunnel/stunnel-tracd.conf:

{{{
# Provide the full path to your certificate-key pair file
cert = /etc/stunnel/stunnel.pem

# no pid file
pid =

# change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody

# service section: listen for TLS on 8993 and forward the decrypted
# traffic to tracd on 8992 (a bare port means localhost)
[tracd]
accept  = 8993
connect = 8992
}}}
     24
I also added tracd to /etc/services:
{{{
tracd       8992/tcp                        # trac web server
}}}
     29
You need to create a .pem certificate file; I put it in /etc/stunnel/stunnel.pem. You do this with openssl:

{{{
# -nodes leaves the private key unencrypted; -keyout writes it into the same file as the certificate
openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
}}}

The stunnel.cnf file mentioned here is in the source distribution for stunnel, in the tools subdirectory. It will ask you for your state, country, etc. After it generates the .pem file, move it to where the .conf file above indicates.
     37
Now you just need to run stunnel, then tracd:

{{{
# /usr/sbin/stunnel /etc/stunnel/stunnel-tracd.conf
# tracd -d --port 8992 --auth [your auth options here!!] [trac_env_directory]
}}}
     44
Trac will now be accessible at https://url:8993/trac; stunnel forwards the decrypted requests internally to port 8992, which tracd is listening on. As of trac 0.9.2, make sure to apply the patch in [http://projects.edgewall.com/trac/ticket/2553 ticket 2553] so that tracd doesn't forward to an http:// url.
     46
     47
     48