Edgewall Software

Version 7 (modified by anonymous, 16 years ago) ( diff )

Securing tracd with stunnel

I would appreciate if others could go over this tutorial on securing (at least for avoiding plaintext sending of auth) tracd and confirm. It works for me on trac 0.9.2. Would apprecaite any feedback.

Using stunnel version 4 or higher, you can create a tracd configuration file that passes requests on an https port to the port you specify when running tracd. In this manner, your users can access tracd using an https:// request, ensuring their requests (and passwords) aren't being sent cleartext.

Put this file in /etc/stunnel/stunnel-tracd.conf:

# Provide the full path to your certificate-key pair file
cert = /etc/stunnel/stunnel.pem

# no pid
pid = 

# change the UID and GID of the process for security reasons
setuid = nobody
setgid = nobody

accept  = 8993
connect = 8992

I also added tracd to /etc/services:

tracd       8992/tcp                        # trac web server

If you don't already have a certificate, you need to create a self-signed .pem certificate file, you can put it in /etc/stunnel/stunnel.pem. You do this with openssl:

openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

The stunnel.cnf file mentioned here is in the source distribution for stunnel, in the tools subdirectory. It will ask you for your state, country, etc. After it generates the .pem file move it to where the .conf file above indicates.

Make sure to apply the patch in ticket 2553 as of trac 0.9.2 so that tracd doesn't forward to an http url.

Now you just need to run stunnel, then tracd:

# /usr/sbin/stunnel /etc/stunnel/stunnel-tracd.conf
# tracd -d --port 8992 --auth [your auth options here] [trac_env_directory]

Now trac will be accessible at https://url:8993/trac — the requests will be forwarded internally to port 8992, which tracd is listening on. If you self-signed your certificate your browser will ask you to confirm it.

This does not prevent people from accessing tracd at the original port over http! To do so using this method you need to block the 8992 port from outside access using iptables or a firewall.

Note: See TracWiki for help on using the wiki.