THTTPD 下网站托管的 SSL 连接

Question

所有，

我有一个网站，可以通过端口 86 很好地通过 HTTP 访问。现在需要添加 SSL 来保护连接。该网站由 thttpd 网络服务器提供服务，是的，它不支持 SSL。我当时通过谷歌搜索了很多。建议通过 Stunnel 将 SSL 添加到 thttpd。

更新：

这是我的 stunnel.conf：

; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup
fips = no
; PID is created inside the chroot jail
pid = /stunnel.pid

; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively CRLfile can be used
;CRLfile = /usr/local/etc/stunnel/crls.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; Example SSL server mode services

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

;[ssmtp]
;accept  = 465
;connect = 25

; Example SSL client mode services

;[gmail-pop3]
;client = yes
;accept = 127.0.0.1:110
;connect = pop.gmail.com:995

;[gmail-imap]
;client = yes
;accept = 127.0.0.1:143
;connect = imap.gmail.com:993

;[gmail-smtp]
;client = yes
;accept = 127.0.0.1:25
;connect = smtp.gmail.com:465

; Example SSL front-end to a web server

[https]
accept  = 443
connect = 86
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

; vim:ft=dosini  

这是我得到的结果：

linux-1ryy:/usr/local/etc/stunnel # /usr/local/bin/stunnel
Clients allowed=500
stunnel 4.56 on i686-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS mode is disabled
Compression not enabled
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service [https]
Certificate: /usr/local/etc/stunnel/stunnel.pem
Certificate loaded
Key file: /usr/local/etc/stunnel/stunnel.pem
Private key loaded
Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
DH initialized with 1024-bit key
ECDH initialized with curve prime256v1
SSL options set: 0x01000004
Configuration successful
Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)
Closing service [https]
Service [https] closed (FD=7)
Sessions cached before flush: 0
Sessions cached after flush: 0
Service [https] closed
str_stats: 10 block(s), 883 data byte(s), 420 control byte(s)

这里是运行/usr/local/bin/stunnel之前的端口监听信息：

linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5484/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      336/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1558/sshd
tcp        0      0 :::86                   :::*                    LISTEN      5536/thttpd
tcp        0      0 :::22                   :::*                    LISTEN      1558/sshd

这里是运行后的端口监听信息：

linux-1ryy:/usr/local/etc/stunnel # netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5484/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      336/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1558/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      23145/stunnel
tcp        0      0 :::86                   :::*                    LISTEN      5536/thttpd
tcp        0      0 :::22                   :::*                    LISTEN      1558/sshd

我现在不知道出了什么问题。任何建议将不胜感激。

添加：

如果我关闭防火墙，我可以通过https://<my-ip-address>成功访问。但是，我仍然收到此错误消息：

Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)

想知道为什么...

Answer 1

从 netstat 中可以看出，端口 443 (pid=10833) 上已经有一个 stunnel 进程（以及端口 8443 上的另一个，pid=11191），这就是为什么在端口 443 上启动另一个 stunnel 进程失败的原因

Error binding service [https] to 0.0.0.0:443
bind: Address already in use (98)