Creating an HTTPS client with Stunnel, for BLOGging specifically
Supplied by Charlie Lindahl < stunnel@cyberchuck.org >
Using STUNNEL to encrypt non-SSL client/server via Apache/SSL
*OR / AND*
Using a non-SSL BLOGging client to access a non-SSL BLOG service
To whet the audience's appetite some, here's a quick ASCII diagram of my environment.
Non-encrypted configuration
+---------+        |   |        +--------+      +---------+
| non-SSL | ------ |   | ------ | Apache | ---- | non-SSL |
| enabled |        |   |        | w/o    |      | enabled |
| client  |        |   |        | SSL    |      | server  |
+---------+        |   |        +--------+      +---------+
  CLIENT            NET         WEB SERVER       SERVICE
Encrypted version with STUNNEL
+---------+        |   |        +--------+      +---------+
| non-SSL | -ST--- |   | ------ | Apache | ---- | non-SSL |
| enabled |        |   |        | WITH   |      | enabled |
| client  |        |   |        | SSL    |      | server  |
+---------+        |   |        +--------+      +---------+
  CLIENT            NET         WEB SERVER       SERVICE
Note the position of STUNNEL : the "-ST-" in the diagram above.
Before I get into more specifics of my application, let me make some
important points:
- Only the client side needs to have STUNNEL, since SSL is provided within Apache
- As with straight STUNNEL, no modifications are required to the client *or*
the application server
- Apache in general (and/or with SSL) has a *lot* of security options
on the server side which can be utilized to protect the service
Specifics of my situation:
- Blog service: Movable Type (http://www.moveabletype.org/)
- Web server: Apache with SSL on LINUX
- Client OSs: Windows (predominant), Macintosh (both MacOS and OS X), LINUX/UNIX
Movable Type allows *authorized* end users to update a Blog (basically
a very flexible HTML-based diary).
Although the blog itself is a (set of) statically-generated HTML pages, to
update (add/modify/delete) entries requires an authenticated client (hence the
need for encryption).
MT comes with a web-based client which works fine under "https/SSL"
(standard browser-to-SSL-server stuff). However, this web-based client
inherits the limitations of the browser, the main one being the lack of
WYSIWYG editing.
MT also provides a BLOG API which uses XML-RPC.
Quite a few very nice standalone blogging clients exist for the various platforms
(Windows, Mac, UNIX/LINUX); see REFERENCES (below) for links. Unfortunately,
I've been unable to configure the clients to run "bare" SSL/HTTPS
over the MT BLOG API.
Enter STUNNEL.
Specific server configuration details
Since I'm running Apache/SSL, which uses the same SSL layer (OpenSSL) that STUNNEL
does, no extra configuration is required (i.e., no separate STUNNEL process
is needed on the server side).
Specific client configuration details
I'm using Windows (NT/Win2K/XP) for the client.
Steps:
- Download the Windows STUNNEL client and SSL libraries (if required)
- Edit the configuration file
- Start up STUNNEL from the command line
- Point my blog client to the STUNNEL pipe
- Blog away!
I'll leave step one as an exercise for the reader :)
Step 2 specifics: STUNNEL 4.x requires the use of a configuration
file.
Below is my specific example (hostname changed to protect the innocent):
client=yes
verify=0
[psuedo-https]
accept = 8080
connect = mybloghost.mydomain:443
TIMEOUTclose = 0
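The verify=0 line in the configuration above means STUNNEL will accept whatever certificate mybloghost.mydomain presents. The following is an added Python helper (not part of the original page or of the stunnel project) that parses an stunnel 4.x-style config and flags client services whose server certificate would not be checked; the CA bundle path and the hardened [pseudo-https] section are assumptions of mine.

```python
"""Audit an stunnel 4.x-style config for client services that skip
certificate verification (verify=0 above disables it)."""
from typing import Dict, List, Tuple

def parse_stunnel_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global options, {service: options}); keys lower-cased since stunnel
    option names are case-insensitive; options before the first [section] are
    defaults for every service."""
    global_opts: Dict[str, str] = {}
    services: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return global_opts, services

def audit_client_services(text: str) -> List[str]:
    """One finding per client-mode service whose server certificate is not
    fully checked: verify below 2, or verify >= 2 without a CAfile/CApath."""
    global_opts, services = parse_stunnel_conf(text)
    findings: List[str] = []
    for name, local in services.items():
        opts = {**global_opts, **local}           # service values override defaults
        if opts.get("client", "no").lower() != "yes":
            continue                               # server-mode service
        level = int(opts.get("verify", "0"))       # stunnel default: no verification
        if level < 2:
            findings.append(f"[{name}]: verify={level}, server certificate not checked")
        elif "cafile" not in opts and "capath" not in opts:
            findings.append(f"[{name}]: verify={level} but no CAfile/CApath configured")
    return findings

# Constructed input: the page's own client config, and a hardened variant that
# trusts only a CA bundle (hypothetical path) and listens on loopback only.
WEAK_CONF = ("client=yes\nverify=0\n[psuedo-https]\naccept = 8080\n"
             "connect = mybloghost.mydomain:443\nTIMEOUTclose = 0\n")
HARDENED_CONF = ("client = yes\nverify = 2\n; hypothetical CA bundle path\n"
                 "CAfile = ca-bundle.pem\n[pseudo-https]\naccept = 127.0.0.1:8080\n"
                 "connect = mybloghost.mydomain:443\nTIMEOUTclose = 0\n")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_client_services(conf) or ["ok"])
```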
After starting STUNNEL on my Windows host (either manually
or as a service) I configure my BLOG client as follows (w.bloggar
as an example):
In File/Account Properties dialog, API tab:
HOST: localhost
PAGE: /moveabletype-home/mt-xmlrpc.cgi
PORT: 8080
Note for w.bloggar users: Do *not* click on the HTTPS button (redundant!)
Now I can blog to my heart's content from home!
Some reference links