
SSH over SSL




Client Stunnel Config

Install stunnel
$ sudo yum install -y stunnel

Certificates
The certificates were created in the previous section. The only new file is client1.pem, which packages the client certificate and its private key into a single PEM; the stunnel config below points at this file so that stunnel presents client1's certificate when it opens the TLS session to HAProxy. Keep the file readable by its owner only, since it contains the private key.
$ cd /home/cloud/certs/client1
$ cat client1.crt client1.key > client1.pem
$ chmod 400 client1.pem

Configure stunnel to accept plain SSH on local port 8088 and forward it over TLS to HAProxy on port 443:

Create the config file for the client side of SSH over SSL.
vi /etc/stunnel/stunnel.conf

Write these:
pid = /stunnel.pid
client=yes
fips=no
foreground=yes
cert = /home/cloud/certs/client1/client1.pem
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
output = stunnel.log
[ssh]
; plain SSH comes in here (ssh -p 8088 localhost)
accept = 127.0.0.1:8088
; HAProxy's TLS frontend from the previous section
connect = 1.0.0.5:443

Notes on this config: the pid path is relative to the chroot directory, so the pid file ends up in /var/run/stunnel; foreground=yes keeps stunnel attached to the terminal and echoes its log to the console, which is where the log lines shown below come from; the cert file is opened while stunnel is still root, before it drops to nobody. As written the config has no verify or CAfile line, so stunnel presents client1's certificate but does not check the certificate that HAProxy presents: any TLS server answering on 1.0.0.5:443 is accepted. Adding verify = 2 together with a CAfile pointing at the CA that signed HAProxy's certificate makes stunnel fail the handshake unless the server certificate chains to that CA.
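As an added example (not from the original page), the shell functions below do the two steps above with the checks a practitioner would want: they build client1.pem only after confirming that the certificate and key actually belong together, and they write a client stunnel.conf that, unlike the one above, verifies the certificate HAProxy presents. The CA path /home/cloud/certs/ca/ca.crt and the function names are assumptions; the CA must be the one that signed HAProxy's server certificate in the previous section.

```shell
#!/bin/sh
# Added example, not the page's own commands. Builds the client PEM the way
# the page does, but refuses to package a certificate with a key that does
# not belong to it, and writes a stunnel.conf that also verifies HAProxy's
# server certificate against our CA (the page's config skips that check).
# Assumed (hypothetical) path: /home/cloud/certs/ca/ca.crt is the CA that
# signed both the HAProxy server certificate and client1.crt.

set -u

# Return 0 if CERT's public key equals KEY's public key, 1 otherwise.
# Comparing the PEM-encoded public keys works for RSA and EC keys alike.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Package CERT + KEY into OUT (mode 0400), but only if they match.
# The subshell umask means the file is never group/world readable, not even
# for the instant between 'cat' and 'chmod'.
build_client_pem() {
    cert="$1"; key="$2"; out="$3"
    if ! cert_matches_key "$cert" "$key"; then
        echo "refusing to build $out: $cert does not match $key" >&2
        return 1
    fi
    ( umask 077 && cat "$cert" "$key" > "$out" ) || return 1
    chmod 400 "$out"
}

# Write a client-mode stunnel.conf to OUT. Same settings as the page's
# config plus 'CAfile' and 'verify = 2': stunnel then aborts the handshake
# unless the certificate presented on HAPROXY:443 chains to CAFILE.
write_stunnel_conf() {
    pem="$1"; cafile="$2"; haproxy="$3"; out="$4"
    [ -r "$cafile" ] || { echo "CA file $cafile is not readable" >&2; return 1; }
    cat > "$out" <<EOF
pid = /stunnel.pid
client = yes
fips = no
foreground = yes
cert = $pem
CAfile = $cafile
verify = 2
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
output = stunnel.log
[ssh]
accept = 127.0.0.1:8088
connect = $haproxy:443
EOF
}

# Usage on the client box (paths from the page; CA path is an assumption):
#   cd /home/cloud/certs/client1
#   build_client_pem client1.crt client1.key client1.pem
#   sudo sh -c '. ./this_script.sh; write_stunnel_conf \
#       /home/cloud/certs/client1/client1.pem \
#       /home/cloud/certs/ca/ca.crt 1.0.0.5 /etc/stunnel/stunnel.conf'
```

Writing to /etc/stunnel needs root, hence the sudo in the usage note; the CA file must stay readable after stunnel drops to nobody, or be loaded before the drop as the cert is (stunnel reads CAfile at startup, so a root-owned, world-readable CA certificate is fine; it is public material).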


Start Stunnel
$ sudo stunnel /etc/stunnel/stunnel.conf
 LOG5[8088:140150046664640]: stunnel 4.29 on x86_64-redhat-linux-gnu with OpenSSL 1.0.1e-fips 
 LOG5[8088:140150046664640]: Threading:PTHREAD SSL:ENGINE,FIPS Sockets:POLL,IPv6 Auth:LIBWRAP
 LOG5[8088:140150046664640]: 500 clients allowed

$ ps aux | grep stunnel
root 8086 0.0 0.1 189704 3356 pts/0 S+ 12:14 0:00 sudo stunnel /etc/stunnel/stunnel.conf
nobody 8088 0.0 0.1 109240 3356 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf
nobody 8089 0.0 0.0 43636 1068 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf
nobody 8090 0.0 0.0 43636 856 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf
nobody 8091 0.0 0.0 43636 856 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf
nobody 8092 0.0 0.0 43636 856 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf
nobody 8093 0.0 0.0 43636 856 pts/0 S+ 12:14 0:00 stunnel /etc/stunnel/stunnel.conf

The stunnel processes run as nobody, which confirms the setuid/setgid lines took effect after the certificate was loaded; only the sudo wrapper is still root.

Test the SSH over SSL
Connecting with ssh to local port 8088 goes through stunnel and HAProxy, and HAProxy hands each new connection to one of the two backend servers, so repeated logins land on either server. One consequence: both backends are reached through the same known_hosts entry, [localhost]:8088, so unless the two servers share an SSH host key, the first login that lands on the other server will fail the host key check with a mismatch warning rather than the "can't be established" prompt shown here.
$ ssh -p 8088 localhost

The authenticity of host '[localhost]:8088 ([127.0.0.1]:8088)' can't be established.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:8088' (RSA) to the list of known hosts.
cloud@localhost's password:

[cloud@CentOS66x64-Unused ~]$ ifconfig
inet addr:1.0.0.1 Bcast:1.0.0.255 Mask:255.255.255.0

Stunnel Logs on Console
 LOG5[8088:140150046660352]: ssh accepted connection from 127.0.0.1:48413
 LOG5[8088:140150046660352]: connect_blocking: connected 1.0.0.5:443  <----- HAProxy TLS frontend
 LOG5[8088:140150046660352]: ssh connected remote server from 1.0.0.6:41178  <---- this client's own address and source port
 LOG5[8088:140150046660352]: Connection closed: 2765 bytes sent to SSL, 4213 bytes sent to socket
