Wifi Boat Overview
Services
UGR wifi boat ships the following services in Docker containers:
- stunnel server
- web server (hello world, report, file management)
- https web server (hello world)
- mongodb database
Stretch goals:
- Data to inform the server about processes that are running? How to install a program that runs on the pi and tries to call home and send updates on information going on with the operating system, running processes, etc.?
Please make a note:
- The UGR wifi boat does not receive or process raw packet data. The Raspberry Pi device will extract network data, either by using a tool that extracts relevant information or by running a tool like scapy or aircrack on the Raspberry Pi to capture and process network data local to the Pi. Only small, digested, processed data is sent back to the server.
Getting Set Up For The Boat
Make sure your node is all set: Deployment/New Node Checklist
Make sure docker installed: Docker/Installing
Boat Containers
Stunnel
Stunnel is a server/client service that allows arbitrary traffic to be transported through an encrypted HTTP over SSL layer (HTTPS). Since port 443 is usually open even on locked-down networks, this is an extremely handy tool for punching through firewalls. Due to the nature of encrypted traffic, the contents of an HTTPS packet cannot be inspected, so services that would otherwise be blocked due to their protocols, like SSH, can pass in and out of the network just fine by being wrapped up in HTTPS.
Here's how the Stunnel Docker container will be set up:
- Create a Dockerfile or download a prepared one (they are easy enough to make that it is worth doing yourself.)
- Make a Docker Stunnel container image
- Run a Docker Stunnel container image
- Ensure that Stunnel is working and configured properly (ignoring network)
- Ensure that networking with host is working and configured properly
Create Dockerfile for stunnel container image
The files needed to get the Stunnel docker image working with the SSL keys obtained from LetsEncrypt are contained in the following git.charlesreid1.com repository:
https://charlesreid1.com:3000/docker/stunnel
Preparing to build stunnel container image
Before we can build the container image, we need to have the SSL certificate the server will use, as well as the stunnel configuration file.
Some of this is taken care of in the docker/stunnel repository on git.charlesreid1.com:
https://git.charlesreid1.com/docker/stunnel
$ mkdir ~/docker
$ cd ~/docker
$ git clone https://charlesreid1.com:3000/docker/stunnel
$ cd stunnel
Run the sudo_prep.sh script to make copies of the Let's Encrypt keys in the current directory:
$ sudo ./sudo_prep.sh
Now your SSL certificates are in-place and ready to be copied into the container.
Next we will take care of the stunnel configuration file.
Networking/Ports Configuration
Stunnel exposes one port externally (for clients to connect on), typically 443. This is the port on which all of the SSL-wrapped traffic will pass. We will need to map this port from the Docker container to the host, and open that port on the host's firewall.
Stunnel accepts encrypted traffic on that exposed port. It unwraps the traffic, removing the SSL layer, and forwards the unencrypted traffic on to another local port, typically one that is not publicly exposed.
For our test, the stunnel container will listen for connections on 443. It will forward these to local port 8443. We will set up a Python HTTP server on port 8443 that only listens for local requests and responds with a "HALLO WURLLD" page. If the stunnel container is configured correctly, we should be able to send HTTP requests to the stunnel container, and have it pass those through to the Python HTTP server, which will serve up the "HALLO WURLLD" page.
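The local backend described above, as an added example (not code from the page or the docker/stunnel repository): a Python HTTP server that binds only to 127.0.0.1 so that the plaintext side is reachable solely from the host where stunnel runs, and a fetch helper that does what stunnel does after stripping TLS. The HALLO WURLLD page is constructed here; port 8443 is the page's choice.

```python
"""Loopback-only HTTP backend for the stunnel test (added example)."""
import http.server
import socketserver
import threading
import urllib.request

# Constructed sample page; nothing is read from disk.
PAGE = b"<html><body><h1>HALLO WURLLD</h1></body></html>\n"


class HalloHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # Every path returns the same static page.
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, fmt, *args):
        # Silence per-request logging; in a container you would let it
        # go to stdout so `docker logs` picks it up.
        pass


class LocalServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve_local(port: int = 8443) -> LocalServer:
    """Start the backend in a background thread, bound to loopback only.

    Binding 127.0.0.1 rather than 0.0.0.0 is the point: the unencrypted
    service must not be reachable from outside the host. stunnel on 443 is
    the only public entry point, and it connects to this port locally.
    """
    server = LocalServer(("127.0.0.1", port), HalloHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port: int, path: str = "/") -> str:
    """Plain HTTP GET to loopback, i.e. the hop stunnel makes after decrypting."""
    url = f"http://127.0.0.1:{port}{path}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    srv = serve_local(8443)
    print(f"serving HALLO WURLLD on 127.0.0.1:{srv.server_address[1]}")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
        srv.server_close()
```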
Start with the configuration file for stunnel. It will live in /etc/stunnel/stunnel.conf. Here is what we will use:
output = /var/log/stunnel4/stunnel.log
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
pid = /var/run/stunnel4/stunnel.pid
; server mode: stunnel terminates SSL here. client = yes would make stunnel
; a SSL *client* that forwards to 127.0.0.1:8443 over SSL, the reverse of
; what we want.
client = no
[https]
accept = 443
connect = 127.0.0.1:8443
This will accept inbound encrypted connections on 443, decrypt them, and forward them along to local port 8443, where Python will be listening. Because this is a server, we are handling inbound requests, just like a web server: the browser wraps its HTTP requests in SSL, and stunnel strips that layer off before handing them to Python.
Now we have the SSL certificates and the configuration file finished, and we are ready to build our Docker image.
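A small checker for the stunnel.conf settings this setup depends on, added here as an example (not code from the page or the docker/stunnel repository). It parses stunnel's INI-style format and flags the mistakes a server-side config like the one above can hide: a leftover client = yes (stunnel then acts as an SSL client and forwards to 127.0.0.1:8443 over SSL, the reverse of what the prose describes), an accept bound to localhost (unreachable from outside the container), and a connect target that is not loopback (plaintext would leave the host). The sample config is constructed, deliberately with client=yes, so the finding is visible.

```python
"""Parse stunnel.conf and check the server-side settings this page relies on."""
from __future__ import annotations

# Constructed sample: the page's server config, but with the mistaken client=yes.
SAMPLE_CONF = """\
output = /var/log/stunnel4/stunnel.log
cert=/etc/stunnel/stunnel.pem
key=/etc/stunnel/stunnel.pem
pid=/var/run/stunnel4/stunnel.pid
client=yes
[https]
accept = 443
connect = 127.0.0.1:8443
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_stunnel_conf(text: str) -> dict[str, dict[str, str]]:
    """Return {"": global options, "<service>": per-service options}.

    stunnel's format: 'key = value' lines, '[service]' headers, comments
    starting with ';' or '#'. Global options precede the first section.
    """
    sections: dict[str, dict[str, str]] = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip().lower()] = value.strip()
    return sections


def split_host_port(addr: str) -> tuple[str | None, int]:
    """'443' -> (None, 443); '127.0.0.1:8443' -> ('127.0.0.1', 8443)."""
    host, sep, port = addr.rpartition(":")
    return (host if sep else None), int(port if sep else addr)


def check_server_conf(text: str) -> list[str]:
    """Findings for a config meant to terminate SSL on a public port and
    forward plaintext to a non-public local service."""
    sections = parse_stunnel_conf(text)
    glob = sections[""]
    findings: list[str] = []
    if glob.get("client", "no").lower() == "yes":
        findings.append("global: client=yes makes stunnel an SSL client; "
                        "an SSL-terminating server needs client = no")
    if "cert" not in glob:
        findings.append("global: no cert= configured; server mode needs one")
    for name, svc in sections.items():
        if name == "":
            continue
        if "accept" not in svc or "connect" not in svc:
            findings.append(f"[{name}]: needs both accept and connect")
            continue
        ahost, _ = split_host_port(svc["accept"])
        if ahost in LOOPBACK:
            findings.append(f"[{name}]: accept bound to {ahost}; unreachable "
                            "from outside the container (bind 0.0.0.0)")
        chost, _ = split_host_port(svc["connect"])
        if chost is not None and chost not in LOOPBACK:
            findings.append(f"[{name}]: connect target {chost} is not loopback; "
                            "plaintext leaves the host after SSL is stripped")
    return findings
```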
Build Docker stunnel container image from Dockerfile
From the git repo checked out above, which contains a Dockerfile, run docker build to build the image:
$ docker build -t cmr_stunnel .
This may take a minute. Once that's finished make sure Docker now lists the image:
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
cmr_stunnel latest 2b197f506e02 59 seconds ago 219 MB
Run the Docker stunnel container image
You can fire up the docker container and get a Bash shell:
$ docker run -ti cmr_stunnel /bin/bash
Test that the stunnel command works.
Now that stunnel is running okay, and the certificates are working, let's get the networking and ports figured out.
Port Mapping
The Docker networking guide provides some useful info: https://docs.docker.com/engine/userguide/networking/
We can specify three networks: the host network, a bridge network (shared between host and container only), or no network at all.
We want to attach the container to the outside world via the standard network interface onboard the host. Use --network=host when running the container.
That leaves one open problem: how does the container identify its own address on the host network? The container image does not ship ifconfig.
Load Image with Networking/Ports Configured
Links
Stunnel documentation (man page): https://www.stunnel.org/static/stunnel.html
Stunnel Dockerfile that is about as simple as it is going to get: https://github.com/taskworld/docker-stunnel/blob/master/Dockerfile
Note: ufw needs to accept, not drop, traffic: [1]
Note: container needs to bind to 0.0.0.0, not localhost, or it won't be accessible outside the container: [2]