From the stunnel website:
stunnel is an open-source multi-platform application used to provide a universal TLS/SSL tunneling service. stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively
-
5.72,5,latest,stable(Dockerfile)
These examples show how you would proxy Redis clients that do not support TLS/SSL to a TLS-secured Redis server on Azure (should apply similarly to AWS).
This example uses the default trusted root CA chain from Alpine Linux:
docker run -itd \
-e STUNNEL_CLIENT=yes \
-e STUNNEL_SERVICE=redis \
-e STUNNEL_ACCEPT=6379 \
-e STUNNEL_CONNECT=myredis.redis.cache.windows.net:6380 \
-e STUNNEL_CHECK_HOST=myredis.redis.cache.windows.net \
-e STUNNEL_VERIFY_CHAIN=yes \
-p 6379:6379 \
inveniem/stunnelThis example shows how to provide your own trusted root certificate chain:
docker run -itd \
-e STUNNEL_CLIENT=yes \
-e STUNNEL_SERVICE=redis \
-e STUNNEL_ACCEPT=6379 \
-e STUNNEL_CONNECT=myredis.redis.cache.windows.net:6380 \
-e STUNNEL_CHECK_HOST=myredis.redis.cache.windows.net \
-e STUNNEL_VERIFY_CHAIN=yes \
-p 6379:6379 \
-v /etc/ssl/private/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro \
inveniem/stunnelThis loads the custom certificate chain from
/etc/ssl/private/ca-certificates.crt on the host system into
/etc/ssl/certs/ca-certificates.crt in the container, which is the default
location the container looks for the certificates. The location within the
container can be overridden by setting the STUNNEL_CAFILE environment
variable.
These examples show you would secure an LDAP server running in a container
named directory so that clients can connect to it over LDAPS.
docker run -itd --name ldaps --link directory:ldap \
-e STUNNEL_SERVICE=ldaps \
-e STUNNEL_ACCEPT=636 \
-e STUNNEL_CONNECT=ldap:389 \
-p 636:636 \
inveniem/stunnelThis will automatically generate a self-signed certificate that expires in 365 days.
docker run -itd --name ldaps --link directory:ldap \
-e STUNNEL_SERVICE=ldaps \
-e STUNNEL_ACCEPT=636 \
-e STUNNEL_CONNECT=ldap:389 \
-p 636:636 \
-v /etc/ssl/private/server.key:/etc/stunnel/stunnel.key:ro \
-v /etc/ssl/private/server.crt:/etc/stunnel/stunnel.pem:ro \
inveniem/stunnelThis accomplishes the following:
-
Loads the server private key from
/etc/ssl/private/server.keyon the host system into/etc/stunnel/stunnel.keyin the container, which is the default location the container looks for the key. The location within the container can be overridden by setting theSTUNNEL_KEYenvironment variable. -
Loads the server certificate from
/etc/ssl/private/server.crton the host system into/etc/stunnel/stunnel.pemin the container, which is the default location the container looks for the certificate. The location within the container can be overridden by setting theSTUNNEL_CRTenvironment variable.
By default, the container configures stunnel to use only ciphers indicated as
"Modern" by Mozilla's SSL Configuration Generator
(as of 2024-03-24).
For a variety of reasons, including a desire for more security, a need for compatibility with legacy systems and/or a delay in getting updates from vendors, this default may not work for everyone's needs.
This example shows how to provide your own list of allowed ciphers:
docker run -itd --name ldaps --link directory:ldap \
-e STUNNEL_SERVICE=ldaps \
-e STUNNEL_ACCEPT=636 \
-e STUNNEL_CONNECT=ldap:389 \
-e "STUNNEL_CIPHERS_1_3=TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
-p 636:636 \
-v /etc/ssl/private/server.key:/etc/stunnel/stunnel.key:ro \
-v /etc/ssl/private/server.crt:/etc/stunnel/stunnel.pem:ro \
inveniem/stunnelThis example demonstrates how to connect to a service that as been secured with a pre-shared key (PSK):
docker run -itd \
-e STUNNEL_CLIENT=yes \
-e STUNNEL_SERVICE=myservice \
-e STUNNEL_CONNECT=myservice.net:1234 \
-e STUNNEL_ACCEPT=6379 \
-e STUNNEL_PSK=/etc/stunnel/stunnel.psk \
-v /etc/ssl/private/server.psk:/etc/stunnel/stunnel.psk:ro \
-p 6379:6379 \
inveniem/stunnelThis example demonstrates how to secure a service with a pre-shared key (PSK):
docker run -itd \
-e STUNNEL_SERVICE=myservice \
-e STUNNEL_CONNECT=myservice.net:1234 \
-e STUNNEL_ACCEPT=6379 \
-e STUNNEL_PSK=/etc/stunnel/stunnel.psk \
-v /etc/ssl/private/server.psk:/etc/stunnel/stunnel.psk:ro \
-p 6379:6379 \
inveniem/stunnelThe MIT License (MIT)
Copyright © 2015-2017 Jacob Blain Christen
Portions Copyright © 2017-2018, Emmanuel Frecon
Portions Copyright © 2018, Frederik Weber
Portions Copyright © 2018, "The Goofball (goofball222)"
Portions Copyright © 2019-2024, InveniemPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.