Windows SSL tip [no Apache, no IIS necessary]


#1

After reading all I could find and struggling through Apache configurations and SSL cert conversions (all with no ultimate success), I finally had the idea to use stunnel to enable SSL on Windows. It worked beautifully! I now have SSL access on my UrBackup server running on Windows with no Apache and no IIS.

Here is the stunnel config I used.
; TLS front-end to a web server
[https]
accept = 443
connect = 55414
cert = yourcert.pem

Make sure you install stunnel as a service so it runs when nobody is logged in.


#2

Could you please be more specific with your detail to ensure it’s clear what you used and the entire process from beginning to end to help ensure this information you are sharing with others can be put to good use as you have done?

I’m interested in knowing more about this but as-is I’m confused how to put this in place so if you get a chance, let us know with more specific detail please.


#3

Absolutely. Assuming you have an installation of UrBackup working successfully with internet clients without SSL.

Install stunnel (https://www.stunnel.org/) on your UrBackup server. After the install, run the shortcut in the start menu to install it as a service. (Make sure it’s not running interactively before you try and start the service.)

Edit the stunnel configuration (run the “Edit stunnel.conf” shortcut in the start menu). Comment out every line in the file (by adding a ; to the beginning) except the following section, which you should edit as follows:

; TLS front-end to a web server
[https]
accept  = 443
connect = 55414
cert = mycert.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

Basically, you are telling stunnel to redirect requests on port 443 (the standard https port) to port 55414 (the standard UrBackup http port). Save the config file.

Place your .pem certificate file in the same folder as the stunnel.conf file (C:\Program Files (x86)\stunnel\config\ on my system). Make sure the filename matches what you specified in the config file above.

Restart the stunnel service in Windows Services to load the config you just saved.

Now, if you navigate to https://localhost from the UrBackup server it should load the login page. You will get an SSL error because localhost doesn’t match the name on the certificate. That’s fine for now, we are just checking that stunnel is working.

At some point when you got your certificate your decided what domain name you were going to access your server as. Normally this is in the form of subdomain.doman.com, such as urbackup.example.com. Your SSL cert will be issued in that name and the url you use to access your server must match that name.

Make sure you setup your DNS properly for external requests. And make sure you open port 443 on your router (same way you did port 55415). And make sure you make an exception for stunnel in the Windows firewall for Domain (if present), Private, and Public (should be listed as an exception already, just need to check the other boxes).

If all that is set up correctly, from an internet client, you should be able to access https://urbackup.example.com and get the UrBakcup login page. You should not get an SSL error this time because your url matches the certificate. (Unless, of course, you are using a self-generated cert and then you will still get an error unless you have trusted the issuier of the cert, but that is another topic entirley.)

As the last step set the server URL in the UrBackup setting to https://urbackup.example.com (Settings / Server / Server URL)


#4

This is for Windows stunnel, correct?


#5

Very nice update and detail include. I may test this out one day but being as detailed as possible with your solution steps is important for others—and probably for you too in case two or three years goes by, you suddenly have a problem, need to migrate the server, etc. and having some good notes to review may be of tremendous help. I’d give you an up vote for the post if it were an option. I’m assuming this is strictly Windows too by the way based on the word “Windows” in the title (IIS too I suppose).


#6

I’m using this as a solution on Windows. However, stunnel appears to be available on Linux, so you could probably get it to work there as well. You are on your own figuring that out though. :wink:


#7

Your config file works well on my Debian Linux server. The syntax for stunnel on Windows and Linux configuration files is exactly the same. Thanks for the write up!


#8

Thanks so much for this @scott , that’s some serious improvement over the other nonsense.

@uroni this should be a sticky or otherwise promoted/documented somehow.


#9

Excellent tip. I needed to tinker around with getting the certificate file, but once that was done, it worked like a champ

I needed to create the certificate on a Linux machine.