Windows SSL tip [no Apache, no IIS necessary]

scott · October 16, 2017, 2:42pm

After reading all I could find and struggling through Apache configurations and SSL cert conversions (all with no ultimate success), I finally had the idea to use stunnel to enable SSL on Windows. It worked beautifully! I now have SSL access on my UrBackup server running on Windows with no Apache and no IIS.

Here is the stunnel config I used.
; TLS front-end to a web server
[https]
accept = 443
connect = 55414
cert = yourcert.pem

Make sure you install stunnel as a service so it runs when nobody is logged in.

IT_Shizzle · October 16, 2017, 4:40pm

Could you please be more specific with your detail to ensure it’s clear what you used and the entire process from beginning to end to help ensure this information you are sharing with others can be put to good use as you have done?

I’m interested in knowing more about this but as-is I’m confused how to put this in place so if you get a chance, let us know with more specific detail please.

scott · October 16, 2017, 6:28pm

Absolutely. Assuming you have an installation of UrBackup working successfully with internet clients without SSL.

Install stunnel (https://www.stunnel.org/) on your UrBackup server. After the install, run the shortcut in the start menu to install it as a service. (Make sure it’s not running interactively before you try and start the service.)

Edit the stunnel configuration (run the “Edit stunnel.conf” shortcut in the start menu). Comment out every line in the file (by adding a ; to the beginning) except the following section, which you should edit as follows:

; TLS front-end to a web server
[https]
accept  = 443
connect = 55414
cert = mycert.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
TIMEOUTclose = 0

Basically, you are telling stunnel to redirect requests on port 443 (the standard https port) to port 55414 (the standard UrBackup http port). Save the config file.

Place your .pem certificate file in the same folder as the stunnel.conf file (C:\Program Files (x86)\stunnel\config\ on my system). Make sure the filename matches what you specified in the config file above.

Restart the stunnel service in Windows Services to load the config you just saved.

Now, if you navigate to https://localhost from the UrBackup server it should load the login page. You will get an SSL error because localhost doesn’t match the name on the certificate. That’s fine for now, we are just checking that stunnel is working.

At some point when you got your certificate your decided what domain name you were going to access your server as. Normally this is in the form of subdomain.doman.com, such as urbackup.example.com. Your SSL cert will be issued in that name and the url you use to access your server must match that name.

Make sure you setup your DNS properly for external requests. And make sure you open port 443 on your router (same way you did port 55415). And make sure you make an exception for stunnel in the Windows firewall for Domain (if present), Private, and Public (should be listed as an exception already, just need to check the other boxes).

If all that is set up correctly, from an internet client, you should be able to access https://urbackup.example.com and get the UrBakcup login page. You should not get an SSL error this time because your url matches the certificate. (Unless, of course, you are using a self-generated cert and then you will still get an error unless you have trusted the issuier of the cert, but that is another topic entirley.)

As the last step set the server URL in the UrBackup setting to https://urbackup.example.com (Settings / Server / Server URL)

Flatlinebb · October 16, 2017, 10:39pm

This is for Windows stunnel, correct?

IT_Shizzle · October 17, 2017, 1:33am

Very nice update and detail include. I may test this out one day but being as detailed as possible with your solution steps is important for others—and probably for you too in case two or three years goes by, you suddenly have a problem, need to migrate the server, etc. and having some good notes to review may be of tremendous help. I’d give you an up vote for the post if it were an option. I’m assuming this is strictly Windows too by the way based on the word “Windows” in the title (IIS too I suppose).

scott · October 17, 2017, 2:07am

I’m using this as a solution on Windows. However, stunnel appears to be available on Linux, so you could probably get it to work there as well. You are on your own figuring that out though.

Flatlinebb · October 17, 2017, 10:44pm

Your config file works well on my Debian Linux server. The syntax for stunnel on Windows and Linux configuration files is exactly the same. Thanks for the write up!

Mark_E_Mark · October 26, 2017, 8:57pm

Thanks so much for this @scott , that’s some serious improvement over the other nonsense.

@uroni this should be a sticky or otherwise promoted/documented somehow.

smcclos · March 31, 2018, 5:14am

Excellent tip. I needed to tinker around with getting the certificate file, but once that was done, it worked like a champ

I needed to create the certificate on a Linux machine.

3c2b2ff5 · August 22, 2019, 8:20pm

Hi,
with stunnel you can either use http or https, which means the http request will get and error if you are accepting https and vice versa. I prefer to user apache2 and redirect http to https which acts as a reverse proxy for the fcgi.
So I installed today urbackup on debian 10 and got the apache2 with ssl to work. I used the home:uroni project hier:

https://software.opensuse.org/download.html?project=home%3Auroni&package=urbackup-server

After installing apache2 all you need to do is to enable the ssl, proxy and the proxy_fcgi modules:

a2enmod ssl proxy proxy_fcgi

then disable the default vhost:

a2dissite 000-default.conf

create urbackup vhost:

vim /etc/apache2/sites-available/urbackup.conf

with the following content:

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	ServerName urbackup.local.domain
	DocumentRoot /usr/share/urbackup/www/
	Redirect permanent / https://urbackup.local.domain/

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerAdmin webmaster@localhost
		ServerName urbackup.local.domain
		DocumentRoot /usr/share/urbackup/www/

		ServerSignature Off
		SSLProxyEngine On
		ProxyPreserveHost On
		ProxyPass "/x" "fcgi://localhost:55413"

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on
		SSLCertificateFile	/etc/ssl/certs/mycert.crt
		SSLCertificateKeyFile /etc/ssl/private/mykey.key

		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>
	</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

You need to adjust the ServerName and the mycert.crt and mykey.key.
Last step is to enable you vhost and restart apache2:

a2ensite urbackup.conf
service apache2 restart

I hope this will help some one.