stunnel is unstable

Grisu2

n3wb
Apr 2, 2019
17
3
Austria
Hello,

I installed Blue Iris on Windows 10 x64 Redstone 5 (4 cores, 8 GB RAM, as a Proxmox VM).
Blue Iris runs stably; stunnel does not.
The stunnel version is 5.50, installed as a service.

The service is configured to restart automatically when it crashes; unfortunately this happens very often when streaming via the web interface.

stunnel Configuration:
[blueiris]
accept = 443
connect = 80
cert = Certs/wildcard.domain.net.cer
key = Certs/wildcard.domain.net.key
CAfile = Certs/Domain_CA.cer
TIMEOUTclose = 0
reset = no

When I connect over the lighttpd reverse proxy,
or connect directly via HTTP, it is stable.

Does anyone have a helpful idea?
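Added example, not code from the thread or from the stunnel project: a small Python audit of an stunnel.conf like the one above. Two things a reviewer would flag in that fragment: stunnel's "verify" option defaults to 0, so a "CAfile" on its own loads a CA that is never consulted (client certificates are neither required nor checked), and nothing pins a minimum protocol version, so TLS 1.0 and 1.1 stay negotiable. The option names are stunnel's documented ones; the assumption that "sslVersionMin" is available from 5.50 on is mine (the older "options = NO_TLSv1" form works on any 5.x). The HARDENED_CONF values are illustrative, not a recommendation for this particular installation.

```python
"""Audit an stunnel.conf for settings that look protective but are not.

Added example, not from the thread or the stunnel project. Semantics relied
on (stunnel manual): 'verify' defaults to 0, so 'CAfile' without 'verify'
(or 'verifyChain'/'verifyPeer') loads a CA that is never consulted;
'verify = 1' still admits clients that send no certificate; the protocol
floor is set with 'sslVersionMin' (assumed available from 5.50) or with
'options = NO_TLSv1' style lines.
"""
import re
from collections import defaultdict

# Sample input: the service section posted in the thread.
SAMPLE_CONF = """\
[blueiris]
accept = 443
connect = 80
cert = Certs/wildcard.domain.net.cer
key = Certs/wildcard.domain.net.key
CAfile = Certs/Domain_CA.cer
TIMEOUTclose = 0
reset = no
"""

# The same service with both findings addressed (illustrative values).
HARDENED_CONF = SAMPLE_CONF + """\
verify = 2
sslVersionMin = TLSv1.2
"""

SECTION_RE = re.compile(r"\[(.+)\]")


def parse_conf(text):
    """Return {section: {option: [values]}}; the global section is ''.
    Values are lists because stunnel lets some options repeat ('options =')."""
    sections = {"": defaultdict(list)}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, defaultdict(list))
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()].append(value.strip())
    return sections


def audit(text):
    """Return [(section, finding)] for every service section in the file."""
    conf = parse_conf(text)
    glob = conf[""]
    findings = []
    for name, svc in conf.items():
        if name == "":
            continue

        def get(opt):  # service-level value wins, else inherit the global one
            return svc.get(opt) or glob.get(opt) or []

        verify = get("verify")
        has_verify = (bool(verify) or get("verifyChain") == ["yes"]
                      or get("verifyPeer") == ["yes"])
        if get("CAfile") and not has_verify:
            findings.append((name, "CAfile set but no verify/verifyChain/verifyPeer: "
                                   "peer certificates are never checked"))
        elif verify == ["1"]:
            findings.append((name, "verify = 1: a client that sends no "
                                   "certificate is still accepted"))

        floor = get("sslVersionMin")
        opts = set(get("options"))
        # Spelling of the NO_TLSv1.1 option is assumed from stunnel's docs.
        legacy_off = {"NO_TLSv1", "NO_TLSv1.1"} <= opts
        if floor[-1:] not in (["TLSv1.2"], ["TLSv1.3"]) and not legacy_off:
            findings.append((name, "no protocol floor: TLS 1.0/1.1 can be negotiated"))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_CONF):
        print(f"[{section}] {finding}")
```

Global options are inherited by every service section, so the two extra lines can equally go above the first "[...]" header; the audit resolves the service value first and falls back to the global one, the way stunnel does.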
 
"multiple settings wrong", why do you think that?
Did you read my text? The problem is stunnel, not Blue Iris.
The connection via HTTP is stable; only connections over stunnel (HTTPS) crash!

Does Blue Iris have a problem running on port 80?
In any case, it is not used by another service on the system.

The stunnel log says OK; when it restarts there are no helpful lines in the logfile, only:
2019.04.02 00:37:43 LOG5[main]: stunnel 5.50 on x64-pc-mingw32-gnu platform
2019.04.02 00:37:43 LOG5[main]: Compiled/running with OpenSSL 1.1.1a 20 Nov 2018
2019.04.02 00:37:43 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2019.04.02 00:37:43 LOG5[main]: Reading configuration from file stunnel.conf
2019.04.02 00:37:43 LOG5[main]: UTF-8 byte order mark detected
2019.04.02 00:37:43 LOG6[main]: Initializing service [blueiris]
2019.04.02 00:37:43 LOG6[main]: Loading certificate from file: Certs/wildcard.domain.net.cer
2019.04.02 00:37:43 LOG6[main]: Certificate loaded from file: Certs/wildcard.domain.net.cer
2019.04.02 00:37:43 LOG6[main]: Loading private key from file: Certs/wildcard.domain.net.key
2019.04.02 00:37:43 LOG6[main]: Private key loaded from file: Certs/wildcard.domain.net.key
2019.04.02 00:37:43 LOG6[main]: Client CA: C=AT, ST=Austria, L=tralala, O=domain.net, OU=CA, CN=ca.domain.net, emailAddress=administrator@domain.net
2019.04.02 00:37:43 LOG6[main]: DH initialization not needed
2019.04.02 00:37:43 LOG5[main]: Configuration successful
2019.04.02 00:37:43 LOG6[main]: Service [blueiris] (FD=572) bound to 0.0.0.0:443
2019.04.02 00:38:43 LOG6[cron]: Executing cron jobs
2019.04.02 00:38:43 LOG6[cron]: Cron jobs completed in 0 seconds
2019.04.02 00:39:24 LOG5[0]: Service [blueiris] accepted connection from 10.8.5.101:63254
2019.04.02 00:39:24 LOG6[0]: Peer certificate not required
2019.04.02 00:39:24 LOG6[0]: No peer certificate received
2019.04.02 00:39:24 LOG6[0]: Session id: 8C1F5984C1E9DECFEA13C36359EE6E89A09E61010AB6FBB5BD5C861AFBD6CDB1
2019.04.02 00:39:24 LOG6[0]: No peer certificate received
2019.04.02 00:39:24 LOG6[0]: Session id: 2A721CCE2D9B7A051D444C7431E68B8D83DCB592D9C6A56E9B5ED34FC85801D1
2019.04.02 00:39:24 LOG6[0]: TLS accepted: new session negotiated
2019.04.02 00:39:24 LOG6[0]: TLSv1.3 ciphersuite: TLS_AES_128_GCM_SHA256 (128-bit encryption)
2019.04.02 00:39:24 LOG6[0]: s_connect: connecting 127.0.0.1:80
2019.04.02 00:39:24 LOG5[0]: s_connect: connected 127.0.0.1:80
2019.04.02 00:39:24 LOG6[0]: persistence: 127.0.0.1:80 cached
2019.04.02 00:39:24 LOG5[0]: Service [blueiris] connected remote server from 127.0.0.1:56469
2019.04.02 00:39:24 LOG6[0]: TLS closed (SSL_read)


Edit: I changed the post title :)
 
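Added example, not part of the thread: Python that walks an stunnel log like the one above and, for every restart (the startup banner "stunnel ... on ... platform" appearing a second time), lists the connections that were still open, so a crash can be matched to the streaming session that was active at the time. The sample log embeds the lines from the post and then constructed lines (a second banner at 00:39:31 and one connection after it) to show a restart. It assumes that stunnel's "Connection closed: ..." / "Connection reset: ..." lines mark the end of a connection and that the per-connection numbers in brackets start again from 0 in each new process; a line such as "TLS closed (SSL_read)" alone does not count as the end.

```python
"""List stunnel restarts and the connections that were open at each one.

Added example, not from the thread or the stunnel project. A restart is the
startup banner appearing again; stunnel numbers connections per process, so
the open-connection table is cleared at every banner.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) LOG(\d)\[([^\]]+)\]: (.*)$")
BANNER_RE = re.compile(r"^stunnel \S+ on \S+ platform$")
ACCEPT_RE = re.compile(r"^Service \[(.+?)\] accepted connection from (\S+)$")
CLOSE_RE = re.compile(r"^Connection (closed|reset)\b")  # assumed end-of-connection lines

# Sample input: lines from the post, followed by constructed lines for a
# restart at 00:39:31 and one connection handled by the new process.
SAMPLE_LOG = """\
2019.04.02 00:37:43 LOG5[main]: stunnel 5.50 on x64-pc-mingw32-gnu platform
2019.04.02 00:37:43 LOG5[main]: Reading configuration from file stunnel.conf
2019.04.02 00:37:43 LOG5[main]: Configuration successful
2019.04.02 00:37:43 LOG6[main]: Service [blueiris] (FD=572) bound to 0.0.0.0:443
2019.04.02 00:38:43 LOG6[cron]: Executing cron jobs
2019.04.02 00:39:24 LOG5[0]: Service [blueiris] accepted connection from 10.8.5.101:63254
2019.04.02 00:39:24 LOG6[0]: Peer certificate not required
2019.04.02 00:39:24 LOG6[0]: TLS accepted: new session negotiated
2019.04.02 00:39:24 LOG6[0]: TLSv1.3 ciphersuite: TLS_AES_128_GCM_SHA256 (128-bit encryption)
2019.04.02 00:39:24 LOG5[0]: s_connect: connected 127.0.0.1:80
2019.04.02 00:39:24 LOG5[0]: Service [blueiris] connected remote server from 127.0.0.1:56469
2019.04.02 00:39:24 LOG6[0]: TLS closed (SSL_read)
2019.04.02 00:39:31 LOG5[main]: stunnel 5.50 on x64-pc-mingw32-gnu platform
2019.04.02 00:39:31 LOG5[main]: Configuration successful
2019.04.02 00:39:31 LOG6[main]: Service [blueiris] (FD=572) bound to 0.0.0.0:443
2019.04.02 00:40:02 LOG5[0]: Service [blueiris] accepted connection from 10.8.5.101:63301
2019.04.02 00:40:05 LOG5[0]: Connection closed: 2048 byte(s) sent to TLS, 917 byte(s) sent to socket
"""


def parse_line(line):
    """Split one log line into (timestamp, level, tag, message) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
    return ts, int(m.group(2)), m.group(3), m.group(4)


def find_restarts(log_text):
    """Return one dict per restart: when it happened, how long the previous
    process had been up, and the connections still open at that moment."""
    events, open_conns, started = [], {}, None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _level, tag, msg = rec
        if tag == "main" and BANNER_RE.match(msg):
            if started is not None:  # banner seen before: this is a restart
                events.append({
                    "at": ts,
                    "uptime_s": (ts - started).total_seconds(),
                    "open": sorted(open_conns.values(), key=lambda c: c["since"]),
                })
            started, open_conns = ts, {}  # new process, connection numbers reset
            continue
        m = ACCEPT_RE.match(msg)
        if m:
            open_conns[tag] = {"tag": tag, "service": m.group(1),
                               "peer": m.group(2), "since": ts}
        elif CLOSE_RE.match(msg):
            open_conns.pop(tag, None)
    return events


if __name__ == "__main__":
    for ev in find_restarts(SAMPLE_LOG):
        print(f"restart at {ev['at']:%H:%M:%S} after {ev['uptime_s']:.0f}s up")
        for c in ev["open"]:
            print(f"  open: [{c['tag']}] {c['service']} from {c['peer']} since {c['since']:%H:%M:%S}")
```

With the sample input this reports one restart, 108 seconds after the first start, with connection [0] from 10.8.5.101 still open; that is the kind of correlation that shows whether the service dies while a web-interface stream is running.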
The stable reverse proxy variant with lighttpd under Debian looks like this:

apt-get install lighttpd
lighty-enable-mod proxy
/etc/init.d/lighttpd force-reload


nano /etc/lighttpd/lighttpd.conf
server.modules = (
"mod_access",
"mod_alias",
"mod_compress",
"mod_redirect",
)

server.document-root = "/var/www/html"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 80


index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

#Streaming (!)
server.stream-request-body = 1
server.stream-response-body = 1

# SSL engine (change the "ssl.pemfile" and destination "host")
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/wildcard.domain.net.pem"
}

# proxy.server needs mod_proxy, enabled above with "lighty-enable-mod proxy"
# and loaded through include-conf-enabled.pl
$HTTP["host"] == "px5.domain.net" {
    proxy.server = ( "" => ( (
        "host" => "10.8.5.13",
        "port" => 80
    ) ) )
}




I would rather have the option of setting up the HTTPS service directly on the Windows 10 machine, which does not seem really possible via stunnel.
 
You may be able to do it with nginx, which has a Windows release. I've never played with the Windows version of it, but I've put together a page about configuring it. bp2008/ui3