Thursday, September 25, 2008

Stunnel and MySQL

Server Config
  1. cd /etc/stunnel
  2. Create a certificate:
    openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
    -keyout stunnel.pem -out stunnel.pem
  3. The stunnel.conf file contains the following lines:

    cert = /etc/stunnel/stunnel.pem
    setuid = nobody
    setgid = nobody
    pid = /tmp/stunnel.pid
    debug = 7
    output = stunnel.log
    [mysqls]
    accept = 3309
    connect = 3306

  4. stunnel is started

Client Config

  1. Create a certificate as above (not strictly necessary but otherwise the connection is open to a man in the middle attack)
  2. stunnel.conf contains the following lines:


    cert = /etc/stunnel/stunnel.pem
    pid = /tmp/stunnel.pid
    setuid = nobody
    setgid = nobody
    debug = 7
    output = stunnel.log
    client = yes
    [3309]
    accept = 3309
    connect = mysql.example.com:3309

  3. stunnel is started
  4. The mysql client is invoked with the following, pointing it at the local stunnel listener (a connection straight to port 3309 on mysql.example.com would reach the server's TLS listener with a plaintext MySQL handshake and bypass the client tunnel):
    mysql -h 127.0.0.1 -P 3309 -u mysqluser -p
    The host must be given as 127.0.0.1 (not localhost, and not omitted) so that mysql connects over TCP instead of attempting to reach a local mysqld via the Unix socket.
    mysqluser needs to be granted rights on the appropriate databases with the host being localhost.localdomain, because mysqld sees the connection arriving from the server's own stunnel. Something like
    grant all on db.* to mysqluser@'localhost.localdomain' identified by 'SecretPw';
    (this is done on a mysql client running on mysql.example.com by an administrator).
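As an added example (not from the original post, and not part of stunnel itself), here is a small POSIX sh linter that reads an stunnel.conf in the format above and flags the settings a reviewer would question: an accept line without a bind address (it listens on every interface, so any host on the network can use the client's tunnel as if it were local), client = yes without verify/CAfile (the server certificate is never checked, which is what actually leaves the connection open to a man in the middle), a pidfile under the world-writable /tmp, and debug = 7. It also checks that the PEM file, which holds the private key, is readable only by its owner. The sample configuration is the client one from this post; the hardened version beside it assumes a copy of the server's certificate has been placed at /etc/stunnel/mysql-server-cert.pem (a path chosen for this example) so that verify = 2 can validate the self-signed server cert against it.

```shell
#!/bin/sh
# Added example (not from the original post): lint an stunnel.conf for weak
# settings and check that the PEM file holding the private key is private.
# Assumes only POSIX sh, sed, grep and find.

# Normalise "key = value" lines: drop comments and blank lines, trim the line,
# and remove whitespace around '=' so "debug=7" and "debug = 7" compare equal.
normalise_conf() {
    sed -e '/^[[:space:]]*[;#]/d' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# Print one FINDING line per problem; always returns 0 so it runs under set -e.
lint_stunnel_conf() {
    norm=$(normalise_conf "$1")

    # "accept = 3309" binds every interface; anything on the network can then
    # use the tunnel. "accept = 127.0.0.1:3309" restricts it to this host.
    printf '%s\n' "$norm" | grep -E '^accept=[0-9]+$' | while read -r line; do
        echo "FINDING: '$line' listens on all interfaces; use accept = 127.0.0.1:port"
    done

    # A client that never verifies the server certificate accepts any peer.
    if printf '%s\n' "$norm" | grep -qx 'client=yes' && \
       ! printf '%s\n' "$norm" | grep -q '^verify='; then
        echo "FINDING: client = yes without verify/CAfile; the server certificate is not checked"
    fi

    # A pidfile in /tmp can be pre-created or replaced by any local user.
    if printf '%s\n' "$norm" | grep -q '^pid=/tmp/'; then
        echo "FINDING: pid file under /tmp; use /var/run/stunnel.pid"
    fi

    # debug = 7 is the most verbose level; fine for setup, noisy afterwards.
    if printf '%s\n' "$norm" | grep -qx 'debug=7'; then
        echo "FINDING: debug = 7 logs every detail; lower it once the tunnel works"
    fi
    return 0
}

# Return 0 if the PEM file exists and is not group- or world-readable.
pem_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Constructed sample: the client stunnel.conf from the post above.
write_sample_client_conf() {
    cat > "$1" <<'EOF'
cert = /etc/stunnel/stunnel.pem
pid = /tmp/stunnel.pid
setuid = nobody
setgid = nobody
debug = 7
output = stunnel.log
client = yes
[3309]
accept = 3309
connect = mysql.example.com:3309
EOF
}

# Constructed hardened version: loopback-only listener, server certificate
# verified against a copy placed in CAfile (assumed path), pidfile outside /tmp.
write_hardened_client_conf() {
    cat > "$1" <<'EOF'
cert = /etc/stunnel/stunnel.pem
pid = /var/run/stunnel.pid
setuid = nobody
setgid = nobody
debug = 5
output = stunnel.log
client = yes
verify = 2
CAfile = /etc/stunnel/mysql-server-cert.pem
[mysqls]
accept = 127.0.0.1:3309
connect = mysql.example.com:3309
EOF
}

# Usage: lint_stunnel_conf /etc/stunnel/stunnel.conf
#        pem_is_private /etc/stunnel/stunnel.pem || echo "PEM file is too open"
```

Run against the client config from this post the linter reports four findings; against the hardened variant it reports none. The same checks apply to the server config, where the private key in stunnel.pem matters most: stunnel reads it as root before dropping to nobody, so the file can and should be mode 0600.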

Tuesday, September 23, 2008

Broken Symlinks

find / -type l -print0 | while IFS= read -r -d '' i; do [ -e "$i" ] || echo "link $i is broken"; done
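As an added example (not from the original post), the same check as a POSIX sh function that does not word-split on paths containing spaces and stays on one filesystem, so running it over / does not descend into /proc or network mounts. The fixture directory it builds is constructed for the example: one valid link, one dangling link, one dangling link whose name contains spaces, and one link that points at another dangling link.

```shell
#!/bin/sh
# Added example (not from the original post): report dangling symlinks below a
# directory. Assumes only POSIX sh, find, ln and mkdir.

# Print each broken symlink below $1, one per line.
broken_links() {
    # -xdev: stay on the starting filesystem (no /proc, no NFS mounts)
    # -type l: match symlinks themselves (find does not follow them by default)
    # ! -exec test -e {} \; : "test -e" follows the link and fails when the
    #   final target is missing, so only dangling links reach -print
    find "$1" -xdev -type l ! -exec test -e {} \; -print
}

# Constructed fixture: one good link, three broken ones (one with spaces in
# its name, one chained through another broken link).
make_fixture() {
    dir=$1
    mkdir -p "$dir/sub"
    echo data > "$dir/target.txt"
    ln -s "$dir/target.txt" "$dir/good"
    ln -s "$dir/missing.txt" "$dir/dangling"
    ln -s "$dir/also missing.txt" "$dir/sub/name with spaces"
    ln -s "$dir/dangling" "$dir/chain"
}

# Usage: broken_links /
```

Because test -e resolves the whole chain, a link to a link whose target is gone is reported too, which the unquoted for-loop form also does but only for paths without whitespace.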