Tunneling With stunnel

stunnel is a tool that provides secure, encrypted connections for clients or servers that do not speak TLS or SSL natively.

We can use stunnel to bind to a port on localhost (e.g., 19200), which in turn will connect to Elastic Cloud.

Here is a sample configuration to achieve this:

; Actually verify the certificate
verify = 2
; Works for Ubuntu. Adapt to your system.
CApath = /etc/ssl/certs

pid = /var/run/stunnel4/found-us-east-1.pid

; Log level. WARN=4, DEBUG=7
debug = 4

[foundcluster]
; Service that tunnels traffic to a single region's endpoint. This configuration is not cluster-specific.
accept = 19200
client = yes
; Don't cache DNS. IPs of Elastic Cloud's load balancers may change.
delay = yes
; Replace us-east-1 with your region. Valid hosts:
; - proxy-v1-us-east-1.foundcluster.com
; - proxy-v1-us-west-1.foundcluster.com
; - proxy-v1-eu-west-1.foundcluster.com
; - proxy-v1-sa-east-1.foundcluster.com
; - proxy-v1-ap-northeast-1.foundcluster.com
; - proxy-v1-ap-southeast-1.foundcluster.com

connect = proxy-v1-us-east-1.foundcluster.com:9243

To use this with Ubuntu:

  • Install the stunnel4 package, e.g. apt-get install stunnel4.
  • Put the above file in /etc/stunnel/found-us-east-1.conf
  • Make sure /etc/default/stunnel4 contains ENABLED=1
  • Run service stunnel4 start

Then you will have a service that listens on port 19200 and forwards traffic to proxy-v1-us-east-1.foundcluster.com:9243.
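The settings above that matter for security are easy to get subtly wrong: without verify = 2 and a CA store, stunnel still brings the tunnel up but accepts any certificate, and without client = yes the service runs as a TLS server instead of a client. The following shell script is an added example written for this page (it is not part of the original page and not Elastic's own tooling) that lints an stunnel client configuration for exactly those settings. It reads the same option names the configuration above uses (verify, CApath, CAfile, client, delay) plus checkHost, an stunnel 5 option that is not in the page's configuration and is only reported as a warning: verify = 2 checks that the certificate chains to a trusted CA, and checkHost additionally ties it to the expected hostname. The sample configurations and the temporary directory standing in for /etc/ssl/certs are constructed inline so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the original page or from Elastic): lint an stunnel
# client configuration for the settings that decide whether the tunnel really
# verifies the remote certificate. Findings (fail) and warnings (pass with a
# note) are printed one per line; the function returns 0 when there are no
# findings and 1 otherwise.

# conf_value KEY NORMALISED_TEXT: print the last value set for KEY, so a
# per-service setting overrides a global one, as in stunnel itself.
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tail -n 1
}

lint_stunnel_conf() {
    conf="$1"
    findings=0

    # Drop ';' and '#' comment lines and blank lines, trim whitespace, and
    # collapse "key = value" into "key=value" so the keys are easy to match.
    norm=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
               -e '/^[;#]/d' -e '/^$/d' \
               -e 's/[[:space:]]*=[[:space:]]*/=/' "$conf")

    # stunnel's default is no verification at all; levels 2 and above
    # verify the peer certificate (2 against the CA store).
    verify=$(conf_value verify "$norm")
    case "$verify" in
        2|3|4) ;;
        "") echo "$conf: 'verify' not set; stunnel defaults to no certificate verification"
            findings=$((findings + 1)) ;;
        *)  echo "$conf: verify = $verify does not verify the peer certificate (need 2 or higher)"
            findings=$((findings + 1)) ;;
    esac

    # verify = 2 needs a trust store; check it is configured and exists here.
    capath=$(conf_value CApath "$norm")
    cafile=$(conf_value CAfile "$norm")
    if [ -z "$capath" ] && [ -z "$cafile" ]; then
        echo "$conf: neither CApath nor CAfile set; verification has no trust store"
        findings=$((findings + 1))
    fi
    if [ -n "$capath" ] && [ ! -d "$capath" ]; then
        echo "$conf: CApath $capath is not a directory on this host"
        findings=$((findings + 1))
    fi
    if [ -n "$cafile" ] && [ ! -f "$cafile" ]; then
        echo "$conf: CAfile $cafile does not exist on this host"
        findings=$((findings + 1))
    fi

    # Without client = yes stunnel treats the service as a TLS server.
    if [ "$(conf_value client "$norm")" != "yes" ]; then
        echo "$conf: client = yes missing; stunnel would run this service as a TLS server"
        findings=$((findings + 1))
    fi

    # Warnings: these do not fail the lint but are worth a look.
    if [ "$(conf_value delay "$norm")" != "yes" ]; then
        echo "$conf: warning: delay = yes not set; the connect host is resolved once at startup"
    fi
    if [ -z "$(conf_value checkHost "$norm")" ]; then
        echo "$conf: warning: no checkHost set (stunnel 5+); any certificate from a trusted CA is accepted, not only one for the connect hostname"
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample configurations for a stand-alone run. The temporary
# certs directory stands in for /etc/ssl/certs.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/certs"

# Weak: brings the tunnel up, but never verifies the remote certificate.
cat > "$demo_dir/weak.conf" <<EOF
pid = $demo_dir/weak.pid
[foundcluster]
accept = 19200
client = yes
connect = proxy-v1-us-east-1.foundcluster.com:9243
EOF

# Hardened: the page's settings plus checkHost for the connect hostname.
cat > "$demo_dir/good.conf" <<EOF
; Actually verify the certificate
verify = 2
CApath = $demo_dir/certs
pid = $demo_dir/good.pid
[foundcluster]
accept = 19200
client = yes
delay = yes
checkHost = proxy-v1-us-east-1.foundcluster.com
connect = proxy-v1-us-east-1.foundcluster.com:9243
EOF

for f in weak good; do
    if lint_stunnel_conf "$demo_dir/$f.conf"; then
        echo "$f.conf: PASS"
    else
        echo "$f.conf: FAIL"
    fi
done
```

Run it against the real file with lint_stunnel_conf /etc/stunnel/found-us-east-1.conf after the installation steps above; the configuration shown on this page passes with only the checkHost warning, which is the one setting to consider adding on stunnel 5 and later.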