Creating and Optimizing a Secure P4Web Connection With "stunnel"

Info & Tags

Article #:
639
Created:
02/13/07
Modified:
08/29/08
Tags:
2006.1, https, p4web, secure connection, stunnel

Related Articles

  1. Slow P4Web Connection in Firefox on Vista
  2. Setting Up Perforce Using Firewalls
  3. P4Web
  4. MIME Types and P4Web
  5. Installing P4WSAD Using an HTTP Proxy

Links

  1. Genererating the stunnel Private Key (pem) File
    External Site
  2. Stunnel Web Site
    External Site

SUMMARY

A new feature in P4Web 2007.2 and later is the "-ss" flag, which allows P4Web to use a secure web connection ("HTTPS") via an external tool. This allows users to encrypt their traffic over the internet.

A common tool to handle the encryption is called "stunnel", available for most Unix platforms and Windows. This article covers configuring the stunnel tool to avoid performance issues.


DETAILS

P4Web, when run in secure mode, rewrites the URLs it generates, using "https" links instead of "http". All the actual encryption is done via an external tool. One such tool is called "stunnel". You launch P4Web on one port, stunnel on another. The user's browser connects to the stunnel port, and stunnel then connects to P4Web.

Here is a sample stunnel configuration file, "stunnel.conf" (tested on Unix and Mac OS X 10.4 only): 

foreground = yes

pid = /usr/local/stunnel.pid

TIMEOUTclose = 0

[P4WEB]

accept = 5501

connect = 5500

cert = /usr/local/stunnel.pem

This file instructs stunnel to:

  • Not fork off connections in the background (good for testing).
  • It tells stunnel a place to put the file with its pid since stunnel defaults to somewhere that needs root access.
  • "listen on port 5501" for incoming connections.
  • Then connect to port 5500 (to find P4Web).
  • Where to find the SSL certificate, which you have to generate after the stunnel installation.

The "TIMEOUTclose" variable is to prevent some browsers on some platforms from being very slow (it will be slow, then do a bunch of work, then be slow again). One specific case is with Firefox on Linux. This does not appear to be a problem with Windows, but leaving the TIMEOUTclose variable in the file does not impact other platforms.

There are many ways you can create the SSL certificate -- users should review the information on the stunnel web site, particularly "Generating the stunnel Private Key (pem) File". You generate the key using these steps:

  1. Change your current directory to the stunnel directory created after decompressing the stunnel archive.
  2. Enter the command: 
    openssl req -new -x509 -nodes -config tools/stunnel.cnf -out stunnel.pem -keyout stunnel.pem
    Additionally, if you want the certificate to expire after a pre-determined length of time, add the "-days NNN" flag, where NNN is the number of days until the certificate expires. For example, if you want the expiration to occur after a year, the command would be: 
    openssl req -new -x509 -days 365 -nodes -config tools/stunnel.cnf -out stunnel.pem -keyout stunnel.pem
  3. You are asked a series of questions related to the certificate. If no errors are reported and you are returned to the prompt, the certificate will be created in the same directory as "stunnel.pem". It is recommended that you keep this with the "stunnel.conf" file.

Once the above steps are completed, you can launch P4Web with the "-ss" flag (and your usual options), and then stunnel with 

stunnel /path/to/stunnel.conf
Note: You can not connect directly to P4Web when using the "-ss" flag. If you need to run P4Web unsecured for any reason, you must run a second instance of P4Web on another port.