--- /dev/null
+# Copyright (C) 2013 W. Trevor King <wking@tremily.us>
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# * Redistributions of source code must retain the above copyright notice, this
+# list of conditions and the following disclaimer.
+#
+# * Redistributions in binary form must reproduce the above copyright notice,
+# this list of conditions and the following disclaimer in the documentation
+# and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+FROM NAMESPACE/gentoo-syslog:TAG
+MAINTAINER A. U. Thor <author@example.com>
+#VOLUME ["PORTAGE:/usr/portage:ro", "PORTAGE/distfiles:/usr/portage/distfiles:rw"]
+RUN emerge -v net-misc/stunnel
+RUN eselect news read new
+RUN rc-update add stunnel default
+
+# Configure stunnel
+RUN echo 'cert = /etc/stunnel/stunnel.pem' > /etc/stunnel/stunnel.conf
+RUN echo 'pid = /run/stunnel/stunnel.pid' >> /etc/stunnel/stunnel.conf
+RUN echo '[stunnel]' >> /etc/stunnel/stunnel.conf
+RUN echo 'accept = 9999' >> /etc/stunnel/stunnel.conf
+RUN echo 'connect = NETLOC' >> /etc/stunnel/stunnel.conf
+
+# Container networking happens automatically
+RUN sed -i 's/need net$/use net/' /etc/init.d/*
+
+CMD sed -i "s|NETLOC|${SERVER_PORT#tcp://}|" /etc/stunnel/stunnel.conf && rc default && tail -F /var/log/messages
+EXPOSE 9999
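Review bot: The stunnel.conf written by the `RUN echo` lines has no `setuid`/`setgid`, and because the first `echo` uses `>` it replaces whatever configuration the package shipped, so the daemon that reads the mounted private key presumably keeps running as root even though port 9999 needs no privilege. If the net-misc/stunnel package creates a `stunnel` user and group (worth confirming), add `RUN echo 'setuid = stunnel' >> /etc/stunnel/stunnel.conf` and the matching `setgid = stunnel` line before the `[stunnel]` section, and check that `/run/stunnel` stays writable for the pid file. Separately, the `CMD` substitutes `${SERVER_PORT#tcp://}` unchecked, so a container started without the `server` link gets an empty `connect =`. Prefixing the command with `: "${SERVER_PORT:?link a container as server}" &&` would make it fail fast instead.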
--- /dev/null
+Use this [stunnel][] image to wrap other containers in SSL/TLS
+encryption using Docker's [linking][]. You'll want to
+[volume-mount][volume-mount] your SSL keys, since you may want
+different keys in every stunnel container.
+
+ $ docker run -d -name postgresql-0 wking/postgresql
+ $ docker run -d -name postgresql-0-ssl -v /etc/postgresql-0-ssl/stunnel.pem:/etc/stunnel/stunnel.pem -link postgresql-0:server -p 5432:9999 wking/stunnel
+
+[PostgreSQL][] [uses plaintext commands to initiate SSL/TLS
+encryption][SSLRequest] so you can't use `psql` to connect directly to
+this client. You can use it for protocols that use SSL/TLS from the
+start (e.g. HTTPS). If you need support for an initially unencrypted
+protocol, your best bet is to avoid stunnel and use the SSL/TLS
+support in the server itself. Failing that, you can always setup a
+client-side stunnel, and have both the server and client think they're
+talking in the clear.
+
+[stunnel]: https://www.stunnel.org/
+[linking]: http://docs.docker.io/en/latest/use/port_redirection/#linking-a-container
+[volume-mount]: http://docs.docker.io/en/latest/use/working_with_volumes/#mount-a-host-directory-as-a-container-volume
+[PostgreSQL]: http://postgresql.io/
+[SSLRequest]: http://www.postgresql.org/docs/devel/static/protocol-flow.html#AEN100370