# What I use stunnel for and how

update: 2022-02-27 I stopped using stunnel and wrote my own thing that does significantly fewer things.
=> //git.thebackupbox.net/tlswrap/blob/refs/heads/master:/tlswrap.c

Since gemini needs SNI... and I'd like to not have to write code to do TLS shit. I've started using stunnel for this. :)

You have to use a new version of stunnel, at least 5.something.
=> https://www.stunnel.org/pipermail/stunnel-users/2016-November/005651.html 5.37

I first tried to do SNI with inetd mode (where inetd launches stunnel after the connection) but I couldn't figure out how to set the sni = line for sni sections, since the first half of the value (before the :) is supposed to be the subsection name, and inetd mode doesn't use one of those.

Here's my stunnel.conf.

```
foreground = quiet

[https]
accept = 443
setuid = www-data
setgid = www-data
exec = /service/https/fixvars_stunnel.sh
cert = /etc/letsencrypt/for_stunnel/https.pem

[gemini]
accept = 1965
setuid = gemini
setgid = gemini
exec = /service/gemini/fixvars_stunnel.sh
execArgs = fixvars_stunnel.sh default
cert = /etc/letsencrypt/for_stunnel/gemini.pem

[sni1]
sni = gemini:epo.k.vu
cert = /etc/letsencrypt/for_stunnel/gemini.pem
exec = /service/gemini/fixvars_stunnel.sh
execArgs = fixvars_stunnels.sh shorten

[sni2]
sni = gemini:*.thebackupbox.net
cert = /etc/letsencrypt/for_stunnel/gemini.pem
exec = /service/gemini/fixvars_stunnel.sh
execArgs = fixvars_stunnels.sh hacking
```

stunnel gets run by supervise (from daemontools) with a run file of:
=> http://cr.yp.to/daemontools.html daemontools

```
#!/bin/sh
exec stunnel /usr/local/etc/stunnel/stunnel.conf
```

The "fixvars_stunnels.sh" script sets a couple of env vars that stunnel doesn't provide by default (PATH, and REMOTE_ADDR instead of REMOTE_HOST), and then execs geminid, which is another shell script that speaks gemini.
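As an added example (not the author's script, which the post doesn't show), here is what a wrapper of the shape described above can look like: stunnel's exec mode hands the child the decrypted connection on stdin/stdout, the peer address in REMOTE_HOST, and whatever argv execArgs listed. The vhost labels, the GEMINI_VHOST variable name and the PATH value are assumptions; "geminid" is the backend named in the post.

```shell
#!/bin/sh
# Hypothetical fixvars_stunnel.sh (added example, not the author's code).
# stunnel exec mode: stdin/stdout are the decrypted client connection,
# REMOTE_HOST holds the peer IP, argv comes from execArgs in stunnel.conf
# (argv[0] plus one vhost label such as "default", "shorten" or "hacking").

fix_env() {
    # $1 is the vhost label from execArgs; fall back to "default" if none was given.
    vhost="${1:-default}"

    # stunnel does not export PATH to exec'd children, so set an explicit one
    # (assumed value; adjust to where geminid and its helpers live).
    export PATH="/usr/local/bin:/usr/bin:/bin"

    # Expose the peer address under the CGI-style name the backend expects,
    # without clobbering a REMOTE_ADDR that is already present.
    if [ -z "${REMOTE_ADDR:-}" ] && [ -n "${REMOTE_HOST:-}" ]; then
        export REMOTE_ADDR="$REMOTE_HOST"
    fi

    # Hypothetical variable the backend reads to pick the virtual host.
    export GEMINI_VHOST="$vhost"
    printf '%s\n' "$vhost"
}

# Only when invoked with a vhost argument (i.e. by stunnel) hand the
# connection over to geminid; with no arguments just define fix_env.
if [ "$#" -gt 0 ]; then
    fix_env "$1" >/dev/null
    exec geminid "$GEMINI_VHOST"
fi
```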