author: kali kaneko (leap communications) <kali@leap.se> 2020-02-25 18:05:00 +0100
committer: kali kaneko (leap communications) <kali@leap.se> 2020-02-25 18:05:00 +0100
commit: a50ffe62c340f5384828a49a18eefc56c3227790
tree: 3ae98eb2fe53967ef98f838732e448a33efcc875
parent: df71e42ec9337020874486ac9ad94e931781a1be
[docs] document how to setup stunnel
-rw-r--r-- docs/examples/sip-client.conf-sample 4
-rw-r--r-- docs/examples/stunnel.conf-server-sample 6
-rw-r--r-- docs/sip-howto.md 41
3 files changed, 51 insertions, 0 deletions
diff --git a/docs/examples/sip-client.conf-sample b/docs/examples/sip-client.conf-sample
new file mode 100644
index 0000000..75d45fd
--- /dev/null
+++ b/docs/examples/sip-client.conf-sample
@@ -0,0 +1,4 @@
+[sip2]
+accept = localhost:6001
+connect = koha.example.org:6443
+client = yes
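Review bot: the `[sip2]` client service sets `client = yes` but configures no certificate verification, so stunnel will encrypt to whatever answers on `koha.example.org:6443` without checking its identity. The tunnel then protects against passive sniffing only. Suggest adding a `CAfile` entry for the CA that signed the server certificate, together with `verifyChain = yes` and `checkHost = koha.example.org`, so the sample that people copy authenticates the server as well. The CA file location is deployment-specific and should be shown as a placeholder path.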
diff --git a/docs/examples/stunnel.conf-server-sample b/docs/examples/stunnel.conf-server-sample
new file mode 100644
index 0000000..71fd8cd
--- /dev/null
+++ b/docs/examples/stunnel.conf-server-sample
@@ -0,0 +1,6 @@
+[sip2]
+
+accept = 6443
+connect = 6001
+cert = /etc/stunnel/ssl/sip2-cert.pem
+key = /etc/stunnel/ssl/sip2-key.pem
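Review bot: `connect = 6001` hands the decrypted stream to the SIP2 listener on the same host, but nothing in the sample says that listener has to be bound to loopback only; if it listens on all interfaces, port 6001 stays reachable in cleartext alongside the TLS port. A comment line above `connect` stating that requirement would close the gap. In the same spirit, `accept = 6443` takes connections from any TLS client, so it is worth noting whether access is expected to be limited by a firewall rule or by client certificates, and that the file named in `key` should be readable only by the stunnel user. Minor style point: the blank line after `[sip2]` is not present in the client sample.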
diff --git a/docs/sip-howto.md b/docs/sip-howto.md
new file mode 100644
index 0000000..4022e2d
--- /dev/null
+++ b/docs/sip-howto.md
@@ -0,0 +1,41 @@
+SIP2 authentication howto
+=========================
+
+stunnel configuration
+---------------------
+
+SIP2 has no encryption built-in. To encrypt traffic, we install stunnel both on
+the server (the one with the koha instance) and the client (the vpnweb node):
+
+ sudo apt-get install stunnel4
+
+Set value to ENABLED in the config file:
+
+ /etc/default/stunnel4
+
+Configure the server, see `docs/examples/stunnel.conf-server-sample`:
+
+ [sip2]
+ accept = 6443
+ connect = 6001
+ cert = /etc/stunnel/ssl/sip2-cert.pem
+ key = /etc/stunnel/ssl/sip2-key.pem
+
+You will need to generate a certificate pair for this service. For a throwaway test deployment,
+you can look in the `test/simple-ca` folder.
+
+Now configure the client side (the box where the vpnweb instance is running). Create /etc/stunnel/sip.conf:
+
+ [sip2]
+ accept = localhost:6001
+ connect = koha.example.org:6443
+ client = yes
+
+Now you can start the service:
+
+ sudo /etc/init.d/stunnel4 start
+
+And configure vpnweb to connect to the local port:
+
+ export VPNWEB_SIP_HOST=localhost
+ export VPNWEB_SIP_PORT=6001
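Review bot: the step "Set value to ENABLED in the config file" does not say which variable to change or what to set it to; with Debian's stunnel4 package this is normally `ENABLED=1` in `/etc/default/stunnel4`, and the howto should spell that out. The text gives the client path (`/etc/stunnel/sip.conf`) but never says where the server block should be installed, and the start command appears once without stating that it has to be run on both hosts. The certificate paragraph covers generating the server pair but not what the client needs in order to verify it, and the inline client block has no verification options, so a reader following the howto ends up with an encrypted but unauthenticated tunnel. Since both config blocks duplicate the files under `docs/examples/`, consider referencing the sample files only, so the two copies cannot drift apart.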