cleanstart/stunnel

Container Documentation for Stunnel

Enterprise-grade Stunnel container for secure SSL/TLS tunneling and encryption. Provides robust encryption capabilities for network services, enabling secure communication between clients and servers. Features FIPS compliance options, security hardening, and optimized performance for enterprise deployments.

📌 Base Foundation: Security-hardened, minimal base OS designed for enterprise containerized environments from Cleanstart Registry.

Key Features Core capabilities and strengths of this container

• SSL/TLS encryption for network services
• FIPS 140-2 compliant encryption (when enabled)
• Support for multiple SSL/TLS versions
• Client and server certificate authentication

Common Use Cases Typical scenarios where this container excels

• Secure legacy applications without native SSL/TLS
• Create encrypted tunnels between network services
• Add SSL/TLS support to non-SSL aware services
• Implement secure client-server communication

Pull Latest Image Download the container image from the registry

bash
docker pull cleanstart/stunnel:latest

bash
docker pull cleanstart/stunnel:latest-dev

Basic Run Run the container with basic configuration

bash
docker run -d --name stunnel \
  -v $(pwd)/stunnel.conf:/etc/stunnel/stunnel.conf \
  -p 8443:443 \
  cleanstart/stunnel:latest

Production Deployment Deploy with production security settings

bash
  docker run -d --name stunnel-dev \
  --read-only \
  --security-opt=no-new-privileges \
  --user 1000:1000 \
  -v $(pwd):/etc/stunnel:ro \
  -p 8443:443 \
  cleanstart/stunnel:latest-dev

Volume Mount Mount configuration and certificate files

bash
  docker run -v $(pwd):/etc/stunnel:ro \
  cleanstart/stunnel:latest

Port Forwarding Run with custom port mappings

bash
docker run -p 8443:443 cleanstart/stunnel:latest

Environment Variables Configuration options available through environment variables

Security Best Practices Recommended security configurations and practices

• Use FIPS mode in regulated environments
• Implement proper certificate management
• Configure minimum required TLS version
• Enable client certificate verification when needed
• Use read-only filesystem mounts
• Run as non-root user
• Regular security updates and patches
• Implement proper logging and monitoring

Kubernetes Security Context Recommended security context for Kubernetes deployments

yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
    add: ["NET_BIND_SERVICE"]

Multi-Platform Images

bash
docker pull --platform linux/amd64 cleanstart/stunnel:latest
docker pull --platform linux/arm64 cleanstart/stunnel:latest

Documentation Resources

Essential links and resources for further information

CleanStart Images: [***]

Community Images:
Docker Hub: https://hub.docker.com/u/cleanstart
GitHub: https://github.com/cleanstart-containers
AWS ECR Public Gallery: [***]

Presence on Social Media:
Community: [**]
*****: []

Contribute to Container Use Cases: https://github.com/cleanstart-dev/cleanstart-use-cases/

Vulnerability Disclaimer

CleanStart offers Docker images that include third-party open-source libraries and packages maintained by independent contributors. While CleanStart maintains these images and applies industry-standard security practices, it cannot guarantee the security or integrity of upstream components beyond its control.

Users acknowledge and agree that open-source software may contain undiscovered vulnerabilities or introduce new risks through updates. CleanStart shall not be liable for security issues originating from third-party libraries, including but not limited to zero-day exploits, supply chain ***s, or contributor-introduced risks.

Security remains a shared responsibility: CleanStart provides updated images and guidance where possible, while users are responsible for evaluating deployments and implementing appropriate controls.