rsync-ssl confusion

[Danathar]

I'm having a devil of a time understanding how exactly rsync-ssl works operationally (with an example on the server side). How is the server side SSL set up?

How is authentication happening? Is it just based on the certificate?

Edit: I found this

https://web.archive.org/web/20190410083254/http://dozzie.jarowit.net/trac/wiki/RsyncSSL (Wayne, you should include something like this on your man page).

Now we want to dispense with one daemon on the server side. stunnel in server mode, instead of connecting to some
TCP port can spawn an external program (config options exec and execargs). Very much like inetd. On the other side,
rsync can work under inetd. Combining these two, you get stunnel spawning rsync. Single daemon instead of two, and
nobody can connect to rsync daemon unless connects to stunnel first.

The wording is a bit confusing above. Seems like it was hastily written. Not really complaining, smart people have stuff in their mind appearing faster then they can write on occasion ;)

I'm on a systemd enabled debian server, seems like the suggestion is to run stunnel (in my case under systemd), telling stunnel to spawn rsync on startup as opposed to having two daemons running under systemd (stunnel and rsync separately)? Is this what is being suggested? Certainly seems efficient, though I've never spawned a process off of another with systemd. I don't think if you shut down stunnel via systemctl that it would kill the spawned rsync (or would it? how if so?).

I can only use what comes with MacOS on the client side (security will not allow SSH outbound) and it comes with rsync and librassl but no stunnel (apple soft-links openssl to librassl). I'm allowed to copy the rsync-ssl script over to my Mac and use that if I can get it working. I'm hoping that Apple's use of librassl as oppsed to openssl does not break my plans.

Apologies If my mind is being dense. Evidently nobody uses rsync-ssl or they do and nobody posts examples on their setup on the internet because I'm the only one who can't seem to grok it.

thanks ahead of time for any assistance!

[WayneD]

See https://download.samba.org/pub/rsync/rsyncd.conf.5#SSL_TLS_Daemon_Setup for 2 example setups. They are both proxy setups, and expect that you use the Proxy Protocol standard that haproxy invented and nginx supports (which ensures that rsync gets the real IP info from the proxy side of the connection). If you do any IP-based rsync authentication, be sure that you limit access to rsync's non-tls port, as you don't want someone connecting to the backend port and pretending to be a proxy. If you don't have haproxy or nginx installed, I suggest going with haproxy as it is super small and super simple -- it just proxies things, and does it well.

A forking approach is also possible, but is not documented.

[Danathar]

Ooo...I didn't think I'd be able to reverse proxy it via nginx. That's handy as I have that running with the certs all up and running. I'll look at haproxy as well I was not aware of that.

Thanks. I'll certainly take a look at it.

I'm a bit embarrassed that I didn't think to look at the rsyncd.conf man page. Very helpful!