Diffstat (limited to 'doc/examples/https/shell/kea-stunnel.conf')
-rw-r--r-- | doc/examples/https/shell/kea-stunnel.conf | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/doc/examples/https/shell/kea-stunnel.conf b/doc/examples/https/shell/kea-stunnel.conf
new file mode 100644
index 0000000..1d40aca
--- /dev/null
+++ b/doc/examples/https/shell/kea-stunnel.conf
@@ -0,0 +1,46 @@
+; This file contains an example stunnel TLS client configuration which
+; enables secure transport for Kea RESTful API. An access to
+; the service is protected by client's and server's certificate
+; verification mechanism (as known as mutual authentication).
+;
+; Note that the setup below (and reused nginx or httpd2 setups)
+; are provided as an example for testing purposes only. Always
+; consider best known security measures to protect your production
+; environment.
+;
+; Transport marked with ==> (vs -->) is secured against passive
+; (i.e. eavesdropping) and active (i.e. man-in-the-middle) attacks
+;
+; kea-shell -- 127.0.0.1 port 8888 -->
+; stunnel == 127.0.0.1 port 443 ==>
+; nginx -- 127.0.0.1 port 8000 -->
+; kea-agent
+;
+; stunnel configuration starts here.
+ ; in the case you would like to follow what happens
+;; foreground = yes
+;; debug = 7
+ ; kea service
+[kea]
+ ; client (vs server) mode
+ client = yes
+ ; accept requests from the kea-shell tool
+ accept = 127.0.0.1:8888
+ ; forward requests to the https peer
+ connect = 127.0.0.1:443
+ ; client certificate
+ cert = kea-client.crt
+ ; client private key
+ key = kea-client.key
+ ; check server certificate
+ verifyPeer = yes
+ ; server certificate
+ CAfile = kea-proxy.crt |
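Review bot: The comment `; check server certificate` above `verifyPeer = yes` understates what that option does: in stunnel, verifyPeer requires the peer's own certificate to be present in CAfile (effectively pinning), which is why `CAfile = kea-proxy.crt` names the proxy certificate rather than a CA, and a reader who later swaps in a CA bundle will see verification fail. I would expand the two comments to `; verifyPeer pins the server certificate: CAfile must contain the server's own cert` and `; (use verifyChain with a CA bundle if you want CA-based chain verification instead)`. The `cert`, `key` and `CAfile` values are bare relative paths, and the header comment should say what directory they are resolved against (presumably stunnel's working directory, which is platform- and invocation-dependent) so the example is not silently misconfigured when started from elsewhere. A short note that the file named by `key` must be readable only by the account running stunnel would also fit the header's "testing purposes only" caveat.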