Start a conversation

Use SSL Encryption to Secure Your Trac System

Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are cryptographic protocols that provide secure communications on the Internet. There are slight differences between SSL and TLS, but they essentially provide the same protection.

For Hosted Systems

If we host your Trac System, adding or updating your SSL certificate is a straightforward process.

1. Provide us with an Apache x509 Compatible certificate, along with any intermediate/root files and the matching key.

2. If a custom URL is being used, point your domain to This will allow you to use a URL other than "", for example, "" or otherwise.

For Non-Hosted Systems

HTTPS Encryption and Web Certificate

There are several options for implementing TLS encryption for your Trac server.  A preferred method is to use a web server for https proxying such as Apache or Nginx.  Another option is using a dedicated proxying application such as HAProxy.  Both of these could be running on a separate physical server.  Only internal traffic between the proxy and the Trac System server would then be plaintext. As an alternative, a 3rd party application (like Stunnel) may be installed on your Trac System server.

What is Stunnel?

Stunnel is a program that encrypts all data connections to your Trac server. Stunnel facilitates this by acting as a proxy between users' browsers and the Trac application. So, a user would open web browser and enter in your server address, i.e. Stunnel receives the encrypted request, decrypts the request, and then forwards the request to the Trac application. The Trac application will then issue a response back to Stunnel, Stunnel encrypts the response, and then forwards the encrypted response back to the user's browser. With this method, all network traffic from the server to the client is encrypted while the Trac application communicates with Stunnel in an unencrypted format.

Installing Stunnel

Click on this link to download and install the latest stable win64-installer. Once the .exe file has downloaded, install Stunnel using the default options.

Secure Certificate Files

The necessary SSL Files are a certificate (typically cert.pem) and a key  file (typically key.pem). You will need to obtain your own Apache X509-compatible certificate from a "Trusted" source, such as DigiCert, GoDaddy, or VeriSign. These are just a few of the options available to you; in all, the mainstream browsers (Firefox, Chrome, Safari, etc) only trust about 100 of the major Certificate Authorities (CA).

If you choose to obtain your own certificate, be sure to retrieve an Apache X509-compatible certificate, as this is the only certificate type that is compatible with the Trac System. Some CA's will provide you with a chained certificate, which we will have to combine in order to make the file compatible. Place the certificate and key files in your  Stunnel installation directory (C:\Program Files (x86)\stunnel). Keep a copy of your req.pem (CSR) file to request your new certificate when it expires.

Stunnel Config File

The Stunnel configuration file (Stunnel.conf) is located in the C:\Program Files (x86)\stunnel\ directory. You will need to edit this file to secure your Trac site. Below is a good default config file. Simply replace the contents of Stunnel.conf with this, and edit the IP Address on line 17.

Sample stunnel configuration file by Redrock Software

; identify the private key and public certificate files
cert = cert.pem
key = key.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Some debugging stuff useful for troubleshooting
; debug = 7 for verbose logging 1 for emerg only
debug = 3
output = stunnel.log

; Service-level configuration
accept = 443
connect =
TIMEOUTclose = 0

Trac System Prefs.ini File

Open the Prefs.ini file in the Trac application folder. Edit the following lines to match the sample values.

If a school is NOT using stunnel at all, set:


If a school is using stunnel, but redirect=None,


If a school is using stunnel, and redirect=, (it is set to a url)


Full example:


The  Trac application is now listening for standard HTTP connections on port  80. Those connections will come from users accessing the Trac  application across the network. The Trac application is also listening  for standard HTTP connections on port 81. The HTTP connections on port  81 are coming from the Stunnel application, which is listening for HTTPS  connections on port 443.

Force All Connections on Secure Port

After the server connections have been tested and confirmed on ports 80 and 443, you can now force all users to connect on the secure port 443. Open the Prefs.ini file in the Trac application folder and make the following change:
redirect=https://[Your URL]/tracweb40/default.html

The  Trac application now listens for a standard HTTP connection on port 80  and redirects all requests to the address entered in the redirect  setting, which should be your secure HTTPS address. Now the connection  is on the secure HTTPS port 443 and Stunnel receives the request.  Stunnel makes the local HTTP connection to the Trac application on port  81 and responds back to the user's browser on the secure port 443. All  network traffic on your Trac system is directed to the secure connection  on port 443.

Configure Stunnel as a Service

To set stunnel as a service, run the following command in a Command Prompt window.
stunnel.exe -install

You  will receive a prompt informing you that the service was installed. You  can now access the Services from your Administrator Tool and start  Stunnel as a service.

More Questions?
We hope that you found this newsletter helpful. As always, if you have any questions on this or any other features, please feel free to let us know by clicking the Start a conversation button at the top of the screen or to book your training, visit or Trac.Cloud
Thank you for your continued support!

Choose files or drag and drop files
Was this article helpful?
  1. Aidan Murray

  2. Posted