Defined Type: stunnel::connection

Defined in:
manifests/connection.pp

Summary

Set up a stunnel connection for the service ``$name``

Overview

NOTE: Since many of the parameters here may need to be modified on a case-by-case basis, this defined type uses capabilities presented by the ``simplib::dlookup`` function to allow for either global overrides or instance-specific overrides.

Global overrides work the same way as classes (``stunnel::connection::ssl_version: 'TLSv1.2'``) but will affect all instances of the defined type that are not specifically overridden as shown below.

Instance-specific overrides preclude the need for a resource collector: placing the following in Hiera affects only the single instance named ``rsync``: ``Stunnel::Connection[rsync]::ssl_version: 'TLSv1.2'``

All other configuration options can be found in the stunnel man pages

Examples:

Add an Rsync listener

stunnel::connection { 'rsync':
  accept  => '873',
  connect => ['1.2.3.4:8730']
}
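The following is an added example, not taken from the module's documentation, showing both ends of an rsync tunnel declared with this defined type. The hostnames, the 10.0.0.0/24 trusted network and the ``case`` on ``$facts['networking']['fqdn']`` used to pick the role are assumptions; ``include 'stunnel'`` is assumed because the define reads ``$stunnel::fips`` and the ``$stunnel::app_pki_*`` paths from that class.

```puppet
# Added example; hostnames, networks and the fqdn-based role selection are
# constructed for illustration.
include 'stunnel'   # assumed: supplies $stunnel::fips and the module-wide PKI paths

case $facts['networking']['fqdn'] {
  # Server end: terminate TLS in front of the local rsync daemon.
  # - accept  => '8730'  listens on all interfaces; the define reserves this
  #                      port and, with firewall/tcpwrappers enabled, limits
  #                      it to $trusted_nets (client => false is required
  #                      for those rules to be generated).
  # - connect => ['873'] forwards decrypted traffic to rsyncd on localhost.
  # - verify  => 2       rejects any client whose certificate does not chain
  #                      to app_pki_cacert (mutual authentication).
  'stunnel-server.example.com': {
    stunnel::connection { 'rsync':
      client       => false,
      accept       => '8730',
      connect      => ['873'],
      verify       => 2,
      ssl_version  => 'TLSv1.2',
      trusted_nets => ['10.0.0.0/24'],
      firewall     => true,
      tcpwrappers  => true,
    }
  }

  # Client end: a local plaintext port forwarded over TLS.
  # Applications use 127.0.0.1:873 as if rsyncd were local; stunnel opens a
  # TLS session to the server, trying the backup only when the primary is
  # unreachable (failover => 'prio'). Because client => true, no firewall
  # rule or tcpwrappers entry is generated for the accept port.
  default: {
    stunnel::connection { 'rsync':
      client      => true,
      accept      => '127.0.0.1:873',
      connect     => [
        'stunnel-server.example.com:8730',
        'stunnel-backup.example.com:8730',
      ],
      failover    => 'prio',
      verify      => 2,
      ssl_version => 'TLSv1.2',
    }
  }
}
```

Every parameter that defaults through ``simplib::dlookup`` can also be set from Hiera without editing the manifest: ``stunnel::connection::ssl_version: 'TLSv1.2'`` applies to every connection on the node, while ``Stunnel::Connection[rsync]::ssl_version: 'TLSv1.2'`` (the instance key form in simplib::dlookup's documented convention) applies only to the resource titled ``rsync``. On the server, the ``iptables::listen::tcp_stateful`` rule the define creates uses the last field of ``accept`` as the port, which is why ``accept`` is given as a bare port or ``host:port`` rather than a hostname alone.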

Parameters:

  • name (String)

    The service name

  • connect (Stunnel::Connect)

    Address and port to which to forward connections

    • For a client, this is the port of the stunnel server

    • For the stunnel server, this is the listening port of the tunneled service

    • Just a port indicates that you wish to listen on all interfaces

    • Examples:

      * ['my.server:3000','my.server2:3001']
      * ['my.server:3000']
      * ['3000']
      
  • accept (Variant[Simplib::Port, Simplib::Host::Port])

    Address and port upon which to accept connections

    • For a client, this is generally ``localhost``

    • For a server, it should be whichever external address is appropriate

      * If this is omitted, then connections are accepted on all addresses
      
    • Examples:

      * '1.2.3.4:3000'
      * '3000'
      
  • client (Boolean) (defaults to: true)

    Indicates that this connection is a client connection

  • failover (Enum['rr','prio']) (defaults to: simplib::dlookup('stunnel::connection', 'failover', $name, { 'default_value' => 'rr' }))

    The failover strategy for multiple connect targets

  • sni (Optional[String]) (defaults to: simplib::dlookup('stunnel::connection', 'sni', $name, { 'default_value' => undef }))

    See the ``sni`` option documentation in ``stunnel(8)``

    This option is only valid on EL 7+

  • app_pki_key (Optional[Stdlib::Absolutepath]) (defaults to: simplib::dlookup('stunnel::connection', 'app_pki_key', $name, { 'default_value' => undef }))

    Path and name of the private SSL key file

  • app_pki_cert (Optional[Stdlib::Absolutepath]) (defaults to: simplib::dlookup('stunnel::connection', 'app_pki_cert', $name, { 'default_value' => undef }))

    Path and name of the public SSL certificate

  • app_pki_cacert (Stdlib::Absolutepath) (defaults to: simplib::dlookup('stunnel::connection', 'app_pki_cacert', $name, { 'default_value' => '/etc/pki/simp_apps/stunnel/x509/cacerts/cacerts.pem' }))

    Path to the OpenSSL compatible CA certificates

    • NOTE: this path is relative to the chroot path if set and is expected to be a directory

  • app_pki_crl (Optional[Stdlib::Absolutepath]) (defaults to: simplib::dlookup('stunnel::connection', 'app_pki_crl', $name, { 'default_value' => undef }))

    Path to the OpenSSL compatible CRL directory

  • openssl_cipher_suite (Array[String]) (defaults to: simplib::dlookup('stunnel::connection', 'openssl_cipher_suite', $name, { 'default_value' => ['HIGH','-SSLv2'] }))

    OpenSSL compatible array of ciphers to allow on the system

  • curve (Optional[String]) (defaults to: simplib::dlookup('stunnel::connection', 'curve', $name, { 'default_value' => undef }))

    The ECDH curve name to use. To get a list of supported curves use ``openssl ecparam -list_curves`` on your client

  • ssl_version (Optional[String]) (defaults to: simplib::dlookup('stunnel::connection', 'ssl_version', $name, { 'default_value' => 'TLSv1.2'}))

    Dictate the SSL version that can be used on the system

    • This default, combined with the default ``$ciphers``, will only negotiate at ``TLSv1.1`` or higher

  • options (Array[String]) (defaults to: simplib::dlookup('stunnel::connection', 'options', $name, { 'default_value' => [] }))

    The OpenSSL library options

  • verify (Integer) (defaults to: simplib::dlookup('stunnel::connection', 'verify', $name, { 'default_value' => 2 }))

    Level of mutual authentication to perform

    • RHEL 7 Options:

      * level 0 - Request and ignore peer certificate.
      * level 1 - Verify peer certificate if present.
      * level 2 - Verify peer certificate.
      * level 3 - Verify peer with locally installed certificate.
      * level 4 - Ignore CA chain and only verify peer certificate.
      * default - No verify
      
  • ocsp (Optional[Simplib::URI]) (defaults to: simplib::dlookup('stunnel::connection', 'ocsp', $name, { 'default_value' => undef }))

    The OCSP responder to use for certificate validation

  • ocsp_flags (Stunnel::OcspFlags) (defaults to: simplib::dlookup('stunnel::connection', 'ocsp_flags', $name, { 'default_value' => [] }))

    The OCSP server flags

  • local (Optional[String]) (defaults to: simplib::dlookup('stunnel::connection', 'local', $name, { 'default_value' => undef }))

    The outgoing IP to which to bind

    By default, stunnel binds to all interfaces

  • protocol (Optional[String]) (defaults to: simplib::dlookup('stunnel::connection', 'protocol', $name, { 'default_value' => undef }))

    The application protocol to negotiate SSL.

    • RHEL/CentOS 7+: [cifs|connect|imap|nntp|pgsql|pop3|proxy|smtp]

  • protocol_authentication (Optional[Enum['basic','NTLM']]) (defaults to: simplib::dlookup('stunnel::connection', 'protocol_authentication', $name, { 'default_value' => undef }))

    Authentication type for protocol negotiations

  • protocol_host (Optional[String]) (defaults to: simplib::dlookup('stunnel::connection', 'protocol_host', $name, { 'default_value' => undef }))

    The destination address for protocol negotiations

  • protocol_password (Optional[String]) (defaults to: simplib::dlookup('stunnel::connection', 'protocol_password', $name, { 'default_value' => undef }))

    The password for protocol negotiations

  • protocol_username (Optional[String]) (defaults to: simplib::dlookup('stunnel::connection', 'protocol_username', $name, { 'default_value' => undef }))

    The username for protocol negotiations

  • delay (Boolean) (defaults to: simplib::dlookup('stunnel::connection', 'delay', $name, { 'default_value' => false }))

    Delay DNS lookup for the ``connect`` option

  • engine_num (Optional[Integer]) (defaults to: simplib::dlookup('stunnel::connection', 'engine_num', $name, { 'default_value' => undef }))

    The engine number from which to read the private key

  • pty (Boolean) (defaults to: simplib::dlookup('stunnel::connection', 'pty', $name, { 'default_value' => false }))

    Reserve and assign a pty to a program that is run by stunnel inetd-style using the ``exec`` option

  • renegotiation (Boolean) (defaults to: simplib::dlookup('stunnel::connection', 'renegotiation', $name, { 'default_value' => true }))

    Support SSL renegotiation

  • reset (Boolean) (defaults to: simplib::dlookup('stunnel::connection', 'reset', $name, { 'default_value' => true }))

    Attempt to use the TCP ``RST`` flag to indicate an error

  • retry (Boolean) (defaults to: simplib::dlookup('stunnel::connection', 'retry', $name, { 'default_value' => false }))

    Reconnect a ``connect+exec`` session after it has been disconnected

  • session_cache_size (Optional[Integer]) (defaults to: simplib::dlookup('stunnel::connection', 'session_cache_size', $name, { 'default_value' => undef }))

    The maximum number of internal session cache entries

    • Set to 0 for ``unlimited`` (**not advised**)

    • This option is only valid on EL 7+

  • session_cache_timeout (Optional[Integer]) (defaults to: simplib::dlookup('stunnel::connection', 'session_cache_timeout', $name, { 'default_value' => undef }))

    The number of seconds to keep cached SSL sessions

  • stack (Optional[Integer]) (defaults to: simplib::dlookup('stunnel::connection', 'stack', $name, { 'default_value' => undef }))

    Thread stack size in bytes

  • timeout_busy (Optional[Integer]) (defaults to: simplib::dlookup('stunnel::connection', 'timeout_busy', $name, { 'default_value' => undef }))

    Time to wait for expected data in seconds

  • timeout_close (Optional[Integer]) (defaults to: simplib::dlookup('stunnel::connection', 'timeout_close', $name, { 'default_value' => undef }))

    Time to wait for close notify in seconds

  • timeout_connect (Optional[Integer]) (defaults to: simplib::dlookup('stunnel::connection', 'timeout_connect', $name, { 'default_value' => undef }))

    Time to wait for a remote host connection in seconds

  • timeout_idle (Optional[Integer]) (defaults to: simplib::dlookup('stunnel::connection', 'timeout_idle', $name, { 'default_value' => undef }))

    Time to keep an idle connection in seconds

  • trusted_nets (Simplib::Netlist) (defaults to: pick(simplib::dlookup('stunnel::connection', 'trusted_nets', $name, {'default_value' => undef }), simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })))

    Set this if you don’t want to allow all IP addresses to access this connection

    • This only makes sense for servers

  • firewall (Boolean) (defaults to: pick(simplib::dlookup('stunnel::connection', 'firewall', $name, {'default_value' => undef }), simplib::lookup('simp_options::firewall', { 'default_value' => false })))

    Include the SIMP ``iptables`` module to manage the firewall

  • tcpwrappers (Boolean) (defaults to: pick(simplib::dlookup('stunnel::connection', 'tcpwrappers', $name, {'default_value' => undef }), simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false })))

    Include the SIMP ``tcpwrappers`` module to manage tcpwrappers

  • exec (Optional[String]) (defaults to: simplib::dlookup('stunnel::connection', 'exec', $name, { 'default_value' => undef }))
  • execargs (Array[String]) (defaults to: simplib::dlookup('stunnel::connection', 'execargs', $name, { 'default_value' => [] }))
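The ``protocol*`` parameters above configure stunnel's application-protocol negotiation before TLS starts. The following is an added example, not from the module, of a client that must reach its stunnel server through an HTTP proxy using the ``connect`` protocol. The proxy address, the target host, the username and the Hiera key read with ``lookup`` are assumptions; ``include 'stunnel'`` is assumed for the same reason as in the earlier example (the define reads ``$stunnel::fips`` and the module-wide PKI paths).

```puppet
# Added example; proxy address, target host, username and the Hiera key are
# constructed for illustration.
include 'stunnel'   # assumed: supplies $stunnel::fips and the module-wide PKI paths

# Client end behind an HTTP proxy: stunnel first speaks plain HTTP to the
# proxy (connect => proxy:3128) and issues "CONNECT protocol_host", then
# starts TLS inside the tunnel the proxy opens to the real stunnel server.
# protocol_authentication => 'basic' sends the proxy credentials as HTTP
# Basic; the define also accepts 'NTLM'.
stunnel::connection { 'rsync_via_proxy':
  client                  => true,
  accept                  => '127.0.0.1:873',
  connect                 => ['proxy.example.com:3128'],
  protocol                => 'connect',
  protocol_host           => 'stunnel-server.example.com:8730',
  protocol_authentication => 'basic',
  protocol_username       => 'tunnel-user',
  # constructed Hiera key; keeps the secret out of the manifest (eyaml or similar)
  protocol_password       => lookup('profile::stunnel::proxy_password'),
  verify                  => 2,
  ssl_version             => 'TLSv1.2',
  timeout_connect         => 10,
}
```

The TLS session is still end to end between this host and ``stunnel-server.example.com``; the proxy only relays bytes, so ``verify => 2`` continues to check the server certificate against ``app_pki_cacert``. The proxy credential itself is sent as HTTP Basic on the cleartext hop to the proxy, so it should be a proxy-only account, and ``protocol_password`` ends up in the compiled catalog and in ``stunnel.conf``, which is another reason to source it from encrypted Hiera rather than a literal.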

See Also:

  • stunnel(8)
  • stunnel.conf(5)

# File 'manifests/connection.pp', line 199

define stunnel::connection (
  Stunnel::Connect                            $connect,
  Variant[Simplib::Port, Simplib::Host::Port] $accept,
  Boolean                                     $client                  = true,
  Enum['rr','prio']                           $failover                = simplib::dlookup('stunnel::connection', 'failover', $name, { 'default_value' => 'rr' }),
  Optional[String]                            $sni                     = simplib::dlookup('stunnel::connection', 'sni', $name, { 'default_value' => undef }),
  Optional[Stdlib::Absolutepath]              $app_pki_key             = simplib::dlookup('stunnel::connection', 'app_pki_key', $name, { 'default_value' => undef }),
  Optional[Stdlib::Absolutepath]              $app_pki_cert            = simplib::dlookup('stunnel::connection', 'app_pki_cert', $name, { 'default_value' => undef }),
  Stdlib::Absolutepath                        $app_pki_cacert          = simplib::dlookup('stunnel::connection', 'app_pki_cacert', $name, { 'default_value' => '/etc/pki/simp_apps/stunnel/x509/cacerts/cacerts.pem' }),
  Optional[Stdlib::Absolutepath]              $app_pki_crl             = simplib::dlookup('stunnel::connection', 'app_pki_crl', $name, { 'default_value' => undef }),
  Array[String]                               $openssl_cipher_suite    = simplib::dlookup('stunnel::connection', 'openssl_cipher_suite', $name, { 'default_value' => ['HIGH','-SSLv2'] }),
  Optional[String]                            $curve                   = simplib::dlookup('stunnel::connection', 'curve', $name, { 'default_value' => undef }),
  Optional[String]                            $ssl_version             = simplib::dlookup('stunnel::connection', 'ssl_version', $name, { 'default_value' => 'TLSv1.2'}),
  Array[String]                               $options                 = simplib::dlookup('stunnel::connection', 'options', $name, { 'default_value' => [] }),
  Integer                                     $verify                  = simplib::dlookup('stunnel::connection', 'verify', $name, { 'default_value' => 2 }),
  Optional[Simplib::URI]                      $ocsp                    = simplib::dlookup('stunnel::connection', 'ocsp', $name, { 'default_value' => undef }),
  Stunnel::OcspFlags                          $ocsp_flags              = simplib::dlookup('stunnel::connection', 'ocsp_flags', $name, { 'default_value' => [] }),
  Optional[String]                            $local                   = simplib::dlookup('stunnel::connection', 'local', $name, { 'default_value' => undef }),
  Optional[String]                            $protocol                = simplib::dlookup('stunnel::connection', 'protocol', $name, { 'default_value' => undef }),
  Optional[Enum['basic','NTLM']]              $protocol_authentication = simplib::dlookup('stunnel::connection', 'protocol_authentication', $name, { 'default_value' => undef }),
  Optional[String]                            $protocol_host           = simplib::dlookup('stunnel::connection', 'protocol_host', $name, { 'default_value' => undef }),
  Optional[String]                            $protocol_username       = simplib::dlookup('stunnel::connection', 'protocol_username', $name, { 'default_value' => undef }),
  Optional[String]                            $protocol_password       = simplib::dlookup('stunnel::connection', 'protocol_password', $name, { 'default_value' => undef }),
  Boolean                                     $delay                   = simplib::dlookup('stunnel::connection', 'delay', $name, { 'default_value' => false }),
  Optional[Integer]                           $engine_num              = simplib::dlookup('stunnel::connection', 'engine_num', $name, { 'default_value' => undef }),
  Optional[String]                            $exec                    = simplib::dlookup('stunnel::connection', 'exec', $name, { 'default_value' => undef }),
  Array[String]                               $execargs                = simplib::dlookup('stunnel::connection', 'execargs', $name, { 'default_value' => [] }),
  Boolean                                     $pty                     = simplib::dlookup('stunnel::connection', 'pty', $name, { 'default_value' => false }),
  Boolean                                     $renegotiation           = simplib::dlookup('stunnel::connection', 'renegotiation', $name, { 'default_value' => true }),
  Boolean                                     $reset                   = simplib::dlookup('stunnel::connection', 'reset', $name, { 'default_value' => true }),
  Boolean                                     $retry                   = simplib::dlookup('stunnel::connection', 'retry', $name, { 'default_value' => false }),
  Optional[Integer]                           $session_cache_size      = simplib::dlookup('stunnel::connection', 'session_cache_size', $name, { 'default_value' => undef }),
  Optional[Integer]                           $session_cache_timeout   = simplib::dlookup('stunnel::connection', 'session_cache_timeout', $name, { 'default_value' => undef }),
  Optional[Integer]                           $stack                   = simplib::dlookup('stunnel::connection', 'stack', $name, { 'default_value' => undef }),
  Optional[Integer]                           $timeout_busy            = simplib::dlookup('stunnel::connection', 'timeout_busy', $name, { 'default_value' => undef }),
  Optional[Integer]                           $timeout_close           = simplib::dlookup('stunnel::connection', 'timeout_close', $name, { 'default_value' => undef }),
  Optional[Integer]                           $timeout_connect         = simplib::dlookup('stunnel::connection', 'timeout_connect', $name, { 'default_value' => undef }),
  Optional[Integer]                           $timeout_idle            = simplib::dlookup('stunnel::connection', 'timeout_idle', $name, { 'default_value' => undef }),
  Simplib::Netlist                            $trusted_nets            = pick(simplib::dlookup('stunnel::connection', 'trusted_nets', $name, {'default_value' => undef }), simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })),
  Boolean                                     $firewall                = pick(simplib::dlookup('stunnel::connection', 'firewall', $name, {'default_value' => undef }), simplib::lookup('simp_options::firewall', { 'default_value' => false })),
  Boolean                                     $tcpwrappers             = pick(simplib::dlookup('stunnel::connection', 'tcpwrappers', $name, {'default_value' => undef }), simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false }))
) {

  # The listening port is the last ':'-separated field of $accept, so both
  # the bare 'port' and the 'host:port' forms work.
  $_dport = split(String($accept),':')[-1]

  stunnel::instance::reserve_port { $_dport: }

  include 'stunnel::monolithic'

  # Validation for RHEL Options
  if $stunnel::fips {
    if $ssl_version { simplib::validate_array_member($ssl_version,['TLSv1','TLSv1.1','TLSv1.2']) }
  }
  else {
    if $ssl_version {
      simplib::validate_array_member($ssl_version,['all','SSLv2','SSLv3','TLSv1','TLSv1.1','TLSv1.2'])
    }
  }
  if $protocol {
    simplib::validate_array_member($protocol,['cifs','connect','imap','nntp','pgsql','pop3','proxy','smtp'])
  }

  # Fall back to the module-wide PKI paths from the stunnel class when no
  # per-connection path was given.
  if $app_pki_key {
    $_app_pki_key = $app_pki_key
  }
  else {
    $_app_pki_key = $stunnel::app_pki_key
  }
  if $app_pki_cert {
    $_app_pki_cert = $app_pki_cert
  }
  else {
    $_app_pki_cert = $stunnel::app_pki_cert
  }
  if $app_pki_cacert {
    $_app_pki_cacert = $app_pki_cacert
  }
  else {
    $_app_pki_cacert = $stunnel::app_pki_cacert
  }
  if $app_pki_crl {
    $_app_pki_crl = $app_pki_crl
  }
  else {
    $_app_pki_crl = $stunnel::app_pki_crl
  }

  concat::fragment { "stunnel_connection_${name}":
    target  => '/etc/stunnel/stunnel.conf',
    content => template('stunnel/connection_conf.erb')
  }

  # The rules are pulled together from the accept_* and connect_*
  # variables.
  #
  # This is only enabled if the system is a server.
  if $firewall and !$client {
    include 'iptables'

    iptables::listen::tcp_stateful { "allow_stunnel_${name}":
      trusted_nets => $trusted_nets,
      dports       => [Integer($_dport)]
    }
  }

  if !$client and $tcpwrappers {
    include 'tcpwrappers'

    tcpwrappers::allow { "allow_stunnel_${name}":
      svc     => $name,
      # Needed to work around a bug in the version of stunnel shipped with EL7.9
      pattern => 'ALL'
    }
  }
}