stunnel.conf.erb
; certificate/key is needed in server mode and optional in client mode
<% if node['stunnel']['certificate_path'] -%>
cert = <%= node['stunnel']['certificate_path'] %>
<% end -%>
<% if node['stunnel']['key_path'] %>
key = <%= node['stunnel']['key_path'] %>
<% end -%>
; protocol version (all, SSLv2, SSLv3, TLSv1)
; sslVersion = SSLv3 - Internet Explorer does not work with only SSLv3
sslVersion = <%= node['stunnel']['ssl_version'] %>
options = <%= node['stunnel']['ssl_options'] %>
<% if node['stunnel']['ciphers'] -%>
ciphers = <%= node['stunnel']['ciphers'] %>
<% end -%>
; security enhancements for UNIX systems - comment them out on Win32
; for chroot a copy of some devices and files is needed within the jail
<% if node['stunnel']['use_chroot'] %>
chroot = <%= node['stunnel']['chroot_path'] %>
<% end %>
setuid = <%= node['stunnel']['user'] %>
setgid = <%= node['stunnel']['group'] %>
; PID file is created inside the chroot jail
pid = <%= node['stunnel']['pidfile'] %>
; performance tunings
<% Array(node['stunnel']['socket_tunings']).each do |s| -%>
socket = <%= s %>
<% end -%>
<% if node['stunnel']['compression'] -%>
compression = <%= node['stunnel']['compression'] %>
<% end -%>
<% if node['stunnel']['config_options'] -%>
<% Array(node['stunnel']['config_options']).each do |opt| -%>
options = <%= opt %>
<% end -%>
<% end -%>
; peer certificate verification must be configured to prevent MITM attacks
; it is not enabled by default!
;verify = 2
; don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; it's often easier to use CAfile
;CAfile = /usr/bin/etc/stunnel/certs.pem
; don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; alternatively CRLfile can be used
;CRLfile = /usr/bin/etc/stunnel/crls.pem
; debugging options (may be useful for troubleshooting)
;debug = 7
<% if node['stunnel']['debug'] -%>
debug = <%= node['stunnel']['debug'] %>
<% end -%>
<% if node['stunnel']['output'] -%>
output = <%= node['stunnel']['output'] %>
<% end -%>
<% unless node['stunnel']['fips'].nil? -%>
; Enable/disable FIPS mode
fips = <%= node['stunnel']['fips'] ? 'yes' : 'no' %>
<% end -%>
; SSL client mode
<% if node['stunnel']['client_mode'] -%>
client = yes
<% end -%>
; service-level configuration
<% if node['stunnel']['https']['enabled'] %>
[https]
accept = <%= node['stunnel']['https']['accept_port'] %>
connect = <%= node['stunnel']['https']['connect_port'] %>
TIMEOUTclose = 0
;xforwardedfor=yes ; This line requires the haproxy patch
<% end %>
<% node['stunnel']['services'].each do |name, opts| -%>
[<%= name %>]
<% %w[connect accept key cert verify].each do |opt| -%>
<% unless opts[opt].nil? -%>
<%= opt %> = <%= opts[opt] %>
<% end -%>
<% end -%>
<% unless opts['cafile'].nil? -%>
CAfile = <%= opts['cafile'] %>
<% end -%>
<% unless opts['timeout_close'].nil? -%>
TIMEOUTclose = <%= opts['timeout_close'] ? 1 : 0 %>
<% end -%>
<% unless opts['client'].nil? -%>
client = <%= opts['client'] ? "yes" : "no" %>
<% end -%>
<% unless opts['verify_chain'].nil? -%>
verifyChain = <%= opts['verify_chain'] ? 'yes' : 'no' %>
<% end -%>
<% end -%>