Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
- , ,
Start using this module
Add this module to your Puppetfile:
mod 'simp-stunnel', '6.7.1'
Learn more about managing modules with a PuppetfileDocumentation
Table of Contents
- Overview
- Module Description - A Puppet module for managing stunnel
- Setup - The basics of getting started with pupmod-simp-stunnel
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
-
When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
-
All SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review simp/simp_options for details.
Module Description
This module sets up stunnel and allows the creation of stunnel connections for services.
IMPORTANT
| Please use the stunnel::connection
define instead of including the
| stunnel
class directly.
|
| The main stunnel
class is deprecated and will be removed in a future release.
|
| The main stunnel
class manages the global stunnel configuration and
| this was deemed to be too risky for use across services that are not related.
Setup
What simp stunnel affects
simp::stunnel will manage:
- The latest version of stunnel
- Ensure the service is running
- Stunnel configuration files and daemons for each of your services
- A stunnel chroot directory for each of your services
- If
$firewall
is set totrue
, will manage the simp/iptables firewall settings required for stunnel.
Setup Requirements
There are no special requirements for using this module.
Beginning with stunnel
You can set up stunnel for a particular service using the following code:
stunnel::instance { 'service_name':
accept => 873,
connect => ['1.2.3.4:8730']
}
This will create /etc/stunnel/stunnel_service_name.conf
and spawn a system
service stunnel_service_name
.
Usage
I want to add a connection to the stunnel server
stunnel::instance { 'my_service':
connect => ['stunnel.server.int:8730'],
accept => '127.0.0.1:873'
}
I want to build a connection on the stunnel server
stunnel::connection { 'my_service':
client => false,
connect => [873],
accept => 8730
}
Reference
Please see REFERENCE.md for a full reference.
Limitations
This module is only designed to work in RHEL or CentOS 6 and 7. Any other operating systems have not been tested and results cannot be guaranteed.
Development
Please read our Contribution Guide.
Visit the project homepage and look at our issues on JIRA.
Reference
Table of Contents
Classes
stunnel
: Set up stunnelstunnel::config
: Global stunnel optionsstunnel::install
: NOTE: THIS IS A PRIVATE Defined Type Install the Stunnel componentsstunnel::instance_purge
: Purgestunnel::instance
resources that were previously managed by this modulestunnel::monolithic
: NOTE: THIS IS A PRIVATE CLASS Prevent global connection and configuratstunnel::service
: Manage the Stunnel Service
Defined types
stunnel::account
: NOTE: THIS IS A PRIVATE CLASS A define for setting up stunnel service ustunnel::connection
: Set up a stunnel connection for the service$name
stunnel::instance
: Set up a stunnel connection with a unique configuration and servicestunnel::instance::reserve_port
: NOTE: THIS IS A PRIVATE DEFINED TYPE This is a 'canary' defined type t
Resource types
stunnel_instance_purge
: Disables all services and removes all associated files forstunnel::instance
created resources that are no longer under management. This
Data types
Stunnel::Connect
: Valid entries for an stunnelconnect
entryStunnel::OcspFlags
: Valid stunnel OCSP flag options
Classes
stunnel
Set up stunnel
Parameters
The following parameters are available in the stunnel
class:
pki
app_pki_external_source
app_pki_dir
app_pki_key
app_pki_cert
app_pki_ca_dir
app_pki_crl
setuid
setgid
uid
gid
syslog
fips
haveged
pki
purge_instance_resources
pki
Data type: Variant[Enum['simp'],Boolean]
- If 'simp', include SIMP's pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/stunnel/x509
- If true, do not include SIMP's pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/stunnel/x509
- If false, do not include SIMP's pki module and do not use pki::copy
to manage certs. You will need to appropriately assign a subset of:
- app_pki_dir
- app_pki_key
- app_pki_cert
- app_pki_ca
- app_pki_ca_dir
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
app_pki_external_source
Data type: String
-
If pki = 'simp' or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.
-
If pki = false, this variable has no effect.
Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })
app_pki_dir
Data type: Stdlib::Absolutepath
This variable controls the source of certs in the chroot, and the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/stunnel/x509.
- NOTE: Even when using a chroot, stunnel needs the certs to reside outside of the chroot path
Default value: '/etc/pki/simp_apps/stunnel/x509'
app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file
Default value: "${app_pki_dir}/private/${facts['fqdn']}.pem"
app_pki_cert
Data type: Stdlib::Absolutepath
Path and name of the public SSL certificate
Default value: "${app_pki_dir}/public/${facts['fqdn']}.pub"
app_pki_ca_dir
Data type: Stdlib::Absolutepath
Directory external from the stunnel chroot to copy the CA certificates from.
- This should be the full path to a directory containing hashed versions of the CA certificates
Default value: "${app_pki_dir}/cacerts"
app_pki_crl
Data type: Optional[Stdlib::Absolutepath]
Directory external from the stunnel chroot to copy the Certificate Revocation List from.
Default value: undef
setuid
Data type: String
The user stunnel should run as
Default value: 'stunnel'
setgid
Data type: String
The group stunnel should run as
Default value: 'stunnel'
uid
Data type: Integer
The user id of the stunnel user
Default value: 600
gid
Data type: Integer
The group id of the stunnel group
Default value: $uid
syslog
Data type: Boolean
Whether or not to log to syslog
Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })
fips
Data type: Boolean
Set the fips global option
- NOTE: This has no effect on EL < 7 due to stunnel not accepting the fips option in that version of stunnel.
Default value: simplib::lookup('simp_options::fips', { 'default_value' => pick($facts['fips_enabled'], false) })
haveged
Data type: Boolean
Include the SIMP haveged
module to assist with entropy generation
Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })
pki
Whether or not to use the SIMP PKI subsystem
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
purge_instance_resources
Data type: Boolean
Enable purging of stunnel instance resources that are no longer managed
- It is highly recommended that you leave this enabled
Default value: true
stunnel::config
Global stunnel options
Parameters
The following parameters are available in the stunnel::config
class:
chroot
pki
app_pki_external_source
app_pki_dir
app_pki_key
app_pki_cert
app_pki_ca_dir
app_pki_crl
pid
setuid
setgid
uid
gid
stunnel_debug
syslog
compression
egd
engine
engine_ctrl
fips
output
rnd_bytes
rnd_file
rnd_overwrite
socket_options
chroot
Data type: Stdlib::Absolutepath
The location of the chroot jail, if it is not set to undef
If SELinux is set to Enforced or Permissive, $chroot
will be
set to undef
. This option only affects stunnel::connection
.
- Do NOT make this anything under
/var/run
Default value: '/var/stunnel'
pki
Data type: Variant[Enum['simp'],Boolean]
- If
simp
, include SIMP'spki
module and usepki::copy
to manage application certs in/etc/pki/simp_apps/stunnel/x509
- If
true
, do not include SIMP's pki module, but still usepki::copy
to manage certs in/etc/pki/simp_apps/stunnel/x509
- If
false
, do not include SIMP's pki module and do not usepki::copy
to manage certs. You will need to appropriately assign a subset of:- app_pki_dir
- app_pki_key
- app_pki_cert
- app_pki_ca_dir
Default value: $stunnel::pki
app_pki_external_source
Data type: String
-
If pki =
simp
ortrue
, this is the directory from which certs will be copied, viapki::copy
-
If pki =
false
, this variable has no effect
Default value: $stunnel::app_pki_external_source
app_pki_dir
Data type: Stdlib::Absolutepath
The source of certs in the chroot, and the basepath of $app_pki_key
,
$app_pki_cert
, $app_pki_ca
, $app_pki_ca_dir
, and
$app_pki_crl
- NOTE: Even when using a chroot, stunnel needs the certs to reside outside of the chroot path
Default value: $stunnel::app_pki_dir
app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file
Default value: $stunnel::app_pki_key
app_pki_cert
Data type: Stdlib::Absolutepath
Path and name of the public SSL certificate
Default value: $stunnel::app_pki_cert
app_pki_ca_dir
Data type: Stdlib::Absolutepath
Since stunnel runs in a chroot, you need to copy the appropriate CA certificates in from an external source
- This should be the full path to a directory containing hashed versions of the CA certificates
Default value: $stunnel::app_pki_ca_dir
app_pki_crl
Data type: Optional[Stdlib::Absolutepath]
Since stunnel runs in a chroot, you need to copy the appropriate CRL in from an external source
Default value: $stunnel::app_pki_crl
pid
Data type: Optional[Stdlib::Absolutepath]
The PID file
- Relative to the chroot jail!
- Let the startup script handle it by default
Default value: undef
setuid
Data type: String
The user stunnel should run as
Default value: $stunnel::setuid
setgid
Data type: String
The group stunnel should run as
Default value: $stunnel::setgid
uid
Data type: Integer
The UID of the stunnel user
Default value: $stunnel::uid
gid
Data type: Integer
The GID of the stunnel user
Default value: $stunnel::gid
stunnel_debug
Data type: String
The debug level for logging
Default value: 'err'
syslog
Data type: Boolean
Enable logging to syslog
Default value: $stunnel::syslog
compression
Data type: Optional[Enum['zlib','rle']]
The compression type to use for this service
Default value: undef
egd
Data type: Optional[String]
The path to the Entropy Gathering Daemon socket used to feed the OpenSSL Random Number Generator
Default value: undef
engine
Data type: String
If $egd
is set, sets the Hardware Engine to be used
Default value: 'auto'
engine_ctrl
Data type: Optional[String]
If $egd
is set, sets the Hardware Engine Control parameters
Default value: undef
fips
Data type: Boolean
Set the fips
global option
-
We don't enable FIPS mode by default since we want to be able to use TLS1.2
-
NOTE: This has no effect on EL < 7 due to stunnel not accepting the fips option in that version of stunnel
Default value: $stunnel::fips
output
Data type: Optional[Stdlib::Absolutepath]
The path to a log output file to use
Default value: undef
rnd_bytes
Data type: Optional[Integer]
The number of bytes to read from the random seed file
Default value: undef
rnd_file
Data type: Optional[Stdlib::Absolutepath]
The path to the random seed data file
Default value: undef
rnd_overwrite
Data type: Boolean
Overwrite the random seed file with new random data
Default value: true
socket_options
Data type: Array[String]
Default value: []
stunnel::install
NOTE: THIS IS A PRIVATE Defined Type
Install the Stunnel components
Parameters
The following parameters are available in the stunnel::install
class:
version
Data type: Variant[String, Integer]
The version of stunnel to install
- Accepts anything that the
ensure
parameter of thepackage
resource can handle
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
stunnel::instance_purge
The native type has an autobefore
that will ensure ordering.
It is highly recommended that you always include this class if you have ever used the stunnel defined types. If you choose not to, then you will likely have stunnel instance processes that remain on your system and which may not function properly.
Parameters
The following parameters are available in the stunnel::instance_purge
class:
purge_dirs
Data type: Array[Stdlib::Absolutepath]
The directories to search for files to purge
Default value: [ '/etc/stunnel', '/etc/rc.d/init.d', '/etc/systemd/system' ]
stunnel::monolithic
NOTE: THIS IS A PRIVATE CLASS
Prevent global connection and configuration from being instantiated when only stunnel::instance resources are required.
stunnel::service
Manage the Stunnel Service
Defined types
stunnel::account
NOTE: THIS IS A PRIVATE CLASS A define for setting up stunnel service users and groups
This is necessary so that services using the same user and group can successfully be spawned via a define.
Parameters
The following parameters are available in the stunnel::account
defined type:
name
The user name for the account
groupname
Data type: String
The group name for the account
Default value: $name
uid
Data type: Integer
The UID of the user
Default value: 600
gid
Data type: Integer
The GID of the user
Default value: 600
home
Data type: Stdlib::Absolutepath
The home directory of the user
Default value: '/var/run/stunnel'
shell
Data type: Stdlib::Absolutepath
The shell for the user
Default value: '/sbin/nologin'
stunnel::connection
NOTE: Since many of the parameters here may need to be modified on a
case-by-base basis, this defined type uses capabilities presented by the
simplib::dlookup
function to allow for either global overrides or
instance-specific overrides.
Global overrides work the same way as classes
(stunnel::instance::ssl_version: 'TLSv1.2'
) but will affect all
instances of the defined type that are not specifically overridden as shown
below.
Instance specific overrides preclude the need for a resource collector in
that you can place the follwing in Hiera to affect a single instance named
rsync
: Stunnel::Connection[rsync]::ssl_version: 'TLSv1.2'
All other configuration options can be found in the stunnel man pages
- See also
- stunnel.conf(5)
- stunnel.conf(8)
- stunnel.conf(5)
- stunnel.conf(8)
Examples
Add an Rsync listener
stunnel::connection ('rsync':
accept => '873',
connect_addr => ['1.2.3.4:8730']
}
Parameters
The following parameters are available in the stunnel::connection
defined type:
name
connect
accept
client
failover
sni
app_pki_key
app_pki_cert
app_pki_cacert
app_pki_crl
openssl_cipher_suite
curve
ssl_version
options
verify
ocsp
ocsp_flags
local
protocol
protocol_authentication
protocol_host
protocol_password
protocol_username
delay
engine_num
pty
renegotiation
reset
retry
session_cache_size
session_cache_timeout
stack
timeout_busy
timeout_close
timeout_connect
timeout_idle
trusted_nets
firewall
tcpwrappers
exec
execargs
name
Data type: String
The service name
connect
Data type: Stunnel::Connect
Address and port to which to forward connections
-
For a client, this is the port of the stunnel server
-
For the stunnel server, this is the listening port of the tunneled service
-
Just a port indicates that you wish to listen on all interfaces
-
Examples:
- ['my.server:3000','my.server2:3001']
- ['my.server:3000']
- ['3000']
accept
Data type: Variant[Simplib::Port, Simplib::Host::Port]
Address and port upon which to accept connections
-
For a client, this is generally
localhost
-
For a server, it should be whichever external address is appropriate
- If this is omitted, then connections are accepted on all addresses
-
Examples:
- '1.2.3.4:3000'
- '3000'
client
Data type: Boolean
Indicates that this connection is a client connection
Default value: true
failover
Data type: Enum['rr','prio']
The failover strategy for multiple connect targets
Default value: simplib::dlookup('stunnel::connection', 'failover', $name, { 'default_value' => 'rr' })
sni
Data type: Optional[String]
See the 'sni' option documentation in stunnel(8)
This option is only valid on EL 7+
Default value: simplib::dlookup('stunnel::connection', 'sni', $name, { 'default_value' => undef })
app_pki_key
Data type: Optional[Stdlib::Absolutepath]
Path and name of the private SSL key file
Default value: simplib::dlookup('stunnel::connection', 'app_pki_key', $name, { 'default_value' => undef })
app_pki_cert
Data type: Optional[Stdlib::Absolutepath]
Path and name of the public SSL certificate
Default value: simplib::dlookup('stunnel::connection', 'app_pki_cert', $name, { 'default_value' => undef })
app_pki_cacert
Data type: Stdlib::Absolutepath
Path to the OpenSSL compatible CA certificates
- NOTE: this path is relative to the chroot path if set and is expected to be a directory
Default value: simplib::dlookup('stunnel::connection', 'app_pki_cacert', $name, { 'default_value' => '/etc/pki/simp_apps/stunnel/x509/cacerts/cacerts.pem' })
app_pki_crl
Data type: Optional[Stdlib::Absolutepath]
Path to the OpenSSL compatible CRL directory
Default value: simplib::dlookup('stunnel::connection', 'app_pki_crl', $name, { 'default_value' => undef })
openssl_cipher_suite
Data type: Array[String]
OpenSSL compatible array of ciphers to allow on the system
Default value: simplib::dlookup('stunnel::connection', 'openssl_cipher_suite', $name, { 'default_value' => ['HIGH','-SSLv2'] })
curve
Data type: Optional[String]
The ECDH curve name to use. To get a list of supported curves use:
openssl ecparam -list_curves
on your client
Default value: simplib::dlookup('stunnel::connection', 'curve', $name, { 'default_value' => undef })
ssl_version
Data type: Optional[String]
Dictate the SSL version that can be used on the system
- This default, combined with the default
$ciphers
, will only negotiate atTLSv1.1
or higher
Default value: simplib::dlookup('stunnel::connection', 'ssl_version', $name, { 'default_value' => 'TLSv1.2'})
options
Data type: Array[String]
The OpenSSL library options
Default value: simplib::dlookup('stunnel::connection', 'options', $name, { 'default_value' => [] })
verify
Data type: Integer
Level of mutual authentication to perform
- RHEL 7 Options:
- level 0 - Request and ignore peer certificate.
- level 1 - Verify peer certificate if present.
- level 2 - Verify peer certificate.
- level 3 - Verify peer with locally installed certificate.
- level 4 - Ignore CA chain and only verify peer certificate.
- default - No verify
Default value: simplib::dlookup('stunnel::connection', 'verify', $name, { 'default_value' => 2 })
ocsp
Data type: Optional[Simplib::URI]
The OCSP responder to use for certificate validation
Default value: simplib::dlookup('stunnel::connection', 'ocsp', $name, { 'default_value' => undef })
ocsp_flags
Data type: Stunnel::OcspFlags
The OCSP server flags
Default value: simplib::dlookup('stunnel::connection', 'ocsp_flags', $name, { 'default_value' => [] })
local
Data type: Optional[String]
The outgoing IP to which to bind
By default, stunnel binds to all interfaces
Default value: simplib::dlookup('stunnel::connection', 'local', $name, { 'default_value' => undef })
protocol
Data type: Optional[String]
The application protocol to negotiate SSL.
- RHEL/CentOS 7+: [cifs|connect|imap|nntp|pgsql|pop3|proxy|smtp]
Default value: simplib::dlookup('stunnel::connection', 'protocol', $name, { 'default_value' => undef })
protocol_authentication
Data type: Optional[Enum['basic','NTLM']]
Authentication type for protocol negotiations
Default value: simplib::dlookup('stunnel::connection', 'protocol_authentication', $name, { 'default_value' => undef })
protocol_host
Data type: Optional[String]
The destination address for protocol negotiations
Default value: simplib::dlookup('stunnel::connection', 'protocol_host', $name, { 'default_value' => undef })
protocol_password
Data type: Optional[String]
The password for protocol negotiations
Default value: simplib::dlookup('stunnel::connection', 'protocol_password', $name, { 'default_value' => undef })
protocol_username
Data type: Optional[String]
The username for protocol negotiations
Default value: simplib::dlookup('stunnel::connection', 'protocol_username', $name, { 'default_value' => undef })
delay
Data type: Boolean
Delay DNS lookup for connect
option
Default value: simplib::dlookup('stunnel::connection', 'delay', $name, { 'default_value' => false })
engine_num
Data type: Optional[Integer]
The engine number from which to read the private key
Default value: simplib::dlookup('stunnel::connection', 'engine_num', $name, { 'default_value' => undef })
pty
Data type: Boolean
Reserve and assign a pty to a program that is run by stunnel inetd-style
using the exec
option
Default value: simplib::dlookup('stunnel::connection', 'pty', $name, { 'default_value' => false })
renegotiation
Data type: Boolean
Support SSL renegotiation
Default value: simplib::dlookup('stunnel::connection', 'renegotiation', $name, { 'default_value' => true })
reset
Data type: Boolean
Attempt to use TCP RST
flag to indicate an error
Default value: simplib::dlookup('stunnel::connection', 'reset', $name, { 'default_value' => true })
retry
Data type: Boolean
Reconnect a connect+exec
session after it has been disconnected
Default value: simplib::dlookup('stunnel::connection', 'retry', $name, { 'default_value' => false })
session_cache_size
Data type: Optional[Integer]
The maximum number of internal session cache entries
-
Set to 0 for
unlimited
(not advised) -
This option is only valid on EL 7+
Default value: simplib::dlookup('stunnel::connection', 'session_cache_size', $name, { 'default_value' => undef })
session_cache_timeout
Data type: Optional[Integer]
The number of seconds to keep cached SSL sessions
Default value: simplib::dlookup('stunnel::connection', 'session_cache_timeout', $name, { 'default_value' => undef })
stack
Data type: Optional[Integer]
Thread stack size in bytes
Default value: simplib::dlookup('stunnel::connection', 'stack', $name, { 'default_value' => undef })
timeout_busy
Data type: Optional[Integer]
Time to wait for expected data in seconds
Default value: simplib::dlookup('stunnel::connection', 'timeout_busy', $name, { 'default_value' => undef })
timeout_close
Data type: Optional[Integer]
Time to wait for close notify in seconds
Default value: simplib::dlookup('stunnel::connection', 'timeout_close', $name, { 'default_value' => undef })
timeout_connect
Data type: Optional[Integer]
Time to wait for a remote host connection in seconds
Default value: simplib::dlookup('stunnel::connection', 'timeout_connect', $name, { 'default_value' => undef })
timeout_idle
Data type: Optional[Integer]
Time to keep an idle connection in seconds
Default value: simplib::dlookup('stunnel::connection', 'timeout_idle', $name, { 'default_value' => undef })
trusted_nets
Data type: Simplib::Netlist
Set this if you don't want to allow all IP addresses to access this connection
- This only makes sense for servers
Default value: pick(simplib::dlookup('stunnel::connection', 'trusted_nets', $name, {'default_value' => undef }), simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] }))
firewall
Data type: Boolean
Include the SIMP iptables
module to manage the firewall
Default value: pick(simplib::dlookup('stunnel::connection', 'firewall', $name, {'default_value' => undef }), simplib::lookup('simp_options::firewall', { 'default_value' => false }))
tcpwrappers
Data type: Boolean
Include the SIMP tcpwrappers
module to manage tcpwrappers
Default value: pick(simplib::dlookup('stunnel::connection', 'tcpwrappers', $name, {'default_value' => undef }), simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false }))
exec
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::connection', 'exec', $name, { 'default_value' => undef })
execargs
Data type: Array[String]
Default value: simplib::dlookup('stunnel::connection', 'execargs', $name, { 'default_value' => [] })
stunnel::instance
NOTE: Since many of the parameters here may need to be modified on a
case-by-base basis, this defined type uses capabilities presented by the
simplib::dlookup
function to allow for either global overrides or
instance-specific overrides.
Global overrides work the same way as classes
(stunnel::instance::ssl_version: 'TLSv1.2'
) but will affect all
instances of the defined type that are not specifically overridden as shown
below.
Instance specific overrides preclude the need for a resource collector in
that you can place the follwing in Hiera to affect a single instance named
rsync
: Stunnel::Instance[rsync]::ssl_version: 'TLSv1.2'
- Creates /etc/stunnel/stunnel_managed_by_puppet_rsync.conf
- Spawns service 'stunnel_managed_by_puppet_rsync' from the configuration file
Any instances created with this defined type will be removed from the system if no longer managed to prevent conflicts.
Instances created with versions of the module prior to 6.3.0 may need to be independently removed since there is no safe way to remove those files.
All other configuration options can be found in the stunnel man pages
- See also
- stunnel.conf(5)
- stunnel.conf(8)
Examples
Add an Rsync listener
stunnel::instance {'rsync':
accept => 873,
connect => ['1.2.3.4:8730']
}
Parameters
The following parameters are available in the stunnel::instance
defined type:
name
connect
accept
trusted_nets
haveged
firewall
tcpwrappers
pki
app_pki_external_source
app_pki_dir
app_pki_key
app_pki_cert
app_pki_ca_dir
app_pki_cacert
app_pki_crl
chroot
client
fips
openssl_cipher_suite
ssl_version
options
uid
gid
pid
systemd_wantedby
systemd_requiredby
client
compression
curve
delay
egd
engine
engine_ctrl
engine_num
exec
execargs
failover
local
ocsp
ocsp_flags
output
protocol
protocol_host
protocol_username
protocol_password
protocol_authentication
pty
renegotiation
reset
retry
rnd_bytes
rnd_file
rnd_overwrite
session_cache_size
session_cache_timeout
setuid
setgid
sni
socket_options
stack
stunnel_debug
syslog
timeout_busy
timeout_close
timeout_connect
timeout_idle
verify
name
Data type: String
The name of the stunnel process.
connect
Data type: Stunnel::Connect
Address and port to which to forward connections
-
For a client, this is the port of the stunnel server
-
For the stunnel server, this is the listening port of the tunneled service
-
Just a port indicates that you wish to listen on all interfaces
-
Examples:
- ['my.server:3000','my.server2:3001']
- ['my.server:3000']
- ['3000']
accept
Data type: Variant[Simplib::Port, Simplib::Host::Port]
Address and port upon which to accept connections
-
For a client, this is generally
localhost
-
For a server, it should be whichever external address is appropriate
- If this is omitted, then connections are accepted on all addresses
-
Examples:
- '1.2.3.4:3000'
- '3000'
trusted_nets
Data type: Simplib::Netlist
Set this if you don't want to allow all IP addresses to access this connection
- This only makes sense for servers
Default value: simplib::dlookup('stunnel::instance', 'trusted_nets', $name, { 'default_value' => simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] }) })
haveged
Data type: Boolean
Include haveged
support when setting up stunnel (highly recommended)
Default value: simplib::dlookup('stunnel::instance', 'haveged', $name, { 'default_value' => simplib::lookup('simp_options::haveged', { 'default_value' => true }) })
firewall
Data type: Boolean
Include the SIMP iptables
module to manage the firewall
Default value: simplib::dlookup('stunnel::instance', 'firewall', $name, { 'default_value' => simplib::lookup('simp_options::firewall', { 'default_value' => false }) })
tcpwrappers
Data type: Boolean
Include the SIMP tcpwrappers
module to manage tcpwrappers
Default value: simplib::dlookup('stunnel::instance', 'tcpwrappers', $name, { 'default_value' => simplib::lookup('simp_options::tcpwrappers', { 'default_value' => false }) })
pki
Data type: Variant[Enum['simp'],Boolean]
- If
simp
, include SIMP'spki
module and usepki::copy
to manage application certs in/etc/pki/simp_apps/stunnel/x509
- If
true
, do not include SIMP's pki module, but still usepki::copy
to manage certs in/etc/pki/simp_apps/stunnel/x509
- If
false
, do not include SIMP's pki module and do not usepki::copy
to manage certs. You will need to appropriately assign a subset of:- app_pki_dir
- app_pki_key
- app_pki_cert
- app_pki_ca_dir
Default value: simplib::dlookup('stunnel::instance', 'pki', $name, { 'default_value' => simplib::lookup('simp_options::pki', { 'default_value' => false }) })
app_pki_external_source
Data type: String
-
If pki =
simp
ortrue
, this is the directory from which certs will be copied, viapki::copy
-
If pki =
false
, this variable has no effect
Default value: simplib::dlookup('stunnel::instance', 'app_pki_external_source', $name, { 'default_value' => simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }) })
app_pki_dir
Data type: Stdlib::Absolutepath
The source of certs in the chroot, and the basepath of $app_pki_key
,
$app_pki_cert
, $app_pki_ca
, $app_pki_ca_dir
, and
$app_pki_crl
- NOTE: Even when using a chroot, stunnel needs the certs to reside outside of the chroot path
Default value: simplib::dlookup('stunnel::instance', 'app_pki_dir', $name, { 'default_value' => "/etc/pki/simp_apps/stunnel_${name}/x509" })
app_pki_key
Data type: Stdlib::Absolutepath
Path and name of the private SSL key file
Default value: simplib::dlookup('stunnel::instance', 'app_pki_key', $name, { 'default_value' => "${app_pki_dir}/private/${facts['fqdn']}.pem" })
app_pki_cert
Data type: Stdlib::Absolutepath
Path and name of the public SSL certificate
Default value: simplib::dlookup('stunnel::instance', 'app_pki_cert', $name, { 'default_value' => "${app_pki_dir}/public/${facts['fqdn']}.pub" })
app_pki_ca_dir
Data type: Stdlib::Absolutepath
Since stunnel runs in a chroot, you need to copy the appropriate CA certificates in from an external source
- This should be the full path to a directory containing hashed versions of the CA certificates
Default value: simplib::dlookup('stunnel::instance', 'app_pki_ca_dir', $name, { 'default_value' => "${app_pki_dir}/cacerts" })
app_pki_cacert
Data type: Stdlib::Absolutepath
The path to the full CA certificate for the Stunnel connections
Default value: simplib::dlookup('stunnel::instance', 'app_pki_cacert', $name, { 'default_value' => "${app_pki_dir}/cacerts/cacerts.pem" })
app_pki_crl
Data type: Optional[Stdlib::Absolutepath]
Since stunnel runs in a chroot, you need to copy the appropriate CRL in from an external source
Default value: simplib::dlookup('stunnel::instance', 'app_pki_crl', $name, { 'default_value' => undef })
chroot
Data type: Optional[Stdlib::Absolutepath]
The location of the chroot jail. If left unset, and selinux is NOT disabled,
it will default to /var/stunnel_<local bind port>
.
- Do NOT make this anything under
/var/run
Default value: simplib::dlookup('stunnel::instance', 'chroot', $name, { 'default_value' => undef })
client
Data type: Boolean
Indicates that this connection is a client connection
Default value: true
fips
Data type: Boolean
Set the fips
global option
- We don't enable FIPS mode by default since we want to be able to use TLS1.2
Default value: simplib::dlookup('stunnel::instance', 'fips', $name, { 'default_value' => simplib::lookup('simp_options::fips', { 'default_value' => pick($facts['fips_enabled'], false) }) })
openssl_cipher_suite
Data type: Array[String]
OpenSSL compatible array of ciphers to allow on the system
Default value: simplib::dlookup('stunnel::instance', 'openssl_cipher_suite', $name, { 'default_value' => ['HIGH','-SSLv2'] })
ssl_version
Data type: Optional[String]
Dictate the SSL version that can be used on the system
- This default, combined with the default
$ciphers
, will only negotiate atTLSv1.1
or higher
Default value: simplib::dlookup('stunnel::instance', 'ssl_version', $name, { 'default_value' => 'TLSv1.2'})
options
Data type: Array[String]
The OpenSSL library options
Default value: simplib::dlookup('stunnel::instance', 'options', $name, { 'default_value' => [] })
uid
Data type: Integer
The user id of the stunnel user
Default value: simplib::dlookup('stunnel::instance', 'uid', $name, { 'default_value' => 600 })
gid
Data type: Integer
The group id of the stunnel group
Default value: simplib::dlookup('stunnel::instance', 'gid', $name, { 'default_value' => $uid })
pid
Data type: Optional[Stdlib::Absolutepath]
Leave undef if no PID is desired. Default on systemd systems.
Default value: simplib::dlookup('stunnel::instance', 'pid', $name, { 'default_value' => undef })
systemd_wantedby
Data type: Optional[Array[String]]
Systemd services or targets that want stunnel
Default value: simplib::dlookup('stunnel::instance', 'systemd_wantedby', $name, { 'default_value' => undef })
systemd_requiredby
Data type: Optional[Array[String]]
Systemd services or targets that require stunnel
Default value: simplib::dlookup('stunnel::instance', 'systemd_requiredby', $name, { 'default_value' => undef })
client
Default value: true
compression
Data type: Optional[Enum['zlib','rle']]
Default value: simplib::dlookup('stunnel::instance', 'compression', $name, { 'default_value' => undef })
curve
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'curve', $name, { 'default_value' => undef })
delay
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'delay', $name, { 'default_value' => false })
egd
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'egd', $name, { 'default_value' => undef })
engine
Data type: String
Default value: simplib::dlookup('stunnel::instance', 'engine', $name, { 'default_value' => 'auto' })
engine_ctrl
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'engine_ctrl', $name, { 'default_value' => undef })
engine_num
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'engine_num', $name, { 'default_value' => undef })
exec
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'exec', $name, { 'default_value' => undef })
execargs
Data type: Array[String]
Default value: simplib::dlookup('stunnel::instance', 'execargs', $name, { 'default_value' => [] })
failover
Data type: Enum['rr','prio']
Default value: simplib::dlookup('stunnel::instance', 'failover', $name, { 'default_value' => 'rr' })
local
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'local', $name, { 'default_value' => undef })
ocsp
Data type: Optional[Simplib::URI]
Default value: simplib::dlookup('stunnel::instance', 'ocsp', $name, { 'default_value' => undef })
ocsp_flags
Data type: Stunnel::OcspFlags
Default value: simplib::dlookup('stunnel::instance', 'ocsp_flags', $name, { 'default_value' => [] })
output
Data type: Optional[Stdlib::Absolutepath]
Default value: simplib::dlookup('stunnel::instance', 'output', $name, { 'default_value' => undef })
protocol
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'protocol', $name, { 'default_value' => undef })
protocol_host
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'protocol_host', $name, { 'default_value' => undef })
protocol_username
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'protocol_username', $name, { 'default_value' => undef })
protocol_password
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'protocol_password', $name, { 'default_value' => undef })
protocol_authentication
Data type: Optional[Enum['basic','NTLM']]
Default value: simplib::dlookup('stunnel::instance', 'protocol_authentication', $name, { 'default_value' => undef })
pty
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'pty', $name, { 'default_value' => false })
renegotiation
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'renegotiation', $name, { 'default_value' => true })
reset
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'reset', $name, { 'default_value' => true })
retry
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'retry', $name, { 'default_value' => false })
rnd_bytes
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'rnd_bytes', $name, { 'default_value' => undef })
rnd_file
Data type: Optional[Stdlib::Absolutepath]
Default value: simplib::dlookup('stunnel::instance', 'rnd_file', $name, { 'default_value' => undef })
rnd_overwrite
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'rnd_overwrite', $name, { 'default_value' => true })
session_cache_size
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'session_cache_size', $name, { 'default_value' => undef })
session_cache_timeout
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'session_cache_timeout', $name, { 'default_value' => undef })
setuid
Data type: String
Default value: simplib::dlookup('stunnel::instance', 'setuid', $name, { 'default_value' => 'stunnel' })
setgid
Data type: String
Default value: simplib::dlookup('stunnel::instance', 'setgid', $name, { 'default_value' => 'stunnel' })
sni
Data type: Optional[String]
Default value: simplib::dlookup('stunnel::instance', 'sni', $name, { 'default_value' => undef })
socket_options
Data type: Array[String]
Default value: simplib::dlookup('stunnel::instance', 'socket_options', $name, { 'default_value' => [] })
stack
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'stack', $name, { 'default_value' => undef })
stunnel_debug
Data type: String
Default value: simplib::dlookup('stunnel::instance', 'stunnel_debug', $name, { 'default_value' => 'err' })
syslog
Data type: Boolean
Default value: simplib::dlookup('stunnel::instance', 'syslog', $name, { 'default_value' => simplib::lookup('simp_options::syslog', { 'default_value' => false }) })
timeout_busy
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'timeout_busy', $name, { 'default_value' => undef })
timeout_close
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'timeout_close', $name, { 'default_value' => undef })
timeout_connect
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'timeout_connect', $name, { 'default_value' => undef })
timeout_idle
Data type: Optional[Integer]
Default value: simplib::dlookup('stunnel::instance', 'timeout_idle', $name, { 'default_value' => undef })
verify
Data type: Integer
Default value: simplib::dlookup('stunnel::instance', 'verify', $name, { 'default_value' => 2 })
stunnel::instance::reserve_port
NOTE: THIS IS A PRIVATE DEFINED TYPE
This is a 'canary' defined type that allow us to fail a compile in the case
that the stunnel::interface
and stunnel::connection
defined types have an
overlapping listen port.
Resource types
stunnel_instance_purge
Disables all services and removes all associated files for
stunnel::instance
created resources that are no longer under
management.
This is required so that newly created resources do not have port conflicts upon starting a new service.
Example:
stunnel_instance_purge { 'stunnel_managed_by_puppet': dirs => [ '/etc/stunnel', '/etc/rc.d/init.d', '/etc/systemd/system' ] }
This will disable all services that start with $namevar
and will
subsequently remove all files in the directories specified in the
$dirs
Array that match ${dir}/${namevar}.*
.
WARNING: BE VERY CAREFUL THAT ${namevar} IS PRECISE
Properties
The following properties are available in the stunnel_instance_purge
type.
dirs
Valid values: /^\//
The directories from which the files matching "${name}.*" should be purged
Parameters
The following parameters are available in the stunnel_instance_purge
type.
name
namevar
The prefix name of the services to disable and files to remove
provider
The specific backend to use for this stunnel_instance_purge
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
verbose
Valid values: true
, false
, yes
, no
Provide verbose output in the change message regarding services to be purged
Data types
Stunnel::Connect
Valid entries for an stunnel connect
entry
Alias of
Variant[Array[Simplib::Port], Array[Simplib::Netlist::Port], Simplib::Netlist::Port]
Stunnel::OcspFlags
Valid stunnel OCSP flag options
Alias of
Tuple[Pattern[/(?i:NOCERTS|NOINTERN|NOSIGS|NOCHAIN|NOVERIFY|NOEXPLICIT|NOCASIGN|NODELEGATED|NOCHECKS|TRUSTOTHER|RESPID_KEY|NOTIME)/], 0]
- Wed Oct 27 2021 Trevor Vaughan tvaughan@onyxpoint.com - 6.7.1
- Fixed
- Set all tcpwrappers connections to allow 'ALL' to work around a bug in the version of stunnel that ships with EL7.9 where a tcpwrappers deny will cause 100% CPU usage and hung process
- Thu Jun 17 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.7.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Wed Jan 13 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.6.1
- Removed EL6 support
- Tue Dec 10 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.6.0
- Add support for EL8
- Added REFERENCE.md
- Updated README.md
- Set default for stunnel::connection::ssl_version to TLSv1.2 for EL8 compatibility
- Set default for stunnel::instance::ssl_version to TLSv1.2 for EL8 compatibility
- Add an stunnel::instance_purge class to remedy the 'floating services' issue
- Set the stunnel::connection::app_pki_crl parameter to
undef
by default due to issues with pointing the setting to an absent directory in EL8 - Set the stunnel::instance::app_pki_crl parameter to
undef
by default due to issues with pointing the setting to an absent directory in EL8 - Update valid ssl_version entries
- Update acceptance tests to pass data between all combinations of nodes
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 6.6.0
- Support puppetlabs/concat 6.x.
- Tue Jun 04 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 6.5.0
- Add v2 compliance_markup data
- Fri Apr 12 2019 Joseph Sharkey shark.bruhaha@gmail.com - 6.4.2
- Removed out of date doc/
- Updated tests for pup6 support and removed pup4 support
- Tue Mar 19 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.4.2
- Use simplib::nets2ddq in lieu of simplib's deprecated Puppet 3 nets2ddq
- Use Puppet Integer instead of simplib's deprecated Puppet 3 to_integer
- Use Puppet String instead of simplib's deprecated Puppet 3 to_string
- Use simplib::validate_array_member in lieu of simplib's deprecated Puppet 3 validate_array_member
- Wed Mar 06 2019 Michael Morrone michael.morrone@onyxpoint.com - 6.4.1
- If statement evaluating boolean parameter prevented RNDoverwrite being set to 'no'. Fixed logic, updated tests, and changed default value to maintain default behavior.
- Mon Mar 04 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.4.1
- Expanded the upper limit of the concat and stdlib Puppet module versions
- Updated URLs in the README.md
- Mon Jan 21 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.0
- Add ability for users to override stunnel::connection and stunnel::instance options either globally or by specific identified instance.
- Fixed stunnel::connection and stunnel::instance template bugs
- sni is not applicable on EL6
- retry is only applicable when exec is specified and needs to be translated from a boolean to 'yes'/'no'
- session is only applicable on EL6
- Thu Dec 06 2018 Chris Tessmer chris.tessmer@onyxpoint.com - 6.3.4
- Fix bug that broke
puppet describe <anything>
- Fri Sep 14 2018 Adam Yohrling adam.yohrling@onyxpoint.com - 6.3.3
- Add support for Puppet5
- Clean up acceptance tests to use facts for hostname, domain
- Update badges and contribution guide URL in README.md
- Tue Sep 11 2018 Nicholas Markowski nicholas.markowski@onyxpoint.com - 6.3.3
- Updated $app_pki_external_source to accept any string. This matches the functionality of pki::copy.
- Tue Jul 17 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.2
- Fix the service name used by stunnel so that tcpwrappers would not incorrectly drop connections.
- Mon Apr 23 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 6.3.2
- Updated selinux settings in acceptance tests to reflect removal of simp_options::selinux setting and use selinux::ensure setting.
- Tue Apr 03 2018 Nick Miller nick.miller@onyxpoint.com - 6.3.1
- Added two new parameters to the stunnel::instance define:
- systemd_wantedby: sent to the WantedBy systemd unit install directive
- systemd_requiredby: sent to the RequiredBy systemd unit install directive
- These should allow ordering during boot. For example, if you have NFS set up over stunnel, you want stunnel to start before NFS.
- Fixed the systemd startup scripts to properly pre-create the PID directory if required
- Tue Mar 27 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.0
- Ensure init.d script is absent if systemd system because puppet was finding it and running it and setting permissions on root to stunnel:stunnel.
- Ensure pid file name is not left undefined to prevent unplanned results.
- Added check to make sure chroot has not evaluated to '/'.
- Tue Mar 06 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.3.0
- Fixed bug in which the stunnel systemd pre-exec script failed to execute completely, because one command did not have a fully qualified path.
- Reworked stunnel systemd pre-exec scripts to only emit error messages when errors have occurred.
- Wed Dec 13 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.0
- Isolated the 'instance' logic away from the 'connection' logic
- Added a private 'monolithic' class that arranges everything properly for the legacy stunnel connections
- Ensure that 'instances' and 'connections' do not conflict by using a 'reserve_port' class
- Add a native type that will clean up all instances that would be randomly created by the 'stunnel::instance' defines and will come before both legacy and new stunnel connections so that we do not have random left over services that may conflict with new services
- Fri Nov 17 2017 Nick Miller nick.miller@onyxpoint.com - 6.2.1
- Add feature to systemd init script to kill stunnels started from the previous version of the module
- Fixed bug where
stunnel::config::pid
was being ignored
- Wed Oct 25 2017 Nick Miller nick.miller@onyxpoint.com - 6.2.0
- Added acceptance test to switch between SELinux enabled and disabled
- Renamed them to make more sense
- Updated SysV scripts for safety concerns
- PKI now is now owned by the proper $setuid
- Renamed templates to make more sense
- Manage PID dir in Puppet when possible
- Fixed bug where PID dir was being created with SELinux contexts even when SELinux was disabled
- Added systemd unit to
connection
for use on EL7 systems - Switched tenplates to use a safe name
- Added support for Puppet 5
- Tue Jun 20 2017 Nick Markowski nmarkowski@keywcorp.com - 6.1.0
- Added a define, stunnel::instance
- Creates standalone connections with their own configurations and services
- Adds systemd support
- Possible to chroot when selinux is permissive/enforcing
- Backwards compatible with existing stunnel configurations
- stunnel::connection is unofficially deprecated until the SIMP-7 release, at which point stunnel::instance will replace stunnel::connection
- Update puppet requirement in metadata.json
- Fri Mar 17 2017 Ryan Russell-Yates, Liz Nemsick - 6.0.1-0
- Flesh out README
- Remove OBE 'pe' requirement from metadata.json
- Update puppet version in .travis.yaml
- Wed Jan 11 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Updated pki::copy to use the new scheme.
- Application certs now managed in /etc/pki/simp_apps/stunnel/x509
- Removed parameters from README because we are puppet-strings-ified.
- Removed redundant parameter $libwrap
- Thu Dec 29 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Updated the stunnel::connection connect parameter to take an array of simplib::netlist::port
- Sun Dec 25 2016 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0
- Moved
stunnel::add
tostunnel::connection
for syntactic correctness - Updated to work with the new IPTables module
- Thu Dec 08 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Updated global catalysts.
- Refactored the module.
- Fixed bug whereby 'chroot = false' is written to stunnel.conf when selinux is enabled.
- Wed Nov 23 2016 Jeanne Greulich jgreulich@onyxpoint.com - 5.0.0-0
- Fix dependancies for simp 6 bump
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 5.0.0-0
- Updated to compliance_markup version 2
- Wed Nov 16 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0
- Updated iptables dependency version
- Updated openldap dependency version
- Wed Oct 12 2016 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-0
- Updated to use the version of 'simpcat' that does not conflict with 'puppetlabs/concat'.
- Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com,Ryan Russell-Yates ryan.russellyates@gmail.com - 4.2.8-0
- Validate compliance_markup mapping
- Create Functional README.md for Forge
- Fri Jul 08 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.7-0
- Incorrectly referenced the global $::use_simp_pki in ::stunnel
- Wed Jul 06 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.6-0
- Ensure that the PKI copy is performed prior to copying the system cacerts into the stunnel chroot.
- Thu Jun 30 2016 Nick Markowski nmarkowski@keywcorp.com - 4.2.5-0
- Use_haveged is now a global catalyst.
- Mon Jun 27 2016 Nick Markowski nmarkowski@keywcorp.com - 4.2.4-0
- Pupmod-haveged now included by default to assist with entropy generation.
- Tue Jun 21 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.3-0
- Ensure that
$use_iptables
is handled properly.
- Wed May 18 2016 Chris Tessmer chris.tessmer@onypoint.com - 4.2.2-0
- Sanitize code for
STRICT_VARIABLES=yes
- Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.comm - 4.2.1-0
- Migrated use_simp_pki to a global catalyst.
- Fixed several ordering issues.
- Increase safety by moving the public and private keys out of the chroot jail.
- Tue Mar 01 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.2.0-11
- Added compliance function support
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.2.0-10
- migration to simplib and simpcat (lib/ only)
- Tue Jul 21 2015 Nick Markowski nmarkowski@keywcorp.com - 4.2.0-9
- Moved stunnel's default pid location back to /var/run/stunnel/stunnel.pid.
- Stunnel's init script now only creates and chowns the pid file directory if it does not exist, which is needed because stunnel runs as the stunnel user
- Wed Jul 01 2015 Nick Markowski nmarkowski@keywcorp.com - 4.2.0-8
- Stunnel's default pid file location moved from /var/run/stunnel/stunnel.pid to /var/run/stunnel.pid
- Thu Apr 02 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-7
- Fixed a scoping error in the template
- Fri Feb 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-6
- Fixed a non-scoped call to @options in the stunnel ERB file.
- Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-5
- Migrated to the new 'simp' environment.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-4
- Changed puppet-server requirement to puppet
- Thu Nov 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-3
- Fix chroot detection in SELinux mode.
- Tue Nov 04 2014 Trevor Vaughan tvaughan@onxypoint.com - 4.2.0-2
- Ensure that renegotiation and reset only apply on RHEL>6 systems.
- Sun Nov 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-1
- Updated to add the FIPS global option to the stunnel configuration.
- Tue Oct 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-0
- CVE-2014-3566: Updated protocols to mitigate POODLE.
- Updated all of the stunnel module to properly handle both RHEL6 and RHEL7.
- Now support multiple connect options.
- The connect/accept hosts and ports are no longer separate.
- Fri Aug 08 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4
- Change 'delay' to 'no' by default to ensure that DNS lookups happen before entering the chroot jail. This currently does not work in RHEL7.
- Add nsswitch.conf to the chroot jail.
- Fri Aug 08 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4
- Move stunnel outside of a chroot jail when SELinux is set to enforcing.
- Fri Apr 04 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3
- Now simply include 'stunnel' in 'stunnel::add' instead of raising an exception.
- Wed Mar 26 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
- Moved stunnel::stunnel_add to stunnel::add
- Replaced all of the PKI copy code with a call to the new pki::copy define.
- Fixed a bug with the CA path and CRL path in the stunnel configuration file.
- Wed Mar 12 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-1
- Updated module for hiera/puppet3, and lint tests.
- Copied pki keys and certs to <chroot_path>/etc/stunnel/pki
- Added rspec tests.
- Tue Jan 28 2014 Kendall Moore kmoore@keywcorp.com 4.1.0-0
- Update to remove warnings about IPTables not being detected. This is a nuisance when allowing other applications to manage iptables legitimately.
- Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-12
- Updated all erb templates to properly scope variables.
- Fri Jun 07 2013 Kendall Moore kmoore@keywcorp.com 4.0.0-11
- Updated the stunnel start script to allow for the occurence of both pid and chroot to appear in a hostname
- Mon Jan 07 2013 Maintenance 4.0.0-10
- Created a test to install and configure stunnel and to make sure that the stunnel service is running.
- Created a test to add an stunnel on the first open port start at number 1024 and ensure that the chosen port is in state LISTEN and owned by stunnel.
- Tue Nov 27 2012 Maintenance 4.0.0-9
- Fixed the stunnel init script to have proper startup output.
- Updated to set the umask for stunnel open files to 1048576 for heavily loaded systems.
- Updated the stunnel init script to allow unlimited processes since there is one per connection.
- Mon Nov 05 2012 Maintenance 4.0.0-8
- Removed the useless CRL copy exec.
- Removed the PKI Cert copy exec and replaced it with a recursive copy/purge file resource.
- Fri Sep 28 2012 Maintenance 4.0.0-7
- Moved the chroot run directory for stunnel from /var/run/stunnel to /var/stunnel since /var/run gets cleaned out upon reboot.
- Fri Aug 10 2012 Maintenance 4.0.0-6
- Update to set max open files ulimit to unlimited in the init script.
- Wed Apr 11 2012 Maintenance 4.0.0-5
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Maintenance 4.0.0-4
- Improved test stubs.
- Mon Dec 26 2011 Maintenance 4.0-3
- Updated the spec file to not require a separate file list.
- Scoped all of the top level variables.
- Tue Oct 25 2011 Maintenance 4.0-2
- Added a note about the transparent mode of stunnel not working properly in RHEL6.
- Mon Oct 10 2011 Maintenance 4.0-1
- Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
- Tue Jul 12 2011 Maintenance 4.0-0
- Stunnel doesn't care if we're using LDAP or not, so don't check for the value when setting up key permissions.
- Mon Apr 18 2011 Maintenance - 2.0.0-1
- Changed puppet://$puppet_server/ to puppet:///
- Ensure that stunnel does not restart when 'resolv.conf' or 'hosts' is updated.
- Ensure that the stunnel service watches for changes in the entire certificate space.
- Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
- Updated to use concat_build and concat_fragment types.
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Tue Oct 26 2010 Maintenance - 1-2
- Converting all spec files to check for directories prior to copy.
- Wed Jul 14 2010 Maintenance 1.0-1
- Updated stunnel to start at runlevel 15 and ensured that it updated its chkconfig entires approprately
- Tue May 25 2010 Maintenance 1.0-0
- Code refactoring.
- Thu Feb 18 2010 Maintenance 0.1-11
- Added a paramater $client_nets to the stunnel_add define to allow users to lock down access to the encrypted port via IPTables.
- Thu Oct 08 2009 Maintenance 0.1-10
- Finally fixed the problem with cert verification. All uses of stunnel can now set verify to 1 or 2.
Dependencies
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- simp/haveged (>= 0.3.0 < 1.0.0)
- simp/iptables (>= 6.4.0 < 7.0.0)
- simp/pki (>= 6.0.0 < 7.0.0)
- simp/simplib (>= 3.12.0 < 5.0.0)
- simp/tcpwrappers (>= 6.0.0 < 7.0.0)
pupmod-simp-stunnel - A Puppet Module for managing Stunnel -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.