a5561f0a1d
This allows us to force a TLS version for stunnel, which we set to TLSv1.2. This ensures that we're compliant with FedRAMP, which requires a minimum version of TLSv1.1. Unfortunately, using the "option" key didn't work in the configuration as was tried in a previous commit. This option would have only disabled the versions we set, instead of only allowing one, like "sslVersions" does. This seems to be the only alternative we have at the moment.

Related-Bug: #1754368
Change-Id: I353f893ee5dcc265269704e23f65aa0460724078
67 lines
1.8 KiB
Puppet
# Copyright 2017 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# == Class: tripleo::stunnel::service_proxy
#
# Configures a TLS proxy for a service.
#
# === Parameters
#
# [*accept_host*]
#   Host or IP where the tunnel will be accepting connections.
#
# [*accept_port*]
#   Port where the tunnel will be accepting connections.
#
# [*connect_port*]
#   Port where the tunnel will be proxying to.
#
# [*certificate*]
#   Cert that the TLS proxy will be using for the TLS connection.
#
# [*key*]
#   Key that the TLS proxy will be using for the TLS connection.
#
# [*client*]
#   Whether this proxy is meant for client connections.
#   Defaults to 'no'
#
# [*connect_host*]
#   Host where the tunnel will be proxying to.
#   Defaults to 'localhost'
#
# [*ssl_version*]
#   (Optional) select the TLS protocol version
#   Defaults to 'TLSv1.2'
#
define tripleo::stunnel::service_proxy (
  $accept_host,
  $accept_port,
  $connect_port,
  $certificate,
  $key,
  $client = 'no',
  $connect_host = 'localhost',
  $ssl_version = 'TLSv1.2'
) {
  concat::fragment { "stunnel-service-${name}":
    target  => '/etc/stunnel/stunnel.conf',
    order   => "20-${name}",
    content => template('tripleo/stunnel/service.erb'),
  }

  Concat::Fragment["stunnel-service-${name}"] ~> Service<| title == 'stunnel' |>
}
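The commit message's point, that `options = NO_<proto>` only strikes the named protocol while `sslVersion` pins exactly one, is easy to verify on the rendered stunnel.conf. The following checker is an added example, not code from this change or from puppet-tripleo; it assumes the fragment produced by tripleo/stunnel/service.erb is a standard stunnel `[service]` section, and the sample config inside it is constructed for the demonstration.

```python
import re

# Protocol names stunnel accepts in `sslVersion` and `options = NO_<proto>`,
# oldest to newest; the commit message gives FedRAMP's floor as TLSv1.1.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample, not the output of the real tripleo/stunnel/service.erb.
SAMPLE_CONF = """\
[keystone_before]   ; the `options` approach the commit says did not work
accept  = 192.0.2.5:13000
connect = localhost:5000
options = NO_SSLv2
options = NO_SSLv3
[keystone_after]    ; what sslVersion = TLSv1.2 gives
accept  = 192.0.2.5:13000
connect = localhost:5000
sslVersion = TLSv1.2
"""

def parse_stunnel_conf(text):
    """Map each [service] name to its list of (key, value); ';' starts a comment."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        section = re.match(r"^\[(.+)\]$", line)
        if section:
            current = section.group(1)
            services[current] = []
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            services[current].append((key, value))
    return services

def allowed_versions(opts):
    """sslVersion pins one version; each NO_<proto> option removes only that one."""
    pinned, disabled = None, set()
    for key, value in opts:
        if key == "sslVersion":
            pinned = value
        elif key == "options" and value.startswith("NO_"):
            disabled.add(value[3:].replace("_", "."))  # NO_TLSv1_1 -> TLSv1.1
    if pinned and pinned != "all":
        return [pinned]
    return [p for p in PROTOCOLS if p not in disabled]

def noncompliant_services(text, minimum="TLSv1.1"):
    """Sections still allowing something older than `minimum` (or an unknown version)."""
    floor = PROTOCOLS.index(minimum)
    return [name for name, opts in parse_stunnel_conf(text).items()
            if any(v not in PROTOCOLS or PROTOCOLS.index(v) < floor
                   for v in allowed_versions(opts))]
```

Running `noncompliant_services(SAMPLE_CONF)` reports only `keystone_before`: disabling SSLv2 and SSLv3 still leaves TLSv1 negotiable, whereas the pinned section passes.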