Reference

Table of Contents

Classes

  • stunnel: Basic Stunnel config. Installs the packages and creates essential directories.

Defined types

  • stunnel::connection: Establishes a new stunnel connection.

Classes

stunnel

Basic Stunnel config. Installs the packages and creates essential directories.

  • Since 0.0.0

Examples

Basic usage
```puppet
include stunnel
```

Parameters

The following parameters are available in the stunnel class:

bin_name

Data type: Optional[String]

Name of the stunnel executable.

Default value: undef

bin_path

Data type: Optional[Stdlib::Absolutepath]

Path to the directory containing the stunnel executable.

Default value: undef

cert_dir

Data type: Optional[Stdlib::Absolutepath]

Path to the directory containing the certificates.

Default value: undef

config_dir

Data type: Optional[Stdlib::Absolutepath]

Path to the directory containing the configuration files.

Default value: undef

log_dir

Data type: Optional[Stdlib::Absolutepath]

Path to the directory containing the output files.

Default value: undef

packages

Data type: Optional[Array]

List of packages to install.

Default value: undef

packages_ensure

Data type:

Optional[Enum[
      'present',
      'latest'
  ]]

If packages should be updated or not.

Default value: undef

packages_provider

Data type: Optional[String]

Provider to use to install the packages. Mandatory on Windows.

Default value: undef

pid_dir

Data type: Optional[Stdlib::Absolutepath]

Path to the directory containing the pid file. Linux only.

Default value: undef

user

Data type: Optional[String]

User that will own the files and run the service.

Default value: undef

group

Data type: Optional[String]

Group that will own the files and run the service.

Default value: undef

Defined types

stunnel::connection

Establishes a new stunnel connection.

Examples

Basic usage
```puppet
include stunnel

stunnel::connection { 'my_tunnel':
  active        => true,
  enable        => true,
  client        => 'yes',
  accept        => 32000,
  protocol      => 'connect',
  protocol_host => 'remote_url:564',
  connect       => 'my_proxy:8080',
  debug_level   => 5,
  log_file      => "${stunnel::log_dir}/my_tunnel.log",
}
```

Parameters

The following parameters are available in the stunnel::connection defined type:

stunnel_name

Data type: String

Name of the stunnel connection.

Default value: $name

ensure

Data type: Enum['present','absent']

Whether the connection should be created or deleted.

Default value: 'present'

manage_service

Data type: Boolean

Whether or not a service should be created for this connection.

Default value: true

active

Data type: Optional[Boolean]

Whether the service should be running or not. Requires manage_service to be true.

Default value: undef

enable

Data type:

Optional[Variant[
      Boolean,
      Enum['mask']
  ]]

Whether the service should be set to run at boot. Requires manage_service to be true.

Default value: undef

client

Data type: Optional[Enum['yes','no']]

Client mode ('yes': the remote service speaks TLS and stunnel connects to it; 'no': stunnel terminates TLS and forwards plaintext to the connect target).

Default value: undef

accept

Data type:

Optional[Variant[
      String,
      Integer[0]
  ]]

Accept connections on the specified address, given as PORT or HOST:PORT. If no host is specified, defaults to all IPv4 addresses of the local host. To listen on all IPv6 addresses use :::PORT.

Default value: undef

protocol

Data type: Optional[String]

Application protocol to negotiate TLS. This option enables initial, protocol-specific negotiation of the TLS encryption (for example STARTTLS-style upgrades). The protocol option should not be used when TLS is already offered on a separate port. See the official stunnel documentation for the supported protocols.

Default value: undef

protocol_host

Data type: Optional[String]

Host address for the protocol negotiations. For the 'connect' protocol negotiations, protocolHost specifies HOST:PORT of the final TLS server to be connected to by the proxy. The proxy server directly connected by stunnel must be specified with the connect option. For the 'smtp' protocol negotiations, protocolHost controls the client SMTP HELO/EHLO value.

Default value: undef

connect

Data type:

Optional[Variant[
      String,
      Array[String]
  ]]

Connect to a remote address. If no host is specified, the host defaults to localhost. Multiple connect options are allowed in a single service section. If host resolves to multiple addresses and/or if multiple connect options are specified, then the remote address is chosen using a round-robin algorithm.

Default value: undef

failover

Data type: Optional[Enum['rr','prio']]

Failover strategy for multiple connect targets: 'rr' (round robin, fair load distribution) or 'prio' (priority, use the order specified in the config file). stunnel's default is prio.

Default value: undef

ca_file_path

Data type: Optional[Stdlib::Absolutepath]

Load trusted CA certificates from a file. The loaded CA certificates will be used with the verifyChain and verifyPeer options.

Default value: undef

ca_file_content

Data type: Optional[String]

If specified, populates the CA file at ca_file_path. If ca_file_path is not set, the content is written to a default CA file at cert_dir/stunnel_name_CA.pem.

Default value: undef

ca_dir_path

Data type: Optional[Stdlib::Absolutepath]

Load trusted CA certificates from a directory. The loaded CA certificates will be used with the verifyChain and verifyPeer options. Note that the certificates in this directory should be named XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the cert. The hash algorithm has been changed in OpenSSL 1.0.0. It is required to c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x or later. CApath path is relative to the chroot directory if specified.

Default value: undef

cert_file_path

Data type: Optional[Stdlib::Absolutepath]

Certificate chain file name. The parameter specifies the file containing certificates used by stunnel to authenticate itself against the remote client or server. The file should contain the whole certificate chain starting from the actual server/client certificate, and ending with the self-signed root CA certificate. The file must be either in PEM or P12 format. A certificate chain is required in server mode, and optional in client mode. This parameter is also used as the certificate identifier when a hardware engine is enabled.

Default value: undef

cert_file_content

Data type: Optional[String]

If specified, populates the certificate file at cert_file_path. If cert_file_path is not set, the content is written to a default certificate file at cert_dir/stunnel_name_cert.pem.

Default value: undef

key_file_path

Data type: Optional[Stdlib::Absolutepath]

Private key for the certificate specified with cert_file_path. A private key is needed to authenticate the certificate owner. Since this file must be kept secret, it should only be readable by its owner; on Unix systems use chmod 600 keyfile. This parameter is also used as the private key identifier when a hardware engine is enabled. stunnel's default is the value of the cert option.

Default value: undef

key_file_content

Data type: Optional[String]

If specified, populates the key file at key_file_path. If key_file_path is not set, the content is written to a default key file at cert_dir/stunnel_name.key.

Default value: undef

timeoutidle

Data type: Optional[Integer[0]]

Time, in seconds, to keep an idle connection open before stunnel closes it (stunnel's TIMEOUTidle).

Default value: undef

openssl_options

Data type: Optional[Array[String]]

OpenSSL library options. The parameter is the OpenSSL option name as described in the SSL_CTX_set_options(3ssl) manual, but without SSL_OP_ prefix. stunnel -options lists the options found to be allowed in the current combination of stunnel and the OpenSSL library used to build it. Several option lines can be used to specify multiple options. An option name can be prepended with a dash ("-") to disable the option. Use sslVersionMax or sslVersionMin option instead of disabling specific TLS protocol versions when compiled with OpenSSL 1.1.0 or later.

Default value: undef

socket_options

Data type: Optional[Array[String]]

Set an option on the accept/local/remote socket. The values for the linger option are l_onof:l_linger. The values for the time are tv_sec:tv_usec.

Default value: undef

service_options

Data type:

Optional[Hash[
      String,
      Data
  ]]

Any supported service option currently not available in this define.

Default value: undef

debug_level

Data type: Optional[Integer[0,7]]

Debugging level. The level is one of the syslog level names or numbers: emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All messages at the specified level and at all levels numerically less than it are logged. stunnel's default is notice (5). While debug = debug or debug = 7 generates the most verbose output, it is only intended for stunnel developers or for logs sent to stunnel's technical support; otherwise the generated logs will be confusing.

Default value: undef

log_file

Data type: Optional[Stdlib::Absolutepath]

Append log messages to a file. /dev/stdout device can be used to send log messages to the standard output (for example to log them with daemontools splogger).

Default value: undef

global_options

Data type:

Optional[Hash[
      String,
      Data
  ]]

Any supported global option currently not available in this define.

Default value: undef
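Putting the parameters above together, here is an added example (it is not part of the module's own documentation) of a server-side tunnel that requires client certificates and a client-side tunnel that actually verifies the server it talks to. The basic example earlier in this reference sets neither a CA file nor any verify* option, and stunnel's default is to verify nothing, so that tunnel would accept any certificate the remote end presents. The certificate paths, hostnames, ports and the Debian-style /etc/stunnel/certs directory are assumptions; the option names passed through service_options and openssl_options (verifyPeer, verifyChain, checkHost, sslVersionMin, NO_COMPRESSION, LEGACY_SERVER_CONNECT) are stunnel/OpenSSL names.

```puppet
# Added example, not the module's own code. Paths, hostnames and ports are
# placeholders; the module's defaults for cert_dir/log_dir come from its own data.
class { 'stunnel':
  packages_ensure => 'present',
  user            => 'stunnel',
  group           => 'stunnel',
}

# Server side: terminate TLS on 0.0.0.0:8443 and forward plaintext to a local
# service on 127.0.0.1:8080. A certificate chain plus key is mandatory in server
# mode. ca_file_path + verifyPeer turn on client-certificate authentication
# (mutual TLS); without them anything that can reach 8443 is let through.
stunnel::connection { 'app_tls_server':
  active          => true,
  enable          => true,
  client          => 'no',
  accept          => '0.0.0.0:8443',
  connect         => '127.0.0.1:8080',
  # whole chain, leaf first, ending with the self-signed root (PEM)
  cert_file_path  => '/etc/stunnel/certs/app.example.com.pem',
  # private key; must be readable only by the service user (chmod 600)
  key_file_path   => '/etc/stunnel/certs/app.example.com.key',
  # CA that signs the client certificates we are willing to accept
  ca_file_path    => '/etc/stunnel/certs/client-ca.pem',
  timeoutidle     => 300,
  service_options => {
    'verifyPeer'    => 'yes',      # client must present a cert chained to client-ca.pem
    'sslVersionMin' => 'TLSv1.2',  # refuse TLS 1.0/1.1 handshakes
  },
  log_file        => "${stunnel::log_dir}/app_tls_server.log",
  debug_level     => 5,
}

# Client side: local plaintext on 127.0.0.1:9000 is carried over TLS to
# app.example.com:8443. verifyChain checks the server chain against
# server-ca.pem and checkHost pins the expected name, which is what stops a
# MITM holding any other valid certificate.
stunnel::connection { 'app_tls_client':
  active          => true,
  enable          => true,
  client          => 'yes',
  accept          => '127.0.0.1:9000',
  connect         => 'app.example.com:8443',
  ca_file_path    => '/etc/stunnel/certs/server-ca.pem',
  # client certificate and key for the mutual-TLS server above
  cert_file_path  => '/etc/stunnel/certs/client.pem',
  key_file_path   => '/etc/stunnel/certs/client.key',
  service_options => {
    'verifyChain'   => 'yes',
    'checkHost'     => 'app.example.com',
    'sslVersionMin' => 'TLSv1.2',
  },
  # OpenSSL option names without the SSL_OP_ prefix; a leading dash disables one
  openssl_options => ['NO_COMPRESSION', '-LEGACY_SERVER_CONNECT'],
  log_file        => "${stunnel::log_dir}/app_tls_client.log",
}

# Retiring a tunnel: ensure => 'absent' removes its configuration and service.
stunnel::connection { 'old_tunnel':
  ensure => 'absent',
}
```

Two practical notes. First, because key_file_content is typed Optional[String] rather than Sensitive, any key passed through it is embedded in the compiled catalog and can surface in reports and logs; distributing the key file out of band and pointing key_file_path at it, as above, keeps it out of Puppet's data path. Second, checkHost takes a single name in this hash form, so if you list several connect targets for failover, the server certificate must cover that name for every target.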