From 25c31d0901f9274328c305de98a86c344cdbb907 Mon Sep 17 00:00:00 2001 From: Alex Garel Date: Wed, 14 Aug 2019 01:31:27 +0200 Subject: [PATCH 1/3] add psk auth --- defaults/main.yml | 2 ++ tasks/main.yml | 18 ++++++++++++++++-- tasks/psk.yml | 15 +++++++++++++++ templates/psk.txt.j2 | 5 +++++ templates/stunnel.conf.j2 | 12 ++++++++++-- 5 files changed, 48 insertions(+), 4 deletions(-) create mode 100644 tasks/psk.yml create mode 100644 templates/psk.txt.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 6255f91..6317190 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,6 @@ --- +stunnel_use_certificate: true +stunnel_use_psk: false stunnel_certificate_generation: False stunnel_certificate_duration: 365 stunnel_certificate_domain: www.domain.com diff --git a/tasks/main.yml b/tasks/main.yml index e6bd1d5..009f74a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,5 +1,11 @@ --- # tasks file for stunnel-role + +- name: sanity check that we use at least one of certificate or psk + fail: + msg: You should activate at least one of stunnel_use_certificate and stunnel_use_psk + when: not (stunnel_use_certificate or stunnel_use_psk) + - name: Install SSL backend package: name: openssl @@ -12,7 +18,11 @@ force: yes register: install_stunnel_4 -- include: certificate.yml +- include: certificate.yml + when: stunnel_use_certificate + +- include: psk.yml + when: stunnel_use_psk - name: Stunnel configuration template: @@ -33,4 +43,8 @@ name: stunnel4 state: restarted enabled: true - when: install_stunnel_4 is changed or enable_stunnel is changed or stunnel_configuration is changed + when: > + install_stunnel_4.changed or + enable_stunnel.changed or + stunnel_configuration.changed or + (stunnel_psk_file.changed|default(false)) diff --git a/tasks/psk.yml b/tasks/psk.yml new file mode 100644 index 0000000..c4faf44 --- /dev/null +++ b/tasks/psk.yml 
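Review bot: The two new defaults are spelled `true`/`false` while the neighbouring `stunnel_certificate_generation: False` keeps the capitalised form, so defaults/main.yml now mixes two boolean spellings. Both parse as booleans, so this is style only, but `stunnel_certificate_generation: false` would make the block consistent and is the form yamllint's truthy rule accepts.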
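Review bot: The new sanity check evaluates the two flags as bare variables, `when: not (stunnel_use_certificate or stunnel_use_psk)`, so a value supplied as a string (for example `-e stunnel_use_certificate=false` on the command line) is non-empty and therefore truthy, and the check passes even though both flags read as false. Patch 3/3 of this series adds `| bool` to the two include conditions further down tasks/main.yml but leaves this line as it is; it should get the same cast: `when: not (stunnel_use_certificate | bool or stunnel_use_psk | bool)`. The same consideration applies to `{% if stunnel_use_certificate %}` / `{% if stunnel_use_psk %}` in templates/stunnel.conf.j2, which render the flags without a cast.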
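Review bot: `include:` is the deprecated form (since Ansible 2.4) and this hunk adds a second instance of it; `import_tasks` is the static replacement and applies the `when` to every imported task, which is what a conditional static `include` did: `- import_tasks: certificate.yml` / `  when: stunnel_use_certificate`. Note that when the flag is false the whole psk.yml include is skipped, so `stunnel_psk_file`, which that file registers, stays undefined; the restart condition later in this file relies on `default(false)` to cope with that.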
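Review bot: The rewritten restart condition switches from the `is changed` test that the removed line used to the older attribute form (`install_stunnel_4.changed`), and it needs the `default(false)` only because `stunnel_psk_file` is never registered when the psk include is skipped. Keeping the test form reads the same for all four results: `install_stunnel_4 is changed or enable_stunnel is changed or stunnel_configuration is changed or (stunnel_psk_file | default({})) is changed` (an empty mapping is a valid argument for the test and evaluates false). The three other registered results are set earlier in tasks/main.yml, outside this hunk.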
@@ -0,0 +1,15 @@ +--- +# tasks to use psk +- name: sanity check for psk existence + fail: + msg: If you have stunnel_use_psk you should provide at least one key + when: not (stunnel_psks|default(false)) + +- name: Generate psk file + template: + src: psk.txt.j2 + owner: root + group: root + mode: u=rw,g=,o= + dest: /etc/stunnel/psk.txt + register: stunnel_psk_file diff --git a/templates/psk.txt.j2 b/templates/psk.txt.j2 new file mode 100644 index 0000000..4eb9ab0 --- /dev/null +++ b/templates/psk.txt.j2 @@ -0,0 +1,5 @@ +{% for psk in stunnel_psks %} +{{ psk.name }}:{{ psk.key }} +{% endfor %} + + diff --git a/templates/stunnel.conf.j2 b/templates/stunnel.conf.j2 index 62db1e3..1b210bb 100644 --- a/templates/stunnel.conf.j2 +++ b/templates/stunnel.conf.j2 @@ -1,9 +1,17 @@ pid=/var/run/stunnel.pid +output = /var/log/stunnel.log + +{% if stunnel_use_certificate %} cert=/etc/stunnel/stunnel.pem -output=/var/log/stunnel.log +{% endif %} {% for service in stunnel_services %} [{{service.name}}] accept = {{service.accept}} - connect= {{service.connect}} + connect = {{service.connect}} +{% if stunnel_use_psk %} + ciphers = PSK + PSKsecrets = /etc/stunnel/psk.txt +{% endif %} + {% endfor %} From ea0298898e7aa7075160aeda54b45e02b0e01911 Mon Sep 17 00:00:00 2001 From: Alex Garel Date: Wed, 14 Aug 2019 17:48:40 +0100 Subject: [PATCH 2/3] added documentation for psk auth --- README.md | 40 +++++++++++++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 50d9ad0..0ffea0f 100644 --- a/README.md +++ b/README.md 
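Review bot: The `Generate psk file` task renders every shared secret into `/etc/stunnel/psk.txt` without `no_log: true`, so a run with `--diff` or high verbosity prints the keys to the console and to whatever collects that output, and a failing run prints them in the error result; `no_log: true` on the task censors the result, diff included. The sanity check above only verifies that `stunnel_psks` is non-empty: an entry without `key` or `name` fails later with a Jinja undefined error inside the template, and a key that is too short is, if I remember the stunnel man page correctly, only rejected by stunnel itself at restart time, so a per-entry `assert` on both attributes being present would fail earlier and with a clearer message. The root-only `u=rw,g=,o=` mode is the right choice for this file.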
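Review bot: When both `stunnel_use_certificate` and `stunnel_use_psk` are true, the `{% if stunnel_use_psk %}` block emits `ciphers = PSK` into every service section, which limits the negotiable cipher suites to PSK ones, so the `cert=` configured at the top is effectively unused and a client that authenticates only with the certificate can no longer connect; the sanity check in tasks/main.yml requires at least one flag, so this combination is reachable. Either document that PSK takes precedence over the certificate, or make the choice per service, e.g. `{% if service.use_psk | default(stunnel_use_psk) %}`. As `cert=` before the first section already shows, service-level options placed in the global part act as defaults, so `ciphers`/`PSKsecrets` could also be hoisted above the loop instead of being repeated in each section.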
@@ -1,7 +1,7 @@ Stunnel ========= [![Galaxy](http://img.shields.io/badge/ansible--galaxy-stunnel-blue.svg)](https://galaxy.ansible.com/list#/roles/3502) -[![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org) +[![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org) Ansible role to install stunnel in order to achieve SSL Termination on Linux machines. @@ -13,6 +13,8 @@ Role Variables -------------- ``` +stunnel_use_cert (default True) : determines if we use certificates +stunnel_use_psk (default False) : determines if we use psk stunnel_certificate_generation (default False) : determines if this role has to generate a self signed certificate stunnel_certificate_duration: (optional, if stunnel_certificate_generation is True, default 365) : self signed certificate validity duration stunnel_certificate_domain: (optional, if stunnel_certificate_generation is True, default www.domain.com) : self signed certificate domain field @@ -22,12 +24,16 @@ stunnel_certificate_state_name: (optional, if stunnel_certificate_generation is stunnel_certificate_locality: (optional, if stunnel_certificate_generation is True, default locality) : self signed certificate locality field stunnel_certificate_file: certificate file to generate or use, depends on stunnel_certificate_generation value. Default is /tmp/certificate.pem stunnel_key_file: key file to generate or use, depends on stunnel_certificate_generation value. Default is /tmp/key.pem +stunnel_psks: a list of psk. This look like this: +- name: client1 + psk: AEO/WE+pBCn3+WBy3FJoyJF/HEBZqMym + stunnel_services: list of services. They look like this: - service: - name: https - accept: 443 - connect: 80 - + name: https + accept: 443 + connect: 80 + ``` Dependencies 
@@ -59,6 +65,30 @@ Example Playbook connect: 80 ``` +you may also use [PSK (Pre Shared Keys)](https://www.stunnel.org/auth.html) +which allow faster communication +at the cost of knowing clients in advance. + +``` +- hosts: all + + roles: + - role: stunnel-role + stunnel_use_cert: false + stunnel_use_psk: true + stunnel_psk: + - name: client1 + psk: ATJX7VOAMIF2nhaknNVmSqSQGrCvMyPt + - name: client2 + psk: enNezGQMkZmSyjTDjpndjrBEXhJ9ki3v + stunnel_services: + - service: + name: postfix + accept: 12221 + connect: 21 +``` + + License ------- From 973245bae438fd787ce509741732c0bb6ca11665 Mon Sep 17 00:00:00 2001 From: Mikael Gibert Date: Tue, 27 Aug 2019 15:34:42 +0200 Subject: [PATCH 3/3] Fix documentation and avoid evaluating bare variables --- README.md | 8 ++++---- defaults/main.yml | 7 ++----- tasks/main.yml | 4 ++-- templates/psk.txt.j2 | 2 -- 4 files changed, 8 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 0ffea0f..50a55d8 100644 --- a/README.md +++ b/README.md @@ -74,13 +74,13 @@ at the cost of knowing clients in advance. roles: - role: stunnel-role - stunnel_use_cert: false + stunnel_use_certificate: false stunnel_use_psk: true - stunnel_psk: + stunnel_psks: - name: client1 - psk: ATJX7VOAMIF2nhaknNVmSqSQGrCvMyPt + key: ATJX7VOAMIF2nhaknNVmSqSQGrCvMyPt - name: client2 - psk: enNezGQMkZmSyjTDjpndjrBEXhJ9ki3v + key: enNezGQMkZmSyjTDjpndjrBEXhJ9ki3v stunnel_services: - service: name: postfix diff --git a/defaults/main.yml b/defaults/main.yml index 6317190..92e96af 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -10,8 +10,5 @@ stunnel_certificate_state_name: state stunnel_certificate_locality: locality stunnel_certificate_file: /tmp/certificate.pem stunnel_key_file: /tmp/key.pem -stunnel_services: - - service: - name: https - accept: 443 - connect: 80 +stunnel_services: [] +stunnel_psks: [] diff --git a/tasks/main.yml b/tasks/main.yml index 009f74a..53565ab 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
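Review bot: Replacing the default `https` service with `stunnel_services: []` changes what a playbook that sets no variables gets: stunnel.conf is rendered with no `[service]` section at all, where before the role terminated TLS on 443 towards 80. Not shipping a live default service is a sensible choice for a role that manages secrets, but it is a breaking change for existing users and the README changes in this series do not state that the default is now empty; a `(default [])` note in the variables list and a sentence in the commit message would make it visible. `stunnel_psks: []` is consistent with the `not (stunnel_psks|default(false))` check in tasks/psk.yml, since an empty list is falsy there. Unrelated to this change but visible in the context lines: the default certificate and key paths are under `/tmp`, a world-writable directory, which is worth a follow-up for the generated-key case.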
@@ -19,10 +19,10 @@ register: install_stunnel_4 - include: certificate.yml - when: stunnel_use_certificate + when: stunnel_use_certificate | bool - include: psk.yml - when: stunnel_use_psk + when: stunnel_use_psk | bool - name: Stunnel configuration template: diff --git a/templates/psk.txt.j2 b/templates/psk.txt.j2 index 4eb9ab0..1e4300c 100644 --- a/templates/psk.txt.j2 +++ b/templates/psk.txt.j2 @@ -1,5 +1,3 @@ {% for psk in stunnel_psks %} {{ psk.name }}:{{ psk.key }} {% endfor %} - -