From ea0298898e7aa7075160aeda54b45e02b0e01911 Mon Sep 17 00:00:00 2001 From: Alex Garel Date: Wed, 14 Aug 2019 17:48:40 +0100 Subject: [PATCH] added documentation for psk auth --- README.md | 40 +++++++++++++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 50d9ad0..0ffea0f 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ Stunnel ========= [![Galaxy](http://img.shields.io/badge/ansible--galaxy-stunnel-blue.svg)](https://galaxy.ansible.com/list#/roles/3502) -[![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org) +[![License](http://img.shields.io/:license-mit-blue.svg)](http://doge.mit-license.org) Ansible role to install stunnel in order to achieve SSL Termination on Linux machines. @@ -13,6 +13,8 @@ Role Variables -------------- ``` +stunnel_use_cert (default True) : determines if we use certificates +stunnel_use_psk (default False) : determines if we use psk stunnel_certificate_generation (default False) : determines if this role has to generate a self signed certificate stunnel_certificate_duration: (optional, if stunnel_certificate_generation is True, default 365) : self signed certificate validity duration stunnel_certificate_domain: (optional, if stunnel_certificate_generation is True, default www.domain.com) : self signed certificate domain field 
@@ -22,12 +24,16 @@ stunnel_certificate_state_name: (optional, if stunnel_certificate_generation is stunnel_certificate_locality: (optional, if stunnel_certificate_generation is True, default locality) : self signed certificate locality field stunnel_certificate_file: certificate file to generate or use, depends on stunnel_certificate_generation value. Default is /tmp/certificate.pem stunnel_key_file: key file to generate or use, depends on stunnel_certificate_generation value. Default is /tmp/key.pem +stunnel_psks: a list of psk. This look like this: +- name: client1 + psk: AEO/WE+pBCn3+WBy3FJoyJF/HEBZqMym + stunnel_services: list of services. They look like this: - service: - name: https - accept: 443 - connect: 80 - + name: https + accept: 443 + connect: 80 + ``` Dependencies @@ -59,6 +65,30 @@ Example Playbook connect: 80 ``` +you may also use [PSK (Pre Shared Keys)](https://www.stunnel.org/auth.html) +which allow faster communication +at the cost of knowing clients in advance. + +``` +- hosts: all + + roles: + - role: stunnel-role + stunnel_use_cert: false + stunnel_use_psk: true + stunnel_psk: + - name: client1 + psk: ATJX7VOAMIF2nhaknNVmSqSQGrCvMyPt + - name: client2 + psk: enNezGQMkZmSyjTDjpndjrBEXhJ9ki3v + stunnel_services: + - service: + name: postfix + accept: 12221 + connect: 21 +``` + + License -------
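Review bot: the first hunk (`@@ -1,7 +1,7 @@`) changes the License badge line to something that is visibly identical, so this is a whitespace-only edit (most likely trailing whitespace) unrelated to the PSK documentation the commit message describes; drop it from this commit or move it to a separate cleanup commit so it does not muddy `git blame` for that line.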
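Review bot: in the Role Variables hunk (`@@ -13,6 +13,8 @@`) the two new switches `stunnel_use_cert (default True)` and `stunnel_use_psk (default False)` are documented independently, but nothing says how they combine: whether both can be True at once, what the role does when both are False, and whether enabling PSK requires `stunnel_use_cert: false` as the playbook example later in the patch implies. Add one sentence after these two lines stating the supported combinations, e.g. "set exactly one of `stunnel_use_cert` / `stunnel_use_psk`; with `stunnel_use_psk: true` you must also provide `stunnel_psks`". Spelling out "psk" as "pre-shared keys (PSK)" on first use would also help readers who land here before the Example Playbook section.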
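Review bot: in the `@@ -22,12 +24,16 @@` hunk the sample value `psk: AEO/WE+pBCn3+WBy3FJoyJF/HEBZqMym` is not marked as a placeholder; a copy-paste reader could ship it verbatim, and a shared key that appears in a public README gives no authentication at all. Label the value as an example to be replaced, state that each client needs its own randomly generated key, and suggest how to generate one (for instance `openssl rand -base64 24`, which yields a 32-character string like the ones shown). The same hunk also re-indents the `stunnel_services` example (dropping the `- ` before `name:`), which is a correct YAML fix but is unrelated to PSK; mention it in the commit message so it is not mistaken for an accidental change.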
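Review bot: the Example Playbook hunk (`@@ -59,6 +65,30 @@`) sets `stunnel_psk:` while the Role Variables section added in this same patch documents the variable as `stunnel_psks:`; one of the two is wrong and a user following the example will get a role that silently ignores the keys, so make the names match. Two smaller points in the same hunk: the service named `postfix` uses `connect: 21`, which is the FTP port, whereas Postfix is an SMTP server (25 or 587), so either rename the service or fix the port; and the lead-in sentence "which allow faster communication at the cost of knowing clients in advance" should also say that the keys have to be distributed to each client out of band and kept secret on both ends, since that, not just knowing the client list, is the operational cost of PSK. The two blank lines left before `License` can be collapsed to one.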