This is a refreshed fork of migibert/stunnel-role. Thank you very much for your prework!

Ansible role to install stunnel in order to achieve SSL/TLS termination on Linux machines.

Install it with:

```shell
ansible-galaxy install cadirol.stunnel
```
- stunnel_install_ssl_backend (optional, default False): determines whether this role installs OpenSSL.
- stunnel_use_certificate (default True): determines whether certificates are used.
- stunnel_use_psk (default False): determines whether pre-shared keys (PSKs) are used.
- stunnel_certificate_generation (default False): determines whether this role generates a self-signed certificate.
- stunnel_certificate_duration (optional, if stunnel_certificate_generation is True, default 365): validity of the self-signed certificate, in days.
- stunnel_certificate_domain (optional, if stunnel_certificate_generation is True, default www.domain.com): domain field of the self-signed certificate.
- stunnel_certificate_country (optional, if stunnel_certificate_generation is True, default CH): country field of the self-signed certificate.
- stunnel_certificate_organization (optional, if stunnel_certificate_generation is True, default organization): organization field of the self-signed certificate.
- stunnel_certificate_state_name (optional, if stunnel_certificate_generation is True, default country): state field of the self-signed certificate.
- stunnel_certificate_locality (optional, if stunnel_certificate_generation is True, default state): locality field of the self-signed certificate.
- stunnel_certificate_file: certificate file to generate or to use, depending on the value of stunnel_certificate_generation. Default is /tmp/certificate.pem.
- stunnel_key_file: key file to generate or to use, depending on the value of stunnel_certificate_generation. Default is /tmp/key.pem.

  Note that both defaults point into /tmp, a shared directory that is world-writable and that many systems clean at boot. For anything beyond a quick test, set these to a dedicated location (for example under /etc/stunnel/) with permissions that let only the stunnel user read the private key.

- stunnel_psks: a list of PSKs. Each entry looks like this (the example playbook below spells the secret field key: instead of psk:):

  ```yaml
  - name: client1
    psk: AEO/WE+pBCn3+WBy3FJoyJF/HEBZqMym
  ```

- stunnel_certificate_pem_file: certificate PEM file.
- stunnel_services: list of services. Each entry looks like this:

  ```yaml
  - name: https
    accept: 443
    connect: 80
  ```

  Each service accepts the following parameters:

  - accept (required): address:port to listen on.
  - connect (required): address:port to connect to.
  - client (optional, default False): enables client mode.
  - use_psk (optional, defaults to the global stunnel_use_psk): enables PSK usage for this specific service.
  - PSKidentity (optional, depends on use_psk): PSK identity for this specific service. This identity must be one of the names configured in PSKsecrets, i.e. one of the entries of stunnel_psks.
This role has no dependencies.
```yaml
- hosts: all
  roles:
    - role: stunnel-role
      stunnel_certificate_generation: True
      stunnel_certificate_duration: 365
      stunnel_certificate_domain: www.domain.com
      stunnel_certificate_country: CH
      stunnel_certificate_organization: organization
      stunnel_certificate_state_name: country
      stunnel_certificate_locality: state
      stunnel_certificate_file: /tmp/stunnel.pem
      stunnel_key_file: /tmp/key.pem
      stunnel_services:
        - name: https
          accept: 443
          connect: 80
```
You may also use PSK (pre-shared keys), which allows faster connection setup at the cost of having to know every client in advance and distribute a key to it. The keys are secrets: keep them out of plain-text playbooks checked into version control (for example by storing stunnel_psks in a file encrypted with ansible-vault), and make sure each client only receives its own key.
```yaml
- hosts: all
  roles:
    - role: stunnel-role
      stunnel_use_certificate: false
      stunnel_use_psk: true
      stunnel_psks:
        - name: client1
          key: ATJX7VOAMIF2nhaknNVmSqSQGrCvMyPt
        - name: client2
          key: enNezGQMkZmSyjTDjpndjrBEXhJ9ki3v
      stunnel_services:
        - name: postfix
          accept: 12221
          connect: 21
        - name: mysql
          accept: 3307
          connect: 3306
          use_psk: yes
          client: yes
          PSKidentity: client2
```
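To make the relationship between the service parameters (accept, connect, client, use_psk, PSKidentity) and the stunnel_psks list concrete, here is an added example, written for this page and not part of the cadirol.stunnel role or of stunnel itself. It takes the variables of the PSK playbook above as constructed sample data, checks them for the inconsistencies the parameter descriptions imply (a PSKidentity that is not in stunnel_psks, a client-mode PSK service without an identity, a missing accept or connect), renders the stunnel.conf sections and the PSKsecrets file in stunnel's own formats, and writes the secrets file with mode 0600 from the moment it is created. The 16-byte minimum key length is stunnel's documented limit and is kept as a constant in case your build differs; the paths under /etc/stunnel/ are placeholders.

```python
"""Added example (not the role's code): validate and render the stunnel
variables described in the README.  Assumptions are marked inline."""
import os
import secrets
import tempfile

# stunnel's documented minimum PSK length; assumption that your build matches.
MIN_PSK_LEN = 16

# Constructed sample data, copied from the PSK playbook above.
PSKS = [
    {"name": "client1", "key": "ATJX7VOAMIF2nhaknNVmSqSQGrCvMyPt"},
    {"name": "client2", "key": "enNezGQMkZmSyjTDjpndjrBEXhJ9ki3v"},
]
SERVICES = [
    {"name": "postfix", "accept": 12221, "connect": 21},
    {"name": "mysql", "accept": 3307, "connect": 3306,
     "use_psk": True, "client": True, "PSKidentity": "client2"},
]


def psk_key(entry):
    """The README spells the secret both 'psk:' and 'key:'; accept either."""
    return entry.get("key", entry.get("psk", ""))


def validate(services, psks, default_use_psk=False):
    """Return a list of problems; an empty list means the variables are consistent."""
    problems = []
    identities = {p["name"] for p in psks}
    for p in psks:
        if len(psk_key(p)) < MIN_PSK_LEN:
            problems.append(f"psk {p['name']}: key shorter than {MIN_PSK_LEN} bytes")
    for svc in services:
        name = svc.get("name", "<unnamed>")
        for required in ("accept", "connect"):
            if required not in svc:
                problems.append(f"{name}: '{required}' is required")
        use_psk = svc.get("use_psk", default_use_psk)
        identity = svc.get("PSKidentity")
        if use_psk and svc.get("client", False) and identity is None:
            problems.append(f"{name}: client-mode PSK service needs PSKidentity")
        if identity is not None and identity not in identities:
            problems.append(f"{name}: PSKidentity '{identity}' is not in stunnel_psks")
        if identity is not None and not use_psk:
            problems.append(f"{name}: PSKidentity set but use_psk is off")
    return problems


def render_conf(services, psk_file, cert_file, key_file, default_use_psk=False):
    """Build stunnel.conf service sections in stunnel's [name] / key = value syntax."""
    out = []
    for svc in services:
        out.append(f"[{svc['name']}]")
        out.append(f"accept = {svc['accept']}")
        out.append(f"connect = {svc['connect']}")
        if svc.get("client", False):
            out.append("client = yes")
        if svc.get("use_psk", default_use_psk):
            out.append(f"PSKsecrets = {psk_file}")
            if "PSKidentity" in svc:
                out.append(f"PSKidentity = {svc['PSKidentity']}")
        elif not svc.get("client", False):
            # Certificate mode, server side: present cert and key.  A client in
            # certificate mode would need CAfile/verify options the role's
            # variables do not cover, so nothing is emitted for it here.
            out.append(f"cert = {cert_file}")
            out.append(f"key = {key_file}")
        out.append("")
    return "\n".join(out)


def render_psksecrets(psks):
    """PSKsecrets file format: one 'identity:key' per line."""
    return "".join(f"{p['name']}:{psk_key(p)}\n" for p in psks)


def write_psksecrets(psks, path):
    """Create the secrets file with mode 0600 atomically; no chmod after the fact."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_psksecrets(psks))
    return os.stat(path).st_mode & 0o777


def new_psk():
    """Fresh 32-character key (24 random bytes), same shape as the example keys."""
    return secrets.token_urlsafe(24)


def demo(directory=None):
    """Write stunnel.conf and psk.txt into a directory; return the secrets file mode."""
    directory = directory or tempfile.mkdtemp()
    psk_file = os.path.join(directory, "psk.txt")
    mode = write_psksecrets(PSKS, psk_file)
    conf = render_conf(SERVICES, psk_file, "/etc/stunnel/stunnel.pem",
                       "/etc/stunnel/key.pem", default_use_psk=True)
    with open(os.path.join(directory, "stunnel.conf"), "w") as fh:
        fh.write(conf)
    return mode


if __name__ == "__main__":
    print("\n".join(validate(SERVICES, PSKS, default_use_psk=True)) or "variables OK")
    print(oct(demo()), new_psk())
```

Run it once against your own stunnel_services and stunnel_psks before deploying; a PSKidentity that names a key missing from stunnel_psks is exactly the kind of mistake that only surfaces as a failed handshake on the client. A 32-character base64 string like the keys in the example is what `openssl rand -base64 24` produces, and `new_psk()` generates the same amount of entropy from Python's `secrets` module.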
MIT. Thankfully forked from Mikaël Gibert, Developer / DevOps.
Adrian Kägi, Net-Ops