Adding SSL support to eole-redis.
Ubuntu does not build Redis with SSL support, so we use stunnel to fill the gap. Here we add full EOLE integration for stunnel plus the Redis-specific pieces. Later we may want a dedicated eole-stunnel package. ref #30338
This commit is contained in:
parent
84320f3366
commit
4365b7974a
30
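--- a/diagnose/70_redis
+++ b/diagnose/70_redis
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+if [ $(CreoleGet activer_redis) = "oui" ];then
+. /usr/lib/eole/diagnose.sh
+
+EchoGras "*** Service Redis"
+nbIface=$(CreoleGet nombre_interfaces)
+ssl=$(CreoleGet redisSSL non)
+if [ ${nbIface} -eq 1 ]
+then
+TestService "Redis master iface 0" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisPort")
+if [ ${ssl} = "oui" ]
+then
+TestService "Redis master SSL iface 0" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisSSLPort")
+fi
+echo
+else
+for iface in $(seq 0 ${nbIface})
+do
+TestService "Redis master iface ${iface}" $(CreoleGet "adresse_ip_eth${iface}"):$(CreoleGet "redisPort")
+if [ ${ssl} = "oui" ]
+then
+TestService "Redis master SSL iface ${iface}" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisSSLPort")
+fi
+echo
+done
+fi
+fi
+
+exit 0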
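Review bot: The SSL probe inside the multi-interface loop, `TestService "Redis master SSL iface ${iface}" $(CreoleGet "adresse_ip_eth0"):$(CreoleGet "redisSSLPort")`, resolves `adresse_ip_eth0` on every iteration, so on a multi-NIC server the TLS listener is never actually checked on interfaces 1..n and a missing stunnel binding there goes unnoticed; it should read `$(CreoleGet "adresse_ip_eth${iface}"):$(CreoleGet "redisSSLPort")` like the plaintext probe two lines above. The loop bound also looks off by one: interfaces are 0-indexed (the single-interface branch uses eth0) yet `seq 0 ${nbIface}` yields nbIface+1 values, so `adresse_ip_eth${nbIface}` is queried for an interface that presumably does not exist — `for iface in $(seq 0 $((nbIface - 1)))` would match the single-interface case. The `[ ${ssl} = "oui" ]` and `[ ${nbIface} -eq 1 ]` tests use unquoted expansions; `[ "${ssl}" = "oui" ]` keeps the test well-formed if CreoleGet ever returns an empty value.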
23
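--- a/diagnose/70_stunnel
+++ b/diagnose/70_stunnel
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+if [ $(CreoleGet activer_stunnel) = "oui" ];then
+if [ $(CreoleGet stunnel_add_tunnels non ) = "oui" ];then
+. /usr/lib/eole/diagnose.sh
+
+EchoGras "*** Service Stunnel"
+name=($(CreoleGet stunnel_name))
+acc_ip=($(CreoleGet stunnel_accept_ip))
+acc_port=($(CreoleGet stunnel_accept_port))
+conn_ip=($(CreoleGet stunnel_connect_ip))
+conn_port=($(CreoleGet stunnel_connect_port))
+
+len=${#name[@]}
+for (( i=0; i<$len; i++ ))
+do
+TestService "Tunnel ${name[$i]}: ${acc_ip}:${acc_port} => ${conn_ip}:${conn_port}" ${acc_ip}:${acc_port}
+done
+echo
+fi
+fi
+
+exit 0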
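Review bot: The probe `TestService "Tunnel ${name[$i]}: ${acc_ip}:${acc_port} => ${conn_ip}:${conn_port}" ${acc_ip}:${acc_port}` only indexes `name`; the four endpoint arrays are expanded bare, which in bash yields element 0, so every tunnel after the first is labelled and tested with the first tunnel's accept/connect endpoints. Index all of them: `TestService "Tunnel ${name[$i]}: ${acc_ip[$i]}:${acc_port[$i]} => ${conn_ip[$i]}:${conn_port[$i]}" "${acc_ip[$i]}:${acc_port[$i]}"`. `stunnel.conf` in this commit allows an empty accept IP (the tunnel then listens on all addresses), in which case `${acc_ip[$i]}` is empty and the probe target degenerates to `:port`, so a local-address fallback is presumably needed for that case. Building the arrays with `name=($(CreoleGet stunnel_name))` also word-splits on whitespace, so a tunnel name containing a space shifts every index; `mapfile -t name < <(CreoleGet stunnel_name)` keeps one entry per line if CreoleGet prints multi-valued variables one per line — to confirm.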
@ -6,10 +6,12 @@
|
||||
<file filelist='redis' name='/etc/redis/redis.conf' mkdir='True' rm='True'/>
|
||||
<file filelist='redisSlave' name='/etc/redis/redis-slave.conf' mkdir='True' rm='True'/>
|
||||
<file filelist='redisCl' name='/etc/redis/cluster.conf' source='redis-cluster.conf' mkdir='True' rm='True'/>
|
||||
<file filelist='redisSSL' name='/etc/stunnel/redis-ssl.conf' mkdir='True' rm='True'/>
|
||||
<service servicelist="svredis">redis-server</service>
|
||||
<service servicelist="svredisSlave">redis2-server</service>
|
||||
<service_access service='redis-server'>
|
||||
<port service_accesslist='saRedis' protocol='tcp' port_type='SymLinkOption'>redisPort</port>
|
||||
<port service_accesslist='saSSLRedis' protocol='tcp' port_type='SymLinkOption'>redisSSLPort</port>
|
||||
<port service_accesslist='saRedis' protocol='tcp' port_type='SymLinkOption'>redisClPort</port>
|
||||
<port service_accesslist='saRedisSlave' protocol='tcp' port_type='SymLinkOption'>redisPortSlave</port>
|
||||
<port service_accesslist='saRedisSlave' protocol='tcp' port_type='SymLinkOption'>redisClPortSlave</port>
|
||||
@ -29,6 +31,9 @@
|
||||
<variable name='redisMode' type='string' description="Mode d'utilisation de Redis">
|
||||
<value>Local</value>
|
||||
</variable>
|
||||
<variable name='redisSSL' type='oui/non' description="Activer le support SSL pour redis">
|
||||
<value>non</value>
|
||||
</variable>
|
||||
<variable name='redisSlaveInstance' type='oui/non' description="Voulez-vous lancer une instance esclave Redis sur ce serveur ?">
|
||||
<value>non</value>
|
||||
</variable>
|
||||
@ -38,6 +43,12 @@
|
||||
<variable name='redisPort' type='number' description="Port d'écoute du service Redis">
|
||||
<value>6379</value>
|
||||
</variable>
|
||||
<variable name='redisSSLPort' type='port' description="Port d'écoute SSL du service Redis">
|
||||
<value>6380</value>
|
||||
</variable>
|
||||
<variable name='redisSSLVersion' type='string' description="Version du protocole SSL">
|
||||
<value>TLSv1</value>
|
||||
</variable>
|
||||
<variable name='redisClPort' type='number' description="Port d'écoute du service Cluster Redis"/>
|
||||
<variable name='redisMaxMemory' type='number' description="Quantité de mémoire utilisable par Redis en Mo">
|
||||
<value>512</value>
|
||||
@ -127,6 +138,12 @@
|
||||
<target type='servicelist'>svredis</target>
|
||||
</condition>
|
||||
|
||||
<condition name='disabled_if_in' source="redisSSL">
|
||||
<param>non</param>
|
||||
<target type='variable'>redisSSLPort</target>
|
||||
<target type='service_accesslist'>saSSLRedis</target>
|
||||
</condition>
|
||||
|
||||
<condition name='disabled_if_in' source='redisSlaveInstance'>
|
||||
<param>non</param>
|
||||
<target type='filelist'>redisSlave</target>
|
||||
|
62
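--- a/dicos/90_stunnel.xml
+++ b/dicos/90_stunnel.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<creole>
+<files>
+<!-- System configuration -->
+<file filelist='stunnel' name='/etc/default/stunnel4' source='stunnel_default' mkdir='True' rm='True'/>
+<file filelist='stunnel-custom' name='/etc/stunnel/eole-tunnel.conf' source='stunnel.conf' mkdir='True' rm='True'/>
+<file filelist='stunnel-custom' name='/usr/share/eole/bastion/data/90-stunnel_dynamic_rules' mode='0755' rm='True'/>
+<service servicelist="stunnel">stunnel4</service>
+</files>
+<variables>
+<family name='Services'>
+<variable name='activer_stunnel' type='oui/non' description="Activer Stunnel (serveur mandataire SSL) ?">
+<value>oui</value>
+</variable>
+</family>
+<family name="stunnel" mode='expert'>
+<variable name='stunnel_opts' type='string' description="Options complémentaires pour Stunnel"/>
+<variable name='stunnel_add_tunnels' type='oui/non' description="Ajouter de entrées stunnel personnalisée">
+<value>non</value>
+</variable>
+<variable name="stunnel_name" type='string' description="Nom du tunnel SSL" multi="True"/>
+<variable name="stunnel_accept_ip" type='ip' description="IP d'écoute du tunnel"/>
+<variable name="stunnel_accept_port" type="port" description=" Port d'écoute du tunnel"/>
+<variable name="stunnel_connect_ip" type="ip" description="IP du service à la sortie du tunnel"/>
+<variable name="stunnel_connect_port" type="port" description="Port d'écoute du service à la sortie du tunnel"/>
+<variable name="stunnel_ssl_version" type="string" description="Version SSL">
+<value>TLSv1</value>
+</variable>
+</family>
+</variables>
+<constraints>
+<condition name='disabled_if_in' source='activer_stunnel'>
+<param>non</param>
+<target type='filelist'>stunnel-custom</target>
+<target type='filelist'>stunnel</target>
+<target type='family'>stunnel</target>
+<target type='servicelist'>stunnel</target>
+<target type='service_accesslist'>saStunnel</target>
+</condition>
+<condition name='disabled_if_in' source='stunnel_add_tunnels'>
+<param>non</param>
+<target type='filelist'>stunnel-custom</target>
+<target type='variable'>stunnel_name</target>
+<target type='variable'>stunnel_accept_ip</target>
+<target type='variable'>stunnel_accept_port</target>
+<target type='variable'>stunnel_connect_ip</target>
+<target type='variable'>stunnel_connect_port</target>
+<target type='variable'>stunnel_ssl_version</target>
+</condition>
+<group master='stunnel_name'>
+<slave>stunnel_accept_ip</slave>
+<slave>stunnel_accept_port</slave>
+<slave>stunnel_connect_ip</slave>
+<slave>stunnel_connect_port</slave>
+<slave>stunnel_ssl_version</slave>
+</group>
+
+</constraints>
+<help>
+<variable name='activer_stunnel'>Activer le service mandataire SSL (stunnel)</variable>
+</help>
+</creole>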
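Review bot: The default `<value>TLSv1</value>` for `stunnel_ssl_version` is fed verbatim into stunnel's `sslVersion` option by `tmpl/stunnel.conf`, and as far as stunnel's semantics go that option selects a single protocol version rather than a minimum, so every tunnel created from this dictionary is pinned to TLS 1.0 unless an expert-mode user changes it; TLS 1.0 is deprecated, and `<value>TLSv1.2</value>` (leaving `TLSv1`/`TLSv1.1` selectable for legacy peers) would be the safer baseline. The `disabled_if_in` block on `activer_stunnel` targets `<target type='service_accesslist'>saStunnel</target>`, but no `<service_access>` declaring `saStunnel` appears in this file; unless it is defined in another dictionary this is a dangling reference, and the actual firewall opening is done by the raw iptables rules in `90-stunnel_dynamic_rules`, outside the service_access model the redis dictionary uses — worth a comment next to the target saying which it is. `activer_stunnel` also defaults to `oui`, so stunnel4 is enabled on every server even when `stunnel_add_tunnels` and `redisSSL` are both `non`; defaulting it to `non` and having the redis dictionary require it when `redisSSL` is `oui` would keep the exposed surface minimal, if the EOLE constraint model allows that.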
7
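--- a/tmpl/90-stunnel_dynamic_rules
+++ b/tmpl/90-stunnel_dynamic_rules
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+%for %%tunnel in %%stunnel_name
+%for %%int_idx in %%range(0, %%int(%%nombre_interfaces))
+/sbin/iptables -A eth%%{int_idx}-root -s 0.0.0.0/0.0.0.0 -p tcp -m tcp --dport %%tunnel.stunnel_accept_port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
+%end for
+%end for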
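Review bot: The generated rule `/sbin/iptables -A eth%%{int_idx}-root -s 0.0.0.0/0.0.0.0 ... --dport %%tunnel.stunnel_accept_port ... -j ACCEPT` is emitted for every interface chain and every source, and it ignores `stunnel_accept_ip`: a tunnel deliberately bound to one internal address still has its port opened on all `ethN-root` chains, including an external-facing one on a bastion. When the accept IP is set the rule should at least carry `-d %%tunnel.stunnel_accept_ip` so the hole matches the listener, and limiting the rule to the interface owning that address would be tighter still. Since nothing restricts the source, the only thing standing between the network and the forwarded service is the `verify = 2` client-certificate check in `stunnel.conf`; a template comment such as `# no source restriction: tunnel clients are authenticated by stunnel's client-cert verification` would make that dependency explicit for whoever later relaxes `verify`.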
12
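--- a/tmpl/redis-ssl.conf
+++ b/tmpl/redis-ssl.conf
@@ -0,0 +1,12 @@
+pid = /var/run/redis-stunnel.pid
+
+%if %%redisMode == "Local"
+[redis-local]
+cert = %%server_cert
+key = %%server_key
+CApath = %%os.path.dirname(%%server_cert)
+verify = 2
+SSLversion=%%redisSSLVersion
+accept = %%redisSSLPort
+connect = %%redisPort
+%end if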
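Review bot: `accept = %%redisSSLPort` carries no bind address, so the TLS listener is on every interface, while `connect = %%redisPort` forwards to the plaintext port that — judging by `diagnose/70_redis`, which probes `redisPort` on each interface address — stays reachable in clear; enabling `redisSSL` therefore adds an encrypted path without removing the unencrypted one unless redis itself is bound to loopback or `redisPort` is filtered. A comment at the top of the template, e.g. `# TLS front-end only: bind redis to 127.0.0.1 (or filter redisPort) or clients can still connect unencrypted`, would prevent a false sense of security. The file is also rendered whenever `redisSSL` is `oui` but only gets a service section in `Local` mode, so for other `redisMode` values stunnel is handed a file containing just the `pid` line, which it presumably cannot run; either an `%else` branch with a comment or not generating the file in those modes seems preferable. Note too that the stunnel4 service is gated by `activer_stunnel` in a different dictionary, so `redisSSL = oui` with `activer_stunnel = non` silently produces no listener.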
19
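--- a/tmpl/stunnel.conf
+++ b/tmpl/stunnel.conf
@@ -0,0 +1,19 @@
+pid = /var/run/stunnel.pid
+%for %%tunnel in %%stunnel_name
+[%%tunnel]
+cert = %%server_cert
+key = %%server_key
+CApath = %%os.path.dirname(%%server_cert)
+verify = 2
+SSLversion=%%tunnel.stunnel_ssl_version
+%if %%is_empty(%%tunnel.stunnel_accept_ip)
+accept = %%tunnel.stunnel_accept_port
+%else
+accept = %%{tunnel.stunnel_accept_ip}:%%{tunnel.stunnel_accept_port}
+%end if
+%if %%is_empty(%%tunnel.stunnel_connect_ip)
+connect = %%tunnel.stunnel_connect_port
+%else
+connect = %%{tunnel.stunnel_connect_ip}:%%{tunnel.stunnel_connect_port}
+%end if
+%end for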
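Review bot: `verify = 2` combined with `CApath = %%os.path.dirname(%%server_cert)` makes every tunnel demand a client certificate chaining to whatever CA certificates happen to live in the server certificate's directory, and stunnel's `CApath` expects an OpenSSL hashed directory (c_rehash-style symlinks), not merely a folder holding PEM files; if that directory is not hashed every client is rejected, and if it is, any certificate issued by any CA present there is accepted, with no `checkHost`/`checkIP` tying a peer to an identity. A comment such as `# verify = 2: peers must present a cert signed by a CA in CApath (must be a hashed dir); add CAfile/checkHost when a tunnel crosses a trust boundary` would record that assumption, and an explicit `CAfile` pointing at the EOLE CA would be less dependent on directory layout — to confirm against what EOLE actually ships next to `server_cert`. An empty `stunnel_accept_ip` yields `accept = port`, which listens on all addresses; that is a reasonable default but should be stated in the variable's description so the firewall rule generated for it is not a surprise.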
18
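--- a/tmpl/stunnel_default
+++ b/tmpl/stunnel_default
@@ -0,0 +1,18 @@
+# /etc/default/stunnel
+# Julien LEMOINE <speedblue@debian.org>
+# September 2003
+
+# Change to one to enable stunnel automatic startup
+ENABLED=1
+FILES="/etc/stunnel/*.conf"
+OPTIONS="%%stunnel_opts"
+
+# Change to one to enable ppp restart scripts
+PPP_RESTART=0
+
+# Change to enable the setting of limits on the stunnel instances
+# For example, to set a large limit on file descriptors (to enable
+# more simultaneous client connections), set RLIMITS="-n 4096"
+# More than one resource limit may be modified at the same time,
+# e.g. RLIMITS="-n 4096 -d unlimited"
+RLIMITS=""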
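Review bot: `OPTIONS="%%stunnel_opts"` interpolates a free-form expert-mode string into a file that the stunnel4 init script presumably sources as shell, so a value containing `"`, `$(...)` or a backtick would break out of the quotes and execute as root at service start. Because `stunnel_opts` is administrator-supplied this is a hardening point rather than an exploit, but a comment such as `# stunnel_opts is sourced as shell by the stunnel4 init script -- plain stunnel flags only, no quotes or $()` makes the trust assumption visible, and rejecting shell metacharacters in the dictionary (or using a restricted variable type) would close it. The Debian authorship header (`# Julien LEMOINE <speedblue@debian.org>` / `# September 2003`) is no longer accurate for a generated template and could be replaced by a note that the file is managed by EOLE and local edits will be overwritten.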