Cadoles/eole-redis
11
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

Adding SSL support to eole-redis.

Browse Source 
Ubuntu don't build redis with SSL support so we
use Stunnel to fill the gap.

Here we add Stunnel full EOLE integration and Redis specifics.

Maybe later we will want to have a specific package for eole-stunnel.

ref #30338
This commit is contained in:
Philippe Caseiro
2020-06-17 16:12:58 +02:00
parent 84320f3366
commit 4365b7974a
8 changed files with 188 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
dicos/90_redis.xml
View File

@ -6,10 +6,12 @@
<file filelist='redis' name='/etc/redis/redis.conf' mkdir='True' rm='True'/>
<file filelist='redisSlave' name='/etc/redis/redis-slave.conf' mkdir='True' rm='True'/>
<file filelist='redisCl' name='/etc/redis/cluster.conf' source='redis-cluster.conf' mkdir='True' rm='True'/>
<file filelist='redisSSL' name='/etc/stunnel/redis-ssl.conf' mkdir='True' rm='True'/>
<service servicelist="svredis">redis-server</service>
<service servicelist="svredisSlave">redis2-server</service>
<service_access service='redis-server'>
<port service_accesslist='saRedis' protocol='tcp' port_type='SymLinkOption'>redisPort</port>
<port service_accesslist='saSSLRedis' protocol='tcp' port_type='SymLinkOption'>redisSSLPort</port>
<port service_accesslist='saRedis' protocol='tcp' port_type='SymLinkOption'>redisClPort</port>
<port service_accesslist='saRedisSlave' protocol='tcp' port_type='SymLinkOption'>redisPortSlave</port>
<port service_accesslist='saRedisSlave' protocol='tcp' port_type='SymLinkOption'>redisClPortSlave</port>
@ -29,6 +31,9 @@
<variable name='redisMode' type='string' description="Mode d'utilisation de Redis">
<value>Local</value>
</variable>
<variable name='redisSSL' type='oui/non' description="Activer le support SSL pour redis">
<value>non</value>
</variable>
<variable name='redisSlaveInstance' type='oui/non' description="Voulez-vous lancer une instance esclave Redis sur ce serveur ?">
<value>non</value>
</variable>
@ -38,6 +43,12 @@
<variable name='redisPort' type='number' description="Port d'écoute du service Redis">
<value>6379</value>
</variable>
<variable name='redisSSLPort' type='port' description="Port d'écoute SSL du service Redis">
<value>6380</value>
</variable>
<variable name='redisSSLVersion' type='string' description="Version du protocole SSL">
<value>TLSv1</value>
</variable>
<variable name='redisClPort' type='number' description="Port d'écoute du service Cluster Redis"/>
<variable name='redisMaxMemory' type='number' description="Quantité de mémoire utilisable par Redis en Mo">
<value>512</value>
@ -127,6 +138,12 @@
<target type='servicelist'>svredis</target>
</condition>
<condition name='disabled_if_in' source="redisSSL">
<param>non</param>
<target type='variable'>redisSSLPort</target>
<target type='service_accesslist'>saSSLRedis</target>
</condition>
<condition name='disabled_if_in' source='redisSlaveInstance'>
<param>non</param>
<target type='filelist'>redisSlave</target>

62
dicos/90_stunnel.xml Normal file
View File

@ -0,0 +1,62 @@
<?xml version="1.0" encoding="utf-8"?>
<creole>
<files>
<!-- System configuration -->
<file filelist='stunnel' name='/etc/default/stunnel4' source='stunnel_default' mkdir='True' rm='True'/>
<file filelist='stunnel-custom' name='/etc/stunnel/eole-tunnel.conf' source='stunnel.conf' mkdir='True' rm='True'/>
<file filelist='stunnel-custom' name='/usr/share/eole/bastion/data/90-stunnel_dynamic_rules' mode='0755' rm='True'/>
<service servicelist="stunnel">stunnel4</service>
</files>
<variables>
<family name='Services'>
<variable name='activer_stunnel' type='oui/non' description="Activer Stunnel (serveur mandataire SSL) ?">
<value>oui</value>
</variable>
</family>
<family name="stunnel" mode='expert'>
<variable name='stunnel_opts' type='string' description="Options complémentaires pour Stunnel"/>
<variable name='stunnel_add_tunnels' type='oui/non' description="Ajouter de entrées stunnel personnalisée">
<value>non</value>
</variable>
<variable name="stunnel_name" type='string' description="Nom du tunnel SSL" multi="True"/>
<variable name="stunnel_accept_ip" type='ip' description="IP d'écoute du tunnel"/>
<variable name="stunnel_accept_port" type="port" description=" Port d'écoute du tunnel"/>
<variable name="stunnel_connect_ip" type="ip" description="IP du service à la sortie du tunnel"/>
<variable name="stunnel_connect_port" type="port" description="Port d'écoute du service à la sortie du tunnel"/>
<variable name="stunnel_ssl_version" type="string" description="Version SSL">
<value>TLSv1</value>
</variable>
</family>
</variables>
<constraints>
<condition name='disabled_if_in' source='activer_stunnel'>
<param>non</param>
<target type='filelist'>stunnel-custom</target>
<target type='filelist'>stunnel</target>
<target type='family'>stunnel</target>
<target type='servicelist'>stunnel</target>
<target type='service_accesslist'>saStunnel</target>
</condition>
<condition name='disabled_if_in' source='stunnel_add_tunnels'>
<param>non</param>
<target type='filelist'>stunnel-custom</target>
<target type='variable'>stunnel_name</target>
<target type='variable'>stunnel_accept_ip</target>
<target type='variable'>stunnel_accept_port</target>
<target type='variable'>stunnel_connect_ip</target>
<target type='variable'>stunnel_connect_port</target>
<target type='variable'>stunnel_ssl_version</target>
</condition>
<group master='stunnel_name'>
<slave>stunnel_accept_ip</slave>
<slave>stunnel_accept_port</slave>
<slave>stunnel_connect_ip</slave>
<slave>stunnel_connect_port</slave>
<slave>stunnel_ssl_version</slave>
</group>
</constraints>
<help>
<variable name='activer_stunnel'>Activer le service mandataire SSL (stunnel)</variable>
</help>
</creole>