Adding SSL support to eole-redis.

Ubuntu don't build redis with SSL support so we use Stunnel to fill the gap. Here we add Stunnel full EOLE integration and Redis specifics. Maybe later we will want to have a specific package for eole-stunnel. ref #30338
2020-06-17 16:12:58 +02:00
parent 84320f3366
commit 4365b7974a
8 changed files with 188 additions and 0 deletions
--- a/tmpl/90-stunnel_dynamic_rules
+++ b/tmpl/90-stunnel_dynamic_rules
@ -0,0 +1,7 @@
+#!/bin/sh
+
+%for %%tunnel in %%stunnel_name
+   %for %%int_idx in %%range(0, %%int(%%nombre_interfaces))
+/sbin/iptables -A eth%%{int_idx}-root -s 0.0.0.0/0.0.0.0  -p tcp -m tcp --dport %%tunnel.stunnel_accept_port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
+   %end for
+%end for
--- a/tmpl/redis-ssl.conf
+++ b/tmpl/redis-ssl.conf
@ -0,0 +1,12 @@
+pid = /var/run/redis-stunnel.pid
+
+%if %%redisMode == "Local"
+[redis-local]
+cert = %%server_cert
+key = %%server_key
+CApath  = %%os.path.dirname(%%server_cert)
+verify = 2
+SSLversion=%%redisSSLVersion
+accept = %%redisSSLPort
+connect = %%redisPort
+%end if
--- a/tmpl/stunnel.conf
+++ b/tmpl/stunnel.conf
@ -0,0 +1,19 @@
+pid = /var/run/stunnel.pid
+%for %%tunnel in %%stunnel_name
+[%%tunnel]
+cert = %%server_cert
+key = %%server_key
+CApath  = %%os.path.dirname(%%server_cert)
+verify = 2
+SSLversion=%%tunnel.stunnel_ssl_version
+    %if %%is_empty(%%tunnel.stunnel_accept_ip)
+accept = %%tunnel.stunnel_accept_port
+    %else
+accept = %%{tunnel.stunnel_accept_ip}:%%{tunnel.stunnel_accept_port}
+    %end if
+    %if %%is_empty(%%tunnel.stunnel_connect_ip)
+connect = %%tunnel.stunnel_connect_port
+    %else
+connect = %%{tunnel.stunnel_connect_ip}:%%{tunnel.stunnel_connect_port}
+    %end if
+%end for
--- a/tmpl/stunnel_default
+++ b/tmpl/stunnel_default
@ -0,0 +1,18 @@
+# /etc/default/stunnel
+# Julien LEMOINE <speedblue@debian.org>
+# September 2003
+
+# Change to one to enable stunnel automatic startup
+ENABLED=1
+FILES="/etc/stunnel/*.conf"
+OPTIONS="%%stunnel_opts"
+
+# Change to one to enable ppp restart scripts
+PPP_RESTART=0
+
+# Change to enable the setting of limits on the stunnel instances
+# For example, to set a large limit on file descriptors (to enable
+# more simultaneous client connections), set RLIMITS="-n 4096"
+# More than one resource limit may be modified at the same time,
+# e.g. RLIMITS="-n 4096 -d unlimited"
+RLIMITS=""