
Commit bc4c36b

committed
T5735: Stunnel CLI and configuration
Add CLI commands Add config Add conf_mode Add systemd config Add stunnel smoketests Add log level config
1 parent da5d29a commit bc4c36b

24 files changed

+1409
-1
lines changed

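--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -32,7 +32,8 @@
 "reverse_proxy": ["load-balancing_reverse-proxy"],
 "rpki": ["protocols_rpki"],
 "sstp": ["vpn_sstp"],
-"sstpc": ["interfaces_sstpc"]
+"sstpc": ["interfaces_sstpc"],
+"stunnel": ["service_stunnel"]
 },
 "vpn_ipsec": {
 "nhrp": ["protocols_nhrp"]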

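--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -80,6 +80,7 @@
 "service_salt-minion.py",
 "service_sla.py",
 "service_ssh.py",
+"service_stunnel.py",
 "service_tftp-server.py",
 "service_webproxy.py",
 "system_acceleration.py",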
+118
@@ -0,0 +1,118 @@
1+
; Autogenerated by service_stunnel.py
2+
3+
; Example https://www.stunnel.org/config_unix.html#
4+
; **************************************************************************
5+
; * Global options *
6+
; **************************************************************************
7+
8+
; PID file is created inside the chroot jail (if enabled)
9+
pid = {{ config_file | replace('.conf', '.pid') }}
10+
11+
; Debugging stuff (may be useful for troubleshooting)
12+
;foreground = yes
13+
14+
{% if log is vyos_defined %}
15+
debug = {{ log.level }}
16+
{% endif %}
17+
18+
;output = /usr/local/var/log/stunnel.log
19+
20+
21+
; **************************************************************************
22+
; * Service definitions *
23+
; **************************************************************************
24+
25+
; ***************************************** Client mode services ***********
26+
27+
{% if client is vyos_defined %}
28+
{% for name, config in client.items() %}
29+
[{{ name }}]
30+
client = yes
31+
{% if config.listen.address is vyos_defined %}
32+
accept = {{ config.listen.address }}:{{ config.listen.port }}
33+
{% else %}
34+
accept = {{ config.listen.port }}
35+
{% endif %}
36+
{% if config.connect is vyos_defined %}
37+
{% if config.connect.address is vyos_defined %}
38+
connect = {{ config.connect.address }}:{{ config.connect.port }}
39+
{% else %}
40+
connect = {{ config.connect.port }}
41+
{% endif %}
42+
{% endif %}
43+
{% if config.protocol is vyos_defined %}
44+
protocol = {{ config.protocol }}
45+
{% endif %}
46+
{% if config.options is vyos_defined %}
47+
{% if config.options.authentication is vyos_defined %}
48+
protocolAuthentication = {{ config.options.authentication }}
49+
{% endif %}
50+
{% if config.options.domain is vyos_defined %}
51+
protocolDomain = {{ config.options.domain }}
52+
{% endif %}
53+
{% if config.options.host is vyos_defined %}
54+
protocolHost = {{ config.options.host.address }}:{{ config.options.host.port }}
55+
{% endif %}
56+
{% if config.options.password is vyos_defined %}
57+
protocolPassword = {{ config.options.password }}
58+
{% endif %}
59+
{% if config.options.username is vyos_defined %}
60+
protocolUsername = {{ config.options.username }}
61+
{% endif %}
62+
{% endif %}
63+
{% if config.ssl.ca_path is vyos_defined %}
64+
CApath = {{ config.ssl.ca_path }}
65+
{% endif %}
66+
{% if config.ssl.ca_file is vyos_defined %}
67+
CAfile = {{ config.ssl.ca_file }}
68+
{% endif %}
69+
{% if config.ssl.cert is vyos_defined %}
70+
cert = {{ config.ssl.cert }}
71+
{% endif %}
72+
{% if config.ssl.cert_key is vyos_defined %}
73+
key = {{ config.ssl.cert_key }}
74+
{% endif %}
75+
{% if config.psk.file is vyos_defined %}
76+
PSKsecrets = {{ config.psk.file }}
77+
{% endif %}
78+
{% endfor %}
79+
{% endif %}
80+
81+
82+
; ***************************************** Server mode services ***********
83+
84+
{% if server is vyos_defined %}
85+
{% for name, config in server.items() %}
86+
[{{ name }}]
87+
{% if config.listen.address is vyos_defined %}
88+
accept = {{ config.listen.address }}:{{ config.listen.port }}
89+
{% else %}
90+
accept = {{ config.listen.port }}
91+
{% endif %}
92+
{% if config.connect is vyos_defined %}
93+
{% if config.connect.address is vyos_defined %}
94+
connect = {{ config.connect.address }}:{{ config.connect.port }}
95+
{% else %}
96+
connect = {{ config.connect.port }}
97+
{% endif %}
98+
{% endif %}
99+
{% if config.protocol is vyos_defined %}
100+
protocol = {{ config.protocol }}
101+
{% endif %}
102+
{% if config.ssl.ca_path is vyos_defined %}
103+
CApath = {{ config.ssl.ca_path }}
104+
{% endif %}
105+
{% if config.ssl.ca_file is vyos_defined %}
106+
CAfile = {{ config.ssl.ca_file }}
107+
{% endif %}
108+
{% if config.ssl.cert is vyos_defined %}
109+
cert = {{ config.ssl.cert }}
110+
{% endif %}
111+
{% if config.ssl.cert_key is vyos_defined %}
112+
key = {{ config.ssl.cert_key }}
113+
{% endif %}
114+
{% if config.psk.file is vyos_defined %}
115+
PSKsecrets = {{ config.psk.file }}
116+
{% endif %}
117+
{% endfor %}
118+
{% endif %}
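Review bot: Both the client and server service blocks emit `CApath =` / `CAfile =` when a CA is configured, but no `verifyChain`, `verifyPeer` or legacy `verify` option is written anywhere in the template, and in stunnel loading a CA does not by itself turn on peer-certificate validation; unless service_stunnel.py injects such a line elsewhere (not in this view), a client-mode service will accept any server certificate. Consider emitting `verifyChain = yes` inside the CA branches and, for client mode, `checkHost = {{ config.connect.address }}` when an address is set, so the hostname is checked as well. Separately, `protocolPassword = {{ config.options.password }}` writes the credential into the generated config in clear text, so the file mode chosen by the conf_mode script matters; and the `address:port` join on the `accept`/`connect` lines would be ambiguous for an unbracketed IPv6 literal if the `ip-address` validator used by the address include admits one.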
@@ -0,0 +1,20 @@
1+
<!-- include start from stunnel/address.xml.i -->
2+
<leafNode name="address">
3+
<properties>
4+
<help>Hostname or IP address</help>
5+
<valueHelp>
6+
<format>ipv4</format>
7+
<description>IPv4 address</description>
8+
</valueHelp>
9+
<valueHelp>
10+
<format>hostname</format>
11+
<description>hostname</description>
12+
</valueHelp>
13+
<constraint>
14+
<validator name="ip-address"/>
15+
<validator name="fqdn"/>
16+
</constraint>
17+
<constraintErrorMessage>Invalid FQDN or IP address</constraintErrorMessage>
18+
</properties>
19+
</leafNode>
20+
<!-- include end -->
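Review bot: The valueHelp entries advertise only `ipv4` and `hostname`, while the constraint uses the generic `ip-address` validator; if that validator also accepts IPv6 literals, the help is incomplete and the template that joins `address:port` needs bracketing, and if it does not, a more specific validator name would make the intent explicit. Either way the documented formats and the accepted formats should match.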
@@ -0,0 +1,11 @@
1+
<!-- include start from stunnel/connect.xml.i -->
2+
<node name="connect">
3+
<properties>
4+
<help>Connect to a remote address</help>
5+
</properties>
6+
<children>
7+
#include <include/stunnel/address.xml.i>
8+
#include <include/port-number.xml.i>
9+
</children>
10+
</node>
11+
<!-- include end -->
@@ -0,0 +1,11 @@
1+
<!-- include start from stunnel/listen.xml.i -->
2+
<node name="listen">
3+
<properties>
4+
<help>Accept connections on specified address</help>
5+
</properties>
6+
<children>
7+
#include <include/stunnel/address.xml.i>
8+
#include <include/port-number.xml.i>
9+
</children>
10+
</node>
11+
<!-- include end -->
@@ -0,0 +1,75 @@
1+
<!-- include start from stunel/protocol-options.xml.i -->
2+
<node name="options">
3+
<properties>
4+
<help>Advanced protocol options</help>
5+
</properties>
6+
<children>
7+
<leafNode name="authentication">
8+
<properties>
9+
<help>Authentication type for the protocol negotiations</help>
10+
<completionHelp>
11+
<list>basic ntlm plain login</list>
12+
</completionHelp>
13+
<valueHelp>
14+
<format>basic</format>
15+
<description>The default 'connect' authentication type</description>
16+
</valueHelp>
17+
<valueHelp>
18+
<format>ntlm</format>
19+
<description>Supported authentication types for the 'connect' protocol</description>
20+
</valueHelp>
21+
<valueHelp>
22+
<format>plain</format>
23+
<description>The default 'smtp' authentication type</description>
24+
</valueHelp>
25+
<valueHelp>
26+
<format>login</format>
27+
<description>Supported authentication types for the 'smtp' protocol</description>
28+
</valueHelp>
29+
<constraint>
30+
<regex>(basic|ntlm|plain|login)</regex>
31+
</constraint>
32+
</properties>
33+
</leafNode>
34+
<leafNode name="domain">
35+
<properties>
36+
<help>Domain for the 'connect' protocol.</help>
37+
<valueHelp>
38+
<format>domain</format>
39+
<description>domain</description>
40+
</valueHelp>
41+
<constraint>
42+
<validator name="fqdn"/>
43+
</constraint>
44+
</properties>
45+
</leafNode>
46+
<node name="host">
47+
<properties>
48+
<help>Destination address for the 'connect' protocol</help>
49+
</properties>
50+
<children>
51+
#include <include/stunnel/address.xml.i>
52+
#include <include/port-number.xml.i>
53+
</children>
54+
</node>
55+
<leafNode name="password">
56+
<properties>
57+
<help>Password for the protocol negotiations</help>
58+
<valueHelp>
59+
<format>txt</format>
60+
<description>Authentication password</description>
61+
</valueHelp>
62+
</properties>
63+
</leafNode>
64+
<leafNode name="username">
65+
<properties>
66+
<help>Username for the protocol negotiations</help>
67+
<valueHelp>
68+
<format>txt</format>
69+
<description>Authentication username</description>
70+
</valueHelp>
71+
</properties>
72+
</leafNode>
73+
</children>
74+
</node>
75+
<!-- include end -->
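Review bot: The include marker on the first line reads `<!-- include start from stunel/protocol-options.xml.i -->`; the directory is `stunnel`, so the comment should be `<!-- include start from stunnel/protocol-options.xml.i -->` to match the other includes. The `password` and `username` leaf nodes carry no `<constraint>`, and the template interpolates them verbatim into an INI-style config; if the CLI's default value syntax does not already reject newlines, a constraint that does (for example a regex excluding line breaks) would keep a value from spilling into a new config line.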
@@ -0,0 +1,6 @@
1+
<!-- include start from stunnel/protocol-value-cifs.xml.i -->
2+
<valueHelp>
3+
<format>cifs</format>
4+
<description>Proprietary (undocummented) extension of CIFS protocol</description>
5+
</valueHelp>
6+
<!-- include end -->
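Review bot: The description misspells "undocumented" (`undocummented`); suggest `<description>Proprietary (undocumented) extension of CIFS protocol</description>`.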
@@ -0,0 +1,6 @@
1+
<!-- include start from stunnel/protocol-value-connect.xml.i -->
2+
<valueHelp>
3+
<format>connect</format>
4+
<description>Based on RFC 2817 - Upgrading to TLS Within HTTP/1.1, section 5.2 - Requesting a Tunnel with CONNECT</description>
5+
</valueHelp>
6+
<!-- include end -->
@@ -0,0 +1,6 @@
1+
<!-- include start from stunnel/protocol-value-imap.xml.i -->
2+
<valueHelp>
3+
<format>imap</format>
4+
<description>Based on RFC 2595 - Using TLS with IMAP, POP3 and ACAP</description>
5+
</valueHelp>
6+
<!-- include end -->
@@ -0,0 +1,6 @@
1+
<!-- include start from stunnel/protocol-value-nntp.xml.i -->
2+
<valueHelp>
3+
<format>nntp</format>
4+
<description>Based on RFC 4642 - Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)</description>
5+
</valueHelp>
6+
<!-- include end -->
@@ -0,0 +1,6 @@
1+
<!-- include start from stunnel/protocol-value-pgsql.xml.i -->
2+
<valueHelp>
3+
<format>pgsql</format>
4+
<description>Based on PostgreSQL frontend/backend protocol</description>
5+
</valueHelp>
6+
<!-- include end -->
@@ -0,0 +1,6 @@
1+
<!-- include start from stunnel/protocol-value-pop3.xml.i -->
2+
<valueHelp>
3+
<format>pop3</format>
4+
<description>Based on RFC 2449 - POP3 Extension Mechanism</description>
5+
</valueHelp>
6+
<!-- include end -->
@@ -0,0 +1,6 @@
1+
<!-- include start from stunnel/protocol-value-proxy.xml.i -->
2+
<valueHelp>
3+
<format>proxy</format>
4+
<description>Passing of the original client IP address with HAProxy PROXY protocol version 1</description>
5+
</valueHelp>
6+
<!-- include end -->
@@ -0,0 +1,6 @@
1+
<!-- include start from stunnel/protocol-value-smtp.xml.i -->
2+
<valueHelp>
3+
<format>smtp</format>
4+
<description>Based on RFC 2487 - SMTP Service Extension for Secure SMTP over TLS</description>
5+
</valueHelp>
6+
<!-- include end -->
@@ -0,0 +1,6 @@
1+
<!-- include start from stunnel/protocol-value-socks.xml.i -->
2+
<valueHelp>
3+
<format>socks</format>
4+
<description>SOCKS versions 4, 4a, and 5 are supported</description>
5+
</valueHelp>
6+
<!-- include end -->
@@ -0,0 +1,30 @@
1+
<!-- include start from stunnel/psk.xml.i -->
2+
<tagNode name="psk">
3+
<properties>
4+
<help>Pre-shared key name</help>
5+
</properties>
6+
<children>
7+
<leafNode name="id">
8+
<properties>
9+
<help>ID for authentication</help>
10+
<valueHelp>
11+
<format>txt</format>
12+
<description>ID used for authentication</description>
13+
</valueHelp>
14+
</properties>
15+
</leafNode>
16+
<leafNode name="secret">
17+
<properties>
18+
<help>pre-shared secret key</help>
19+
<valueHelp>
20+
<format>txt</format>
21+
<description>pre-shared secret key are required to be at least 16 bytes long, which implies at least 32 characters for hexadecimal key</description>
22+
</valueHelp>
23+
<constraint>
24+
<validator name="psk-secret"/>
25+
</constraint>
26+
</properties>
27+
</leafNode>
28+
</children>
29+
</tagNode>
30+
<!-- include end -->
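Review bot: The `secret` description is ungrammatical and should state the requirement directly, e.g. `<description>Pre-shared secret key; must be at least 16 bytes (32 hexadecimal characters)</description>`, and the `help` text `pre-shared secret key` should be capitalised like the other help strings in this commit. This node defines `id` and `secret`, whereas the stunnel template consumes `config.psk.file` (`PSKsecrets = {{ config.psk.file }}`), so the secrets file is presumably synthesised by service_stunnel.py from these values; that script is outside this view, and since the file holds the raw keys its ownership and mode deserve a comment where it is written.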
@@ -0,0 +1,11 @@
1+
<!-- include start from stunnel/ssl.xml.i -->
2+
<node name="ssl">
3+
<properties>
4+
<help>SSL Certificate, SSL Key and CA</help>
5+
</properties>
6+
<children>
7+
#include <include/pki/ca-certificate-multi.xml.i>
8+
#include <include/pki/certificate.xml.i>
9+
</children>
10+
</node>
11+
<!-- include end -->
