diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2015-10-27 16:26:24 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-10-27 16:26:24 +0100 |
| commit | c2b9d04ecef5babc028728d4426aab9237b5ce86 (patch) | |
| tree | e0cf1cd15f8df515f3bc6140831e67d40a9b9c78 | |
| parent | 643d79c4853009806fa45a9036ae7150b4e739fa (diff) | |
stunnel: disable compression.
7 files changed, 14 insertions, 0 deletions
diff --git a/roles/IMAP-proxy/files/etc/stunnel/roundcube.conf b/roles/IMAP-proxy/files/etc/stunnel/roundcube.conf index 307a5c2..284bcc0 100644 --- a/roles/IMAP-proxy/files/etc/stunnel/roundcube.conf +++ b/roles/IMAP-proxy/files/etc/stunnel/roundcube.conf @@ -18,40 +18,42 @@ debug = 4 ; Certificate/key is needed in server mode and optional in client mode ;cert = /etc/stunnel/mail.pem ;key = /etc/stunnel/mail.pem client = yes socket = a:SO_BINDTODEVICE=lo ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 +options = NO_COMPRESSION + ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [imaps] accept = localhost:143 connect = imap.fripost.org:993 CAfile = /etc/stunnel/certs/imap.fripost.org.pem [ldaps] accept = localhost:389 connect = ldap.fripost.org:636 CAfile = /etc/stunnel/certs/ldap.fripost.org.pem diff --git a/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2 b/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2 index e678e47..4dbb1db 100644 --- a/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2 +++ b/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2 @@ -18,40 +18,42 @@ debug = 4 ; Certificate/key is needed in server mode and optional in client mode cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-dir.pem key = /etc/stunnel/certs/{{ inventory_hostname_short }}-dir.key client = yes socket = a:SO_BINDTODEVICE=lo ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 +options = NO_COMPRESSION + ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** {% if 'bacula-sd' not in group_names %} [{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd] accept = 127.0.{{ n }}.1:9113 connect = {{ groups['bacula-sd'][0] }}:9103 delay = yes CAfile = /etc/stunnel/certs/{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd.pem {% endif %} {% set n = 0 %} diff --git a/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 b/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 index e137536..767424a 100644 --- a/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 +++ b/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 @@ -16,38 +16,40 @@ debug = 4 ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Certificate/key is needed in server mode and optional in client mode cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem key = /etc/stunnel/certs/{{ inventory_hostname_short }}-sd.key ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 +options = NO_COMPRESSION + ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [{{ inventory_hostname_short }}-sd] client = no accept = 9103 connect = 127.0.0.1:9113 CAfile = /etc/stunnel/certs/bacula-dir+fds.pem ; vim:ft=dosini diff --git a/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 b/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 index d9fe04b..ed819c0 100644 --- a/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 +++ b/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 @@ -16,40 +16,42 @@ debug = 4 ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Certificate/key is needed in server mode and optional in client mode cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem key = /etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 +options = NO_COMPRESSION + ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [{{ inventory_hostname_short }}-fd] client = no accept = 9102 connect = 9112 CAfile = /etc/stunnel/certs/bacula-dirs.pem {% if 'bacula-sd' not in group_names %} [{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd] client = yes diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2 index e4188fc..83614b5 100644 --- a/roles/common/templates/etc/stunnel/munin-node.conf.j2 +++ b/roles/common/templates/etc/stunnel/munin-node.conf.j2 @@ -16,38 +16,40 @@ debug = 4 ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Certificate/key is needed in server mode and optional in client mode cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 +options = NO_COMPRESSION + ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [munin-node] client = no accept = 4949 connect = 127.0.0.1:4994 CAfile = /etc/stunnel/certs/munin-master.pem ; vim:ft=dosini diff --git a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 index 51c5dca..bbe4114 100644 --- a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 +++ b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 @@ -18,40 +18,42 @@ debug = 4 ; Certificate/key is needed in server mode and optional in client mode cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key client = yes socket = a:SO_BINDTODEVICE=lo ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 +options = NO_COMPRESSION + ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** {% set n = 0 %} {% for node in groups.all | sort %} {% set n = n + 1 %} {% if node != inventory_hostname %} [{{ hostvars[node].inventory_hostname_short }}] accept = 127.0.{{ n }}.1:4994 connect = {{ node }}:4949 delay = yes CAfile = /etc/stunnel/certs/munin-{{ hostvars[node].inventory_hostname_short }}.pem diff --git a/roles/webmail/templates/etc/stunnel/postfix.conf.j2 b/roles/webmail/templates/etc/stunnel/postfix.conf.j2 index 722497a..9003686 100644 --- a/roles/webmail/templates/etc/stunnel/postfix.conf.j2 +++ b/roles/webmail/templates/etc/stunnel/postfix.conf.j2 @@ -18,38 +18,40 @@ debug = 4 ; Certificate/key is needed in server mode and optional in client mode cert = /etc/postfix/ssl/{{ ansible_fqdn }}.pem key = /etc/postfix/ssl/{{ ansible_fqdn }}.key client = yes socket = a:SO_BINDTODEVICE=lo ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 +options = NO_COMPRESSION + ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [smtp] accept = localhost:2525 connect = outgoing.fripost.org:{{ postfix_instance.out.port }} CAfile = /etc/stunnel/certs/postfix.pem protocol = smtp ; vim:ft=dosini |