diff options
7 files changed, 7 insertions, 7 deletions
diff --git a/roles/IMAP-proxy/files/etc/stunnel/roundcube.conf b/roles/IMAP-proxy/files/etc/stunnel/roundcube.conf index c14bac3..307a5c2 100644 --- a/roles/IMAP-proxy/files/etc/stunnel/roundcube.conf +++ b/roles/IMAP-proxy/files/etc/stunnel/roundcube.conf @@ -23,37 +23,37 @@ client = yes socket = a:SO_BINDTODEVICE=lo ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers -ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 +ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [imaps] accept = localhost:143 connect = imap.fripost.org:993 CAfile = /etc/stunnel/certs/imap.fripost.org.pem [ldaps] accept = localhost:389 connect = ldap.fripost.org:636 CAfile = /etc/stunnel/certs/ldap.fripost.org.pem ; vim:ft=dosini diff --git a/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2 b/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2 index aae49bc..e678e47 100644 --- a/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2 +++ b/roles/bacula-dir/templates/etc/stunnel/bacula-dir.conf.j2 @@ -23,41 +23,41 @@ client = yes socket = a:SO_BINDTODEVICE=lo ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers -ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 +ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** {% if 'bacula-sd' not in group_names %} [{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd] accept = 127.0.{{ n }}.1:9113 connect = {{ groups['bacula-sd'][0] }}:9103 delay = yes CAfile = /etc/stunnel/certs/{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd.pem {% endif %} {% set n = 0 %} {% for fd in groups.all | sort %} {% set n = n + 1 %} {% if fd != inventory_hostname %} [{{ hostvars[fd].inventory_hostname_short }}-fd] accept = 127.0.{{ n }}.1:9112 connect = {{ fd }}:9102 diff --git a/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 b/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 index b193826..e137536 100644 --- a/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 +++ b/roles/bacula-sd/templates/etc/stunnel/bacula-sd.conf.j2 @@ -21,33 +21,33 @@ cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-sd.pem key = /etc/stunnel/certs/{{ inventory_hostname_short }}-sd.key ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers -ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 +ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [{{ inventory_hostname_short }}-sd] client = no accept = 9103 connect = 127.0.0.1:9113 CAfile = /etc/stunnel/certs/bacula-dir+fds.pem ; vim:ft=dosini diff --git a/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 b/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 index 74364c9..d9fe04b 100644 --- a/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 +++ b/roles/common/templates/etc/stunnel/bacula-fd.conf.j2 @@ -21,41 +21,41 @@ cert = /etc/stunnel/certs/{{ inventory_hostname_short }}-fd.pem key = /etc/stunnel/certs/{{ inventory_hostname_short }}-fd.key ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers -ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 +ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [{{ inventory_hostname_short }}-fd] client = no accept = 9102 connect = 9112 CAfile = /etc/stunnel/certs/bacula-dirs.pem {% if 'bacula-sd' not in group_names %} [{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd] client = yes accept = 127.0.0.1:9113 connect = {{ groups['bacula-sd'][0] }}:9103 delay = yes CAfile = /etc/stunnel/certs/{{ hostvars[ groups['bacula-sd'][0] ].inventory_hostname_short }}-sd.pem {% endif %} diff --git a/roles/common/templates/etc/stunnel/munin-node.conf.j2 b/roles/common/templates/etc/stunnel/munin-node.conf.j2 index de6c156..e4188fc 100644 --- a/roles/common/templates/etc/stunnel/munin-node.conf.j2 +++ b/roles/common/templates/etc/stunnel/munin-node.conf.j2 @@ -21,33 +21,33 @@ cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers -ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 +ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [munin-node] client = no accept = 4949 connect = 127.0.0.1:4994 CAfile = /etc/stunnel/certs/munin-master.pem ; vim:ft=dosini diff --git a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 index c025183..51c5dca 100644 --- a/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 +++ b/roles/munin-master/templates/etc/stunnel/munin-master.conf.j2 @@ -23,40 +23,40 @@ client = yes socket = a:SO_BINDTODEVICE=lo ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers -ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 +ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** {% set n = 0 %} {% for node in groups.all | sort %} {% set n = n + 1 %} {% if node != inventory_hostname %} [{{ hostvars[node].inventory_hostname_short }}] accept = 127.0.{{ n }}.1:4994 connect = {{ node }}:4949 delay = yes CAfile = /etc/stunnel/certs/munin-{{ hostvars[node].inventory_hostname_short }}.pem {% endif %} {% endfor %} ; vim:ft=dosini diff --git a/roles/webmail/templates/etc/stunnel/postfix.conf.j2 b/roles/webmail/templates/etc/stunnel/postfix.conf.j2 index 78922c8..722497a 100644 --- a/roles/webmail/templates/etc/stunnel/postfix.conf.j2 +++ b/roles/webmail/templates/etc/stunnel/postfix.conf.j2 @@ -23,33 +23,33 @@ client = yes socket = a:SO_BINDTODEVICE=lo ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ; Prevent MITM attacks verify = 4 ; Disable support for insecure protocols options = NO_SSLv2 options = NO_SSLv3 options = NO_TLSv1 options = NO_TLSv1.1 ; These options provide additional security at some performance degradation options = SINGLE_ECDH_USE options = SINGLE_DH_USE ; Select permitted SSL ciphers -ciphers = EECDH+AES:EDH+AES:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1 +ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [smtp] accept = localhost:2525 connect = outgoing.fripost.org:{{ postfix_instance.out.port }} CAfile = /etc/stunnel/certs/postfix.pem protocol = smtp ; vim:ft=dosini |