blob: 83614b52d07feaa26620a6c1fe0975caa6096dfd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
; **************************************************************************
; * Global options *
; **************************************************************************
; setuid()/setgid() to the specified user/group in daemon mode
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /var/run/stunnel4/munin-node.pid
; Only log messages at severity warning (4) and higher
debug = 4
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.pem
key = /etc/stunnel/certs/munin-{{ inventory_hostname_short }}.key
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Prevent MITM attacks
verify = 4
; Disable support for insecure protocols
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
options = NO_COMPRESSION
; These options provide additional security at some performance degradation
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
; Select permitted SSL ciphers
ciphers = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
[munin-node]
client = no
accept = 4949
connect = 127.0.0.1:4994
CAfile = /etc/stunnel/certs/munin-master.pem
; vim:ft=dosini
|
