author | Jan Dittberner <jandd@cacert.org> | 2017-08-26 21:17:21 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2017-08-26 21:17:21 +0200 |
commit | 094c6ff3231a9900c546cebdde146b5663c738e4 (patch) | |
tree | 98c588a641c6e896a3f03a280f92da9dd2162773 | |
parent | e21a64f5583998d1355d7586c4fabe1ca282e26a (diff) | |
Define sniproxy configuration
-rw-r--r-- | hieradata/nodes/proxyin.yaml | 2 | ||||
-rw-r--r-- | sitemodules/profiles/files/sniproxy/etc_default_sniproxy | 13 | ||||
-rw-r--r-- | sitemodules/profiles/manifests/sniproxy.pp | 33 | ||||
-rw-r--r-- | sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp | 80 |
4 files changed, 126 insertions, 2 deletions
diff --git a/hieradata/nodes/proxyin.yaml b/hieradata/nodes/proxyin.yaml
index e6131f2..96dd2a3 100644
--- a/hieradata/nodes/proxyin.yaml
+++ b/hieradata/nodes/proxyin.yaml
@@ -3,3 +3,5 @@ classes:
   - roles::proxyin
 profiles::base::admins:
   - jandd
+profiles::sniproxy::https_forwards:
+  - "motion\.cacert\.org$ 10.0.0.117:8443"
diff --git a/sitemodules/profiles/files/sniproxy/etc_default_sniproxy b/sitemodules/profiles/files/sniproxy/etc_default_sniproxy
new file mode 100644
index 0000000..b37b083
--- /dev/null
+++ b/sitemodules/profiles/files/sniproxy/etc_default_sniproxy
@@ -0,0 +1,13 @@
+# Defaults for sniproxy initscript
+
+# This file has two functions:
+# 1) to completely disable starting sniproxy,
+# 2) to select an alternative config file
+#    by setting DAEMON_ARGS to -c <file>
+
+# Additional options that are passed to the Daemon.
+#DAEMON_ARGS="-c /etc/sniproxy.conf"
+
+# Whether or not to run the sniproxy daemon; set to 0 to disable, 1 to enable.
+ENABLED=0
+
diff --git a/sitemodules/profiles/manifests/sniproxy.pp b/sitemodules/profiles/manifests/sniproxy.pp
index a126739..7cba9b1 100644
--- a/sitemodules/profiles/manifests/sniproxy.pp
+++ b/sitemodules/profiles/manifests/sniproxy.pp
@@ -6,7 +6,7 @@
 # Parameters
 # ----------
 #
-
+# @param https_forwards a list of server names to target ips/ports
 #
 # Examples
 # --------
@@ -26,7 +26,9 @@
 #
 #
 # Copyright 2017 Jan Dittberner
 #
-class profiles::sniproxy {
+class profiles::sniproxy (
+  Array[String] $https_forwards,
+) {
   file { '/etc/apt/sources.list.d/debian-testing.list':
     ensure => file,
     owner  => 'root',
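Review bot: The new hieradata value `"motion\.cacert\.org$ 10.0.0.117:8443"` is a double-quoted YAML scalar, and `\.` is not one of the escape sequences YAML defines for that form, so libyaml-based parsers (Ruby's Psych, which Puppet's hiera uses) reject the file instead of passing the backslashes through. A single-quoted scalar keeps the backslashes literal. The pattern is also unanchored at the start, and the template's own comment says entries are Perl-compatible regular expressions matched against the requested hostname, so any SNI name that merely ends in `motion.cacert.org` would be forwarded to this backend; anchoring costs one character: `  - '^motion\.cacert\.org$ 10.0.0.117:8443'`.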
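Review bot: `ENABLED=0` in the shipped /etc/default/sniproxy contradicts the `service { 'sniproxy': ensure => running }` resource added in the next hunk of sniproxy.pp: the file's own header says the initscript reads this variable to decide whether to start the daemon, so every Puppet run would try to start a service whose defaults file disables it, failing or flapping depending on how the init script reports that state. If the intent is a managed, running proxy, change the line to `ENABLED=1`; if the proxy is meant to stay off until the forwarding table has been reviewed, drop `ensure => running` from the service instead and say so in a comment here.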
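Review bot: The new `@param https_forwards` line does not say what an element looks like, yet the template writes each element verbatim as one line of the `https_hosts` table, so a caller has to read the EPP to learn the format and to realise that a loose pattern widens what gets forwarded. Suggest `# @param https_forwards sniproxy table lines of the form '<hostname regex> <target host:port>', written verbatim into the https_hosts table of /etc/sniproxy.conf; anchor the regex`.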
@@ -46,4 +48,31 @@ class profiles::sniproxy {
   package { 'sniproxy':
     ensure => present,
   }
+
+  file { '/etc/default/sniproxy':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    source  => 'puppet:///modules/profiles/sniproxy/etc_default_sniproxy',
+    require => Package['sniproxy'],
+  }
+
+  file { '/etc/sniproxy.conf':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => epp(
+      'profiles/sniproxy/sniproxy.conf.epp',
+      {'https_forwards' => $https_forwards}
+    ),
+    require => Package['sniproxy'],
+  }
+
+  service { 'sniproxy':
+    ensure  => running,
+    enable  => true,
+    require => [Package['sniproxy'], File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']],
+  }
 }
diff --git a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
new file mode 100644
index 0000000..f22c9e2
--- /dev/null
+++ b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
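Review bot: Neither `File['/etc/default/sniproxy']` nor `File['/etc/sniproxy.conf']` notifies the service, so a changed forwarding table or defaults file is written to disk but sniproxy keeps serving with the configuration it started with until something else restarts it; `require` only orders the first start. Add `notify => Service['sniproxy'],` to both file resources (or `subscribe => [File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']]` on the service), which also makes those two entries in the service's `require` list redundant. The enclosing class begins before this hunk.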
@@ -0,0 +1,80 @@
+<%- | Array[String] $https_forwards = [] | -%>
+# sniproxy example configuration file
+# lines that start with # are comments
+# lines with only white space are ignored
+
+user daemon
+
+# PID file
+pidfile /var/run/sniproxy.pid
+
+error_log {
+    # Log to the daemon syslog facility
+    syslog daemon
+
+    # Alternatively we could log to file
+    #filename /var/log/sniproxy/sniproxy.log
+
+    # Control the verbosity of the log
+    priority notice
+}
+
+# blocks are delimited with {...}
+#listen 80 {
+#    proto http
+#    table http_hosts
+#    # Fallback backend server to use if we can not parse the client request
+#    fallback localhost:8080
+#
+#    access_log {
+#        filename /var/log/sniproxy/http_access.log
+#        priority notice
+#    }
+#}
+
+listen 443 {
+    proto tls
+    table https_hosts
+
+    access_log {
+        filename /var/log/sniproxy/https_access.log
+        priority notice
+    }
+}
+
+# named tables are defined with the table directive
+#table http_hosts {
+#    example.com 192.0.2.10:8001
+#    example.net 192.0.2.10:8002
+#    example.org 192.0.2.10:8003
+
+#    pattern:
+#        valid Perl-compatible Regular Expression that matches the
+#        hostname
+#
+#    target:
+#        - a DNS name
+#        - an IP address (with optional port)
+#        - '*' to use the hostname that the client requested
+#
+#    pattern target
+#.*\.itunes\.apple\.com$    *:443
+#.*    127.0.0.1:4443
+#}
+
+# named tables are defined with the table directive
+table https_hosts {
+    # When proxying to local sockets you should use different tables since the
+    # local socket server most likely will not autodetect which protocol is
+    # being used
+<%- $https_forwards.each |$forward| { %>
+    <%= $forward -%>
+<% } %>
+
+# if no table specified the default 'default' table is defined
+#table {
+    # if no port is specified default HTTP (80) and HTTPS (443) ports are
+    # assumed based on the protocol of the listen block using this table
+    #example.com 192.0.2.10
+    #example.net 192.0.2.20
+#}
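Review bot: The `table https_hosts {` block opened near the end of the hunk is never closed: after `<% } %>` (which only closes the Puppet `each` block) the template goes straight on to the commented-out default table and ends with `#}`, so as far as this rendering shows the generated /etc/sniproxy.conf has an unterminated table and the daemon can be expected to reject it when the service in sniproxy.pp tries to start it. Add a literal `}` line directly after `<% } %>`. Each element of `$https_forwards` is emitted unchanged, so the hiera data alone decides both the hostname pattern and the backend; a short comment above the loop, `# each entry is '<hostname regex> <target>' taken verbatim from hiera; anchor the regex`, would make that visible to whoever edits the node data.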