-rw-r--r--hieradata/nodes/proxyin.yaml2
-rw-r--r--sitemodules/profiles/files/sniproxy/etc_default_sniproxy13
-rw-r--r--sitemodules/profiles/manifests/sniproxy.pp33
-rw-r--r--sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp80
4 files changed, 126 insertions, 2 deletions
diff --git a/hieradata/nodes/proxyin.yaml b/hieradata/nodes/proxyin.yaml
index e6131f2..96dd2a3 100644
--- a/hieradata/nodes/proxyin.yaml
+++ b/hieradata/nodes/proxyin.yaml
@@ -3,3 +3,5 @@ classes:
- roles::proxyin
profiles::base::admins:
- jandd
+profiles::sniproxy::https_forwards:
+ - "motion\.cacert\.org$ 10.0.0.117:8443"
diff --git a/sitemodules/profiles/files/sniproxy/etc_default_sniproxy b/sitemodules/profiles/files/sniproxy/etc_default_sniproxy
new file mode 100644
index 0000000..b37b083
--- /dev/null
+++ b/sitemodules/profiles/files/sniproxy/etc_default_sniproxy
@@ -0,0 +1,13 @@
+# Defaults for sniproxy initscript
+
+# This file has two functions:
+# 1) to completely disable starting sniproxy,
+# 2) to select an alternative config file
+# by setting DAEMON_ARGS to -c <file>
+
+# Additional options that are passed to the Daemon.
+#DAEMON_ARGS="-c /etc/sniproxy.conf"
+
+# Whether or not to run the sniproxy daemon; set to 0 to disable, 1 to enable.
+ENABLED=0
+
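Review bot: `ENABLED=0` on the last non-blank line disables the daemon according to the comment immediately above it, yet the third hunk of sitemodules/profiles/manifests/sniproxy.pp declares `service { 'sniproxy': ensure => running, enable => true }` with this file as a prerequisite. If the packaged init script honours the flag, Puppet will attempt to start the service on every run and report a failure each time. If Puppet is meant to manage the service the line should read `ENABLED=1`; if the flag is deliberately left at 0, the service resource should not claim `ensure => running`.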
diff --git a/sitemodules/profiles/manifests/sniproxy.pp b/sitemodules/profiles/manifests/sniproxy.pp
index a126739..7cba9b1 100644
--- a/sitemodules/profiles/manifests/sniproxy.pp
+++ b/sitemodules/profiles/manifests/sniproxy.pp
@@ -6,7 +6,7 @@
# Parameters
# ----------
#
-# -
+# @param https_forwards a list of server names to target ips/ports
#
# Examples
# --------
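Review bot: The new `@param` text describes `https_forwards` as "a list of server names to target ips/ports", but the template emits each element verbatim as a sniproxy table line, so a plain server name would produce an invalid entry. The doc should state the expected shape, e.g. `# @param https_forwards list of sniproxy table entries, each a complete '<pcre pattern> <target>' line written verbatim into /etc/sniproxy.conf (see the hieradata for proxyin for an example)`. Quoting and anchoring rules for the pattern are worth a sentence too, since the value is interpreted first by YAML and then by PCRE.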
@@ -26,7 +26,9 @@
#
# Copyright 2017 Jan Dittberner
#
-class profiles::sniproxy {
+class profiles::sniproxy (
+ Array[String] $https_forwards,
+) {
file { '/etc/apt/sources.list.d/debian-testing.list':
ensure => file,
owner => 'root',
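Review bot: `Array[String] $https_forwards,` is declared without a default, while the template it is passed to declares `$https_forwards = []`; a node that includes the profile without a hiera value will therefore fail catalog compilation rather than render an empty table, and the template default is unreachable. If an empty routing table is an acceptable state, `Array[String] $https_forwards = [],` keeps the two declarations in agreement; if it is not, the template default should be dropped so the contract is the same in both places. The class body continues outside this hunk.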
@@ -46,4 +48,31 @@ class profiles::sniproxy {
package { 'sniproxy':
ensure => present,
}
+
+ file { '/etc/default/sniproxy':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/profiles/sniproxy/etc_default_sniproxy',
+ require => Package['sniproxy'],
+ }
+
+ file { '/etc/sniproxy.conf':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => epp(
+ 'profiles/sniproxy/sniproxy.conf.epp',
+ {'https_forwards' => $https_forwards}
+ ),
+ require => Package['sniproxy'],
+ }
+
+ service { 'sniproxy':
+ ensure => running,
+ enable => true,
+ require => [Package['sniproxy'], File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']],
+ }
}
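Review bot: The service resource at the end of the hunk only `require`s the two managed files, so a later change to `/etc/sniproxy.conf` (for example a new entry in `https_forwards`) or to `/etc/default/sniproxy` is written to disk but never refreshes the daemon, which keeps serving the old routing table until something else restarts it. Splitting the relationship keeps the ordering and adds the refresh: `require => Package['sniproxy'],` followed by `subscribe => [File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']],` (subscribe implies require).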
diff --git a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
new file mode 100644
index 0000000..f22c9e2
--- /dev/null
+++ b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
@@ -0,0 +1,80 @@
+<%- | Array[String] $https_forwards = [] | -%>
+# sniproxy example configuration file
+# lines that start with # are comments
+# lines with only white space are ignored
+
+user daemon
+
+# PID file
+pidfile /var/run/sniproxy.pid
+
+error_log {
+ # Log to the daemon syslog facility
+ syslog daemon
+
+ # Alternatively we could log to file
+ #filename /var/log/sniproxy/sniproxy.log
+
+ # Control the verbosity of the log
+ priority notice
+}
+
+# blocks are delimited with {...}
+#listen 80 {
+# proto http
+# table http_hosts
+# # Fallback backend server to use if we can not parse the client request
+# fallback localhost:8080
+#
+# access_log {
+# filename /var/log/sniproxy/http_access.log
+# priority notice
+# }
+#}
+
+listen 443 {
+ proto tls
+ table https_hosts
+
+ access_log {
+ filename /var/log/sniproxy/https_access.log
+ priority notice
+ }
+}
+
+# named tables are defined with the table directive
+#table http_hosts {
+# example.com 192.0.2.10:8001
+# example.net 192.0.2.10:8002
+# example.org 192.0.2.10:8003
+
+# pattern:
+# valid Perl-compatible Regular Expression that matches the
+# hostname
+#
+# target:
+# - a DNS name
+# - an IP address (with optional port)
+# - '*' to use the hostname that the client requested
+#
+# pattern target
+#.*\.itunes\.apple\.com$ *:443
+#.* 127.0.0.1:4443
+#}
+
+# named tables are defined with the table directive
+table https_hosts {
+ # When proxying to local sockets you should use different tables since the
+ # local socket server most likely will not autodetect which protocol is
+ # being used
+<%- $https_forwards.each |$forward| { %>
+ <%= $forward -%>
+<% } %>
+
+# if no table specified the default 'default' table is defined
+#table {
+ # if no port is specified default HTTP (80) and HTTPS (443) ports are
+ # assumed based on the protocol of the listen block using this table
+ #example.com 192.0.2.10
+ #example.net 192.0.2.20
+#}
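Review bot: The `table https_hosts {` block is never closed: after the `<% } %>` that ends the each loop the template goes straight into the blank line and the commented default-table example, so the rendered /etc/sniproxy.conf has no closing `}` for the table, and sniproxy will most likely reject the file unless its parser tolerates an unterminated block at end of file (the `}` inside `<% } %>` closes the Puppet lambda, not the config block). Add a line `}` directly after `<% } %>`. Since the file is now generated, replacing the header `# sniproxy example configuration file` with `# Managed by Puppet (profiles::sniproxy) - local edits will be overwritten` would also tell an operator where the entries come from.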