Define sniproxy configuration
authorJan Dittberner <jandd@cacert.org>
Sat, 26 Aug 2017 19:17:21 +0000 (21:17 +0200)
committerJan Dittberner <jandd@cacert.org>
Sat, 26 Aug 2017 19:17:21 +0000 (21:17 +0200)
hieradata/nodes/proxyin.yaml
sitemodules/profiles/files/sniproxy/etc_default_sniproxy [new file with mode: 0644]
sitemodules/profiles/manifests/sniproxy.pp
sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp [new file with mode: 0644]

index e6131f2..96dd2a3 100644 (file)
@@ -3,3 +3,5 @@ classes:
   - roles::proxyin
 profiles::base::admins:
   - jandd
+profiles::sniproxy::https_forwards:
+  - "motion\.cacert\.org$ 10.0.0.117:8443"
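Review bot: The double-quoted YAML scalar on the added line contains `\.`, which is not a defined escape sequence in YAML; libyaml (the parser behind Ruby's Psych, which Puppet/Hiera use) rejects unknown escapes in double-quoted scalars with "found unknown escape character", so this hieradata file most likely fails to load. Use a single-quoted scalar, where backslashes are literal: `- 'motion\.cacert\.org$ 10.0.0.117:8443'`. Separately, the SNI name is supplied by the unauthenticated client and, per the template's own comment, an entry with regex metacharacters is a PCRE "that matches the hostname" (the shipped example `.*\.itunes\.apple\.com$` shows no implicit start anchor), so `motion\.cacert\.org$` also matches names such as `notmotion.cacert.org`; anchoring it as `^motion\.cacert\.org$` limits the forward to the intended host.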
diff --git a/sitemodules/profiles/files/sniproxy/etc_default_sniproxy b/sitemodules/profiles/files/sniproxy/etc_default_sniproxy
new file mode 100644 (file)
index 0000000..b37b083
--- /dev/null
@@ -0,0 +1,13 @@
+# Defaults for sniproxy initscript
+
+# This file has two functions:
+# 1) to completely disable starting sniproxy,
+# 2) to select an alternative config file
+#    by setting DAEMON_ARGS to -c <file>
+
+# Additional options that are passed to the Daemon.
+#DAEMON_ARGS="-c /etc/sniproxy.conf"
+
+# Whether or not to run the sniproxy daemon; set to 0 to disable, 1 to enable.
+ENABLED=0
+
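Review bot: `ENABLED=0` on the last setting line disables the daemon, per the file's own comment, while the accompanying Puppet `service { 'sniproxy': ensure => running }` resource expects it to run; if the Debian init script honours this variable (which the file header implies), every Puppet run will try to start a service that refuses to start and will report a failure or flap. Since the manifest is what decides whether sniproxy runs, set `ENABLED=1` here. If the package instead ships a systemd unit that ignores /etc/default, the setting is still misleading and should match the intended state.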
index a126739..7cba9b1 100644 (file)
@@ -6,7 +6,7 @@
 # Parameters
 # ----------
 #
-# -
+# @param https_forwards a list of server names to target ips/ports
 #
 # Examples
 # --------
@@ -26,7 +26,9 @@
 #
 # Copyright 2017 Jan Dittberner
 #
-class profiles::sniproxy {
+class profiles::sniproxy (
+  Array[String] $https_forwards,
+) {
   file { '/etc/apt/sources.list.d/debian-testing.list':
     ensure => file,
     owner  => 'root',
@@ -46,4 +48,31 @@ class profiles::sniproxy {
   package { 'sniproxy':
     ensure => present,
   }
+
+  file { '/etc/default/sniproxy':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    source  => 'puppet:///modules/profiles/sniproxy/etc_default_sniproxy',
+    require => Package['sniproxy'],
+  }
+
+  file { '/etc/sniproxy.conf':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => epp(
+      'profiles/sniproxy/sniproxy.conf.epp',
+      {'https_forwards' => $https_forwards}
+    ),
+    require => Package['sniproxy'],
+  }
+
+  service { 'sniproxy':
+    ensure  => running,
+    enable  => true,
+    require => [Package['sniproxy'], File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']],
+  }
 }
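Review bot: The `service { 'sniproxy': }` resource only has `require` on the two file resources, so a change to `/etc/sniproxy.conf` (for example a new `https_forwards` entry in hieradata) is written to disk but never picked up until someone restarts the daemon by hand, and a broken rendered config goes unnoticed until the next restart. Add `subscribe => [File['/etc/default/sniproxy'], File['/etc/sniproxy.conf']],` to the service; `subscribe` implies the ordering that `require` provides, so `require => Package['sniproxy']` can stay as the only explicit dependency. Also note that each `$https_forwards` element is pasted verbatim into the config by the template, so a stricter parameter type such as `Array[Pattern[/^\S+\s+\S+$/]]` would reject obviously malformed entries at catalog compile time rather than at service start.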
diff --git a/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp b/sitemodules/profiles/templates/sniproxy/sniproxy.conf.epp
new file mode 100644 (file)
index 0000000..f22c9e2
--- /dev/null
@@ -0,0 +1,80 @@
+<%- | Array[String] $https_forwards = [] | -%>
+# sniproxy example configuration file
+# lines that start with # are comments
+# lines with only white space are ignored
+
+user daemon
+
+# PID file
+pidfile /var/run/sniproxy.pid
+
+error_log {
+    # Log to the daemon syslog facility
+    syslog daemon
+
+    # Alternatively we could log to file
+    #filename /var/log/sniproxy/sniproxy.log
+
+    # Control the verbosity of the log
+    priority notice
+}
+
+# blocks are delimited with {...}
+#listen 80 {
+#    proto http
+#    table http_hosts
+#    # Fallback backend server to use if we can not parse the client request
+#    fallback localhost:8080
+#
+#    access_log {
+#        filename /var/log/sniproxy/http_access.log
+#        priority notice
+#    }
+#}
+
+listen 443 {
+    proto tls
+    table https_hosts
+
+    access_log {
+        filename /var/log/sniproxy/https_access.log
+        priority notice
+    }
+}
+
+# named tables are defined with the table directive
+#table http_hosts {
+#    example.com 192.0.2.10:8001
+#    example.net 192.0.2.10:8002
+#    example.org 192.0.2.10:8003
+
+# pattern:
+#      valid Perl-compatible Regular Expression that matches the
+#      hostname
+#
+# target:
+#      - a DNS name
+#      - an IP address (with optional port)
+#      - '*' to use the hostname that the client requested
+#
+# pattern      target
+#.*\.itunes\.apple\.com$       *:443
+#.*    127.0.0.1:4443
+#}
+
+# named tables are defined with the table directive
+table https_hosts {
+    # When proxying to local sockets you should use different tables since the
+    # local socket server most likely will not autodetect which protocol is
+    # being used
+<%- $https_forwards.each |$forward| { %>
+    <%= $forward -%>
+<% } %>
+
+# if no table specified the default 'default' table is defined
+#table {
+    # if no port is specified default HTTP (80) and HTTPS (443) ports are
+    # assumed based on the protocol of the listen block using this table
+    #example.com 192.0.2.10
+    #example.net 192.0.2.20
+#}
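Review bot: `table https_hosts {` (opened a few lines above the `each` loop) is never closed: the only `}` after it is the commented-out `#}` on the last line, so the rendered config ends with an unterminated block and sniproxy will most likely reject it, or at best treat the trailing commented example as part of the table. The upstream example this was copied from closes the table directly after its entries; add a literal `}` line right after `<% } %>`. The daemon also runs as the shared `daemon` account (`user daemon`); unless the package already creates one, a dedicated `sniproxy` user would keep it from sharing privileges with other services using that account.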