No bind address also listens on v6
# == Define: stunnel4::server
#
# Declares one stunnel listener: stunnel accepts SSL/TLS connections on
# $accept and hands the decrypted stream to the plaintext service
# $connect.  This wraps stunnel4::generic in server mode (client => false)
# and declares a matching virtual ferm rule for each address family.
#
# Parameters:
#   $accept  - what stunnel listens on.  It is also interpolated, unquoted,
#              into the ferm rule below, so it should presumably be a plain
#              port or port range as the SERVICE_RANGE macro expects.
#   $connect - address/port of the plaintext backend service.
#   $local   - described as the local source address used towards $connect.
#              NOTE(review): this define never passes it on to
#              stunnel4::generic, so it has no effect here; confirm whether
#              generic accepts a corresponding parameter.
#
# Peer verification: verify => 2 only checks that the client's certificate
# chains to the CA in cafile and is not listed in crlfile.  It does not
# tell us *who* the client is, so do not use this define where the
# caller's identity matters; use dsa-portforwarder for that.
#
# The ferm rules are virtual (@ferm::rule), so the port is only opened on
# nodes that realize them.
define stunnel4::server($accept, $connect, $local = '127.0.0.1') {
  include stunnel4

  stunnel4::generic { $name:
    client  => false,
    verify  => 2,
    cafile  => '/etc/exim4/ssl/ca.crt',
    crlfile => '/etc/exim4/ssl/crl.crt',
    accept  => $accept,
    connect => $connect,
  }

  # One virtual rule per address family; both open $accept for tcp.
  @ferm::rule {
    "stunnel-${name}":
      description => "stunnel ${name}",
      rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V4)";
    "stunnel-${name}-v6":
      domain      => 'ip6',
      description => "stunnel ${name}",
      rule        => "&SERVICE_RANGE(tcp, ${accept}, \$HOST_DEBIAN_V6)";
  }
}