Diffstat (limited to 'roles/clients/files/nfs-nfs2.conf')
-rw-r--r-- | roles/clients/files/nfs-nfs2.conf | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/roles/clients/files/nfs-nfs2.conf b/roles/clients/files/nfs-nfs2.conf
new file mode 100644
index 0000000..61c037d
--- /dev/null
+++ b/roles/clients/files/nfs-nfs2.conf
@@ -0,0 +1,42 @@
+#
+# Ansible managed.
+#
+#GLOBAL#######################################################
+
+sslVersion = TLSv1.3
+TIMEOUTidle = 600
+TIMEOUTconnect = 5
+renegotiation = no
+ FIPS = no
+ options = NO_SSLv2
+ options = NO_SSLv3
+ options = SINGLE_DH_USE
+ options = SINGLE_ECDH_USE
+ options = CIPHER_SERVER_PREFERENCE
+ syslog = yes
+ debug = 5
+ setuid = nobody
+ setgid = nobody
+ chroot = /var/stunnel/chroot
+
+ service = stunnel-nfs-nsb
+ ; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
+ ; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
+ ; chcon -t stunnel_etc_t hosts.deny
+
+ curve = secp521r1
+ ; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+
+#CREDENTIALS##################################################
+
+ verify = 2
+ CAfile = /etc/pki/tls/certs/mon-ca.crt
+ CRLfile = /etc/pki/tls/certs/crt-crl.pem
+ cert = /etc/pki/tls/certs/matthieu.3.crt
+ key = /etc/pki/tls/private/matthieu.3.key
+
+#ROLE#########################################################
+
+ client = yes
+ connect = nfs2-freeway.casperlefantom.net:443 |
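Review bot: `verify = 2` with `CAfile` only validates the server's chain against mon-ca.crt; nothing in the CREDENTIALS or ROLE block binds the peer certificate to the host named in `connect`. Any certificate issued by that CA, presumably including other client certificates like the one configured here, would therefore be accepted as the NFS tunnel endpoint. Add `checkHost = nfs2-freeway.casperlefantom.net` beside `connect`, and consider replacing the obsolete `verify = 2` with `verifyChain = yes`. Separately, with `sslVersion = TLSv1.3` the `ciphers=` list, the `NO_SSLv2`/`NO_SSLv3` options and `renegotiation = no` do not affect the negotiated session. TLS 1.3 suites are selected with `ciphersuites`, so either set that explicitly or drop the inert lines so the file does not suggest hardening it is not providing.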