Add stunnel functionality for plaintext service TLS encapsulation

[UFOSmuggler]

This change lets users of the image define two new envars:

STUNNEL - Start the stunnel service on container start, via supervisord.
true: start the service
false: don't start the service

This requires the next envar to define a file path to a stunnel config file. Supervisord calls the stunnel binary with STUNNEL_CONFIG as an argument.

STUNNEL_CONFIG - File path to a stunnel config file.
It is up to the user to create this to define whatever they want to do.
/custom/files/stunnel/stunnel.conf as an example value

If the file doesn't exist or is malformed, supervisord tries a few times and gives up.

Why would you want this?
Some TLS stuff is difficult in MISP, and MISP can't speak to some services via TLS (ie. redis).

This allows you to create a listener on localhost that transparently proxies to a TLS listener somewhere else. For instance, I could create a stunnel config file that says "listen for plaintext connections on localhost:6379, connect to redis://blah.com:6380 using TLS with this CA certificate, and join the two together". Then I can point MISP's REDIS_HOST to localhost and REDIS_PORT to 6379, and now all redis traffic exiting the network is TLS encapsulated to blah.com:6380 where redis lives.

Alternatively, you could also use this to talk to a remote TLS requiring MySQL, but the one in the previous PR is more appropriate for that specific purpose in my opinion.

Or any other arbitrary service that needs it.

I have successfully used this against a TLS speaking valkey/valkey:7.2 image, and AWS Elasticache speaking valkey:7.2.

[UFOSmuggler]

If you want to test this, here's some files to help. just set REDIS_HOST to localhost so it uses the stunnel exposed port, and put the stunnel file path in $STUNNEL_CONFIG.

stunnel.conf - use TLS but don't bother verifying, you can see how to set the appropriate things:

foreground = yes
pid = /var/run/stunnel.pid
[elasticache]
client = yes
accept = localhost:6379
connect = redis:6380

#cert = /custom/files/stunnel/client-cert.pem
#key = /custom/files/stunnel/client-key.pem
#CAfile = /custom/files/stunnel/ca.pem 
verify = 0

docker-compose.override.yml - make redis container use TLS:

services:
  misp-core:
    volumes:
      - "misp_custom_shit/:/custom/:Z"
  redis:
    command: |
      sh -c '
        if [ "$${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then
          exec valkey-server --port 0 --tls-port 6380 --tls-cert-file /data/tls/server-cert.pem --tls-key-file /data/tls/server-key.pem --tls-ca-cert-file /data/tls/ca.pem --tls-auth-clients no
        else
          exec valkey-server --port 0 --tls-port 6380 --tls-cert-file /data/tls/server-cert.pem --tls-key-file /data/tls/server-key.pem --tls-ca-cert-file /data/tls/ca.pem --tls-auth-clients no --requirepass "$${REDIS_PASSWORD:-redispassword}"
        fi
      '
    healthcheck:
      test: |
        sh -c '
          if [ "$${ENABLE_REDIS_EMPTY_PASSWORD:-false}" = "true" ]; then
            valkey-cli --tls --cert /data/tls/server-cert.pem --key /data/tls/server-key.pem --cacert /data/tls/ca.pem -p $${REDIS_PORT:-6380} ping | grep -q PONG || exit 1
          else
            valkey-cli --tls --cert /data/tls/server-cert.pem --key /data/tls/server-key.pem --cacert /data/tls/ca.pem -a "$${REDIS_PASSWORD:-redispassword}" -p $${REDIS_PORT:-6380} ping | grep -q PONG || exit 1
          fi
        '

[ostefano]

Can you add a section to the documentation including the examples you mentioned in the PR?

[UFOSmuggler]

Can you add a section to the documentation including the examples you mentioned in the PR?

sure, i can do that. probably tomorrow.