Hi,
I have a couple of questions regarding failover with stunnel:
1. I would like to know if there is a way to use failover with two servers with two different sets of TLS cert/key.
The following rule doesn't work, because the cert and key parameters are overwritten, but it shows what I would like to achieve:
[failover]
accept = 127.0.0.1:4441
cert = cert_1.cert
key = key_1.pem
connect = server-1:1234
cert = cert_2.cert
key = key_2.pem
connect = server-2:1234
2. On the same topic, I would like to know if there is an option that could open the local port (accept) only when the connection (connect) is established?
The problem I'm facing is that I use a PAC profile with failover on several stunnel entries: "return PROXY 127.0.0.1:4441; PROXY 127.0.0.1:4442; PROXY 127.0.0.1:4443;". However, when one of the remote servers is down (i.e. server-1), it is not easily detected by web browsers (Chrome does not seem to detect it well), and so instead of switching to the next PROXY, it simply dies on the first one. If the port 4441 relative to server-1 (which is unavailable) was closed, then the web browser could easily detect it and switch to the second server with port 4442.
3. Is there another way to tweak stunnel behavior when a remote server is down?
I'm thinking about a couple of things, like being able to switch to a different rule set:
[failover1]
accept = 127.0.0.1:4441
cert = cert_1.cert
key = key_1.pem
connect = server-1:1234
connect = 127.0.0.1:4442 ; This is failover2
[failover2]
accept = 127.0.0.1:4442
cert = cert_2.cert
key = key_2.pem
connect = server-2:1234
Or maybe there are some options that I'm not aware of to timeout connections more efficiently: so that Chrome (or other clients using HTTP proxies) will immediately know that stunnel cannot connect to the remote server and so that the proxy is down.
Thank you for your help.
Cheers,
Thireus.