Hello folks, I have seen a couple of other posts concerning this question but I am still unclear and wanted to see if there are any new options for 2024. What would the recommended setup for Stunnel look like for HA (high-availability)? All I need is basically to have two servers, one active and another one stand by and be able to fail over to the standby server when the active one becomes unavailable due to hardware failure, bad vmotion etc. Extra point if this setup offers automatic failover to DR as well, meaning failover to a third server that's also on standby in case of catastrophic failures on the first two. This almost looks like a load-balancing solution but not really. I say this because I tried to leverage F5 to accomplish this HA scenario and wasn't successful at it because of the way that the F5 performs active checks so often and how noisy that can be for network perimeter security setups. My main request is the local HA though, I can come up with a solution for DR later on. Any recommendation is appreciated. Thank you in advance!
On 01.03.24 05:39, caspernetherlands@gmail.com wrote:
What would the recommended setup for Stunnel look like for HA (high-availability)? All I need is basically to have two servers, one active and another one stand by and be able to fail over to the standby server when the active one becomes unavailable due to hardware failure, bad vmotion etc.
You're leaving a whole lot of details (like: what OS are you working on?) to guess, other than asking this on the *stunnel* mailinglist ... If this is about HAing *the stunnel service itself*, as a Linux admin, my gut reaction would be to -- have both servers run stunnel simultaneously (should IMHO be possible in most, if not all, use cases) and -- add (just) VRRP and a floating IP to that with keepalived https://www.keepalived.org/ If you want the *remote end* of the stunnels to go HA, I'd still have a look at keepalived, but you'd need to re-evaluate whether the actual service can simply run on *both* servers, or needs to be started/stopped by keepalived as well as it does a failover. (If the latter, then look into the question whether the time it needs to *start up* in a failover situation is in fact an acceptable outage duration, or you'll have to get inventive about *that*.) What stunnel AFAIK does *not* do is check the backends for liveliness and do failovers *for them*. You'd need something external to keep tabs on the backends "remotely" (which keepalived doesn't do), and restart stunnel into different configs if necessary. Kind regards, -- Jochen Bern Systemingenieur Binect GmbH
Thanks Jochen! Yeah sorry I assumed Linux because who would use windows for things outside of AD/DNS anyway, jk! Okay, this is exactly what I was looking for… Seems like redhat has a nice write up on this, crazy that I haven’t run into this service before but will need to start do some homework. It doesn’t seem terribly different from VRRP which I am familiar with since it seems like keepalived is based on the same RFC’s anyway. I only don’t understand one of your comments: What stunnel AFAIK does *not* do is check the backends for liveliness and do failovers *for them*. You'd need something external to keep tabs on the backends "remotely" (which keepalived doesn't do), and restart What do you mean by this? Are you referring to service failures due to a bad config / expired cert? I guess I can leverage systemd to accomplish this or suggest something crazier like multiple services running different sessions?
On 04.03.24 20:00, caspernetherlands@gmail.com wrote:
It doesn’t seem terribly different from VRRP which I am familiar with since it seems like keepalived is based on the same RFC’s anyway.
Yes, keepalived is indeed doing VRRP for the "switch over per floating IP" part of its functionality.
I only don’t understand one of your comments:
What stunnel AFAIK does *not* do is check the backends for liveliness and do failovers *for them*. You'd need something external to keep tabs on the backends "remotely" (which keepalived doesn't do), and restart
What do you mean by this?
You did not specify *which* service (stunnel or its backends) you want to HA, nor *which* set of machines is supposed to *do* the failover. If you want the stunnel machines to failover stunnel, VRRP can do that. Same if you want the backends to failover the backend service. The third possibility is that you want the frontends (to run stunnel and) switch from one backend to the other (assuming that they're separate machines, of course), like a load balancer would. Then your HA solution needs to remotely sense which backends are currently operational, and instruct the stunnels to switch away from a TILT one to one of the OK ones. keepalived is not particularly suited to do *that*, and restarting the stunnels would leave you with an additional (if very short) outage still. Kind regards, -- Jochen Bern Systemingenieur Binect GmbH
On Tue, Mar 05, 2024 at 05:42:04PM +0100, Jochen Bern wrote: [snip]
The third possibility is that you want the frontends (to run stunnel and) switch from one backend to the other (assuming that they're separate machines, of course), like a load balancer would. Then your HA solution needs to remotely sense which backends are currently operational, and instruct the stunnels to switch away from a TILT one to one of the OK ones. keepalived is not particularly suited to do *that*, and restarting the stunnels would leave you with an additional (if very short) outage still.
...and that's why you can instruct a running stunnel instance to reload its configuration file without a service outage, either using the `-reload` option for Windows, or by sending it a HUP signal under Unix-like OSs. G'luck, Peter -- Peter Pentchev roam@ringlet.net roam@debian.org pp@storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
<blockquote><strong>A conclusive Manual for Web Nursing Classes</strong></blockquote> <blockquote>Show (150 words): In the rapidly creating circumstance of preparing, electronic learning has changed into an establishment for overwhelmingly most certain clinical directors searching for flexibility and responsiveness. This wide aide, "Rx for Progress: An unequivocal <span data-sheets-root="1" data-sheets-value="{"1":2,"2":"4050 assessment 2"}" data-sheets-userformat="{"2":1053567,"3":{"1":0},"4":{"1":2,"2":16777215},"5":{"1":[{"1":2,"2":0,"5":{"1":2,"2":0}},{"1":0,"2":0,"3":3},{"1":1,"2":0,"4":1}]},"6":{"1":[{"1":2,"2":0,"5":{"1":2,"2":0}},{"1":0,"2":0,"3":3},{"1":1,"2":0,"4":1}]},"7":{"1":[{"1":2,"2":0,"5":{"1":2,"2":0}},{"1":0,"2":0,"3":3},{"1":1,"2":0,"4":1}]},"8":{"1":[{"1":2,"2":0,"5":{"1":2,"2":0}},{"1":0,"2":0,"3":3},{"1":1,"2":0,"4":1}]},"9":0,"11":3,"12":0,"15":"Roboto, RobotoDraft, Helvetica, Arial, sans-serif","23":1}" data-sheets-hyperlink="https://tutorsacademy.co/nurs-fpx-4050-assessment-2-ethical-and-policy-factors-in-care-coordination/"><a class="in-cell-link" href="https://tutorsacademy.co/nurs-fpx-4050-assessment-2-ethical-and-policy-facto..." target="_blank">4050 assessment 2</a></span> Manual for Electronic Nursing Classes," bounces into the universe of web nursing bearing, offering boundless encounters and strong signs to explore this imperative learning environment. From picking the right program to winning in virtual study corridors, this guide means to empower specific specialists with the data and resources expected to prosper in the online nursing preparing space.</blockquote>
participants (4)
-
caspernetherlands@gmail.com -
Jochen Bern -
Peter Pentchev -
silir10174@mcuma.com