I’ll toss in an unpopular opinion here. I have used stunnel since day one. I had over the years problems with it not answering or the parent process dying altogether and other issues. I finally decided to run it from inetd rather than as a service. It is logical that this is a little slower but with modern machines I don’t notice it. inetd always is running. Always. If it is not you pretty much cannot use the machine. It has been a service program forever and is dead reliable. What you get is total reliability for an unnoticeable loss of speed. I suppose a heavily loaded machine running at capacity might not like this – my answer is throw hardware at it. I need reliable more than anything else. I’d at least try it!
E
VICS, LLC
Eric S Eberhard
2933 W Middle Verde Rd
Camp Verde, AZ 86322
928-567-3727 (land line)
928-301-7537 (cell phone)
http://www.vicsmba.com/ http://www.vicsmba.com
https://www.facebook.com/groups/286143052248115 https://www.facebook.com/groups/286143052248115
From: Jorge Redondo Flames jorge.redondo@gmail.com Sent: Wednesday, April 14, 2021 11:49 AM To: Peter Pentchev roam@ringlet.net Cc: stunnel-users@stunnel.org Subject: [stunnel-users] Re: Fwd: Re: Local socket keeps listening
Got it. Thank you very much!
On Wed, 14 Apr 2021 at 20:41, Peter Pentchev <roam@ringlet.net mailto:roam@ringlet.net > wrote:
On Wed, Apr 14, 2021 at 08:24:51PM +0200, Jorge Redondo Flames wrote:
On Wed, 14 Apr 2021 at 20:19, Jochen Bern <Jochen.Bern@binect.de mailto:Jochen.Bern@binect.de > wrote:
On 14.04.21 19:58, Jorge Redondo Flames wrote:
Stunnel could listen on its local port *only* when the peer server is listening on its corresponding server socket. So if there is no serve on the other side, there should not be local listening socket. Does not that make sense?
No.
In the general situation (server *not* being on the same machine as stunnel), stunnel CANNOT know whether the server's listening short of trying to connect to it - which it will only do on behalf of an incoming client request, which would never happen if stunnel weren't listening.
Even if server and stunnel run on the same machine/OS, finding out about the server's state would require a bunch of special-purpose code.
Assuming that they *are* on a common Linux (or at least unixoid) system, however, it would be rather trivial to write a root cron job that checks the output of "ss"/"netstat" for the server's LISTEN and simply terminates stunnel if it isn't found.
Or even better, have the server *restarted* automatically whenever it croaks ...
Understood. Although it still seems to me that the code doing more or less what the cron job would do might worth.
So, three points here.
1. There are some services (some servers) that do not react very nicely to somebody connecting to them and disconnecting immediately. Some of them do some work at the moment of the connection (e.g. resolve the client's IP address, check it against firewall rules, or even do some actual, service-specific, work, e.g. allocate buffers, prepare some kind of data...). Some of them are configured in such ways as to avoid portscanners or denial of service attacks or spam or flood or... many other things. In general, unless you *know* that it is safe to connect and immediately disconnect from the remote service, it is very unwise to try to do that. In your particular case, you know that, but in general, it is not a good idea.
2. Even if stunnel would try to connect to the remote service, what happens if the connection fails? OK, you say stunnel should close its local listening socket, but what then - will it never open it again? And if here's the part when you say "it can try to connect to the remote server again and start listening again" - okay, how much time passes between these connection attempts? Even something like a second may be bad if a real client chooses exactly this second to try to connect to stunnel and... stunnel is not listening... even though the remote server has started listening immediately after stunnel's last unsuccessful attempt. So... whatever interval you pick, closing the local listening socket *will* result in real, live clients failing to connect.
3. A more general point: if you really want to check whether a service is operational, only checking whether it will accept a connection is not enough. I've seen *many* failure modes over the years: from an overloaded machine where the OS kernel will accept the connection, but none of the actual server processes will react, through an overloaded service process that accepts the connection but spends too much time processing other requests to pay any attention to it, to a firewall host gone crazy that will pass connection packets, but will then refuse to pass the actual payload (yes, I've seen that happen for at least three different reasons). So an actual service check would be to connect and then send some kind of simple request to the server that you know will not take it too much time and resources to process, but will give you some measure of confidence that the server is actually serving requests and data.
But in short, it is impossible for stunnel to know whether a remote server is listening for a connection without trying to connect, it may not be "polite" for it to try to connect too often, and trying to connect not-too-often *will* result in real clients being unable to connect in the intermediate intervals.
G'luck, Peter
On Thu, Apr 15, 2021 at 09:42:41AM -0700, Eberhard wrote:
I’ll toss in an unpopular opinion here. I have used stunnel since day one. I had over the years problems with it not answering or the parent process dying altogether and other issues. I finally decided to run it from inetd rather than as a service. It is logical that this is a little slower but with modern machines I don’t notice it. inetd always is running. Always. If it is not you pretty much cannot use the machine. It has been a service program forever and is dead reliable. What you get is total reliability for an unnoticeable loss of speed. I suppose a heavily loaded machine running at capacity might not like this – my answer is throw hardware at it. I need reliable more than anything else. I’d at least try it!
Um. Did you read the original message in this thread? How exactly could inetd possibly help with the monitoring problem?
G'luck, Peter
It would make monitory not required. I have never been on a system where inetd failed ... so why monitor? E
VICS, LLC Eric S Eberhard 2933 W Middle Verde Rd Camp Verde, AZ 86322
928-567-3727 (land line) 928-301-7537 (cell phone)
http://www.vicsmba.com https://www.facebook.com/groups/286143052248115
-----Original Message----- From: Peter Pentchev roam@ringlet.net Sent: Thursday, April 15, 2021 1:06 PM To: Eberhard flash@vicsmba.com Cc: 'Jorge Redondo Flames' jorge.redondo@gmail.com; stunnel-users@stunnel.org Subject: Re: [stunnel-users] Re: Fwd: Re: Local socket keeps listening
On Thu, Apr 15, 2021 at 09:42:41AM -0700, Eberhard wrote:
I’ll toss in an unpopular opinion here. I have used stunnel since day one. I had over the years problems with it not answering or the parent process dying altogether and other issues. I finally decided to run it from inetd rather than as a service. It is logical that this is a little slower but with modern machines I don’t notice it. inetd always is running. Always. If it is not you pretty much cannot use the machine. It has been a service program forever and is dead reliable. What you get is total reliability for an unnoticeable loss of speed. I suppose a heavily loaded machine running at capacity might not like this – my answer is throw hardware at it. I need reliable more than anything else. I’d at least try it!
Um. Did you read the original message in this thread? How exactly could inetd possibly help with the monitoring problem?
G'luck, Peter
-- Peter Pentchev roam@ringlet.net roam@debian.org pp@storpool.com PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
On Fri, Apr 16, 2021 at 12:37:38AM -0700, Eberhard wrote:
It would make monitory not required. I have never been on a system where inetd failed ... so why monitor? E
Please, please go back and read the original message. The goal is to monitor...... please read the original message.
-----Original Message----- From: Peter Pentchev roam@ringlet.net Sent: Thursday, April 15, 2021 1:06 PM To: Eberhard flash@vicsmba.com Cc: 'Jorge Redondo Flames' jorge.redondo@gmail.com; stunnel-users@stunnel.org Subject: Re: [stunnel-users] Re: Fwd: Re: Local socket keeps listening
On Thu, Apr 15, 2021 at 09:42:41AM -0700, Eberhard wrote:
I’ll toss in an unpopular opinion here. I have used stunnel since day one. I had over the years problems with it not answering or the parent process dying altogether and other issues. I finally decided to run it from inetd rather than as a service. It is logical that this is a little slower but with modern machines I don’t notice it. inetd always is running. Always. If it is not you pretty much cannot use the machine. It has been a service program forever and is dead reliable. What you get is total reliability for an unnoticeable loss of speed. I suppose a heavily loaded machine running at capacity might not like this – my answer is throw hardware at it. I need reliable more than anything else. I’d at least try it!
Um. Did you read the original message in this thread? How exactly could inetd possibly help with the monitoring problem?