Having problems with an special configuration - stunnel-users

4 Apr 2006


      Hi all,
I've got a strange thing (at least I think so) that i'm trying to do with 
stunnel and it doesn't work.  Here's the layout...  Feel free to skip the 
next 3 paragraphs to get to the root of the problem:
I'm using stunnel to provide SSL for a set of webservers behind a pair of 
LVS loadbalancers using keepalived.
lets say I have a public IP of 10.0.0.1.  I have an iptables rule which 
marks all 443 traffic to this IP with a fwmark, then keepalived dumps the 
traffic to the stunnel after seeing this fwmark.  I have configured LVS to 
use direct-routing so that the stunnel server can see the original public IP 
which was requested (so it can serve up the right cert).
Now, here is where things break.  Internally, lets say stun is setup with an 
IP 192.168.0.10, and the LVS server has an interface on this VLAN with the 
IP 192.168.0.5.  In my keepalived configuration for the correct fwmark, I 
dump the traffic to stun on 192.168.0.10.
When I test this by creating a connection to the public IP address 
(10.0.0.1), LVS dumps the traffic to stunnel as planned and stunnel sees 
something like the following in TCPDUMP:
Websurfer's_IP:123131 ----> 10.0.0.1:443
Stunnel refuses to do anything with the traffic.  I assumed this was becuase 
the IP 10.0.0.1 wasn't configured anywhere on the stunnel box itself.  I 
assigned this IP to the loopback interface as an alias, and it still doesn't 
work.  I've straced/debug-logged stunnel and it doesn't do anything - almost 
like it doesn't think it should service the traffic.  If I run netstat -
plan, stunnel is listening to 0.0.0.0:443.  So, why doesn't stunnel want to 
do anything with this traffic?
uname -a:
Linux ssl-server.domain.com 2.4.29-1.2smp #1 SMP Fri Mar 18 15:45:07 EST 
2005 i686 unknown
Running redhat 7.3.  Glibc:
glibc-2.2.5-44
glibc-common-2.2.5-44
openssl version:
0.9.6b
configuration:
cert = /nfs/ssl/pem/default
chroot = /nfs
certdir = /ssl/pem
hashdir = yes
pid = /run/stunnel.pid
setuid = nobody
setgid = nogroup
output = /var/log/stunnel.log
[https]
accept  = 443
connect = *:80
httpprotocol = yes
TIMEOUTclose = 1
IP on loopback:
bash-2.05a# ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet 10.0.0.1/32 brd 10.0.0.255 scope global lo:0
...
...
...
Michael Spiegle
mike@nauticaltech.com
310.686.4570