Hi all, I've got a strange thing (at least I think so) that I'm trying to do with stunnel and it doesn't work. Here's the layout... Feel free to skip the next 3 paragraphs to get to the root of the problem:
I'm using stunnel to provide SSL for a set of webservers behind a pair of LVS loadbalancers using keepalived.
Let's say I have a public IP of 10.0.0.1. I have an iptables rule which marks all 443 traffic to this IP with a fwmark, then keepalived dumps the traffic to the stunnel after seeing this fwmark. I have configured LVS to use direct routing so that the stunnel server can see the original public IP which was requested (so it can serve up the right cert).
Now, here is where things break. Internally, let's say stun is set up with an IP 192.168.0.10, and the LVS server has an interface on this VLAN with the IP 192.168.0.5. In my keepalived configuration for the correct fwmark, I dump the traffic to stun on 192.168.0.10.
When I test this by creating a connection to the public IP address (10.0.0.1), LVS dumps the traffic to stunnel as planned and stunnel sees something like the following in TCPDUMP:
Websurfer's_IP:123131 ----> 10.0.0.1:443
Stunnel refuses to do anything with the traffic. I assumed this was because the IP 10.0.0.1 wasn't configured anywhere on the stunnel box itself. I assigned this IP to the loopback interface as an alias, and it still doesn't work. I've straced/debug-logged stunnel and it doesn't do anything - almost like it doesn't think it should service the traffic. If I run netstat -plan, stunnel is listening on 0.0.0.0:443. So, why doesn't stunnel want to do anything with this traffic?
uname -a: Linux ssl-server.domain.com 2.4.29-1.2smp #1 SMP Fri Mar 18 15:45:07 EST 2005 i686 unknown
Running redhat 7.3. Glibc: glibc-2.2.5-44 glibc-common-2.2.5-44
openssl version: 0.9.6b
configuration:

    cert = /nfs/ssl/pem/default
    chroot = /nfs
    certdir = /ssl/pem
    hashdir = yes
    pid = /run/stunnel.pid
    setuid = nobody
    setgid = nogroup
    output = /var/log/stunnel.log

    [https]
    accept = 443
    connect = *:80
    httpprotocol = yes
    TIMEOUTclose = 1

IP on loopback:

    bash-2.05a# ip addr list
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
        inet 10.0.0.1/32 brd 10.0.0.255 scope global lo:0
    ... ... ...
Michael Spiegle mike@nauticaltech.com 310.686.4570
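An LVS-DR real-server sanity check for the setup described in the post, added here as an example; it is not the poster's script and not part of stunnel or keepalived. It assumes the VIP is 10.0.0.1, that a listener should cover port 443, and that the arp_ignore/arp_announce sysctls exist (they do on 2.4.26 and later kernels); the `ip addr` and `netstat` text in the test is constructed from the post.

```shell
#!/bin/sh
# Audit the prerequisites a DR real server needs before a process listening on
# 0.0.0.0:443 will ever see a packet addressed to the VIP: the kernel must accept
# the VIP as local, something must listen on the port, and the real server must
# not leak the VIP via ARP (otherwise it can steal the VIP from the director).
# check_dr_realserver is a pure function: every input is an argument, so captured
# text can be fed in offline. Prints one line per check, returns 0 if all pass.
check_dr_realserver() {
    vip=$1           # VIP to audit, e.g. 10.0.0.1 (the post's example address)
    ipaddr_out=$2    # text of: ip addr list
    netstat_out=$3   # text of: netstat -plan (or ss -lntp)
    arp_ignore=$4    # contents of /proc/sys/net/ipv4/conf/all/arp_ignore
    arp_announce=$5  # contents of /proc/sys/net/ipv4/conf/all/arp_announce
    rc=0
    # 1. The VIP must be a /32 on lo so the kernel treats it as a local address
    #    without adding a connected route for the whole VIP subnet.
    if printf '%s\n' "$ipaddr_out" | grep -q "inet $vip/32 .* lo"; then
        echo "ok:   $vip/32 is on lo"
    else
        echo "FAIL: $vip is not configured as /32 on lo"; rc=1
    fi
    # 2. A listener must cover the VIP port, either the wildcard or the VIP itself.
    if printf '%s\n' "$netstat_out" | grep -Eq "(0\.0\.0\.0|$vip):443 .*LISTEN"; then
        echo "ok:   a listener covers $vip:443"
    else
        echo "FAIL: nothing listens on 0.0.0.0:443 or $vip:443"; rc=1
    fi
    # 3. ARP hardening: with the VIP on lo the real server must neither answer ARP
    #    for it (arp_ignore=1) nor use it as an ARP source (arp_announce=2).
    if [ "$arp_ignore" = 1 ] && [ "$arp_announce" = 2 ]; then
        echo "ok:   arp_ignore=1 arp_announce=2"
    else
        echo "FAIL: arp_ignore=$arp_ignore arp_announce=$arp_announce (want 1 and 2)"; rc=1
    fi
    return $rc
}

# Live mode: `sh check_dr.sh --live [VIP]` on the real server reads the real
# values. Skipped when the file is sourced or run without the flag.
if [ "${1:-}" = "--live" ]; then
    check_dr_realserver "${2:-10.0.0.1}" "$(ip addr list)" "$(netstat -plan 2>/dev/null)" \
        "$(cat /proc/sys/net/ipv4/conf/all/arp_ignore)" \
        "$(cat /proc/sys/net/ipv4/conf/all/arp_announce)"
fi
```

Note that Linux applies the higher of the `all` and per-interface values for these two sysctls, so a per-interface override on eth0 does not relax what `all` enforces.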