[stunnel-users] Having problems with an special configuration
Michael Spiegle
mike at www.nauticaltech.com
Tue Apr 4 04:50:06 CEST 2006
Hi all,
I've got a strange thing (at least I think so) that I'm trying to do with
stunnel and it doesn't work. Here's the layout... Feel free to skip the
next 3 paragraphs to get to the root of the problem:
I'm using stunnel to provide SSL for a set of webservers behind a pair of
LVS loadbalancers using keepalived.
Let's say I have a public IP of 10.0.0.1. I have an iptables rule which
marks all 443 traffic to this IP with a fwmark, then keepalived dumps the
traffic to the stunnel after seeing this fwmark. I have configured LVS to
use direct-routing so that the stunnel server can see the original public IP
which was requested (so it can serve up the right cert).
Now, here is where things break. Internally, let's say stun is set up with an
IP 192.168.0.10, and the LVS server has an interface on this VLAN with the
IP 192.168.0.5. In my keepalived configuration for the correct fwmark, I
dump the traffic to stun on 192.168.0.10.
When I test this by creating a connection to the public IP address
(10.0.0.1), LVS dumps the traffic to stunnel as planned and stunnel sees
something like the following in TCPDUMP:
Websurfer's_IP:123131 ----> 10.0.0.1:443
Stunnel refuses to do anything with the traffic. I assumed this was because
the IP 10.0.0.1 wasn't configured anywhere on the stunnel box itself. I
assigned this IP to the loopback interface as an alias, and it still doesn't
work. I've straced/debug-logged stunnel and it doesn't do anything - almost
like it doesn't think it should service the traffic. If I run
netstat -plan, stunnel is listening to 0.0.0.0:443. So, why doesn't stunnel
want to do anything with this traffic?
uname -a:
Linux ssl-server.domain.com 2.4.29-1.2smp #1 SMP Fri Mar 18 15:45:07 EST
2005 i686 unknown
Running redhat 7.3. Glibc:
glibc-2.2.5-44
glibc-common-2.2.5-44
openssl version:
0.9.6b
configuration:
cert = /nfs/ssl/pem/default
chroot = /nfs
certdir = /ssl/pem
hashdir = yes
pid = /run/stunnel.pid
setuid = nobody
setgid = nogroup
output = /var/log/stunnel.log
[https]
accept = 443
connect = *:80
httpprotocol = yes
TIMEOUTclose = 1
IP on loopback:
bash-2.05a# ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet 10.0.0.1/32 brd 10.0.0.255 scope global lo:0
...
...
...
Michael Spiegle
mike at nauticaltech.com
310.686.4570
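An added check (not code from the post or from the stunnel project) that narrows the question above: a listener bound to 0.0.0.0 accepts connections addressed to any locally configured address, so if stunnel's 0.0.0.0:443 socket never sees the SYNs for 10.0.0.1:443, the packets are not being handed to the socket layer at all. The script uses 127.0.0.2 as a stand-in for the VIP aliased onto lo:0 (any 127.0.0.0/8 address is local on Linux without configuration) and an unprivileged ephemeral port instead of 443; these are the only assumptions.

```python
import socket
import threading

# Constructed stand-in for the post's setup: a wildcard listener like stunnel's
# "accept = 443" (shown by netstat as 0.0.0.0:443) and a client that connects to a
# local address other than 127.0.0.1, playing the role of the VIP 10.0.0.1 on lo:0.
# Port 0 lets the kernel choose a free port, so no privileges are needed.


def wildcard_listener_sees_vip(vip="127.0.0.2"):
    """Accept one connection on a 0.0.0.0 listener and report the addresses seen.

    Returns {"local": <address the client connected to>, "peer": <client address>}.
    A result whose "local" equals `vip` proves the wildcard bind is not what
    blocks traffic for an aliased address; the kernel's packet path would be.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", 0))  # INADDR_ANY, as stunnel's accept = 443 does
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def accept_one():
        conn, peer = srv.accept()
        # getsockname() on the accepted socket reports the destination address the
        # client actually used, not the 0.0.0.0 the listening socket was bound to.
        seen["local"] = conn.getsockname()[0]
        seen["peer"] = peer[0]
        conn.close()

    worker = threading.Thread(target=accept_one)
    worker.start()
    cli = socket.create_connection((vip, port), timeout=5)
    worker.join(5)
    cli.close()
    srv.close()
    return seen


if __name__ == "__main__":
    result = wildcard_listener_sees_vip()
    print("wildcard listener accepted a connection addressed to", result["local"])
```

Run the same idea on the stunnel box with `curl -k https://10.0.0.1/` from the box itself: if that handshake works but traffic forwarded by LVS never appears in strace, the loss is in packet delivery to the host, not in the stunnel configuration.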