[stunnel-users] stunnel and heartbeat
eni-urgence
eni-urgence at scan-eco.com
Fri Jun 25 13:29:59 CEST 2010
Hello all.
I want to use stunnel as SSL termination for HTTPS and pass the HTTP
requests to haproxy. I have compiled stunnel (source
http://www.stunnel.org/download/stunnel/src/stunnel-4.32.tar.gz ) and
applied this patch
http://haproxy.1wt.eu/download/patches/stunnel-4.32-xforwarded-for.diff.
I have placed the binary in /usr/local/bin . I want to use the
heartbeat capabilities and start stunnel only if the VIP is on the node. In
order to do that, the init script of stunnel must be LSB compatible,
as said at http://www.linux-ha.org/LSBResourceAgent. When I do a
/etc/init.d/stunnel stop and then a /etc/init.d/stunnel start, the service
won't start.
In order to reproduce:

/etc/init.d/stunnel start

ps -ef said
stunnel 30301 1 0 13:21 pts/2 00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
stunnel 30302 1 0 13:21 pts/2 00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
stunnel 30303 1 0 13:21 pts/2 00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
stunnel 30304 1 0 13:21 pts/2 00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
stunnel 30305 1 0 13:21 pts/2 00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
stunnel 30306 1 0 13:21 ? 00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
Is it normal that there are many stunnel processes? And only the last pid,
the process with ? in place of pts/2, is in the pid file.

/etc/init.d/stunnel stop

ps -ef said

stunnel 30306 1 0 13:21 ? 00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf

and /etc/init.d/stunnel start said:
Démarrage de stunnel :Reading configuration from file /etc/stunnel/stunnel.conf
FIPS mode disabled
RAND_status claims sufficient entropy for the PRNG
PRNG seeded successfully
Certificate: /path_to_mycrt
Certificate loaded
Key file: /path_to_my_key
Private key loaded
SSL context initialized for service my_domaine_name
Configuration successful
No limit detected for the number of clients
FD=9 in non-blocking mode
FD=10 in non-blocking mode
FD=11 in non-blocking mode
Option SO_REUSEADDR set on accept socket
Error binding secure.scan-prod.com to 192.168.100.156:443
bind: Address already in use (98)
return code 1
After stop there is a remaining stunnel process. It appears that this
process is the one whose pid had been added to the pidfile.

file /usr/local/bin/stunnel said
/usr/local/bin/stunnel: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped

/usr/local/bin/stunnel -version said

stunnel 4.32 on x86_64-unknown-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Threading:PTHREAD SSL:ENGINE,FIPS Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug = daemon.notice
pid = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options
cert = /usr/local/etc/stunnel/stunnel.pem
ciphers = FIPS
session = 300 seconds
stack = 65536 bytes
sslVersion = TLSv1
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
My stunnel.conf is like this:

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
setuid = stunnel
setgid = stunnel
chroot = /var/chroot/stunnel
pid = /var/run/stunnel.pid
output = /var/log/stunnel.log
debug = 5
fips = no
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
[my_domain]
key = /path_to_my_key
cert = /path_to_mycrt
accept = 192.168.100.156:443
connect = 192.168.100.156:10443
xforwardedfor = yes
TIMEOUTclose = 0

Thanks for your help
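The behaviour asked about above (a stop that leaves behind the very process whose pid is in the pid file, followed by a start that fails on bind) is exactly what an LSB-conformant status/stop handler has to guard against. The following is an added example, not code from the original post, from stunnel or from haproxy: POSIX sh helpers that compute where a pid file actually lands when stunnel.conf sets both chroot and pid (the stunnel manual documents the pid path as relative to the chroot directory), report status with the LSB exit codes the linked linux-ha page requires, and stop the daemon while waiting until the process holding the listening socket is really gone. All function names are my own, and the stale-pid handling and zombie check go slightly beyond the symptoms in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from stunnel/haproxy:
# LSB-style status/stop helpers for a daemon whose pid file may live
# under a chroot. Function names are hypothetical.

# Where the pid file really lands. The stunnel manual documents the pid
# path as relative to the chroot directory, so with
# "chroot = /var/chroot/stunnel" and "pid = /var/run/stunnel.pid" the file
# is /var/chroot/stunnel/var/run/stunnel.pid, not /var/run/stunnel.pid.
#   $1 = chroot directory ("" if none), $2 = pid path from stunnel.conf
effective_pidfile() {
    if [ -n "$1" ]; then
        printf '%s/%s\n' "${1%/}" "${2#/}"
    else
        printf '%s\n' "$2"
    fi
}

# True if $1 is a live process. kill -0 alone is not enough on Linux: a
# zombie (exited, not yet reaped) still answers it, so check /proc too.
proc_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    if grep -q '^State:[[:space:]]*Z' "/proc/$1/status" 2>/dev/null; then
        return 1
    fi
    return 0
}

# LSB status exit codes: 0 running, 1 dead but pid file exists, 3 stopped.
daemon_status() {
    [ -f "$1" ] || return 3
    pid=$(cat "$1" 2>/dev/null || true)
    [ -n "$pid" ] || return 1
    proc_alive "$pid" && return 0
    return 1
}

# Terminate the process named in pid file $1 and wait up to $2 seconds for
# it to disappear, so that a following "start" does not fail with
# "bind: Address already in use". Returns 0 when stopped (or when there
# was nothing to stop), 1 when the process outlived the timeout (the pid
# file is then left in place so "status" keeps reporting the truth).
daemon_stop() {
    pidfile=$1
    timeout=${2:-10}
    if ! daemon_status "$pidfile"; then
        rm -f "$pidfile"          # absent or stale pid file: nothing to do
        return 0
    fi
    pid=$(cat "$pidfile")
    kill "$pid" 2>/dev/null || true
    waited=0
    while proc_alive "$pid"; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    rm -f "$pidfile"
    return 0
}

# Command-line use; nothing runs when the file is sourced without arguments.
#   sh lsb-pid-helpers.sh status /var/chroot/stunnel /var/run/stunnel.pid
#   sh lsb-pid-helpers.sh stop   /var/chroot/stunnel /var/run/stunnel.pid
if [ "$#" -gt 0 ]; then
    pf=$(effective_pidfile "${2:-}" "${3:-/var/run/stunnel.pid}")
    case $1 in
        status) daemon_status "$pf"; exit $? ;;
        stop)   daemon_stop "$pf" 10; exit $? ;;
        *)      echo "usage: $0 status|stop [chroot_dir] [pid_path]" >&2; exit 2 ;;
    esac
fi
```

Two points worth checking against the post's own output: the compiled-in default pid path shown by stunnel -version (/usr/local/var/run/stunnel/stunnel.pid) differs from the one in stunnel.conf, and with chroot set the configured path is resolved inside the chroot, so an init script that looks for the pid file at a fixed location can easily be reading the wrong file or none at all. The stop helper only reports success once the process has actually gone, which is what lets a resource agent safely call start afterwards.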