[stunnel-users] "Chained" stunnel instances
Michal Trojnara
Michal.Trojnara at mirt.net
Fri Jul 31 23:04:03 CEST 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Michael,
One solution might be to run a tiny watchdog script on each of the
server machines that would periodically test whether S1/S2/S3 is alive
and start/stop the corresponding st1/st2/st3 service.
What do you think?
I can think of some other solutions, but none of them is remotely as
simple and flexible as the one described above.
Best regards,
Mike
On 31.07.2015 20:12, Michael Gebis wrote:
> Hello.
>
> I have a question about a strange stunnel configuration;
> specifically, I'm like to use 'chained' stunnel instances, and I'm
> running into an issue.
>
> We have a conceptually simple setup: a client that connects to a
> server. We use stunnel both for encryption and for the failover
> mechanism. Here's a diagram of our simplest setup:
>
> /----S1 / C--st0-----S2 \ \----S3
>
> We have a client that connects to stunnel. Our stunnel
> configuration lists three connections with "prio" failover mode. So
> usually, connections go from C thru st and onto Server 1. If S1 is
> down, st0 fails to connect to S1 and instead tries S2, and all is
> good.
>
> However, sometimes we may place an optional second instance of
> stunnel in front of the servers.
>
> /----st1--S1 / C--st0-----st2--S2 \ \----st3--S3
>
>
> The failover mode of stunnel does not work so well in this
> configuration. If S1 is down, st0's failover algorithm does not
> kick in. Instead, st0 happily connects to st1, which is still
> alive and running. st1 then detects S1 is down and immediately
> closes the connection, but st0 does not care. Since the initial
> connection was successful, it does not initiate the failover
> algorithm.
>
> You may ask "why not change to round-robin mode?" The answer is
> that S1 is a dedicated machine, and S2/S3 are underpowered backups
> that have other primary responsibilities. We really want to direct
> all connections to S1 and only use S2/S3 in emergencies.
>
> You may also ask, "Why the second layer of
> stunnel?"--unfortunately, there are several hairy
> implementation-specific details that make this hard to change.
>
> My question is: is there any stunnel configuration option that can
> help us out? We would like the failover to work with and without
> the second layer of stunnel. From looking at the source code, I
> think I'm out of luck, but I figured it couldn't hurt to ask.
> Thanks!
>
> Michael _______________________________________________
> stunnel-users mailing list stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBAgAGBQJVu+LDAAoJEC78f/DUFuAUCqkQAL957JFjxSF4lDIL7NagurFT
hoenCP/kJsFroZkli9pWImdTyF4Qjard40uavAycx25VBBf4h3/sHdqs861Tmv7i
jsjrUvMWYQP8VqH7fgmHaFjQN17RxkeUUf6ZFUTkYqf+yoHfPRFGjHqIbr4foXsI
Z+FVEQ08bp30OYkoLWNibZtlkGSLwMeeZ2jv4vGPpwfNefniYzsIJd4FQvVln4te
fRKIdfY0v1C7hksnWCMb+OSOMvdgbDd4EG5oeGCpEzNcwwpeh8iUFawhzsLQTpav
wcZ6L+eQznQjy5wSdgUfVBxMhL0gZSHmFzr8+c0ES8JlEAZl4G6vviSADLUhhu1m
ck9dPE+hxBLDfJGHYnXzbcKSp3Eae2Cuz9tvzs7ppnzOBGLQVtfcA+CvKfeWTNcD
L+zpI/CcEMIFbwxu3YA9O6/tVs1qZrWiB2bfSh2T3nJrGDO2rIn/AxQAzLzMdBym
FINeM6yJkelUTcy1BbvF6m8fHpd9UVdNneQtZp2bFaiO4xcd7AicP56VD19SfqBf
/h7ykHJyU8Fsfx6juLVALV/nsVinPiNQ0t3TSujzFkWvTZdClyQ748uvQ0RvHfV1
7MShfesMh3tINmijVyW8A20qVHpQ7FVS/1dzXiRi/4BS21JALZVdRVFnCI5GKvns
m9HnpMzbVj5vVbGdNFjK
=jkOV
-----END PGP SIGNATURE-----
More information about the stunnel-users
mailing list