[stunnel-users] stunnel and heartbeat

eni-urgence eni-urgence at scan-eco.com
Fri Jun 25 13:29:59 CEST 2010


Hello all.

I want to use stunnel as SSL termination for HTTPS and pass the httpd 
requests to haproxy. I have compiled stunnel (source 
http://www.stunnel.org/download/stunnel/src/stunnel-4.32.tar.gz) and 
applied this patch 
http://haproxy.1wt.eu/download/patches/stunnel-4.32-xforwarded-for.diff. 
I have placed the binary in /usr/local/bin. I want to use the 
heartbeat capabilities and start stunnel only if the VIP is on the node. In 
order to do that, the init script of stunnel must be LSB compatible, 
as described at http://www.linux-ha.org/LSBResourceAgent. When I do a 
/etc/init.d/stunnel stop and then a /etc/init.d/stunnel start, the service 
won't start.

In order to reproduce, do a /etc/init.d/stunnel start.

ps -ef said:
stunnel  30301     1  0 13:21 pts/2    00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
stunnel  30302     1  0 13:21 pts/2    00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
stunnel  30303     1  0 13:21 pts/2    00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
stunnel  30304     1  0 13:21 pts/2    00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
stunnel  30305     1  0 13:21 pts/2    00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf
stunnel  30306     1  0 13:21 ?        00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf

Is it normal that there are so many stunnel processes? And only the last 
process, the one with ? in place of pts/2, is in the pid file.

/etc/init.d/stunnel stop

ps -ef said:
stunnel  30306     1  0 13:21 ?        00:00:00 /usr/local/bin/stunnel /etc/stunnel/stunnel.conf

and /etc/init.d/stunnel start

Démarrage de stunnel :Reading configuration from file /etc/stunnel/stunnel.conf
FIPS mode disabled
RAND_status claims sufficient entropy for the PRNG
PRNG seeded successfully
Certificate: /path_to_mycrt
Certificate loaded
Key file: /path_to_my_key
Private key loaded
SSL context initialized for servicemy_domaine_name
Configuration successful
No limit detected for the number of clients
FD=9 in non-blocking mode
FD=10 in non-blocking mode
FD=11 in non-blocking mode
Option SO_REUSEADDR set on accept socket
Error binding secure.scan-prod.com to 192.168.100.156:443
bind: Address already in use (98)

return code 1

After stop there is a remaining stunnel process. It appears that this 
process is the one whose pid had been added to the pidfile.

A file /usr/local/bin/stunnel said:
/usr/local/bin/stunnel: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped

/usr/local/bin/stunnel -version said:
stunnel 4.32 on x86_64-unknown-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Threading:PTHREAD SSL:ENGINE,FIPS Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug           = daemon.notice
pid             = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /usr/local/etc/stunnel/stunnel.pem
ciphers         = FIPS
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = TLSv1
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none



My stunnel.conf is like this:

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
setuid = stunnel
setgid = stunnel
chroot = /var/chroot/stunnel
pid = /var/run/stunnel.pid
output = /var/log/stunnel.log
debug = 5
fips = no
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1


[my_domain]
key = /path_to_my_key
cert = /path_to_mycrt
accept = 192.168.100.156:443
connect = 192.168.100.156:10443
xforwardedfor = yes
TIMEOUTclose = 0

Thanks for your help
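The LSB stop/status behaviour the post asks about, as an added example that is not from the original post or from the stunnel project: a POSIX sh fragment that locates the pid file the way stunnel does (the pid path is taken relative to the chroot directory, so the configuration above records the pid under /var/chroot/stunnel/var/run/stunnel.pid), reports LSB status codes, and on stop waits until the recorded process is really gone before returning, which is what a following start needs before it can bind 192.168.100.156:443 again. The function names, the config-path argument and the scratch stunnel.conf used for testing are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the stunnel project.
# stunnel resolves "pid =" relative to "chroot =", so with
#   chroot = /var/chroot/stunnel  and  pid = /var/run/stunnel.pid
# the file an LSB init script must read is /var/chroot/stunnel/var/run/stunnel.pid.
# The config path is a parameter (assumption) so the functions can be exercised
# against a constructed stunnel.conf in a scratch directory.

# Print the effective pid file path: chroot prefix + pid option.
stunnel_pidfile() {
    conf=$1
    chroot_dir=$(sed -n 's/^[[:space:]]*chroot[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    pid_path=$(sed -n 's/^[[:space:]]*pid[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$pid_path" ] || return 1                # no pid option: nothing to track
    printf '%s%s\n' "${chroot_dir%/}" "$pid_path"
}

# Read the pid recorded in the pid file (digits only; empty if the file is empty).
stunnel_pid() {
    pidfile=$(stunnel_pidfile "$1") || return 1
    [ -f "$pidfile" ] || return 1
    head -n 1 "$pidfile" | tr -cd '0-9'
}

# LSB status codes: 0 running, 1 dead but pid file exists, 3 not running.
# kill -0 only asks whether the pid exists; an init script runs as root, so EPERM is not an issue.
stunnel_status() {
    pid=$(stunnel_pid "$1") || return 3
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then return 0; fi
    return 1
}

# Stop the recorded daemon and wait until it is really gone, so the next
# "start" does not fail with "bind: Address already in use".
stunnel_stop() {
    conf=$1; timeout=${2:-10}
    pid=$(stunnel_pid "$conf") || return 0        # LSB: stopping a stopped service succeeds
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        kill -TERM "$pid"
        while [ "$timeout" -gt 0 ] && kill -0 "$pid" 2>/dev/null; do
            sleep 1; timeout=$((timeout - 1))
        done
        if kill -0 "$pid" 2>/dev/null; then return 1; fi   # still alive: report failure
    fi
    rm -f "$(stunnel_pidfile "$conf")"
}
```

A stop that returns before the listener is gone is exactly what leaves the "Address already in use" error behind on the next start, so the exit status of stunnel_stop is what a heartbeat resource agent should check.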