[stunnel-users] Having problems with an special configuration

Michael Spiegle mike at www.nauticaltech.com
Tue Apr 4 04:50:06 CEST 2006

Hi all,
I've got a strange thing (at least I think so) that I'm trying to do with 
stunnel and it doesn't work.  Here's the layout...  Feel free to skip the 
next 3 paragraphs to get to the root of the problem:

I'm using stunnel to provide SSL for a set of webservers behind a pair of 
LVS loadbalancers using keepalived.

Let's say I have a public IP of  I have an iptables rule which 
marks all 443 traffic to this IP with a fwmark, then keepalived dumps the 
traffic to the stunnel after seeing this fwmark.  I have configured LVS to 
use direct routing so that the stunnel server can see the original public IP 
which was requested (so it can serve up the right cert).

Now, here is where things break.  Internally, let's say stun is set up with an 
IP, and the LVS server has an interface on this VLAN with the 
IP  In my keepalived configuration for the correct fwmark, I 
dump the traffic to stun on

When I test this by creating a connection to the public IP address 
(, LVS dumps the traffic to stunnel as planned and stunnel sees 
something like the following in tcpdump:

Websurfer's_IP:123131 ---->

Stunnel refuses to do anything with the traffic.  I assumed this was because 
the IP wasn't configured anywhere on the stunnel box itself.  I 
assigned this IP to the loopback interface as an alias, and it still doesn't 
work.  I've straced/debug-logged stunnel and it doesn't do anything - almost 
like it doesn't think it should service the traffic.  If I run 
netstat -plan, stunnel is listening to  So, why doesn't stunnel want to 
do anything with this traffic?

uname -a:
Linux ssl-server.domain.com 2.4.29-1.2smp #1 SMP Fri Mar 18 15:45:07 EST 
2005 i686 unknown

Running Red Hat 7.3.  Glibc:

openssl version:

cert = /nfs/ssl/pem/default
chroot = /nfs
certdir = /ssl/pem
hashdir = yes
pid = /run/stunnel.pid
setuid = nobody
setgid = nogroup
output = /var/log/stunnel.log
accept  = 443
connect = *:80
httpprotocol = yes
TIMEOUTclose = 1

IP on loopback:
bash-2.05a# ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet brd scope host lo
    inet brd scope global lo:0

Michael Spiegle
mike at nauticaltech.com

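The post assumes that a listener bound to the wildcard address (stunnel's `accept = 443`) will service a connection whose destination is an address aliased onto lo, and that the server can then read that destination address to pick a certificate. The following is an added example, not code from the post or from the stunnel project, that checks exactly that socket-layer assumption without root: it binds a listener to 0.0.0.0 on an ephemeral port, connects to it through 127.0.0.2 (a second loopback address, standing in for the VIP alias; its being local is Linux behaviour, since 127.0.0.0/8 is routed to lo there, so the probe falls back to 127.0.0.1 on other hosts), and reports the destination address the accepted socket sees. The function name, port choice and addresses are this example's own. It does not exercise the LVS direct-routing path, the fwmark rule, keepalived or the chroot, so a pass here only rules out the wildcard-bind explanation, not the delivery of packets arriving through the load balancer.

```python
import socket
import threading


def probe_wildcard_listener(dest_ip="127.0.0.2", fallback_ip="127.0.0.1"):
    """Bind a listener on the wildcard address, connect to it via dest_ip,
    and return (ip_connected_to, ip_the_server_saw, peer_ip, reply).

    dest_ip defaults to 127.0.0.2, a constructed stand-in for the VIP alias
    on lo; on hosts where that address is not local (non-Linux loopback
    setups) the probe falls back to fallback_ip so it still runs.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", 0))          # wildcard bind, like "accept = 443"
    port = srv.getsockname()[1]       # ephemeral port, no root needed
    srv.listen(1)

    seen = {}

    def serve():
        conn, peer = srv.accept()
        # getsockname() on the accepted socket is the destination address the
        # client actually connected to; a server choosing a per-IP certificate
        # would key on this value.
        seen["local"] = conn.getsockname()[0]
        seen["peer"] = peer[0]
        conn.sendall(b"ok\n")
        conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()

    used = dest_ip
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(5)
    try:
        cli.connect((dest_ip, port))
    except OSError:
        # dest_ip is not a local address on this host; retry on fallback_ip
        cli.close()
        used = fallback_ip
        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli.settimeout(5)
        cli.connect((fallback_ip, port))

    reply = cli.recv(16)
    cli.close()
    worker.join(5)
    srv.close()
    return used, seen["local"], seen["peer"], reply


if __name__ == "__main__":
    used, local, peer, reply = probe_wildcard_listener()
    print("connected to %s, server saw dst=%s src=%s, reply=%r"
          % (used, local, peer, reply))
```

If the server-side destination address equals the address connected to and the reply comes back, the kernel delivers connections for a non-primary local address to a wildcard-bound listener, which is the part of the setup the post's netstat output relies on. If stunnel still logs nothing while tcpdump shows the SYNs, the problem lies before the socket layer (how the packets arriving through LVS reach the local stack), which this probe deliberately does not cover.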