[stunnel-users] Binding to non-local sockets

Janusz Dziemidowicz rraptorr at nails.eu.org
Mon Sep 10 00:15:52 CEST 2012


Hi,
attached is a very simple patch that allows setting IP_FREEBIND under
Linux (IP_BINDANY/IPV6_BINDANY under FreeBSD) on an accept socket.

I've stumbled upon this need due to the following situation (which I
believe might be quite common):
- I've already had a stunnel instance happily serving one website on
port 443, single domain
- a need occurred to set up another domain
- SNI cannot be used, because Windows XP doesn't support it (and it is
still a very large user base)
- no problem, I thought, I have a few public IPs available, just set
stunnel up on another IP
- and here comes the problem, I have two frontend servers with VRRP
configured to migrate public IP between them, only one server has the
public IP at a time
- under normal circumstances it is impossible to bind to an address
that does not exist on the server (in case of one domain I've simply
bound stunnel to 0.0.0.0)
- starting stunnel manually when the address migrates is not an option
(VRRP daemon probably can start it, but I was not happy with that
solution, I want all services working constantly on both servers so
there are no surprises in case of a failover)
- setting IP_FREEBIND on accept socket solves the problem, stunnel is
working on both machines and I can migrate the public IPs however I
want

As stunnel already exposes low level socket options, adding support
for IP_FREEBIND is very simple. I've also added similar FreeBSD
options (tested on FreeBSD 9.0).
Oh, and the patch is public domain ;)

-- 
Janusz Dziemidowicz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freebind.diff
Type: application/octet-stream
Size: 880 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20120910/86af6264/attachment.obj>
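The bind behaviour the post describes, as an added example that is neither the attached patch nor stunnel's own code: a small C program that tries to bind a TCP listener to a floating address that is not configured on this host, with and without IP_FREEBIND (IP_BINDANY on FreeBSD). 192.0.2.1 (TEST-NET-1) is a placeholder standing in for the VRRP-managed public IP; port 0 asks for an ephemeral port so no privilege is needed on Linux.

```c
/* Added example, not part of the stunnel patch: demonstrates why an accept
 * socket needs IP_FREEBIND to listen on a VRRP address that currently lives
 * on the other node. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum bind_result { BIND_OK = 0, BIND_NOT_LOCAL = 1, BIND_ERR = -1 };

/* Enable "bind to a non-local address" on the socket, whichever spelling
 * the platform uses. Linux IP_FREEBIND needs no privilege; FreeBSD's
 * IP_BINDANY is a privileged option (normally root only). */
static int set_freebind(int fd)
{
    int one = 1;
#if defined(IP_FREEBIND)
    return setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one));
#elif defined(IP_BINDANY)
    return setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof(one));
#else
    (void)fd; (void)one; errno = ENOPROTOOPT; return -1;
#endif
}

/* Try to bind a listener to ip:port; freebind != 0 sets the option first.
 * Returns BIND_OK, BIND_NOT_LOCAL (EADDRNOTAVAIL) or BIND_ERR. */
int try_bind(const char *ip, unsigned short port, int freebind)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return BIND_ERR;
    if (freebind && set_freebind(fd) < 0) { close(fd); return BIND_ERR; }
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { close(fd); return BIND_ERR; }
    int rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa));
    int saved = errno;          /* close() may clobber errno */
    close(fd);
    if (rc == 0)
        return BIND_OK;
    return saved == EADDRNOTAVAIL ? BIND_NOT_LOCAL : BIND_ERR;
}

int main(void)
{
    /* 192.0.2.1 is a constructed placeholder for the floating VRRP address. */
    printf("plain bind:    %d\n", try_bind("192.0.2.1", 0, 0)); /* 1: not local */
    printf("with freebind: %d\n", try_bind("192.0.2.1", 0, 1)); /* 0: bound */
    return 0;
}
```

Once the socket is bound this way, listen() and accept() work normally; connections only arrive after VRRP moves the address onto this node, which is exactly the "running on both servers" behaviour the post wants.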
