[stunnel-users] Binding to non-local sockets

Janusz Dziemidowicz rraptorr at nails.eu.org
Wed Sep 19 14:10:42 CEST 2012


2012/9/12 Willy Tarreau <w at 1wt.eu>:
> Janusz,
>
> I just saw your mail on stunnel-users. You don't need to use IP_FREEBIND
> to bind to a non-existent address under Linux. You can simply enable
> sys.net.ipv4.ip_nonlocal_bind to do this. This is how most users deal
> with VRRP setups. It does not allow the backup server to receive the
> traffic aimed at the missing address, but it allows the process to bind
> even when the address is missing so that it becomes operational upon a
> switchover.

I am aware of this sysctl. However, this will allow any process on
the system to bind to any address. In my case I prefer to enable this
on a per-process basis to avoid any possible configuration errors in any
other service running on my machines. Since stunnel already had low-level
socket options exposed, I've simply added IP_FREEBIND to the
list ;)

-- 
Janusz Dziemidowicz


