[stunnel-users] "Chained" stunnel instances
Michal.Trojnara at mirt.net
Fri Jul 31 23:04:03 CEST 2015
-----BEGIN PGP SIGNED MESSAGE-----
One solution might be to run a tiny watchdog script on each of the
server machines that would periodically test whether S1/S2/S3 is alive
and start/stop the corresponding st1/st2/st3 service.
What do you think?
I can think of some other solutions, but none of them is remotely as
simple and flexible as the one described above.
On 31.07.2015 20:12, Michael Gebis wrote:
> I have a question about a strange stunnel configuration;
> specifically, I'm like to use 'chained' stunnel instances, and I'm
> running into an issue.
> We have a conceptually simple setup: a client that connects to a
> server. We use stunnel both for encryption and for the failover
> mechanism. Here's a diagram of our simplest setup:
> /----S1 / C--st0-----S2 \ \----S3
> We have a client that connects to stunnel. Our stunnel
> configuration lists three connections with "prio" failover mode. So
> usually, connections go from C thru st and onto Server 1. If S1 is
> down, st0 fails to connect to S1 and instead tries S2, and all is
> However, sometimes we may place an optional second instance of
> stunnel in front of the servers.
> /----st1--S1 / C--st0-----st2--S2 \ \----st3--S3
> The failover mode of stunnel does not work so well in this
> configuration. If S1 is down, st0's failover algorithm does not
> kick in. Instead, st0 happily connects to st1, which is still
> alive and running. st1 then detects S1 is down and immediately
> closes the connection, but st0 does not care. Since the initial
> connection was successful, it does not initiate the failover
> You may ask "why not change to round-robin mode?" The answer is
> that S1 is a dedicated machine, and S2/S3 are underpowered backups
> that have other primary responsibilities. We really want to direct
> all connections to S1 and only use S2/S3 in emergencies.
> You may also ask, "Why the second layer of
> stunnel?"--unfortunately, there are several hairy
> implementation-specific details that make this hard to change.
> My question is: is there any stunnel configuration option that can
> help us out? We would like the failover to work with and without
> the second layer of stunnel. From looking at the source code, I
> think I'm out of luck, but I figured it couldn't hurt to ask.
> Michael _______________________________________________
> stunnel-users mailing list stunnel-users at stunnel.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the stunnel-users