[stunnel-users] "Chained" stunnel instances

Michal Trojnara Michal.Trojnara at mirt.net
Fri Jul 31 23:04:03 CEST 2015

Hash: SHA1

Hi Michael,

One solution might be to run a tiny watchdog script on each of the
server machines that would periodically test whether S1/S2/S3 is alive
and start/stop the corresponding st1/st2/st3 service.

What do you think?

I can think of some other solutions, but none of them is remotely as
simple and flexible as the one described above.

Best regards,

On 31.07.2015 20:12, Michael Gebis wrote:
> Hello.
> I have a question about a strange stunnel configuration;
> specifically, I'm like to use 'chained' stunnel instances, and I'm
> running into an issue.
> We have a conceptually simple setup: a client that connects to a 
> server.  We use stunnel both for encryption and for the failover 
> mechanism.  Here's a diagram of our simplest setup:
> /----S1 / C--st0-----S2 \ \----S3
> We have a client that connects to stunnel.  Our stunnel
> configuration lists three connections with "prio" failover mode. So
> usually, connections go from C thru st and onto Server 1.  If S1 is
> down, st0 fails to connect to S1 and instead tries S2, and all is
> good.
> However, sometimes we may place an optional second instance of
> stunnel in front of the servers.
> /----st1--S1 / C--st0-----st2--S2 \ \----st3--S3
> The failover mode of stunnel does not work so well in this 
> configuration.  If S1 is down, st0's failover algorithm does not
> kick in.  Instead, st0 happily connects to st1, which is still
> alive and running. st1 then detects S1 is down and immediately
> closes the connection, but st0 does not care.  Since the initial
> connection was successful, it does not initiate the failover
> algorithm.
> You may ask "why not change to round-robin mode?"  The answer is
> that S1 is a dedicated machine, and S2/S3 are underpowered backups
> that have other primary responsibilities.  We really want to direct
> all connections to S1 and only use S2/S3 in emergencies.
> You may also ask, "Why the second layer of
> stunnel?"--unfortunately, there are several hairy
> implementation-specific details that make this hard to change.
> My question is: is there any stunnel configuration option that can 
> help us out?  We would like the failover to work with and without
> the second layer of stunnel.  From looking at the source code, I
> think I'm out of luck, but I figured it couldn't hurt to ask.
> Thanks!
> Michael _______________________________________________ 
> stunnel-users mailing list stunnel-users at stunnel.org 
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the stunnel-users mailing list