[stunnel-users] Failover behavior with stunnel

Thireus thireus at gmail.com
Sun Nov 15 11:58:01 CET 2015


Hi,

I have a couple of questions regarding failover with stunnel:

1. I would like to know if there is a way to use failover with two servers with two different sets of TLS cert/key.

The following rule doesn't work, because the cert and key parameters are overwritten, but it shows what I would like to achieve:

[failover]
accept = 127.0.0.1:4441
cert = cert_1.cert
key = key_1.pem
connect = server-1:1234
cert = cert_2.cert
key = key_2.pem
connect = server-2:1234

2. On the same topic, I would like to know if there is an option that could open the local port (accept) only when the connection (connect) is established?

The problem I'm facing is that I use a PAC profile with failover on several stunnel entries: "return PROXY 127.0.0.1:4441; PROXY 127.0.0.1:4442; PROXY 127.0.0.1:4443;". However, when one of the remote servers is down (i.e. server-1), it is not easily detected by web browsers (Chrome does not seem to detect it well), and so instead of switching to the next PROXY, it simply dies on the first one. If the port 4441 relative to server-1 (which is unavailable) was closed, then the web browser could easily detect it and switch to the second server with port 4442.

3. Is there another way to tweak stunnel behavior when a remote server is down?

I'm thinking about a couple of things, like being able to switch to a different rule set:

[failover1]
accept = 127.0.0.1:4441
cert = cert_1.cert
key = key_1.pem
connect = server-1:1234
connect = 127.0.0.1:4442 ; This is failover2

[failover2]
accept = 127.0.0.1:4442
cert = cert_2.cert
key = key_2.pem
connect = server-2:1234

Or maybe there are some options that I'm not aware of to time out connections more efficiently, so that Chrome (or other clients using HTTP proxies) will immediately know that stunnel cannot connect to the remote server and therefore that the proxy is down.

Thank you for your help.

Cheers,

Thireus.
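The underlying problem in question 2 is that an open `accept` port says nothing about whether the tunnel behind it reaches the remote server. The following added example (not from the original post or the stunnel project) probes each local stunnel port end to end, treating "TCP accepted but no HTTP reply" as down, and emits a PAC `return` clause listing only the working proxies. It assumes the remote side of each tunnel is an HTTP proxy, as the PAC in the post implies; the proxy list and probe target are constructed placeholders.

```python
import socket
from typing import Dict, List, Tuple

# Constructed proxy list mirroring the PAC entries in the post.
LOCAL_PROXIES: List[Tuple[str, int]] = [
    ("127.0.0.1", 4441),
    ("127.0.0.1", 4442),
    ("127.0.0.1", 4443),
]

# Minimal proxy-style request (absolute URI). The target host is a
# placeholder; any HTTP status line coming back proves the far end of the
# tunnel answered, not merely that stunnel accepted the TCP connection.
PROBE_REQUEST = b"HEAD http://example.invalid/ HTTP/1.0\r\nHost: example.invalid\r\n\r\n"


def looks_like_http_response(data: bytes) -> bool:
    """True if the first line is an HTTP status line, e.g. 'HTTP/1.1 200 OK'."""
    line = data.split(b"\r\n", 1)[0]
    parts = line.split(b" ", 2)
    return (len(parts) >= 2 and parts[0].startswith(b"HTTP/")
            and len(parts[1]) == 3 and parts[1].isdigit())


def probe_proxy(host: str, port: int, timeout: float = 3.0) -> bool:
    """End-to-end check: connect, send a request, require an HTTP reply.

    A refused connection, a timeout, or stunnel accepting and then closing
    the socket because its upstream is down all count as 'proxy down'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PROBE_REQUEST)
            data = sock.recv(512)
    except OSError:
        return False
    return looks_like_http_response(data)


def check_all(proxies=LOCAL_PROXIES, timeout: float = 3.0) -> Dict[Tuple[str, int], bool]:
    """Probe every local stunnel port, preserving the configured failover order."""
    return {(h, p): probe_proxy(h, p, timeout) for h, p in proxies}


def pac_proxy_line(alive: Dict[Tuple[str, int], bool]) -> str:
    """PAC 'return' clause with only the proxies that passed the probe."""
    entries = [f"PROXY {h}:{p}" for (h, p), ok in alive.items() if ok]
    if not entries:
        return 'return "DIRECT";'
    return 'return "' + "; ".join(entries) + '";'


if __name__ == "__main__":
    print(pac_proxy_line(check_all()))
```

Running it periodically and rewriting the PAC file (or serving it from a small HTTP endpoint) keeps the browser from ever being handed a dead first entry.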