[stunnel-users] Failover behavior with stunnel

Thireus thireus at gmail.com
Sun Nov 29 15:07:38 CET 2015


Hi Michal,

Thank you for the answer.

I found a solution for this using local port forwarding. What I do now is that I monitor my individual tunnels to check if they are alive. When one is dead I just have to change the port forward to the next stunnel entry.

I use netcat to check the connection availability as follows:

nc -z -x 127.0.0.1:$STUNNEL_PORT1 -X connect $DISTANT_SERVER $PORT

Under OS X, since 10.10, port forwarding is managed with the pfctl utility (on Linux distributions we can use iptables):

echo "rdr pass inet proto tcp from 127.0.0.1 to 127.0.0.1 port $FAILOVER_PORT -> 127.0.0.1 port $STUNNEL_PORT1" | pfctl -ef - >/dev/null 2>&1

In case $STUNNEL_PORT1 is down or doesn't provide Internet access, I just switch to $STUNNEL_PORT2 and push the port forwarding rule with that port entry.

I wrote a daemon that monitors all my stunnel ports and checks if they have Internet access. My PAC return rules remain the same (they use my $FAILOVER_PORT); I just shifted the stunnel ports to another location and use port forwarding to reach the stunnel entries that are alive.

It's working great so far.

Cheers,

Thireus (thireus at gmail.com),
IT Security Engineer Consultant.
http://blog.thireus.com
> On 15 Nov 2015, at 19:58, Michal Trojnara <Michal.Trojnara at mirt.net> wrote:
> 
> PGP signed part
> On 15.11.2015 11:58, Thireus wrote:
> > 1. I would like to know if there is a way to use failover with two
> > servers with two different set of TLS cert/key.
> 
> No.  Both client and server certificates are currently set way before
> stunnel connects the target.
> 
> I guess what you really need is client certificate selection based on
> the list of acceptable issuers sent by the stunnel server, because
> each of your stunnel servers expects client certificates issued by a
> separate CA.  Am I right?
> 
> Client certificate autoselection currently works on Windows with the
> CAPI engine.  I have also added a new TODO item to implement client
> certificate autoselection for certificates/keys stored in PEM files:
> https://www.stunnel.org/sdf_todo.html
> 
> Alternatively, you may reconfigure your stunnel servers to accept
> client certificates issued by the same CA.
> 
> > 2. On the same topic, I would like to know if there is an option
> > that could open the local port (accept) only when the connection
> > (connect) is established?
> 
> No.
> 
> > The problem I'm facing is that I use a PAC profile with failover on
> > several stunnel entries: "return PROXY 127.0.0.1:4441; PROXY
> > 127.0.0.1:4442; PROXY 127.0.0.1:4443;".
> 
> Did you mean:
> return "PROXY 127.0.0.1:4441; PROXY 127.0.0.1:4442; PROXY 127.0.0.1:4443";
> ?
> 
> You are trying to establish end-to-end failover across two (in fact
> three, including the connection between the stunnel server and the HTTP
> proxy) separate TCP connections.  It is not possible without a
> heartbeat service.
> 
> > 3. Is there another way to tweak stunnel behavior when a remote
> > server is down?
> 
> You could write a heartbeat service to periodically initiate short
> connections to the remote services, and then reconfigure stunnel
> accordingly.  Still, this is a crude workaround and not the proper
> solution.
> 
> Best regards,
> 	Mike
> 
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

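The "heartbeat service" Michal describes and the monitoring daemon Thireus built both come down to the same loop: probe each local stunnel entry end-to-end, and re-point a single stable port at whichever entry still reaches the remote proxy. The script below is an added example of that loop, not code from the thread or from the stunnel project. It reuses the two commands posted above (the BSD/macOS netcat CONNECT probe and the pf rdr rule loaded with pfctl -ef -). The hostnames, port numbers, the port list and the check interval are placeholders (assumptions), as is the "run" argument that starts the daemon; without it the file only defines functions, so the probe and rule-building logic can be exercised without netcat or pf.

```shell
#!/bin/sh
# Added example (not from the original thread or the stunnel project): a
# minimal heartbeat/failover monitor for several local stunnel entries.
# Values below are placeholders; override them through the environment.

DISTANT_SERVER="${DISTANT_SERVER:-example.com}"   # assumed: host reached through the tunnel
PORT="${PORT:-443}"                               # assumed: remote port for the CONNECT probe
FAILOVER_PORT="${FAILOVER_PORT:-4440}"            # assumed: the one port the PAC file points at
STUNNEL_PORTS="${STUNNEL_PORTS:-4441 4442 4443}"  # assumed: local stunnel accept ports, preferred first
INTERVAL="${INTERVAL:-30}"                        # assumed: seconds between probe rounds

# Probe one stunnel entry end-to-end: succeeds only when a CONNECT through the
# local stunnel port reaches $DISTANT_SERVER:$PORT.  Same check as in the post
# (BSD/macOS netcat: -x proxy address, -X proxy protocol, -z scan only).
check_port() {
    nc -z -x "127.0.0.1:$1" -X connect "$DISTANT_SERVER" "$PORT" >/dev/null 2>&1
}

# Print the first port in the argument list that passes check_port.
# Prints nothing and returns 1 when no entry is alive.
select_alive_port() {
    for p in "$@"; do
        if check_port "$p"; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Build the pf redirect that maps the stable failover port ($1) to the chosen
# stunnel port ($2).  This is the rule string from the post with both ports filled in.
build_rdr_rule() {
    echo "rdr pass inet proto tcp from 127.0.0.1 to 127.0.0.1 port $1 -> 127.0.0.1 port $2"
}

# Load the rule the same way the post does: pfctl reads the rule from stdin
# (-f -) and enables pf (-e).  Requires root on OS X.
apply_rdr_rule() {
    build_rdr_rule "$FAILOVER_PORT" "$1" | pfctl -ef - >/dev/null 2>&1
}

# Daemon loop: re-point the redirect only when the active entry stops working
# or a more preferred entry comes back, so a healthy forward is never churned.
monitor_loop() {
    current=""
    while :; do
        # word splitting of $STUNNEL_PORTS into separate ports is intended
        alive=$(select_alive_port $STUNNEL_PORTS) || alive=""
        if [ -n "$alive" ] && [ "$alive" != "$current" ]; then
            if apply_rdr_rule "$alive"; then
                current="$alive"
                echo "$(date) port $FAILOVER_PORT now forwards to stunnel port $current"
            else
                echo "$(date) failed to load pf rule for stunnel port $alive" >&2
            fi
        elif [ -z "$alive" ]; then
            echo "$(date) no stunnel entry reaches $DISTANT_SERVER:$PORT; keeping current rule" >&2
        fi
        sleep "$INTERVAL"
    done
}

# Start the daemon only when invoked as "script.sh run" (assumed convention);
# otherwise the file just defines the functions above.
if [ "${1:-}" = "run" ]; then
    monitor_loop
fi
```

The PAC file keeps a single "PROXY 127.0.0.1:4440" entry (the failover port) and never needs to change; only the pf redirect moves. Note that switching the redirect does not tear down TCP connections already established through a dead entry, so the browser's own retry still matters for in-flight requests.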