[stunnel-users] Failover behavior with stunnel

Michal Trojnara Michal.Trojnara at mirt.net
Mon Nov 30 10:35:04 CET 2015

Hash: SHA256

Hi Thireus,

I'm glad you got it working.

Did you consider sharing your monitoring daemon with the community?

Best regards,

On 29.11.2015 15:07, Thireus wrote:
> Hi Michal,
> Thank you for the answer.
> I found a solution for this using local port forwarding. What I do
> now is that I monitor my individual tunnels to check if they are
> alive. When one is dead I just have to change the port forward to
> the next stunnel entry.
> I use netcat to check the connection availability as follow:
> Under OS X, since 10.10 port forwarding is managed with the pfctl 
> utility (on other linux distro we can use iptables):
> echo "rdr pass inet proto tcp from to port
> $FAILOVER_PORT -> port $STUNNEL_PORT1" | pfctl -ef -
>> /dev/null 2>&1
> In case $STUNNEL_PORT1 is down or doesn't provide Internet access,
> I just switch to $STUNNEL_PORT2 and push the port forwarding rule
> with that port entry.
> I wrote a daemon that monitors all my stunnel ports and check if
> they have Internet access, my PAC RETURN rules remain the same
> (they use my $FAILOVER_PORT), I just shifted stunnel ports to
> another location and use port forwarding to reach the stunnel
> entries that are alive.
> It's working great so far.
> Cheers,
> Thireus (thireus at gmail.com <mailto:thireus at gmail.com>), IT Security
> Engineer Consultant. http://blog.thireus.com
> <http://blog.thireus.com/>
>> Le 15 nov. 2015 à 19:58, Michal Trojnara
>> <Michal.Trojnara at mirt.net <mailto:Michal.Trojnara at mirt.net>> a
>> écrit :
>> Signé partie PGP On 15.11.2015 11:58, Thireus wrote:
>>> 1. I would like to know if there is a way to use failover with
>>> two servers with two different set of TLS cert/key.
>> No.  Both client and server certificates are currently set way
>> before stunnel connects the target.
>> I guess what you really need is client certificate selection
>> based on the list of acceptable issuers sent by the stunnel
>> server, because each of your stunnel servers expects client
>> certificates issued by a separate CA.  Am I right?
>> Client certificate autoselection currently works on Windows with
>> the CAPI engine.  I have also added a new TODO item to implement
>> client certificate autoselection for certificates/keys stored in
>> PEM files: https://www.stunnel.org/sdf_todo.html
>> Alternatively, you may reconfigure your stunnel servers to
>> accept client certificates issued by the same CA.
>>> 2. On the same topic, I would like to know if there is an
>>> option that could open the local port (accept) only when the
>>> connection (connect) is established?
>> No.
>>> The problem I'm facing is that I use a PAC profile with
>>> failover on several stunnel entries: "return PROXY
>>>; PROXY; PROXY;".
>> Did you mean: return "PROXY; PROXY;
>> PROXY "; ?
>> You are trying establish end-to-end failover across two (in fact 
>> three, including connection between the stunnel server and the
>> HTTP proxy) separate TCP connections.  It is not possible without
>> a heartbeat service.
>>> 3. Is there another way to tweak stunnel behavior when a
>>> remote server is down?
>> You could write a heartbeat service to periodically initiate
>> short connections to the remote services, and then reconfigure
>> stunnel accordingly.  Still, this is a crude workaround and not
>> the proper solution.
>> Best regards, Mike
>> _______________________________________________ stunnel-users
>> mailing list stunnel-users at stunnel.org
>> <mailto:stunnel-users at stunnel.org> 
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Version: GnuPG v2


More information about the stunnel-users mailing list