Hi,
I have a couple of questions regarding failover with stunnel:
1. I would like to know if there is a way to use failover with two servers with
two different sets of TLS cert/key.
The following rule doesn't work, because the cert and key parameters are
overwritten, but it shows what I would like to achieve:
[failover]
accept = 127.0.0.1:4441
cert = cert_1.cert
key = key_1.pem
connect = server-1:1234
cert = cert_2.cert
key = key_2.pem
connect = server-2:1234
2. On the same topic, I would like to know if there is an option that could
open the local port (accept) only when the connection (connect) is established?
The problem I'm facing is that I use a PAC profile with failover on several
stunnel entries: "return PROXY 127.0.0.1:4441; PROXY 127.0.0.1:4442; PROXY
127.0.0.1:4443;". However, when one of the remote servers is down
(i.e. server-1), it is not easily detected by web browsers (Chrome does not
seem to detect it well), and so instead of switching to the next PROXY, it
simply dies on the first one. If the port 4441 relative to server-1 (which is
unavailable) was closed, then the web browser could easily detect it and switch
to the second server with port 4442.
3. Is there another way to tweak stunnel behavior when a remote server is down?
I'm thinking about a couple of things, like being able to switch to a different
rule set:
[failover1]
accept = 127.0.0.1:4441
cert = cert_1.cert
key = key_1.pem
connect = server-1:1234
connect = 127.0.0.1:4442 ; This is failover2

[failover2]
accept = 127.0.0.1:4442
cert = cert_2.cert
key = key_2.pem
connect = server-2:1234
Or maybe there are some options that I'm not aware of to time out connections
more efficiently: so that Chrome (or other clients using HTTP proxies) will
immediately know that stunnel cannot connect to the remote server and so that
the proxy is down.
Thank you for your help.
Cheers,
Thireus.
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
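
The failure mode in question 2, as an added example that is not part of the original post and is not stunnel code: a local port that accepts and then drops the connection passes a TCP-only check, so a client walking a PROXY list in order stops at the dead entry, while an end-to-end probe skips it. The listeners are constructed loopback stand-ins, and the accept-then-drop behaviour for a dead backend is an assumption taken from the post's description.

```python
import socket
import threading

def start_listener(reply=None):
    """Constructed stand-in for a local tunnel port on 127.0.0.1.
    reply=None models a dead backend: accept, then close without data."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if reply is not None:
                    conn.settimeout(2.0)
                    try:
                        conn.recv(4096)     # read the probe request
                        conn.sendall(reply)
                    except OSError:
                        pass                # probe hung up early

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def port_open(port, timeout=2.0):
    """TCP-only check: True as soon as the local port accepts."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False

def proxy_answers(port, timeout=2.0):
    """End-to-end check: send a proxy request and require reply bytes."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(b"CONNECT example.invalid:443 HTTP/1.1\r\n\r\n")
            return s.recv(1) != b""         # b"" means the peer just closed
    except OSError:                         # reset, broken pipe or timeout
        return False

def first_usable(ports, check):
    """Return the first port that passes check, like walking a PROXY list."""
    return next((p for p in ports if check(p)), None)
```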