We have a load-balancer setup, in which an HTTPS Request flows through the following steps:-
Client -> DNS -> stunnel on Load-Balancer -> HAProxy on LB -> Web-Server
This setup works perfectly when stunnel is listening to the local IP of the Load-Balancer.
However, in our setup we have two load-balancers and we want to be able to listen on a virtual IP, which only ever exists on one LB at a time (keepalived flips the IP to the second LB if the first one falls over).
HAProxy has no problem doing this (and I can ping the assigned virtual IP on the load-balancer I'm testing), but it seems stunnel hates the concept.
Has anyone achieved this before (below is my stunnel config - as you can see I'm actually listening for ALL traffic on 443):-
```ini
cert = /etc/ssl/certs/mycert.crt
key = /etc/ssl/certs/mykey.key
;setuid = nobody
;setgid = nogroup
pid = /etc/stunnel/stunnel.pid
debug = 3
output = /etc/stunnel/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https]
accept = 443
connect = 127.0.0.1:8443
TIMEOUTclose = 0
xforwardedfor = yes
```
Sorry for the long-winded question!
The key is to allow non-existent interfaces to be bound to by programs (like stunnel, HA-proxy). So that when keepalived flips the virtual IP onto that box, the programs are already listening and waiting for traffic on that interface.
This can be done by modifying your /etc/sysctl.conf by including the key/value pair of:

More here: http://nbevans.wordpress.com/2011/03/01/safely-pairing-haproxy-with-virtual-network-interface-providers-like-keepalived-or-heartbeat/

You'd then do best to modify your stunnel and HAProxy configs to hard-code the bind to the specific virtual interface IP, rather than leaving it "open".
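An added example, not code from the question or from the answer above: a POSIX shell script that renders the three config fragments the answer describes (the sysctl setting, a stunnel service section pinned to the VIP, and an HAProxy config pinned to the VIP) and checks whether the running kernel will accept such a bind. The answer's key/value pair did not survive on this page; the Linux sysctl that lets a process bind() an address the host does not currently hold is net.ipv4.ip_nonlocal_bind, which the script emits. The VIP 203.0.113.10, the backend 10.0.0.11:80 and the file name lb-vip.sh are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the original question or answer): render the
# sysctl, stunnel and HAProxy fragments that let both load balancers start
# their listeners bound to the keepalived VIP before the VIP is present, and
# check that the running kernel allows such a non-local bind.
# Hypothetical values: VIP 203.0.113.10, backend web server 10.0.0.11:80.
# 127.0.0.1:8443 is the stunnel -> HAProxy hop from the question.

VIP="${VIP:-203.0.113.10}"
BACKEND="${BACKEND:-10.0.0.11:80}"

# Kernel knob: with ip_nonlocal_bind=1, bind() succeeds on an IPv4 address the
# host does not currently own, so the socket is already listening when
# keepalived moves the VIP here. Install as /etc/sysctl.d/90-nonlocal-bind.conf
# (or append to /etc/sysctl.conf) and apply with `sysctl --system`.
render_sysctl() {
    printf 'net.ipv4.ip_nonlocal_bind = 1\n'
}

# stunnel service section: accept on the VIP only instead of every address.
# xforwardedfor is an option of the patched build used in the question; drop
# it on a stock stunnel.
render_stunnel() {
    cat <<EOF
[https]
accept = $1:443
connect = 127.0.0.1:8443
TIMEOUTclose = 0
xforwardedfor = yes
EOF
}

# HAProxy: the loopback frontend stunnel hands decrypted traffic to, plus a
# plain-HTTP frontend pinned to the VIP (this bind also needs the sysctl).
render_haproxy() {
    cat <<EOF
frontend https_from_stunnel
    bind 127.0.0.1:8443
    default_backend web

frontend http
    bind $1:80
    default_backend web

backend web
    server web1 $2 check
EOF
}

# Returns 0 when the sysctl is on. Takes the value as an argument (for
# checking a config fragment) or reads the live kernel setting.
nonlocal_bind_enabled() {
    if [ -n "${1:-}" ]; then
        val="$1"
    elif [ -r /proc/sys/net/ipv4/ip_nonlocal_bind ]; then
        read -r val < /proc/sys/net/ipv4/ip_nonlocal_bind
    else
        val=""
    fi
    [ "$val" = "1" ]
}

# Print all three fragments, then warn if this kernel would still refuse the bind.
main() {
    render_sysctl
    echo
    render_stunnel "$VIP"
    echo
    render_haproxy "$VIP" "$BACKEND"
    if ! nonlocal_bind_enabled; then
        echo "warning: net.ipv4.ip_nonlocal_bind is not 1 on this host;" \
             "stunnel will fail to bind $VIP:443 until it is" >&2
    fi
}

# Run with `sh lb-vip.sh render`; sourcing the file only defines the functions.
[ "${1:-}" = "render" ] && main
```

Two caveats for anyone applying this. The sysctl is IPv4 only; an IPv6 VIP needs net.ipv6.ip_nonlocal_bind as well. HAProxy on its own could get by with the `transparent` keyword on its `bind` lines (which sets IP_TRANSPARENT and allows non-local addresses), but stunnel has no equivalent, so on a box that runs both the sysctl is the one setting that covers everything. Binding to the VIP rather than 0.0.0.0 also means each LB is no longer reachable on 443 via its own address, which is the point of the answer's advice; the standby simply holds a listening socket that receives nothing until keepalived moves the VIP to it.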