Using virtual IP with stunnel and haproxy

Tags: haproxy, load balancing, stunnel

We have a load-balancer setup in which an HTTPS request flows through the following steps:

Client -> DNS -> stunnel on Load-Balancer -> HAProxy on LB -> Web-Server

This setup works perfectly when stunnel is listening to the local IP of the Load-Balancer.

However, in our setup we have 2 load-balancers and we want to be able to listen on a virtual IP, which only ever exists on one LB at a time (keepalived flips the IP to the second LB if the first one falls over).

HAProxy has no problem in doing this (and I can ping the assigned virtual IP on the load-balancer I'm testing), but it seems stunnel hates the concept.

Has anyone achieved this before? Below is my stunnel config (as you can see, I'm actually listening for ALL traffic on 443):

cert = /etc/ssl/certs/mycert.crt
key = /etc/ssl/certs/mykey.key
;setuid = nobody
;setgid = nogroup

pid = /etc/stunnel/
debug = 3
output = /etc/stunnel/stunnel.log

Sorry for the long-winded question!

Best Answer

The key is to allow non-existent interfaces to be bound to by programs (like stunnel, HA-proxy), so that when keepalived flips the virtual IP onto that box, the programs are already listening and waiting for traffic on that interface.

This can be done by modifying your /etc/sysctl.conf by including the key/value pair of:


More here:

You'd then do best to modify your stunnel and HA-proxy configs to hard-code the bind to the specific virtual interface IP, rather than leaving it "open".
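As an added example (not part of the answer above), the following shell script checks a sysctl.conf for the non-local-bind setting and renders an stunnel service section bound explicitly to the VIP instead of to all addresses. The answer does not spell out the sysctl key; this script assumes it is net.ipv4.ip_nonlocal_bind, the Linux setting that lets a daemon bind to an address not yet present on any interface. The VIP 192.0.2.10, the HAProxy listener 127.0.0.1:8080 and the sample sysctl.conf contents are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify the kernel permits binding to a not-yet-present VIP
# and render an stunnel [https] section that binds to that VIP only.

# Return 0 if the given sysctl.conf text (passed as a string) enables
# non-local binding; comments are stripped before matching.
nonlocal_bind_enabled() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Eq '^[[:space:]]*net\.ipv4\.ip_nonlocal_bind[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Render an stunnel service section: accept TLS on VIP:443 only and hand the
# decrypted stream to HAProxy on the given host:port (assumed backend address).
stunnel_https_section() {
    vip=$1
    backend=$2
    printf '[https]\naccept = %s:443\nconnect = %s\ncert = /etc/ssl/certs/mycert.crt\nkey = /etc/ssl/certs/mykey.key\n' \
        "$vip" "$backend"
}

# Live check of the running kernel (Linux only); prints "unavailable" elsewhere.
current_nonlocal_bind() {
    cat /proc/sys/net/ipv4/ip_nonlocal_bind 2>/dev/null || echo "unavailable"
}

# Constructed sample sysctl.conf contents: one enables the setting, one only
# mentions it in a comment (a common misconfiguration).
GOOD_CONF='# keepalived VIP failover
net.ipv4.ip_nonlocal_bind = 1'
BAD_CONF='net.ipv4.ip_forward = 1
#net.ipv4.ip_nonlocal_bind = 1'

if nonlocal_bind_enabled "$GOOD_CONF"; then
    echo "sample conf: non-local bind enabled"
fi
if ! nonlocal_bind_enabled "$BAD_CONF"; then
    echo "sample conf with commented-out key: NOT enabled"
fi
echo "running kernel ip_nonlocal_bind: $(current_nonlocal_bind)"
stunnel_https_section 192.0.2.10 127.0.0.1:8080
```

Run it on the standby LB before a failover test: if the live value is 0, stunnel bound to the VIP will fail to start until the sysctl is applied.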