Stunnel can run multiple ips and certs in one instance

Apparently only the newer versions (4.15+) can do this, but the concept is simple: one global section, then one [service] section per IP address and certificate:

setuid          = stunnel
setgid          = stunnel
debug           = 5
output          = /var/log/stunnel/stunnel.log
pid             = /var/run/stunnel/stunnel.pid
socket          = l:TCP_NODELAY=1
ciphers         = ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
options         = NO_SSLv2

[https-site1]
accept          = 10.0.0.1:443
cert            = /etc/pki/tls/certs/site1.pem
connect         = 10.0.0.101:80
TIMEOUTclose    = 0

[https-site2]
accept          = 10.0.0.2:443
cert            = /etc/pki/tls/certs/site2.pem
connect         = 10.0.0.102:80
TIMEOUTclose    = 0

This is much better than running multiple instances of stunnel.

For what it’s worth, if you enable a log file (output = ...), it’ll turn off syslog logging, which is critical for extreme performance. Keep the debug level low. For HTTPS, disable SSLv2 and set the cipher list the right way, as in the global section above.
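As an added check (example code written for this page, not part of the post and not stunnel's own tooling), the following Python script parses a configuration in the format shown above and flags the problems the post warns about: a service section missing accept/cert/connect, two services bound to the same accept address (one listener can only present one certificate), SSLv2 not disabled, no explicit cipher list, and a debug level above an assumed threshold. The first sample config is the post's own; the second is constructed to trip every check.

```python
"""Lint a multi-service stunnel configuration (added example, not from the post)."""
import re
from typing import Dict, List

# Parsed config: section name -> option name -> list of values.
# Values are lists because stunnel allows some options (e.g. "options")
# to be repeated. Global options, before the first [header], live under "".
Config = Dict[str, Dict[str, List[str]]]

# Assumed threshold: the post only says "keep the debug level low";
# 5 is the value the post's own config uses.
MAX_DEBUG = 5
REQUIRED_SERVICE_KEYS = ("accept", "cert", "connect")


def parse_stunnel_conf(text: str) -> Config:
    """Parse stunnel's ini-style syntax: 'key = value' lines, [service]
    headers, and ';' or '#' comment lines. Unparseable lines raise ValueError."""
    conf: Config = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            conf.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[current].setdefault(key, []).append(value)
    return conf


def _listener(accept: str) -> str:
    """Normalise an accept value to host:port; a bare port means all interfaces."""
    return accept if ":" in accept else f"0.0.0.0:{accept}"


def lint(conf: Config) -> List[str]:
    """Return human-readable findings; an empty list means the config passed."""
    findings: List[str] = []
    g = conf.get("", {})

    # Global hardening the post insists on for HTTPS services.
    if "NO_SSLv2" not in " ".join(g.get("options", [])).split():
        findings.append("global: SSLv2 is not disabled (options = NO_SSLv2)")
    if "ciphers" not in g:
        findings.append("global: no explicit cipher list (ciphers = ...)")
    for level in g.get("debug", []):
        # Only numeric levels are compared; named levels are left alone.
        if level.isdigit() and int(level) > MAX_DEBUG:
            findings.append(f"global: debug = {level} is above {MAX_DEBUG}")

    # Per-service completeness and listener uniqueness: one accept address
    # presents exactly one certificate, so two services must not share it.
    seen: Dict[str, str] = {}
    for name, opts in conf.items():
        if name == "":
            continue
        for key in REQUIRED_SERVICE_KEYS:
            if key not in opts:
                findings.append(f"[{name}]: missing '{key}'")
        for accept in opts.get("accept", []):
            listener = _listener(accept)
            if listener in seen:
                findings.append(
                    f"[{name}]: accept {listener} already used by [{seen[listener]}]")
            else:
                seen[listener] = name
    return findings


# The post's own configuration, expected to pass clean.
GOOD_CONF = """
setuid = stunnel
setgid = stunnel
debug = 5
output = /var/log/stunnel/stunnel.log
socket = l:TCP_NODELAY=1
ciphers = ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
options = NO_SSLv2

[https-site1]
accept = 10.0.0.1:443
cert = /etc/pki/tls/certs/site1.pem
connect = 10.0.0.101:80

[https-site2]
accept = 10.0.0.2:443
cert = /etc/pki/tls/certs/site2.pem
connect = 10.0.0.102:80
"""

# Constructed weak configuration: verbose logging, SSLv2 left on, no cipher
# list, both services on all interfaces port 443, second service incomplete.
BAD_CONF = """
debug = 7
output = /var/log/stunnel/stunnel.log

[https-site1]
accept = 443
cert = /etc/pki/tls/certs/site1.pem
connect = 10.0.0.101:80

[https-site2]
accept = 443
cert = /etc/pki/tls/certs/site2.pem
"""

if __name__ == "__main__":
    for label, text in (("post config", GOOD_CONF), ("weak config", BAD_CONF)):
        print(f"== {label} ==")
        for finding in lint(parse_stunnel_conf(text)) or ["OK"]:
            print(" ", finding)
```

Run it against a real file by reading the file into `text` instead of the embedded samples; the findings are plain strings so they drop straight into a deployment check or a pre-reload hook.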

208 thoughts on “Stunnel can run multiple ips and certs in one instance”

  1. Hamza: you need multiple IP addresses. One IP = one hostname or certificate. Or, you have to run on odd ports, like https://secure.domain1.tld:444/.

    If you don’t have lots of IP addresses, you could consider SAN based certs. This lets you put lots of domains on a single certificate. Customers usually don’t like these, because it devalues the SSL certificate.

    Another way to run multiple domains over HTTPS with a single IP is with SNI, Server Name Indication. This is only supported by recent/modern browsers. The browser sends the hostname during the SSL handshake. This allows the server to select the correct certificate to use.
