Apparently only the newer versions can do this, 4.15+, but the concept is simple:
; global options (apply to every service below)
setuid = stunnel
setgid = stunnel
debug = 5
output = /var/log/stunnel/stunnel.log
pid = /var/run/stunnel/stunnel.pid
socket = l:TCP_NODELAY=1
ciphers = ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
options = NO_SSLv2

; one [service] section per site, each bound to its own IP with its own cert
[https-site1]
accept = 10.0.0.1:443
cert = /etc/pki/tls/certs/site1.pem
connect = 10.0.0.101:80
TIMEOUTclose = 0

[https-site2]
accept = 10.0.0.2:443
cert = /etc/pki/tls/certs/site2.pem
connect = 10.0.0.102:80
TIMEOUTclose = 0
This is much better than running multiple instances of stunnel.
For what it’s worth, if you enable a log file, it’ll turn off sys logging, which is critical for extreme performance. Keep the debug level low. For https, disable v2 and set the cipher list the right way.
Hamza: you need multiple IP addresses. One IP = one hostname or certificate. Or, you have to run on odd ports, like https://secure.domain1.tld:444/.
If you don’t have lots of IP addresses, you could consider SAN based certs. This lets you put lots of domains on a single certificate. Customers usually don’t like these, because it devalues the SSL certificate.
Another way to run multiple domains over HTTPS with a single IP is with SNI, Server Name Indication. This is only supported by recent/modern browsers. The browser sends the hostname during the SSL handshake. This allows the server to select the correct certificate to use.
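The check worth running after wiring up several [service] sections like the ones above is that each accept address really presents the certificate named in its section, and, for an SNI setup as in the last comment, that the expected certificate comes back for a given -servername. The script below is an added example written for this page, not code from the comments or from the stunnel project. It assumes openssl and awk are installed, and the embedded config is a constructed sample mirroring the two-site layout above with hypothetical paths.

```shell
#!/bin/sh
# Added example (not from the original comments): verify that every stunnel
# listener presents the certificate its [service] section names.
# Assumes openssl and awk are installed. SAMPLE_CONF is a constructed config
# mirroring the two-site layout discussed above; the paths are assumptions.

SAMPLE_CONF='setuid = stunnel
setgid = stunnel
[https-site1]
accept = 10.0.0.1:443
cert = /etc/pki/tls/certs/site1.pem
connect = 10.0.0.101:80
[https-site2]
accept = 443
cert = /etc/pki/tls/certs/site2.pem
connect = 10.0.0.102:80
'

# list_services CONF
# Prints one "SERVICE ACCEPT CERT" line per [section] that has an accept line.
list_services() {
    awk '
        function flush() { if (accept != "") print svc, accept, cert }
        /^[ \t]*\[/ {
            if (svc != "") flush()
            svc = $0; sub(/^[ \t]*\[/, "", svc); sub(/\][ \t]*$/, "", svc)
            accept = ""; cert = ""
            next
        }
        /^[ \t]*accept[ \t]*=/ { sub(/^[ \t]*accept[ \t]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); accept = $0 }
        /^[ \t]*cert[ \t]*=/   { sub(/^[ \t]*cert[ \t]*=[ \t]*/, "");   sub(/[ \t]*$/, ""); cert = $0 }
        END { if (svc != "") flush() }
    ' "$1"
}

# split_accept ACCEPT -> prints "HOST PORT". stunnel allows a bare port,
# which binds every interface, so probe 127.0.0.1 in that case.
split_accept() {
    case $1 in
        *:*) printf '%s %s\n' "${1%:*}" "${1##*:}" ;;
        *)   printf '127.0.0.1 %s\n' "$1" ;;
    esac
}

# fp_of_file CERTFILE -> SHA-256 fingerprint of the certificate on disk
fp_of_file() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# fp_served HOST PORT [SNI_NAME] -> fingerprint the listener actually presents.
# Pass the hostname as SNI_NAME to test an SNI-based setup; omit it for the
# one-IP-per-certificate layout above.
fp_served() {
    host=$1; port=$2; sni=$3
    if [ -n "$sni" ]; then
        openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" </dev/null 2>/dev/null
    fi | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# check_conf CONF: compares on-disk vs served fingerprint for each listener.
# Returns 0 only if every listener matches; prints one line per service.
check_conf() {
    conf=$1
    failed=0
    while read -r svc accept cert; do
        set -- $(split_accept "$accept")
        want=$(fp_of_file "$cert")
        got=$(fp_served "$1" "$2")
        if [ -n "$want" ] && [ "$want" = "$got" ]; then
            echo "OK   $svc $accept -> $cert"
        else
            echo "FAIL $svc $accept expected ${want:-?} got ${got:-none}"
            failed=1
        fi
    done <<EOF
$(list_services "$conf")
EOF
    return $failed
}

# Usage: sh check_stunnel_certs.sh /etc/stunnel/stunnel.conf
# With no argument, only the parsed listener table of the sample config is printed.
if [ $# -gt 0 ]; then
    check_conf "$1"
else
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_CONF" > "$tmp"
    list_services "$tmp"
    rm -f "$tmp"
fi
```

Run it from a host that can reach the accept addresses; a FAIL line means the listener is up but serving a different certificate than the section names (typically a stale file or a section whose accept line points at the wrong IP), or nothing at all. For an SNI deployment, call fp_served with the site's hostname as the third argument and compare against each site's certificate in turn.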