
I am trying to run a transparent stunnel4 proxy for a websocket service on a server.

The WS server is based on the Ratchet framework and therefore does not support WSS, hence the need for the proxy.

With transparent set to none in stunnel.conf, the websocket traffic passes through fine and everything works, except that from the WS server's point of view all traffic comes from 127.0.0.1. But as soon as transparent is set to source, the client gets
WebSocket connection to 'wss://<ADDR>:32770/' failed: Error during WebSocket handshake: net::ERR_CONNECTION_RESET

As far as I can tell, the problem starts with "setsockopt IP_TRANSPARENT: Operation not permitted (1)" in the stunnel log. I have applied all the iptables settings required by the stunnel documentation and made sure everything runs as root. I have been at this problem for three days, and every variation of my search terms has turned purple, to no avail. I am hoping there is a server wizard here who can help me sort it out.

stunnel documentation reference: https://www.stunnel.org/static/stunnel.html#SERVICE-LEVEL-OPTIONS

Setup:
The server is running Ubuntu 12.04.5 LTS (GNU/Linux 2.6.32-042stab093.4 x86_64)
using stunnel 4

open_server.php file:

<?php
// open_server.php: plain-WS Ratchet server on 0.0.0.0:8888 (no TLS);
// stunnel terminates TLS on port 32770 and forwards to this port.
use Ratchet\App;
use Websocket_Server\Server; // the application's own MessageComponentInterface implementation

require dirname(__DIR__) . '/vendor/autoload.php';

$loop    = React\EventLoop\Factory::create();
$webSock = new React\Socket\Server($loop);
$webSock->listen(8888, '0.0.0.0');

// HTTP -> WebSocket -> application handler stack, bound to the listening socket
$webServer = new Ratchet\Server\IoServer(
    new Ratchet\Http\HttpServer(
        new Ratchet\WebSocket\WsServer(new Server($loop))
    ),
    $webSock
);

$loop->run();

stunnel.conf:

key = <key file dir>
cert = <crt file dir>

debug = 7
output = /var/log/stunnel_log.log

setgid = 0

[websocket]
accept = 32770
connect = 8888
transparent = source

Full debug output when hitting the socket with transparent = source:

2015.07.26 15:09:26 LOG7[14108:140701658388224]: local socket: FD=0 allocated (non-blocking mode)
2015.07.26 15:09:26 LOG7[14108:140701658388224]: Service websocket accepted FD=0 from <MY EXTERNAL IP>:54421
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Service websocket started
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Option TCP_NODELAY set on local socket
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Waiting for a libwrap process
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Acquired libwrap process #0
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Releasing libwrap process #0
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Released libwrap process #0
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Service websocket permitted by libwrap from <MY EXTERNAL IP>:54421
2015.07.26 15:09:26 LOG5[14108:140701658478336]: Service websocket accepted connection from <MY EXTERNAL IP>:54421
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): before/accept initialization
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 read client hello A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write server hello A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write certificate A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write key exchange A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write server done A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 flush data
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 read client key exchange A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 read finished A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write session ticket A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write change cipher spec A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 write finished A
2015.07.26 15:09:26 LOG7[14108:140701658478336]: SSL state (accept): SSLv3 flush data
2015.07.26 15:09:26 LOG7[14108:140701658478336]:    0 items in the session cache
2015.07.26 15:09:26 LOG7[14108:140701658478336]:    0 client connects (SSL_connect())
2015.07.26 15:09:26 LOG7[14108:140701658478336]:    0 client connects that finished
2015.07.26 15:09:26 LOG7[14108:140701658478336]:    0 client renegotiations requested
2015.07.26 15:09:26 LOG7[14108:140701658478336]:    1 server connects (SSL_accept())
2015.07.26 15:09:26 LOG7[14108:140701658478336]:    1 server connects that finished
2015.07.26 15:09:26 LOG7[14108:140701658478336]:    0 server renegotiations requested
2015.07.26 15:09:26 LOG7[14108:140701658478336]:    0 session cache hits
2015.07.26 15:09:26 LOG7[14108:140701658478336]:    0 external session cache hits
2015.07.26 15:09:26 LOG7[14108:140701658478336]:    0 session cache misses
2015.07.26 15:09:26 LOG7[14108:140701658478336]:    0 session cache timeouts
2015.07.26 15:09:26 LOG6[14108:140701658478336]: SSL accepted: new session negotiated
2015.07.26 15:09:26 LOG6[14108:140701658478336]: Negotiated ciphers: ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
2015.07.26 15:09:26 LOG7[14108:140701658478336]: remote socket: FD=1 allocated (non-blocking mode)
2015.07.26 15:09:26 LOG3[14108:140701658478336]: setsockopt IP_TRANSPARENT: Operation not permitted (1)
2015.07.26 15:09:26 LOG3[14108:140701658478336]: local_bind (original port): Cannot assign requested address (99)
2015.07.26 15:09:26 LOG5[14108:140701658478336]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2015.07.26 15:09:26 LOG7[14108:140701658478336]: Service websocket finished (0 left)
2015.07.26 15:09:26 LOG7[14108:140701658478336]: str_stats: 0 block(s), 0 byte(s)

Bash output when checking permissions:

# ps aux | grep stunnel4
root     14103  0.0  0.1  29820  1032 pts/2    S    15:09   0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root     14104  0.0  0.1  29820   704 pts/2    S    15:09   0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root     14105  0.0  0.1  29820   704 pts/2    S    15:09   0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root     14106  0.0  0.1  29820   704 pts/2    S    15:09   0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root     14107  0.0  0.1  29820   704 pts/2    S    15:09   0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root     14108  0.0  0.4  95424  2252 ?        Ss   15:09   0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf
root     20477  0.0  0.1   6460   776 pts/5    S+   17:00   0:00 grep --color=auto stunnel4
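As an added diagnostic (not part of the question and not stunnel's own code), the script below reproduces the failing step in isolation: it attempts the same setsockopt(IP_TRANSPARENT) call that stunnel makes for transparent = source on a throwaway TCP socket and, on Linux, reads the effective capability mask from /proc/self/status. Per ip(7), IP_TRANSPARENT requires CAP_NET_ADMIN (newer kernels also accept CAP_NET_RAW), so a process that is uid 0 but whose effective capability set has been trimmed, as happens in some container setups, gets exactly the EPERM shown in the log above. The capability bit numbers and the /proc path come from the Linux ABI; the outcome labels are this example's own.

```python
"""Reproduce and classify 'setsockopt IP_TRANSPARENT: Operation not permitted'.

IP_TRANSPARENT can only be enabled by a process holding CAP_NET_ADMIN
(or CAP_NET_RAW on newer kernels), so being root is not sufficient when
the effective capability set has been reduced.
"""
import errno
import socket

# Capability bit numbers from <linux/capability.h>
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13


def cap_in_mask(cap_hex: str, cap_bit: int) -> bool:
    """True if `cap_bit` is set in a hexadecimal capability mask,
    e.g. the CapEff value printed in /proc/<pid>/status."""
    return (int(cap_hex, 16) >> cap_bit) & 1 == 1


def has_transparent_caps(status_text: str) -> bool:
    """Parse the CapEff line of a /proc/<pid>/status dump and report whether
    either capability that permits IP_TRANSPARENT is in the effective set."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = line.split()[1]
            return cap_in_mask(mask, CAP_NET_ADMIN) or cap_in_mask(mask, CAP_NET_RAW)
    raise ValueError("no CapEff line found")


def probe_ip_transparent() -> str:
    """Issue the setsockopt() stunnel uses for transparent = source and classify it:
      'ok'            - option set; stunnel would get past this step
      'eperm'         - EPERM: the process lacks the required capability (the error on the page)
      'unsupported'   - this platform/kernel does not know IP_TRANSPARENT
      'socket-failed' - no TCP socket could be created in this environment
    """
    if not hasattr(socket, "IP_TRANSPARENT"):
        return "unsupported"
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        return "socket-failed"
    try:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TRANSPARENT, 1)
        return "ok"
    except OSError as exc:
        if exc.errno == errno.EPERM:
            return "eperm"
        if exc.errno == errno.ENOPROTOOPT:
            return "unsupported"
        return "other-errno-%d" % exc.errno
    finally:
        sock.close()


def report() -> dict:
    """Combine the capability-mask check with the live probe."""
    try:
        with open("/proc/self/status") as fh:
            caps = has_transparent_caps(fh.read())
    except (OSError, ValueError):
        caps = None  # not Linux, or /proc not available
    return {"transparent_caps": caps, "ip_transparent": probe_ip_transparent()}


if __name__ == "__main__":
    r = report()
    print("CAP_NET_ADMIN/CAP_NET_RAW in effective set:", r["transparent_caps"])
    print("setsockopt(IP_TRANSPARENT):                ", r["ip_transparent"])
    if r["ip_transparent"] == "eperm":
        print("stunnel will log the same EPERM: the stunnel process needs CAP_NET_ADMIN "
              "(or CAP_NET_RAW) in its effective set, which uid 0 alone does not guarantee.")
```

Run it as the same user and in the same environment (container, namespace) as stunnel; if it reports 'eperm' while the CapEff check is False, the iptables rules are not the problem and the missing capability is.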