Hi,
I am having some issues with my server where connections are getting dropped once I hit a hard limit of around 350 connections. This may or may not be an issue with my stunnel configuration, but I ran across some old posts saying that stunnel by default has a hard limit of around 500 connections and, to get around this, to set FD_SETSIZE at compile time (I found this on the troubleshooting page - http://www.stunnel.org/faq/troubleshooting.html). However, one of the release notes recently also had a comment saying 'no more FD_SETSIZE limit!' - http://www.mail-archive.com/openssl-users@openssl.org/msg38373.html. So my questions are:
1) Does FD_SETSIZE still exist in Stunnel 4.34 and could it be a reason why I am seeing a limit on the number of people that can make a connection? I already tried running stunnel after setting ulimit -Hn and ulimit -Sn to 4096, and it did not seem to make a difference.
2) More noobish question - how do I set the FD_SETSIZE at compile time? I saw in the troubleshooting that it said to do "-DFD_SETSIZE=4096" at compile time. Is this something I should be adding in one of the Makefiles?
Some more info about my setup:
- I am using stunnel as a layer in front of Node.js to secure websockets and HTTP connections.
- I'm running stunnel 4.34.
- I am running stunnel from a startup script in /etc/init.d - it runs as a daemon process.
- I run stunnel with no params, but with this config file - http://pastebin.com/3Yr80ma1
- uname -a output: Linux gomockingbird.com 2.6.18.8-linode22 #1 SMP Tue Nov 10 16:12:12 UTC 2009 i686 GNU/Linux
- gcc -v output: Using built-in specs. Target: i486-linux-gnu Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.3.3-5ubuntu4' --with-bugurl=file:///usr/share/doc/gcc-4.3/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --enable-shared --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --enable-nls --with-gxx-include-dir=/usr/include/c++/4.3 --program-suffix=-4.3 --enable-clocale=gnu --enable-libstdcxx-debug --enable-objc-gc --enable-mpfr --enable-targets=all --with-tune=generic --enable-checking=release --build=i486-linux-gnu --host=i486-linux-gnu --target=i486-linux-gnu Thread model: posix gcc version 4.3.3 (Ubuntu 4.3.3-5ubuntu4)
- openssl version output: OpenSSL 0.9.8g 19 Oct 2007
Thanks in advance for any help!
-- Saikat
Saikat Chakrabarti wrote:
> 1) Does FD_SETSIZE still exist in Stunnel 4.34 and could it be a reason why I am seeing a limit on the number of people that can make a connection?
FD_SETSIZE is only used with select() on Unix.
Execute "stunnel -version" and check the output for "Sockets:POLL" or "Sockets:SELECT".
> I already tried running stunnel after setting ulimit -Hn and ulimit -Sn to 4096, and it did not seem to make a difference.
You reached a resource limit. You should rather check your logs for error messages in order to identify the resource and increase the limit.
You could read: http://www.cs.uwaterloo.ca/~brecht/servers/openfiles.html
> 2) More noobish question - how do I set the FD_SETSIZE at compile time? I saw in the troubleshooting that it said to do "-DFD_SETSIZE=4096" at compile time. Is this something I should be adding in one of the Makefiles?
You don't need to do it. It's possible on some operating systems, but there's no portable way to do it. Stunnel uses poll() instead of select() since version 4.06 (released Dec 2004).
> Linux gomockingbird.com 2.6.18.8-linode22 #1 SMP Tue Nov 10 16:12:12 UTC 2009 i686 GNU/Linux
stunnel.mirt.net is also a linode. 8-)
Best regards, Mike
Hey Mike,
Thanks so much for your help. As you suspected, the output of stunnel -version says Sockets:POLL. I'm digging through my stunnel logs now, and it mostly seems normal, though I have a lot of lines that look like this:
Nov 3 23:21:25 gomockingbird stunnel: LOG5[26463:3061513104]: connect_blocking: connected 74.207.251.242:80
My setup is that I have a Node.js service running on that IP address on port 80, and I have stunnel running on the same IP address on port 443 (this is my config: https://gist.github.com/661891 - sing.gomockingbird.com resolves to the IP above). I have very long-lasting connections as I'm routing websockets/long-polling connections via stunnel.
Am I right in thinking that this line suggests that my Node.js is dropping the connections?
Thanks again for the help!
On Wed, Nov 3, 2010 at 2:20 AM, Michal Trojnara Michal.Trojnara@mirt.net wrote:
Saikat Chakrabarti wrote:
> Nov 3 23:21:25 gomockingbird stunnel: LOG5[26463:3061513104]: connect_blocking: connected 74.207.251.242:80
These are not the droids you are looking for.
Look for error messages: sudo grep ' stunnel: LOG[0-3]' /var/log/syslog
> Am I right in thinking that this line suggests that my Node.js is dropping the connections?
It's hard to tell. It is possible that your issue is caused by a different part of your environment.
I hope you have tested your configuration without stunnel before sending an email to this mailing list. 8-)
Best regards, Mike
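A small log triage script that does what Mike's grep does, but over the whole syslog and with counts per level, so the LOG5 noise is separated from the LOG0-LOG3 errors that would name the exhausted resource. This is an added example, not code from the thread or from the stunnel project; the sample lines are constructed (only the first LOG5 line comes from the thread, and the LOG3 texts are invented stand-ins), and the syslog line shape is assumed from that one line.

```python
import re
from collections import Counter

# Assumed syslog line shape, taken from the one line quoted in the thread:
#   Nov 3 23:21:25 host stunnel: LOG5[pid:tid]: message
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) stunnel: "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for a stunnel syslog line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    return rec


def triage(lines, max_level=3):
    """Count stunnel lines per log level and collect those at or below
    max_level (LOG0..LOG3 are the levels Mike's grep selects)."""
    counts = Counter()
    errors = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # lines from other daemons are skipped
            continue
        counts[rec["level"]] += 1
        if rec["level"] <= max_level:
            errors.append((rec["ts"], rec["level"], rec["msg"]))
    return counts, errors


# Constructed sample input: the thread's LOG5 line, a non-stunnel line that
# must be ignored, and two invented LOG3 lines with errno values 24 and 111.
SAMPLE = """\
Nov 3 23:21:25 gomockingbird stunnel: LOG5[26463:3061513104]: connect_blocking: connected 74.207.251.242:80
Nov 3 23:21:26 gomockingbird stunnel: LOG5[26463:3061513104]: connect_blocking: connected 74.207.251.242:80
Nov 3 23:21:27 gomockingbird stunnel: LOG3[26463:3061513104]: accept: Too many open files (24)
Nov 3 23:21:27 gomockingbird sshd[1234]: Accepted publickey for saikat
Nov 3 23:21:28 gomockingbird stunnel: LOG3[26463:3061513104]: connect_blocking: connect 74.207.251.242:80: Connection refused (111)
""".splitlines()

if __name__ == "__main__":
    counts, errors = triage(SAMPLE)
    print("lines per level:", dict(counts))
    for ts, level, msg in errors:
        print(f"{ts} LOG{level}: {msg}")
```

Run it as `python3 triage.py < /var/log/syslog` after replacing SAMPLE with `sys.stdin`; an "accept" error points at the stunnel host's own descriptor limit, while a "connect" error points at the Node.js side.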