Hi There -
I'd like to use stunnel as the SSL termination point for a bunch of persistent TCP connections.
I'm running it on an EC2 instance and it's only allowing me about 1000 concurrent connections. It doesn't matter if the connections come from one client IP or two.
How can I raise this limit?
I've already raised the OS tcp connection limit with ulimit and it doesn't improve things.
Thanks,
T
I remember asking Michael Trojnara a similar question -- what version are you running and how much memory is in your EC2 instance? I think he said you would need about 4g to properly allow for 1000 connections, and I could have sworn that in a version of 4.4 the connection limit went up to 64k
> Date: Thu, 28 Jun 2012 17:50:09 -0400
> From: tashburn@gmail.com
> To: stunnel-users@stunnel.org
> Subject: [stunnel-users] more than 1000 concurrent connections?
>
> Hi There -
> I'd like to use stunnel as the SSL termination point for a bunch of persistent TCP connections.
> I'm running it on an EC2 instance and it's only allowing me about 1000 concurrent connections. It doesn't matter if the connections come from one client IP or two.
> How can I raise this limit?
> I've already raised the OS tcp connection limit with ulimit and it doesn't improve things.
> Thanks,
> T
On Thu, Jun 28, 2012 at 5:50 PM, Trenton Ashburn tashburn@gmail.com wrote:
> Hi There -
> I'd like to use stunnel as the SSL termination point for a bunch of persistent TCP connections.
> I'm running it on an EC2 instance and it's only allowing me about 1000 concurrent connections. It doesn't matter if the connections come from one client IP or two.
What error do you get when it starts failing?
-----Scott.
Hi Scott -
Stunnel does not give an error message (unless it writes logs that I'm not aware of).
My client that's connecting to my server behind stunnel just gets its connection attempts refused.
Is stunnel supposed to be able to handle more? Have other people gotten it to work with 50,000+ connections on EC2?
- Trent
On Sat, Jun 30, 2012 at 11:05 PM, Scott Gifford sgifford@suspectclass.com wrote:
> On Thu, Jun 28, 2012 at 5:50 PM, Trenton Ashburn tashburn@gmail.com wrote:
> > Hi There -
> > I'd like to use stunnel as the SSL termination point for a bunch of persistent TCP connections.
> > I'm running it on an EC2 instance and it's only allowing me about 1000 concurrent connections. It doesn't matter if the connections come from one client IP or two.
> What error do you get when it starts failing?
> -----Scott.
On 07/02/2012 05:21 AM, Trenton Ashburn wrote:
> My client that's connecting to my server behind stunnel just gets its connection attempts refused.
You're sure it's refused, not a timeout? Is the stunnel process running into the max limit of open file descriptors (default is likely to be 1024)? See 'ulimit -n', 'lsof -n -p <pid_of_stunnel>', /etc/security/limits.conf, etc.
Sven
Sven -
The error I'm getting is "java.io.IOException: Connection reset by peer" on the 1017th connection.
"ulimit -n" shows:
999999
"lsof -n -p 6595" shows:
COMMAND  PID USER      FD  TYPE DEVICE             SIZE/OFF   NODE NAME
stunnel 6595 ec2-user cwd  DIR  202,1                  4096      2 /
stunnel 6595 ec2-user rtd  DIR  202,1                  4096      2 /
stunnel 6595 ec2-user txt  REG  202,1               2510282   8807 /usr/local/bin/stunnel
stunnel 6595 ec2-user mem  REG  202,1               1903208   7619 /lib64/libc-2.12.so
stunnel 6595 ec2-user mem  REG  202,1                138328   7643 /lib64/libpthread-2.12.so
stunnel 6595 ec2-user mem  REG  202,1                113432   7629 /lib64/libnsl-2.12.so
stunnel 6595 ec2-user mem  REG  202,1                 14584   7651 /lib64/libutil-2.12.so
stunnel 6595 ec2-user mem  REG  202,1                 19536   7625 /lib64/libdl-2.12.so
stunnel 6595 ec2-user mem  REG  202,1                154464  17671 /lib64/ld-2.12.so
stunnel 6595 ec2-user  0u  CHR  1,3                     0t0     19 /dev/null
stunnel 6595 ec2-user  1u  CHR  1,3                     0t0     19 /dev/null
stunnel 6595 ec2-user  2u  CHR  1,3                     0t0     19 /dev/null
stunnel 6595 ec2-user  4r  FIFO 0,8                     0t0 534916 pipe
stunnel 6595 ec2-user  5w  FIFO 0,8                     0t0 534916 pipe
stunnel 6595 ec2-user  6u  unix 0xffff880001d26900      0t0 534919 socket
stunnel 6595 ec2-user  7u  IPv4 534920                  0t0    TCP *:commplex-link (LISTEN)
"cat /etc/security/limits.conf" shows:
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
# - the wildcard %, can be also used with %group syntax,
# for maxlogin limit
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
* - nofile 999999
# End of file
I believe that these settings should all allow way more than 1016 connections.
Any other clues for me?
Cheers,
- Trent
On Mon, Jul 2, 2012 at 6:06 AM, Sven Ulland sveniu@opera.com wrote:
> On 07/02/2012 05:21 AM, Trenton Ashburn wrote:
> > My client that's connecting to my server behind stunnel just gets its connection attempts refused.
> You're sure it's refused, not a timeout? Is the stunnel process running into the max limit of open file descriptors (default is likely to be 1024)? See 'ulimit -n', 'lsof -n -p <pid_of_stunnel>', /etc/security/limits.conf, etc.
> Sven
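Added example, not part of the thread and not code from the stunnel project: 'ulimit -n' reports the limit of the shell it is typed into, while on Linux /proc/<pid>/limits shows the limit the kernel applies to the already-running process and /proc/<pid>/fd lists its open descriptors. The function names are hypothetical and the script assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Added example: inspect the descriptor limit of a running process (Linux).
# Function names are hypothetical; nothing here is stunnel-specific.

# Print "<soft> <hard>" from a file in /proc/<pid>/limits format.
nofile_limits() {
    awk '/^Max open files/ { print $4, $5 }' "$1" 2>/dev/null
}

# Count the entries of a directory laid out like /proc/<pid>/fd.
fd_count() {
    ls -1 "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Summarise one process.  $1 = pid, $2 = proc root (default /proc).
check_pid() {
    pid=$1
    root=${2:-/proc}
    limits=$(nofile_limits "$root/$pid/limits")
    if [ -z "$limits" ]; then
        echo "pid $pid: cannot read $root/$pid/limits" >&2
        return 1
    fi
    soft=${limits% *}
    hard=${limits#* }
    used=$(fd_count "$root/$pid/fd")
    echo "pid=$pid soft=$soft hard=$hard used=$used"
    # The limit of this shell is not necessarily the limit of the daemon.
    shell_soft=$(ulimit -n)
    if [ "$soft" != "$shell_soft" ]; then
        echo "note: process soft limit $soft != this shell's ulimit -n ($shell_soft)"
    fi
}

# Usage: sh check_nofile.sh <pid_of_stunnel>
if [ "$#" -gt 0 ]; then
    check_pid "$1"
fi
```

Run it as the user that owns the process (or as root) while connections are open, so the descriptor count reflects the loaded state.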