I'm trying to hook up stunnel and haproxy to forward https connections through to some backend servers.
I've got haproxy setup right, and I seem to have stunnel set up right. Trouble is that when I hit the setup with a load test after a while I start to see these log entries (I've included the last few entries from proper connections before I started to get the connection rejected error):
2010.05.05 11:23:29 LOG7[3498:3086792368]: https accepted FD=510 from 10.195.158.225:42722
2010.05.05 11:23:29 LOG7[3498:3035233168]: https started
2010.05.05 11:23:29 LOG7[3498:3035233168]: FD 510 in non-blocking mode
2010.05.05 11:23:29 LOG7[3498:3035233168]: TCP_NODELAY option set on local socket
2010.05.05 11:23:29 LOG7[3498:3035233168]: Waiting for a libwrap process
2010.05.05 11:23:29 LOG7[3498:3086792368]: https accepted FD=511 from 10.195.158.225:42723
2010.05.05 11:23:29 LOG7[3498:3035167632]: https started
2010.05.05 11:23:29 LOG7[3498:3035167632]: FD 511 in non-blocking mode
2010.05.05 11:23:29 LOG7[3498:3035167632]: TCP_NODELAY option set on local socket
2010.05.05 11:23:29 LOG7[3498:3035167632]: Waiting for a libwrap process
2010.05.05 11:23:30 LOG7[3498:3086792368]: https accepted FD=512 from 10.195.158.225:42724
2010.05.05 11:23:30 LOG4[3498:3086792368]: Connection rejected: too many clients (>=500)
2010.05.05 11:23:30 LOG7[3498:3086792368]: https accepted FD=512 from 10.195.158.225:42725
2010.05.05 11:23:30 LOG4[3498:3086792368]: Connection rejected: too many clients (>=500)
I guess I've hit a limit somewhere but I wasn't sure how to fix it, there doesn't seem to be a config file option for stunnel to change this.
Does anyone know how to configure stunnel for a potentially large number of connections?
From what I recall, stunnel simply relies on the ulimit setting to find its limit in file descriptors. So you just have to do "ulimit -n 65536" and you'll get a client limit around 32000.
Be careful though, as each SSL context can use a lot of memory. Also, if your stunnel works in thread mode, you won't necessarily want to reach thread numbers that high.
Check your limits here:
cat /proc/$(pidof stunnel4)/limits
Then edit the file
/etc/default/stunnel4
: Set RLIMITS:RLIMITS="-n 65536"
Restart stunnel:
sudo /etc/init.d/stunnel4 restart
Confirm your limits with
cat /proc/$(pidof stunnel4)/limits
again.