[stunnel-users] performance configuration for rehl3 & JBoss

Jones Scott - sjones Scott.Jones at acxiom.com
Fri Dec 1 23:02:26 CET 2006


I am having problems will apache and stunnel being able to handle load.
I am using stunnel to encrypt my ajp traffic from apache to jboss.  This
helps me bridge our internal firewall.

 

But during load testing the system starts breaking down.  It takes about
1/5 the load to break down apache and stunnel, than directly against my
jboss node.

 

Any performance tuning recommendations would be great.

I am using stunnel straight out of the box.  I will place the
configuration file below.

 

Thanks.

 

; Sample stunnel configuration file by Michal Trojnara 2002-2006

; Some options used here may not be adequate for your particular
configuration

; Please make sure you understand them (especially the effect of chroot
jail)

 

; Certificate/key is needed in server mode and optional in client mode

;cert = /usr/local/stunnel/etc/stunnel/mail.pem

;key = /usr/local/stunnel/etc/stunnel/mail.pem

 

; Protocol version (all, SSLv2, SSLv3, TLSv1)

sslVersion = SSLv3

 

; Some security enhancements for UNIX systems - comment them out on
Win32

chroot = /usr/local/stunnel/var/lib/stunnel/

setuid = nobody

setgid = nogroup

; PID is created inside chroot jail

pid = /stunnel.pid

 

; Some performance tunings

socket = l:TCP_NODELAY=1

socket = r:TCP_NODELAY=1

;compression = rle

 

; Workaround for Eudora bug

;options = DONT_INSERT_EMPTY_FRAGMENTS

 

; Authentication stuff

;verify = 2

; Don't forget to c_rehash CApath

; CApath is located inside chroot jail

CApath = certificates

; It's often easier to use CAfile

CAfile = /usr/local/stunnel/etc/stunnel/certs.pem

; Don't forget to c_rehash CRLpath

; CRLpath is located inside chroot jail

;CRLpath = /crls

; Alternatively you can use CRLfile

;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem

 

; Some debugging stuff useful for troubleshooting

;debug = 7

output = stunnel.log

 

; Use it for client mode

client = yes

 

; Service-level configuration

 

[ajp]

accept = 8009

connect = xxxx2:8009

 

[sql]

accept = 1433

connect = XXXX1:443

*************************************************************************
The information contained in this communication is confidential, is
intended only for the use of the recipient named above, and may be
legally privileged.

If the reader of this message is not the intended recipient, you are 
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited.

If you have received this communication in error, please resend this
communication to the sender and delete the original message or any copy
of it from your computer system.

Thank you.
*************************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20061201/214eaeab/attachment.html>


More information about the stunnel-users mailing list