[stunnel-users] STunnel performance Issues

Jones Scott - sjones Scott.Jones at acxiom.com
Mon Dec 11 16:20:36 CET 2006


I am having problems with apache and stunnel being able to handle load.
I am using stunnel to encrypt my ajp traffic from apache to jboss.  This
helps me bridge our internal firewall.

But during load testing the system starts breaking down.  It takes about
1/5 the load to break down apache and stunnel, than directly against my
jboss node.

Any performance tuning recommendations would be great.

I am using stunnel straight out of the box.  I will place the
configuration file below.

Thanks.

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
;cert = /usr/local/stunnel/etc/stunnel/mail.pem
;key = /usr/local/stunnel/etc/stunnel/mail.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/stunnel/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
CApath = certificates
; It's often easier to use CAfile
CAfile = /usr/local/stunnel/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[ajp]
accept = 8009
connect = xxxx2:8009

[sql]
accept = 1433
connect = XXXX1:443