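# Kernel network tuning, applied by sysctl(8) at boot (see sysctl.conf(5)).
# Format is one "key = value" per line; "#" starts a full-line comment.
# NOTE: keys under net.netfilter.* only exist once the nf_conntrack module is
# loaded, and net.ipv4.tcp_challenge_ack_limit is absent on newer kernels.
# sysctl reports "No such file or directory" for missing keys and continues;
# prefixing a line with "-" tells sysctl to ignore that error silently.

# Max number of datagrams queued on an AF_UNIX datagram socket (kernel default: 10)
net.unix.max_dgram_qlen = 1024

# Connection-tracking table: max tracked flows, and hash buckets (conventionally max/4)
net.netfilter.nf_conntrack_max = 262144
net.netfilter.nf_conntrack_buckets = 65536

## IPv6
# This host forwards IPv6 traffic
net.ipv6.conf.all.forwarding = 1

# Keep IPv6 enabled on all interfaces (0 = enabled); enp2s0 is the host's NIC name
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.enp2s0.disable_ipv6 = 0

## IPv4
# This host forwards IPv4 traffic
net.ipv4.ip_forward = 1

# Turn on Source Address Verification (reverse-path filtering) on all interfaces
# to prevent some spoofing attacks. 1 = strict mode: a packet is dropped unless
# the route back to its source uses the interface it arrived on. Because this
# host also forwards (ip_forward = 1), asymmetric routing would drop legitimate
# traffic in strict mode; 2 (loose mode) is the usual alternative in that case.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions. When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies = 1

# Release half-closed connections faster. This key is the time an orphaned
# socket stays in FIN_WAIT_2 before being aborted; it does not shorten
# TIME_WAIT itself (that interval is fixed in the kernel).
net.ipv4.tcp_fin_timeout = 10
# Same idea for the nf_conntrack module's FIN_WAIT entries (seconds)
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 15

# Increase the ephemeral IP port range (low high)
net.ipv4.ip_local_port_range = 10240 61000

# Neighbour (ARP/NDP) cache thresholds; raised to avoid "neighbour table overflow"
# https://www.serveradminblog.com/2011/02/neighbour-table-overflow-sysctl-conf-tunning/
net.ipv4.neigh.default.gc_thresh1 = 1024
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh3 = 4096

# Raise the global challenge-ACK rate limit. The linked article concerns an
# off-path attack that infers this global counter to hijack TCP connections;
# a very high limit makes that inference impractical. Newer kernels randomize
# the limit or drop this key entirely, so on them this line is a no-op.
# http://www.opennet.ru/opennews/art.shtml?num=44945
net.ipv4.tcp_challenge_ack_limit = 9999

# Don't slow the network - keep the congestion window after idle.
# tcp_no_metrics_save = 0 is the kernel default (per-route metrics are cached).
# https://github.com/ton31337/tools/wiki/tcp_slow_start_after_idle---tcp_no_metrics_save-performance
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_no_metrics_save = 0

# Optimize connection queues
# https://www.linode.com/docs/web-servers/nginx/configure-nginx-for-optimized-performance
# Increase the number of packets that can be queued on the input side per CPU
net.core.netdev_max_backlog = 3240000
# Max number of "backlogged sockets" (connection requests that can be queued for any given listening socket)
# Note: an application's listen() backlog is capped at this value.
net.core.somaxconn = 256000
# Increase max number of sockets allowed in TIME_WAIT
net.ipv4.tcp_max_tw_buckets = 1440000
# Number of SYN requests to keep in the backlog before the kernel starts dropping them
# (with tcp_syncookies = 1 the kernel falls back to cookies once this fills up)
# A sane value is net.ipv4.tcp_max_syn_backlog = 3240000
net.ipv4.tcp_max_syn_backlog = 3240000

# TCP memory tuning
# View memory TCP actually uses with: cat /proc/net/sockstat
# *** These values are auto-created based on your server specs ***
# *** Edit these parameters with caution because they will use more RAM ***
# Changes suggested by IBM on https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Welcome%20to%20High%20Performance%20Computing%20%28HPC%29%20Central/page/Linux%20System%20Tuning%20Recommendations
# Increase the default socket buffer read size (rmem_default) and write size (wmem_default)
# *** Maybe recommended only for high-RAM servers? *** (left disabled for that reason)
#net.core.rmem_default = 16777216
#net.core.wmem_default = 16777216
# Increase the max socket buffer size (optmem_max), max socket buffer read size (rmem_max), max socket buffer write size (wmem_max)
# 16MB per socket - which sounds like a lot, but will virtually never consume that much
# rmem_max over-rides tcp_rmem param, wmem_max over-rides tcp_wmem param and optmem_max over-rides tcp_mem param
#net.core.optmem_max = 16777216
#net.core.rmem_max = 16777216
#net.core.wmem_max = 16777216
# Configure the Min, Pressure, Max values (units are in page size)
# Useful mostly for very high-traffic websites that have a lot of RAM
# Consider that we already set the *_max values to 16777216
# So you may eventually comment these three lines (currently disabled)
#net.ipv4.tcp_mem = 16777216 16777216 16777216
#net.ipv4.tcp_wmem = 4096 87380 16777216
#net.ipv4.tcp_rmem = 4096 87380 16777216

# Disable TCP SACK (TCP Selective Acknowledgement), DSACK (duplicate TCP SACK), and FACK (Forward Acknowledgement)
# SACK requires enabling tcp_timestamps and adds some packet overhead
# Only advised in cases of packet loss on the network (left disabled: SACK stays on)
#net.ipv4.tcp_sack = 0
#net.ipv4.tcp_dsack = 0
#net.ipv4.tcp_fack = 0

# Disable TCP timestamps
# Can have a performance overhead and is only advised in cases where sack is needed (see tcp_sack)
# Left disabled: timestamps stay on, which SACK and PAWS rely on.
#net.ipv4.tcp_timestamps = 0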