net.core.somaxconn = 32768
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 262144
net.ipv4.tcp_mem = 200000 280000 300000
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_rmem = 4096 87380 4120928
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_wmem = 4096 16384 4120928
net.ipv4.netfilter.ip_conntrack_max = 10485760
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 15
net.netfilter.nf_conntrack_max = 10485760
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 15
Seriously; do not use net.ipv4.tcp_tw_recycle, it will easily break your setup. See http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html for details.
You probably don't want to disable net.ipv4.tcp_timestamps. It's important to have that turned on in fast networks because it's used to detect sequence number wrapping (PAWS). It also makes the TCP congestion control algorithms work better. There are a lot of tuning guides out there that recommend turning it off, but they're often old or just cargo-culting outdated advice from a long time ago.
It's usually not necessary to set net.ipv4.tcp_mem. The kernel chooses sane values for most use cases. Also, be advised it's specified in pages, not bytes.
To echo the comment above, enabling net.ipv4.tcp_tw_recycle can cause problems -- especially on public-facing load balancers.
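An added example, not from the gist or from any of the comments: a POSIX shell script that audits a sysctl.conf-style file for the three points raised in the comments above (net.ipv4.tcp_tw_recycle set to 1, net.ipv4.tcp_timestamps set to 0, and net.ipv4.tcp_mem being specified in pages rather than bytes). The function names and the sample file it writes are my own constructions; the sample reuses the gist's risky lines so the run is reproducible.

```shell
#!/bin/sh
# Added example, not part of the gist or its comments: audit a sysctl.conf-style
# file for the three things the comments warn about. POSIX sh; needs only
# sed, awk, tail and mktemp. Function names and the sample file are my own.

# Write a constructed sample (the risky lines of the gist, abbreviated) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for the audit below
net.core.somaxconn = 32768
net.ipv4.tcp_mem = 200000 280000 300000
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies=1
net.ipv4.ip_local_port_range="1025 65534"
EOF
}

# sysctl_get FILE KEY: print KEY's value (last definition wins, comments and
# surrounding quotes stripped), or nothing if KEY is not set in FILE.
sysctl_get() {
    # escape the dots so the key is matched literally by sed
    _key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -e 's/#.*//' "$1" |
        sed -n "s/^[[:space:]]*${_key_re}[[:space:]]*=[[:space:]]*//p" |
        tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# tcp_mem_max_bytes FILE [PAGESIZE]: the third (max) tcp_mem field is in pages;
# convert it to bytes so the size can be sanity-checked against real RAM.
tcp_mem_max_bytes() {
    page=${2:-$(getconf PAGESIZE 2>/dev/null || echo 4096)}
    mem=$(sysctl_get "$1" net.ipv4.tcp_mem)
    [ -n "$mem" ] || return 0
    max=$(printf '%s\n' "$mem" | awk '{print $3}')
    echo $((max * page))
}

# audit_sysctl_file FILE: warnings go to stderr, the number of findings to stdout.
audit_sysctl_file() {
    f=$1
    n=0
    if [ "$(sysctl_get "$f" net.ipv4.tcp_tw_recycle)" = "1" ]; then
        echo "WARN net.ipv4.tcp_tw_recycle=1: drops connections from clients behind NAT or load balancers; the knob was removed in Linux 4.12" >&2
        n=$((n + 1))
    fi
    if [ "$(sysctl_get "$f" net.ipv4.tcp_timestamps)" = "0" ]; then
        echo "WARN net.ipv4.tcp_timestamps=0: disables PAWS and RTT measurement; leave it at 1" >&2
        n=$((n + 1))
    fi
    mem=$(sysctl_get "$f" net.ipv4.tcp_mem)
    if [ -n "$mem" ]; then
        bytes=$(tcp_mem_max_bytes "$f")
        echo "INFO net.ipv4.tcp_mem is in pages: max $(printf '%s\n' "$mem" | awk '{print $3}') pages = $((bytes / 1048576)) MiB at this page size; the kernel default is usually fine" >&2
    fi
    echo "$n"
}

# Demo: audit the file given as $1, or the constructed sample if none was given.
if [ -n "${1:-}" ]; then
    target=$1
else
    target=$(mktemp)
    write_sample_conf "$target"
fi
findings=$(audit_sysctl_file "$target")
echo "$findings finding(s) in $target"
[ -n "${1:-}" ] || rm -f "$target"
```

Run it with a path (for example `sh audit.sh /etc/sysctl.d/99-tuning.conf`) to audit that file, or with no arguments to audit the constructed sample, which produces two warnings. It inspects the file, not the running kernel; on a live host compare with `sysctl -n net.ipv4.tcp_timestamps` and `sysctl -n net.ipv4.tcp_mem`.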
Which of the above settings will have the biggest impact on my server?
ref: https://www.slideshare.net/haproxytech/haproxy-best-practice slide 13
net.ipv4.ip_local_port_range = "1025 65534"
net.ipv4.tcp_max_syn_backlog = 100000
net.core.netdev_max_backlog = 100000
net.core.somaxconn = 65534
net.ipv4.tcp_rmem = "4096 16060 64060"
net.ipv4.tcp_wmem = "4096 16384 262144"
optional:
net.ipv4.tcp_slow_start_after_idle = 0
net.netfilter.nf_conntrack_max = 131072
Updated documentation
https://www.haproxy.com/documentation/hapee/latest/getting-started/system-tuning/
Hi Jay, this came up in Google, and is pretty interesting to me (currently researching a problem related to nf_conntrack_max). Could you tell me if you have used this configuration in production, and if it stood up to high load? Thanks