Tuning and improving security for HAProxy
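# sysctl settings for a Linux host running HAProxy (drop into /etc/sysctl.d/ or
# /etc/sysctl.conf and apply with `sysctl -p`). Values are kept exactly as the
# author set them; the comments explain what each knob does and flag the ones
# that deserve a second look before rollout.

# Cap on the listen() backlog a socket may request; HAProxy's maxconn/backlog
# is clamped to this, so it must be at least as large as the expected burst.
net.core.somaxconn = 32768
# NOTE(review): 1 is the kernel default and *enables* sending ICMP redirects.
# Hardening guides normally set this to 0 on a host that does not route for
# others, because redirects can be used to steer traffic; confirm that
# enabling it here is intentional rather than a copy-paste from a router tuning.
net.ipv4.conf.all.send_redirects = 1
# Allows binding to an address the host does not currently own, presumably so
# HAProxy can bind a floating VIP before failover (e.g. keepalived) moves it.
net.ipv4.ip_nonlocal_bind = 1
# When the accept queue overflows, drop the final ACK instead of sending RST so
# the client retransmits and is admitted once HAProxy catches up.
net.ipv4.tcp_abort_on_overflow = 0
# Shorter FIN-WAIT-2 hold time so closed connections free their slots quickly.
net.ipv4.tcp_fin_timeout = 10
# Idle seconds before the first keepalive probe (kernel default is 7200).
net.ipv4.tcp_keepalive_time = 300
# Upper bounds on orphaned (not attached to any fd) and TIME-WAIT sockets;
# exceeding them causes sockets to be reset, so size these for peak load.
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_tw_buckets = 262144
# TCP memory pressure thresholds: low / pressure / high, in pages (not bytes).
net.ipv4.tcp_mem = 200000 280000 300000
# Kernel default; kept explicit.
net.ipv4.tcp_reordering = 3
# Receive buffer min / default / max in bytes.
net.ipv4.tcp_rmem = 4096 87380 4120928
# Retransmissions of SYN-ACK for a passive (incoming) connection before the
# half-open entry is dropped; this bounds how long a half-open connection
# occupies the SYN backlog (the exact time depends on the kernel's
# exponential backoff).
net.ipv4.tcp_synack_retries = 3
# Enable SYN cookies so a backlog flood degrades gracefully instead of
# refusing new clients. Note the backlog is sized to 16384 below, matching
# net.core.somaxconn in spirit; an earlier revision of this comment quoted 2048.
net.ipv4.tcp_syncookies = 1
# Retransmissions of SYN for active (outgoing) connections, i.e. HAProxy to
# its backends.
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_max_syn_backlog = 16384
# Left disabled on purpose: tcp_tw_reuse below relies on TCP timestamps, and
# turning them off would also lose PAWS protection. Keep this commented out.
#net.ipv4.tcp_timestamps = 0
# Do not use tcp_tw_recycle as it will cause balancing problems:
# it will not handle connections from two different computers behind the same
# NAT device (it was removed from the kernel in 4.12 for this reason).
# tcp_tw_reuse is the safe alternative for reusing TIME-WAIT sockets on the
# outgoing (HAProxy -> backend) side.
net.ipv4.tcp_tw_reuse = 1
# Send buffer min / default / max in bytes.
net.ipv4.tcp_wmem = 4096 16384 4120928
# Connection tracking limits. The net.ipv4.netfilter.ip_conntrack_* names are
# the legacy spelling and the net.netfilter.nf_conntrack_* names the current
# one; both are set so the file works across kernel versions, but expect
# "unknown key" warnings for whichever set the running kernel does not expose.
# A max of 10485760 entries costs real memory (each entry is a few hundred
# bytes) and the hash table size should be raised to match; on a pure load
# balancer consider whether conntrack is needed at all, since every tracked
# flow is also a DoS surface when the table fills.
net.ipv4.netfilter.ip_conntrack_max = 10485760
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 15
net.netfilter.nf_conntrack_max = 10485760
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 15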