Linux Web Server Kernel Tuning

99-network-tuning.conf

# Configuration file for runtime kernel parameters.
# See sysctl.conf(5) for more information.

# See also http://www.nateware.com/linux-network-tuning-for-2013.html for
# an explanation about some of these parameters, and instructions for
# a few other tweaks outside this file.

# See evil packets in your logs.
net.ipv4.conf.all.log_martians = 1

# Discourage Linux from swapping idle server processes to disk (default = 60)
vm.swappiness = 10

# Tweak how the flow of kernel messages is throttled.
#kernel.printk_ratelimit_burst = 10
#kernel.printk_ratelimit = 5

# --------------------------------------------------------------------
# The following allow the server to handle lots of connection requests
# --------------------------------------------------------------------

# Increase number of incoming connections that can queue up
# before dropping
net.core.somaxconn = 50000

# Handle SYN floods and large numbers of valid HTTPS connections
net.ipv4.tcp_max_syn_backlog = 30000

# Increase the length of the network device input queue
net.core.netdev_max_backlog = 5000

# Increase system file descriptor limit so we will (probably)
# never run out under lots of concurrent requests.
# (Per-process limit is set in /etc/security/limits.conf)
fs.file-max = 999999

# Widen the port range used for outgoing connections
#net.ipv4.ip_local_port_range = 10000 65000
# I have daemon run on 120XX, so let range start from 13000
net.ipv4.ip_local_port_range = 13000 65535

# If your servers talk UDP, also up these limits
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192

# --------------------------------------------------------------------
# The following help the server efficiently pipe large amounts of data 
# --------------------------------------------------------------------

# Disable source routing and redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0

# Disable packet forwarding.
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Disable TCP slow start on idle connections
net.ipv4.tcp_slow_start_after_idle = 0

# Increase Linux autotuning TCP buffer limits
# Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
# Don't set tcp_mem itself! Let the kernel scale it based on RAM.
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
net.core.optmem_max = 40960
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216


# --------------------------------------------------------------------
# The following allow the server to handle lots of connection churn
# --------------------------------------------------------------------

# Disconnect dead TCP connections after 1 minute
net.ipv4.tcp_keepalive_time = 60

# Wait a maximum of 5 * 2 = 10 seconds in the TIME_WAIT state after a FIN, to handle
# any remaining packets in the network. 
## for kernel 2.6/ubuntu 10.04
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 1
## for kernel 3.0/ubuntu 14.04
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 1

# Allow a high number of timewait sockets
net.ipv4.tcp_max_tw_buckets = 2000000

# Timeout broken connections faster (amount of time to wait for FIN)
net.ipv4.tcp_fin_timeout = 10

# Let the networking stack reuse TIME_WAIT connections when it thinks it's safe to do so
net.ipv4.tcp_tw_reuse = 1

# This option may cause problem and dropped after v4.12. Just don't use it.
# net.ipv4.tcp_tw_recycle = 0

# Determines the wait time between isAlive interval probes (reduce from 75 sec to 15)
net.ipv4.tcp_keepalive_intvl = 15

# Determines the number of probes before timing out (reduce from 9 sec to 5 sec)
net.ipv4.tcp_keepalive_probes = 5

# --------------------------------------------------------------------
# Fix nf_contrack table full problem 
# You may encounter this problem if you use iptable based firewall.
# ref http://lists.firehol.org/pipermail/firehol-support/2007-December/002243.html
#     http://jaseywang.me/2012/08/16/%E8%A7%A3%E5%86%B3-nf_conntrack-table-full-dropping-packet-%E7%9A%84%E5%87%A0%E7%A7%8D%E6%80%9D%E8%B7%AF/
# --------------------------------------------------------------------

## for kernel 2.6/ubuntu 10.04
net.ipv4.netfilter.ip_conntrack_max = 655360
## for kernel 3.0/ubuntu 14.04
net.netfilter.nf_conntrack_max = 655360

# read-only, set  /sys/module/nf_conntrack/parameters/hashsize instead
## for kernel 2.6/ubuntu 10.04
#net.ipv4.netfilter.ip_conntrack_buckets = 327680
## for kernel 3.0/ubuntu 14.04
net.netfilter.nf_conntrack_buckets = 327680

## for kernel 2.6/ubuntu 10.04
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 600
## for kernel 3.0/ubuntu 14.04
net.netfilter.nf_conntrack_tcp_timeout_established = 600

# --------------------------------------------------------------------
# Prevent ipv6 problem 
# --------------------------------------------------------------------
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# -------------------------------------------------------------

## syn-ack retry
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3

limits.conf

*   soft    nofile  999999
*   hard    nofile  999999
root    soft    nofile  999999
root    hard    nofile  999999

rc.local

# net.ipv4.netfilter.* in sysctl config file may not take effect due to the boot sequence. 
# Fix it by trigger sysctl to load the config again here.
sysctl -p /etc/sysctl.d/99-network-tuning.conf

# Cannot set this via sysctl. Set it here instead.
echo 327680 > /sys/module/nf_conntrack/parameters/hashsize