Nginx充当广告服务器的反向代理,每分钟接收20k个请求。从广告服务器到nginx的响应时间在100ms内。
运行在虚拟机上,配置为 128GB RAM 4 vCPU 100GB HDD
考虑以上因素,Nginx和sysctl.conf的良好设置是什么?
Nginx充当广告服务器的反向代理,每分钟接收20k个请求。从广告服务器到nginx的响应时间在100ms内。
运行在虚拟机上,配置为 128GB RAM 4 vCPU 100GB HDD
考虑以上因素,Nginx和sysctl.conf的良好设置是什么?
20.000 * 2 * 1.5 = 60.000.
我认为将其设置为65K是一个安全的值。
您可以通过以下方式检查文件描述符的数量:
cat /proc/sys/fs/file-max
fs.file-max = 65000
对于Nginx,您还需要在以下文件中添加以下内容:/etc/systemd/system/nginx.service.d/override.conf
[Service]
LimitNOFILE=65000
worker_rlimit_nofile 65000;
添加后,您需要应用更改:
sudo sysctl -p
sudo systemctl daemon-reload
sudo systemctl restart nginx
vm.swappiness = 0 # The kernel will swap only to avoid an out of memory condition
vm.min_free_kbytes = 327680 # The kernel will start swapping when memory is below this limit (300MB)
vm.vfs_cache_pressure = 125 # reclaim memory which is used for caching of VFS caches quickly
vm.dirty_ratio = 15 # Write pages to disk when 15% of memory is dirty
vm.dirty_background_ratio = 10 # System can start writing pages to disk when 15% of memory is dirty
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1
由于您正在代理请求,我建议您将以下内容添加到sysctl.conf文件中,以确保不会耗尽端口。这是可选的,但如果遇到问题,则需要考虑此事:
net.ipv4.ip_local_port_range=1024 65000
由于我通常会评估默认设置并相应地进行调整,因此我没有提供IPv4和ipv4.tcp_选项。下面是一个示例,但请不要复制和粘贴,您需要在开始调整这些变量之前进行一些阅读。
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1