goeroeku/fastcgi-php.conf

## fastcgi-php.conf
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;

# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;

# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

fastcgi_index index.php;
include fastcgi.conf;

## locations.conf
location = /favicon.ico {
    access_log off;
    log_not_found off;
    expires max;
}

location = /robots.txt {
    # Some WordPress plugin gererate robots.txt file
    # Refer #340 issue
    try_files $uri $uri/ /index.php?$args;
    access_log off;
    log_not_found off;
}

# Cache static files
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|ttc|font.css|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
    add_header "Access-Control-Allow-Origin" "*";
    access_log off;
    log_not_found off;
    expires max;
}

# Security settings for better privacy
# Deny hidden files
location ~ /\.well-known {
    allow all;
}

location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}

# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
    deny all;
    access_log off;
    log_not_found off;
}

# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
    return 403;
}

## mime.types
types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/font-woff2           	    woff2;
    application/x-font-ttf          	    ttc ttf;
    application/x-font-otf           	    otf;

    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

## nginx.conf
user nginx;
worker_processes auto;

events {
    #worker_connections 768;
    # multi_accept on;
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    keepalive_requests 100000;
    types_hash_max_size 2048;
    types_hash_bucket_size 128;
    # server_tokens off;
    client_body_buffer_size      128k;
    client_max_body_size         10m;
    client_header_buffer_size    1k;
    large_client_header_buffers  4 4k;
    output_buffers               1 32k;
    postpone_output              1460;
    client_header_timeout  3m;
    client_body_timeout    3m;
    send_timeout           3m;
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 5;
    open_file_cache_errors off;

    server_names_hash_bucket_size 64;
    #server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    #access_log logs/access.log;
    #error_log logs/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;

    ##
    # Virtual Host Configs
    ##

    #include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

}

## php.conf
location / {
    #try_files $uri $uri/ /index.php?$args;
    try_files $uri $uri/ /index.php$is_args$args;
}

location ~ \.php$ {
    include snippets/fastcgi-php.conf; ## atau masukan alamat dari fastcgi_params

    # With php5-fpm:
    fastcgi_pass unix:/var/run/php5-fpm.sock; ## see config on file www.conf (on php*-fpm directory)
    # Prevent 504 Gateway Timeout
    fastcgi_read_timeout 360; ## 10 menit, other ex : 3600 (1 jam)
}

## sysctl.conf
###
### GENERAL SYSTEM SECURITY OPTIONS ###
###

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

#Allow for more PIDs
kernel.pid_max = 65535

# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
kernel.maps_protect = 1

#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 2

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65535

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65535

# Restrict core dumps
fs.suid_dumpable = 0

# Hide exposed kernel pointers
kernel.kptr_restrict = 1


###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###

# Increase size of file handles and inode cache
fs.file-max = 209708

# Do less swapping
vm.swappiness = 30
vm.dirty_ratio = 30
vm.dirty_background_ratio = 5

# specifies the minimum virtual address that a process is allowed to mmap
vm.mmap_min_addr = 4096

# 50% overcommitment of available memory
vm.overcommit_ratio = 50
vm.overcommit_memory = 0

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456
kernel.shmall = 268435456

# Keep at least 64MB of free RAM space available
vm.min_free_kbytes = 65535


###
### GENERAL NETWORK SECURITY OPTIONS ###
###

#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

# Disables packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0

# Disables IP source routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 7

# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0

# Don't proxy arp for anyone
net.ipv4.conf.all.proxy_arp = 0

# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
net.ipv4.tcp_timestamps = 1

# Don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535

# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1

# Do not auto-configure IPv6
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.eth0.autoconf=0
net.ipv6.conf.eth0.accept_ra=0


###
### TUNING NETWORK PERFORMANCE ###
###

# Use BBR TCP congestion control and set tcp_notsent_lowat to 16384 to ensure HTTP/2 prioritization works optimally
# Do a 'modprobe tcp_bbr' first (kernel > 4.9)
# Fall-back to htcp if bbr is unavailable (older kernels)
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_notsent_lowat = 16384

# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
net.core.default_qdisc = fq

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 262144
net.core.rmem_max = 16777216

# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 262144
net.core.wmem_max = 16777216

# Increase number of incoming connections
net.core.somaxconn = 32768

# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 16384
net.core.dev_weight = 64

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65535

# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000

# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1

# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0

# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608
net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144


# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1

# Increase size of RPC datagram queue length
net.unix.max_dgram_qlen = 50

# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048

# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024

# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32

# Adjust to arp table gc to clean-up more often
net.ipv4.neigh.default.gc_interval = 30

# Increase TCP queue length
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6

# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3

# How many times to retry killing an alive TCP connection
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3

# Avoid falling back to slow start after a connection goes idle
# keeps our cwnd large with the keep alive connections (kernel > 3.6)
net.ipv4.tcp_slow_start_after_idle = 0

# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
net.ipv4.tcp_fastopen = 3

# This will enusre that immediatly subsequent connections use the new values
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1
	# regex to split $uri to $fastcgi_script_name and $fastcgi_path
	fastcgi_split_path_info ^(.+\.php)(/.+)$;

	# Check that the PHP script exists before passing it
	try_files $fastcgi_script_name =404;

	# Bypass the fact that try_files resets $fastcgi_path_info
	# see: http://trac.nginx.org/nginx/ticket/321
	set $path_info $fastcgi_path_info;
	fastcgi_param PATH_INFO $path_info;

	fastcgi_index index.php;
	include fastcgi.conf;
	location = /favicon.ico {
	access_log off;
	log_not_found off;
	expires max;
	}

	location = /robots.txt {
	# Some WordPress plugin gererate robots.txt file
	# Refer #340 issue
	try_files $uri $uri/ /index.php?$args;
	access_log off;
	log_not_found off;
	}

	# Cache static files
	location ~* \.(ogg\|ogv\|svg\|svgz\|eot\|otf\|woff\|woff2\|mp4\|ttf\|ttc\|font.css\|css\|rss\|atom\|js\|jpg\|jpeg\|gif\|png\|ico\|zip\|tgz\|gz\|rar\|bz2\|doc\|xls\|exe\|ppt\|tar\|mid\|midi\|wav\|bmp\|rtf\|swf)$ {
	add_header "Access-Control-Allow-Origin" "*";
	access_log off;
	log_not_found off;
	expires max;
	}

	# Security settings for better privacy
	# Deny hidden files
	location ~ /\.well-known {
	allow all;
	}

	location ~ /\. {
	deny all;
	access_log off;
	log_not_found off;
	}

	# Deny backup extensions & log files
	location ~* ^.+\.(bak\|log\|old\|orig\|original\|php#\|php~\|php_bak\|save\|swo\|swp\|sql)$ {
	deny all;
	access_log off;
	log_not_found off;
	}

	# Return 403 forbidden for readme.(txt\|html) or license.(txt\|html) or example.(txt\|html)
	if ($uri ~* "^.+(readme\|license\|example)\.(txt\|html)$") {
	return 403;
	}
	types {
	text/html html htm shtml;
	text/css css;
	text/xml xml;
	image/gif gif;
	image/jpeg jpeg jpg;
	application/javascript js;
	application/atom+xml atom;
	application/rss+xml rss;

	text/mathml mml;
	text/plain txt;
	text/vnd.sun.j2me.app-descriptor jad;
	text/vnd.wap.wml wml;
	text/x-component htc;

	image/png png;
	image/tiff tif tiff;
	image/vnd.wap.wbmp wbmp;
	image/x-icon ico;
	image/x-jng jng;
	image/x-ms-bmp bmp;
	image/svg+xml svg svgz;
	image/webp webp;

	application/font-woff woff;
	application/font-woff2 woff2;
	application/x-font-ttf ttc ttf;
	application/x-font-otf otf;

	application/java-archive jar war ear;
	application/json json;
	application/mac-binhex40 hqx;
	application/msword doc;
	application/pdf pdf;
	application/postscript ps eps ai;
	application/rtf rtf;
	application/vnd.apple.mpegurl m3u8;
	application/vnd.ms-excel xls;
	application/vnd.ms-fontobject eot;
	application/vnd.ms-powerpoint ppt;
	application/vnd.wap.wmlc wmlc;
	application/vnd.google-earth.kml+xml kml;
	application/vnd.google-earth.kmz kmz;
	application/x-7z-compressed 7z;
	application/x-cocoa cco;
	application/x-java-archive-diff jardiff;
	application/x-java-jnlp-file jnlp;
	application/x-makeself run;
	application/x-perl pl pm;
	application/x-pilot prc pdb;
	application/x-rar-compressed rar;
	application/x-redhat-package-manager rpm;
	application/x-sea sea;
	application/x-shockwave-flash swf;
	application/x-stuffit sit;
	application/x-tcl tcl tk;
	application/x-x509-ca-cert der pem crt;
	application/x-xpinstall xpi;
	application/xhtml+xml xhtml;
	application/xspf+xml xspf;
	application/zip zip;

	application/octet-stream bin exe dll;
	application/octet-stream deb;
	application/octet-stream dmg;
	application/octet-stream iso img;
	application/octet-stream msi msp msm;

	application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
	application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;

	audio/midi mid midi kar;
	audio/mpeg mp3;
	audio/ogg ogg;
	audio/x-m4a m4a;
	audio/x-realaudio ra;

	video/3gpp 3gpp 3gp;
	video/mp2t ts;
	video/mp4 mp4;
	video/mpeg mpeg mpg;
	video/quicktime mov;
	video/webm webm;
	video/x-flv flv;
	video/x-m4v m4v;
	video/x-mng mng;
	video/x-ms-asf asx asf;
	video/x-ms-wmv wmv;
	video/x-msvideo avi;
	}
	user nginx;
	worker_processes auto;

	events {
	#worker_connections 768;
	# multi_accept on;
	worker_connections 1024;
	use epoll;
	multi_accept on;
	}

	http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	keepalive_requests 100000;
	types_hash_max_size 2048;
	types_hash_bucket_size 128;
	# server_tokens off;
	client_body_buffer_size 128k;
	client_max_body_size 10m;
	client_header_buffer_size 1k;
	large_client_header_buffers 4 4k;
	output_buffers 1 32k;
	postpone_output 1460;
	client_header_timeout 3m;
	client_body_timeout 3m;
	send_timeout 3m;
	open_file_cache max=1000 inactive=20s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 5;
	open_file_cache_errors off;

	server_names_hash_bucket_size 64;
	#server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	#access_log logs/access.log;
	#error_log logs/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "MSIE [1-6]\.";
	gzip_vary on;
	gzip_min_length 10240;
	gzip_proxied expired no-cache no-store private auth;
	gzip_types application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;

	##
	# Virtual Host Configs
	##

	#include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;

	}
	location / {
	#try_files $uri $uri/ /index.php?$args;
	try_files $uri $uri/ /index.php$is_args$args;
	}

	location ~ \.php$ {
	include snippets/fastcgi-php.conf; ## atau masukan alamat dari fastcgi_params

	# With php5-fpm:
	fastcgi_pass unix:/var/run/php5-fpm.sock; ## see config on file www.conf (on php*-fpm directory)
	# Prevent 504 Gateway Timeout
	fastcgi_read_timeout 360; ## 10 menit, other ex : 3600 (1 jam)
	}
	###
	### GENERAL SYSTEM SECURITY OPTIONS ###
	###

	# Controls the System Request debugging functionality of the kernel
	kernel.sysrq = 0

	# Controls whether core dumps will append the PID to the core filename.
	# Useful for debugging multi-threaded applications.
	kernel.core_uses_pid = 1

	#Allow for more PIDs
	kernel.pid_max = 65535

	# The contents of /proc/<pid>/maps and smaps files are only visible to
	# readers that are allowed to ptrace() the process
	kernel.maps_protect = 1

	#Enable ExecShield protection
	kernel.exec-shield = 1
	kernel.randomize_va_space = 2

	# Controls the maximum size of a message, in bytes
	kernel.msgmnb = 65535

	# Controls the default maxmimum size of a mesage queue
	kernel.msgmax = 65535

	# Restrict core dumps
	fs.suid_dumpable = 0

	# Hide exposed kernel pointers
	kernel.kptr_restrict = 1



	###
	### IMPROVE SYSTEM MEMORY MANAGEMENT ###
	###

	# Increase size of file handles and inode cache
	fs.file-max = 209708

	# Do less swapping
	vm.swappiness = 30
	vm.dirty_ratio = 30
	vm.dirty_background_ratio = 5

	# specifies the minimum virtual address that a process is allowed to mmap
	vm.mmap_min_addr = 4096

	# 50% overcommitment of available memory
	vm.overcommit_ratio = 50
	vm.overcommit_memory = 0

	# Set maximum amount of memory allocated to shm to 256MB
	kernel.shmmax = 268435456
	kernel.shmall = 268435456

	# Keep at least 64MB of free RAM space available
	vm.min_free_kbytes = 65535



	###
	### GENERAL NETWORK SECURITY OPTIONS ###
	###

	#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
	net.ipv4.tcp_syncookies = 1
	net.ipv4.tcp_syn_retries = 2
	net.ipv4.tcp_synack_retries = 2
	net.ipv4.tcp_max_syn_backlog = 4096

	# Disables packet forwarding
	net.ipv4.ip_forward = 0
	net.ipv4.conf.all.forwarding = 0
	net.ipv4.conf.default.forwarding = 0
	net.ipv6.conf.all.forwarding = 0
	net.ipv6.conf.default.forwarding = 0

	# Disables IP source routing
	net.ipv4.conf.all.send_redirects = 0
	net.ipv4.conf.default.send_redirects = 0
	net.ipv4.conf.all.accept_source_route = 0
	net.ipv4.conf.default.accept_source_route = 0
	net.ipv6.conf.all.accept_source_route = 0
	net.ipv6.conf.default.accept_source_route = 0

	# Enable IP spoofing protection, turn on source route verification
	net.ipv4.conf.all.rp_filter = 1
	net.ipv4.conf.default.rp_filter = 1

	# Disable ICMP Redirect Acceptance
	net.ipv4.conf.all.accept_redirects = 0
	net.ipv4.conf.default.accept_redirects = 0
	net.ipv4.conf.all.secure_redirects = 0
	net.ipv4.conf.default.secure_redirects = 0
	net.ipv6.conf.all.accept_redirects = 0
	net.ipv6.conf.default.accept_redirects = 0

	# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
	net.ipv4.conf.all.log_martians = 1
	net.ipv4.conf.default.log_martians = 1

	# Decrease the time default value for tcp_fin_timeout connection
	net.ipv4.tcp_fin_timeout = 7

	# Decrease the time default value for connections to keep alive
	net.ipv4.tcp_keepalive_time = 300
	net.ipv4.tcp_keepalive_probes = 5
	net.ipv4.tcp_keepalive_intvl = 15

	# Don't relay bootp
	net.ipv4.conf.all.bootp_relay = 0

	# Don't proxy arp for anyone
	net.ipv4.conf.all.proxy_arp = 0

	# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
	net.ipv4.tcp_timestamps = 1

	# Don't ignore directed pings
	net.ipv4.icmp_echo_ignore_all = 0

	# Enable ignoring broadcasts request
	net.ipv4.icmp_echo_ignore_broadcasts = 1

	# Enable bad error message Protection
	net.ipv4.icmp_ignore_bogus_error_responses = 1

	# Allowed local port range
	net.ipv4.ip_local_port_range = 16384 65535

	# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
	net.ipv4.tcp_rfc1337 = 1

	# Do not auto-configure IPv6
	net.ipv6.conf.all.autoconf=0
	net.ipv6.conf.all.accept_ra=0
	net.ipv6.conf.default.autoconf=0
	net.ipv6.conf.default.accept_ra=0
	net.ipv6.conf.eth0.autoconf=0
	net.ipv6.conf.eth0.accept_ra=0



	###
	### TUNING NETWORK PERFORMANCE ###
	###

	# Use BBR TCP congestion control and set tcp_notsent_lowat to 16384 to ensure HTTP/2 prioritization works optimally
	# Do a 'modprobe tcp_bbr' first (kernel > 4.9)
	# Fall-back to htcp if bbr is unavailable (older kernels)
	net.ipv4.tcp_congestion_control = htcp
	net.ipv4.tcp_congestion_control = bbr
	net.ipv4.tcp_notsent_lowat = 16384

	# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
	net.core.default_qdisc = fq

	# Turn on the tcp_window_scaling
	net.ipv4.tcp_window_scaling = 1

	# Increase the read-buffer space allocatable
	net.ipv4.tcp_rmem = 8192 87380 16777216
	net.ipv4.udp_rmem_min = 16384
	net.core.rmem_default = 262144
	net.core.rmem_max = 16777216

	# Increase the write-buffer-space allocatable
	net.ipv4.tcp_wmem = 8192 65536 16777216
	net.ipv4.udp_wmem_min = 16384
	net.core.wmem_default = 262144
	net.core.wmem_max = 16777216

	# Increase number of incoming connections
	net.core.somaxconn = 32768

	# Increase number of incoming connections backlog
	net.core.netdev_max_backlog = 16384
	net.core.dev_weight = 64

	# Increase the maximum amount of option memory buffers
	net.core.optmem_max = 65535

	# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
	net.ipv4.tcp_max_tw_buckets = 1440000

	# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
	net.ipv4.tcp_tw_recycle = 0
	net.ipv4.tcp_tw_reuse = 1

	# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
	net.ipv4.tcp_max_orphans = 16384
	net.ipv4.tcp_orphan_retries = 0

	# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
	net.ipv4.ipfrag_low_thresh = 196608
	net.ipv6.ip6frag_low_thresh = 196608
	net.ipv4.ipfrag_high_thresh = 262144
	net.ipv6.ip6frag_high_thresh = 262144


	# don't cache ssthresh from previous connection
	net.ipv4.tcp_no_metrics_save = 1
	net.ipv4.tcp_moderate_rcvbuf = 1

	# Increase size of RPC datagram queue length
	net.unix.max_dgram_qlen = 50

	# Don't allow the arp table to become bigger than this
	net.ipv4.neigh.default.gc_thresh3 = 2048

	# Tell the gc when to become aggressive with arp table cleaning.
	# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
	net.ipv4.neigh.default.gc_thresh2 = 1024

	# Adjust where the gc will leave arp table alone - set to 32.
	net.ipv4.neigh.default.gc_thresh1 = 32

	# Adjust to arp table gc to clean-up more often
	net.ipv4.neigh.default.gc_interval = 30

	# Increase TCP queue length
	net.ipv4.neigh.default.proxy_qlen = 96
	net.ipv4.neigh.default.unres_qlen = 6

	# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
	net.ipv4.tcp_ecn = 1
	net.ipv4.tcp_reordering = 3

	# How many times to retry killing an alive TCP connection
	net.ipv4.tcp_retries2 = 15
	net.ipv4.tcp_retries1 = 3

	# Avoid falling back to slow start after a connection goes idle
	# keeps our cwnd large with the keep alive connections (kernel > 3.6)
	net.ipv4.tcp_slow_start_after_idle = 0

	# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
	net.ipv4.tcp_fastopen = 3

	# This will enusre that immediatly subsequent connections use the new values
	net.ipv4.route.flush = 1
	net.ipv6.route.flush = 1