@jayjanssen
Created November 8, 2012 15:02
sysctl tuning for HAproxy
net.core.somaxconn = 32768
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_max_tw_buckets = 262144
net.ipv4.tcp_mem = 200000    280000    300000
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_rmem = 4096    87380    4120928
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_wmem = 4096    16384    4120928
net.ipv4.netfilter.ip_conntrack_max = 10485760
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 15
net.netfilter.nf_conntrack_max = 10485760
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 15
@srlowe

srlowe commented Sep 26, 2014

Hi Jay, this came up in Google, and is pretty interesting to me (currently researching a problem related to nf_conntrack_max). Could you tell me if you have used this configuration in production, and if it stood up to high load? Thanks

@kenzodeluxe

Seriously: do not use net.ipv4.tcp_tw_recycle, it will easily break your setup. See http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html for details.

@brandt

brandt commented Mar 13, 2016

You probably don't want to disable net.ipv4.tcp_timestamps.

It's important to have that turned on in fast networks because it's used to detect sequence number wrapping (PAWS). It also makes the TCP congestion control algorithms work better. There are a lot of tuning guides out there that recommend turning it off, but they're often old or just cargo-culting outdated advice from a long time ago.

It's usually not necessary to set net.ipv4.tcp_mem. The kernel chooses sane values for most use cases. Also, be advised it's specified in pages, not bytes.

To echo the comment above, enabling net.ipv4.tcp_tw_recycle can cause problems -- especially on public-facing load balancers.
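The three settings questioned in the comments above (tcp_tw_recycle, tcp_timestamps, and tcp_mem being in pages) can be audited on a live host with the POSIX shell script below. It is added here as an example and is not part of the gist; it assumes the sysctl files live under /proc/sys and takes that root as a parameter so the same checks can be run against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the gist: audit live TCP sysctls for the risky
# settings discussed in the comments. Root defaults to /proc/sys (assumption).

sysctl_get() {  # $1 = root dir, $2 = dotted key, e.g. net.ipv4.tcp_timestamps
    f="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; fi
}

# Prints one line per finding (plus the tcp_mem size in MiB when set).
# Always returns 0 so it is safe under set -e; inspect the printed lines.
audit_tcp_sysctls() {
    root="${1:-/proc/sys}"
    page="${2:-$(getconf PAGESIZE 2>/dev/null || echo 4096)}"

    v="$(sysctl_get "$root" net.ipv4.tcp_tw_recycle)"
    # Kernels >= 4.12 removed tcp_tw_recycle; a missing file is the good case.
    [ "$v" = 1 ] && echo "tcp_tw_recycle=1: drops clients behind NAT, disable it"

    v="$(sysctl_get "$root" net.ipv4.tcp_timestamps)"
    [ "$v" = 0 ] && echo "tcp_timestamps=0: PAWS off, sequence wrap undetected"

    v="$(sysctl_get "$root" net.ipv4.tcp_mem)"
    if [ -n "$v" ]; then
        set -- $v   # three fields: low, pressure, high, all in pages
        echo "tcp_mem high=$3 pages = $(( $3 * page / 1048576 )) MiB (pages, not bytes)"
    fi
    return 0
}

audit_tcp_sysctls "$@"
```

Run it with no arguments on the HAProxy host; no output means none of the flagged settings is active and tcp_mem is left to the kernel default.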

@kapad

kapad commented Mar 1, 2018

Which of the above settings will have the biggest impact on my server?

@JOduMonT

ref: https://www.slideshare.net/haproxytech/haproxy-best-practice slide 13

net.ipv4.ip_local_port_range="1025 65534"
net.ipv4.tcp_max_syn_backlog = 100000
net.core.netdev_max_backlog = 100000
net.core.somaxconn = 65534
net.ipv4.tcp_rmem = "4096 16060 64060"
net.ipv4.tcp_wmem = "4096 16384 262144"

optional

tcp_slow_start_after_idle = 0
net.netfilter.nf_conntrack_max = 131072

