Created
April 10, 2018 21:23
-
-
Save jimmiehansson/681a9c7ad8c6f11940ea0c6d617c1a00 to your computer and use it in GitHub Desktop.
System optimized (sysctl.conf) for Nginx 4-2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # /etc/sysctl.conf - Configuration file for setting system variables | |
| # See /etc/sysctl.d/ for additional system variables. | |
| # See sysctl.conf (5) for information. | |
| # | |
| #kernel.domainname = example.com | |
| # Uncomment the following to stop low-level messages on console | |
| #kernel.printk = 3 4 1 3 | |
| ##############################################################3 | |
| # Functions previously found in netbase | |
| # | |
| # Uncomment the next two lines to enable Spoof protection (reverse-path filter) | |
| # Turn on Source Address Verification in all interfaces to | |
| # prevent some spoofing attacks | |
| #net.ipv4.conf.default.rp_filter=1 | |
| #net.ipv4.conf.all.rp_filter=1 | |
| # Uncomment the next line to enable TCP/IP SYN cookies | |
| # See http://lwn.net/Articles/277146/ | |
| # Note: This may impact IPv6 TCP sessions too | |
| #net.ipv4.tcp_syncookies=1 | |
| # Uncomment the next line to enable packet forwarding for IPv4 | |
| #net.ipv4.ip_forward=1 | |
| # Uncomment the next line to enable packet forwarding for IPv6 | |
| # Enabling this option disables Stateless Address Autoconfiguration | |
| # based on Router Advertisements for this host | |
| #net.ipv6.conf.all.forwarding=1 | |
| ################################################################### | |
| # Additional settings - these settings can improve the network | |
| # security of the host and prevent against some network attacks | |
| # including spoofing attacks and man in the middle attacks through | |
| # redirection. Some network environments, however, require that these | |
| # settings are disabled so review and enable them as needed. | |
| # | |
| # Do not accept ICMP redirects (prevent MITM attacks) | |
| #net.ipv4.conf.all.accept_redirects = 0 | |
| #net.ipv6.conf.all.accept_redirects = 0 | |
| # _or_ | |
| # Accept ICMP redirects only for gateways listed in our default | |
| # gateway list (enabled by default) | |
| # net.ipv4.conf.all.secure_redirects = 1 | |
| # | |
| # Do not send ICMP redirects (we are not a router) | |
| #net.ipv4.conf.all.send_redirects = 0 | |
| # | |
| # Do not accept IP source route packets (we are not a router) | |
| #net.ipv4.conf.all.accept_source_route = 0 | |
| #net.ipv6.conf.all.accept_source_route = 0 | |
| # | |
| # Log Martian Packets | |
| #net.ipv4.conf.all.log_martians = 1 | |
| # | |
| # KERNEL TUNING | |
| ######################### | |
| # Memory paging | |
| vm.swappiness = 0 | |
| vm.min_free_kbytes = 327680 | |
| vm.vfs_cache_pressure = 125 | |
| vm.dirty_ratio = 15 | |
| vm.dirty_background_ratio = 10 | |
| # ulimit on descriptors and inode cache | |
| fs.file-max = 50000 | |
| fs.nr_open = 50000 | |
| # Limit kernel migration time | |
| kernel.sched_migration_cost_ns = 5000000 | |
| # Isolate kernel execution space | |
| kernel.exec-shield = 1 | |
| kernel.randomize_va_space = 1 | |
| # NETWORK TUNING | |
| ######################### | |
| # Keep port range wide for proxying | |
| net.ipv4.ip_local_port_range=1024 65000 | |
| # Reuse protocol-safe TCP connections | |
| net.ipv4.tcp_tw_reuse=1 | |
| net.ipv4.tcp_tw_recycle=1 | |
| # Limit TIME_WAIT connections | |
| net.ipv4.tcp_fin_timeout=7 | |
| net.ipv4.tcp_slow_start_after_idle = 0 | |
| # inode memory mapping and limits | |
| net.core.rmem_max=8388608 | |
| net.core.somaxconn=8192 | |
| net.core.wmem_max=8388608 | |
| net.core.rmem_default=8388608 | |
| net.core.wmem_default=8388608 | |
| # Set backlog size balance | |
| net.core.netdev_max_backlog=65536 | |
| net.ipv4.tcp_max_syn_backlog=65536 | |
| # TCP traffic | |
| net.ipv4.tcp_max_orphans=65536 | |
| net.ipv4.tcp_max_tw_buckets=65536 | |
| net.ipv4.tcp_no_metrics_save=1 | |
| net.ipv4.tcp_rmem=4096 87380 8388608 | |
| net.ipv4.tcp_syn_retries=2 | |
| net.ipv4.tcp_synack_retries=2 | |
| net.ipv4.tcp_wmem=4096 87380 8388608 | |
| net.ipv4.tcp_mem=4096 87380 8388608 | |
| vm.min_free_kbytes=65536 | |
| net.ipv6.conf.all.disable_ipv6=1 | |
| # Security configuration | |
| # Don't reply to broadcasts. Prevents joining a smurf attack | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Enable protection for bad icmp error messages | |
| net.ipv4.icmp_ignore_bogus_error_responses = 1 | |
| # Enable syncookies for SYN flood attack protection | |
| net.ipv4.tcp_syncookies = 1 | |
| # Log spoofed, source routed, and redirect packets | |
| net.ipv4.conf.all.log_martians = 1 | |
| net.ipv4.conf.default.log_martians = 1 | |
| # Don't allow source routed packets | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| # Turn on reverse path filtering | |
| net.ipv4.conf.all.rp_filter = 1 | |
| net.ipv4.conf.default.rp_filter = 1 | |
| # Don't allow outsiders to alter the routing tables | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| net.ipv4.conf.all.secure_redirects = 0 | |
| net.ipv4.conf.default.secure_redirects = 0 | |
| # Don't pass traffic between networks or act as a router | |
| net.ipv4.ip_forward = 0 | |
| net.ipv4.conf.all.send_redirects = 0 | |
| net.ipv4.conf.default.send_redirects = 0 | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment