Tweaked sysctl.conf for Ubuntu



Tuning nginx alone is not enough: a high-performance web server also needs the kernel tuned through sysctl.conf.

Edit the file /etc/sysctl.conf:

 #
 # /etc/sysctl.conf - Configuration file for setting system variables
 # See /etc/sysctl.d/ for additional system variables.
 # See sysctl.conf (5) for information.
 #
 #kernel.domainname = example.com
 # Uncomment the following to stop low-level messages on console
 #kernel.printk = 3 4 1 3
 ###################################################################
 # Functions previously found in netbase
 #
 # Uncomment the next two lines to enable Spoof protection (reverse-path filter)
 # Turn on Source Address Verification in all interfaces to
 # prevent some spoofing attacks
 #net.ipv4.conf.default.rp_filter=1
 #net.ipv4.conf.all.rp_filter=1
 # Uncomment the next line to enable TCP/IP SYN cookies
 # See http://lwn.net/Articles/277146/
 # Note: This may impact IPv6 TCP sessions too
 #net.ipv4.tcp_syncookies=1
 # Uncomment the next line to enable packet forwarding for IPv4
 #net.ipv4.ip_forward=1
 # Uncomment the next line to enable packet forwarding for IPv6
 # Enabling this option disables Stateless Address Autoconfiguration
 # based on Router Advertisements for this host
 #net.ipv6.conf.all.forwarding=1
 ###################################################################
 # Additional settings - these settings can improve the network
 # security of the host and prevent against some network attacks
 # including spoofing attacks and man in the middle attacks through
 # redirection. Some network environments, however, require that these
 # settings are disabled so review and enable them as needed.
 #
 # Do not accept ICMP redirects (prevent MITM attacks)
 #net.ipv4.conf.all.accept_redirects = 0
 #net.ipv6.conf.all.accept_redirects = 0
 # _or_
 # Accept ICMP redirects only for gateways listed in our default
 # gateway list (enabled by default)
 # net.ipv4.conf.all.secure_redirects = 1
 #
 # Do not send ICMP redirects (we are not a router)
 #net.ipv4.conf.all.send_redirects = 0
 #
 # Do not accept IP source route packets (we are not a router)
 #net.ipv4.conf.all.accept_source_route = 0
 #net.ipv6.conf.all.accept_source_route = 0
 #
 # Log Martian Packets
 #net.ipv4.conf.all.log_martians = 1
 #
 ### IMPROVE SYSTEM MEMORY MANAGEMENT ###
 # Raise the system-wide limit on open file handles
 fs.file-max = 2097152
 # Swap less eagerly
 vm.swappiness = 10
 # Percent of RAM in dirty pages before writers block (60) and before
 # background writeback starts (2)
 vm.dirty_ratio = 60
 vm.dirty_background_ratio = 2
 ### GENERAL NETWORK SECURITY OPTIONS ###
 # Number of SYN-ACK retransmissions for a passive TCP connection
 net.ipv4.tcp_synack_retries = 2
 # Allowed local port range
 net.ipv4.ip_local_port_range = 2000 65535
 # Protect against TCP time-wait assassination (RFC 1337)
 net.ipv4.tcp_rfc1337 = 1
 # Shorten the time a socket is held in FIN-WAIT-2 (default 60 s)
 net.ipv4.tcp_fin_timeout = 15
 # Shorter keepalive timers: first probe after 300 s, then 5 probes 15 s apart
 net.ipv4.tcp_keepalive_time = 300
 net.ipv4.tcp_keepalive_probes = 5
 net.ipv4.tcp_keepalive_intvl = 15
 ### TUNING NETWORK PERFORMANCE ###
 # Socket receive/send buffers in bytes. TCP sockets take their initial buffer
 # from tcp_rmem/tcp_wmem below instead; *_max caps what any socket may request
 # with setsockopt(SO_RCVBUF/SO_SNDBUF), so *_default must not exceed *_max.
 # Default Socket Receive Buffer
 net.core.rmem_default = 12582912
 # Maximum Socket Receive Buffer
 net.core.rmem_max = 31457280
 # Default Socket Send Buffer
 net.core.wmem_default = 12582912
 # Maximum Socket Send Buffer
 net.core.wmem_max = 31457280
 # Raise the cap on the listen() backlog of a socket
 net.core.somaxconn = 4096
 # Raise the number of packets queued on the input side of an interface
 net.core.netdev_max_backlog = 65536
 # Increase the maximum amount of option memory buffers
 net.core.optmem_max = 25165824
 # Increase the maximum total buffer-space allocatable
 # This is measured in units of pages (4096 bytes)
 net.ipv4.tcp_mem = 65536 131072 262144
 net.ipv4.udp_mem = 65536 131072 262144
 # Increase the read-buffer space allocatable (min default max, in bytes)
 net.ipv4.tcp_rmem = 8192 87380 16777216
 net.ipv4.udp_rmem_min = 16384
 # Increase the write-buffer space allocatable (min default max, in bytes)
 net.ipv4.tcp_wmem = 8192 65536 16777216
 net.ipv4.udp_wmem_min = 16384
 # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
 net.ipv4.tcp_max_tw_buckets = 1440000
 # tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12;
 # leave it disabled (on newer kernels sysctl -p fails on the unknown key)
 #net.ipv4.tcp_tw_recycle = 1
 # Reuse TIME-WAIT sockets for new outgoing connections when it is safe
 net.ipv4.tcp_tw_reuse = 1


Reload the changed settings with the command sysctl -p.

Note: a wrong configuration can cause a kernel panic.
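Before reloading, a quick sanity check of the file catches two of the easiest mistakes in a block like the one above: a *_default socket buffer set above its *_max, and a key the running kernel does not expose under /proc/sys (tcp_tw_recycle on 4.12 and later), which makes sysctl -p error out. This is an added example of my own, not part of the original post; the script and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a sysctl.conf
# before 'sysctl -p' applies it. Function names here are my own.

# get_value FILE KEY: print the last value assigned to KEY in FILE ("" if unset)
get_value() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_buffer_pair FILE DEFAULT_KEY MAX_KEY: fail if DEFAULT_KEY is set above
# MAX_KEY. The kernel does not clamp *_default to *_max, so sockets would get a
# buffer larger than setsockopt() is allowed to request.
check_buffer_pair() {
    d=$(get_value "$1" "$2"); m=$(get_value "$1" "$3")
    if [ -z "$d" ] || [ -z "$m" ]; then return 0; fi   # pair not fully set
    [ "$d" -le "$m" ]
}

# missing_keys FILE: print each key in FILE with no /proc/sys entry on this
# kernel (e.g. net.ipv4.tcp_tw_recycle on 4.12+); sysctl -p errors on those.
missing_keys() {
    sed -n 's/^[[:space:]]*\([a-z][a-z0-9_.-]*\)[[:space:]]*=.*/\1/p' "$1" |
        while read -r key; do
            path="/proc/sys/$(printf '%s' "$key" | tr . /)"
            [ -e "$path" ] || printf '%s\n' "$key"
        done
}

# check_conf FILE: run all checks, print findings, return 1 if any failed
check_conf() {
    f=$1; rc=0
    for pair in 'net.core.rmem_default net.core.rmem_max' \
                'net.core.wmem_default net.core.wmem_max'; do
        set -- $pair   # split "default max" into $1 $2
        check_buffer_pair "$f" "$1" "$2" ||
            { echo "WARN: $1=$(get_value "$f" "$1") exceeds $2=$(get_value "$f" "$2")"; rc=1; }
    done
    for key in $(missing_keys "$f"); do
        echo "WARN: $key does not exist on this kernel"; rc=1
    done
    return $rc
}

# Usage: sh check_sysctl.sh /etc/sysctl.conf   (run it before sysctl -p)
if [ -n "$1" ]; then check_conf "$1"; fi
```

A non-zero exit means at least one warning was printed; fix the file before running sysctl -p.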
