From 0559c31f920a0be59e8f9fa10733ce82ef0b131a Mon Sep 17 00:00:00 2001
From: cnphpbb
Date: Sun, 11 May 2025 12:48:49 +0800
Subject: [PATCH] =?UTF-8?q?chore:=20=E6=B7=BB=E5=8A=A0=E7=B3=BB=E7=BB=9F?=
 =?UTF-8?q?=E5=AE=89=E5=85=A8=E4=B8=8E=E6=80=A7=E8=83=BD=E4=BC=98=E5=8C=96?=
 =?UTF-8?q?=E9=85=8D=E7=BD=AE=E6=96=87=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

添加了 `limits.conf` 和 `sysctl.conf` 配置文件,用于优化系统资源限制、网络性能和安全性。这些配置包括增加文件句柄数、优化TCP连接、防止资源耗尽以及增强系统安全性等。
---
 etc/security/limits.conf | 9 ++++++
 etc/sysctl.conf | 69 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 78 insertions(+)
 create mode 100644 etc/security/limits.conf
 create mode 100644 etc/sysctl.conf

diff --git a/etc/security/limits.conf b/etc/security/limits.conf
new file mode 100644
index 0000000..f3de7bf
--- /dev/null
+++ b/etc/security/limits.conf
@@ -0,0 +1,9 @@
+#
+#
+
+* soft nproc 65535
+* hard nproc 65535
+* soft nofile 65535
+* hard nofile 65535
+root soft nofile 65535
+root hard nofile 65535
\ No newline at end of file
diff --git a/etc/sysctl.conf b/etc/sysctl.conf
new file mode 100644
index 0000000..cf97f1b
--- /dev/null
+++ b/etc/sysctl.conf
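Review bot: The `*` entries raise nproc and nofile for every account, but limits.conf(5) states that wildcard/default limits are not applied to root, so root receives the explicit nofile lines yet keeps the distribution default for nproc; if a uniform ceiling is intended, add `root soft nproc 65535` and `root hard nproc 65535`, otherwise record in the header why root is left out. Lifting the hard nproc limit to 65535 for all users also removes the per-user fork-bomb ceiling distributions ship (RHEL-family systems set a lower non-root value in /etc/security/limits.d/20-nproc.conf, which is read after this file and overrides it — confirm on the target), so consider scoping the nproc lines to the service account that actually needs them. pam_limits only governs PAM sessions; systemd units take LimitNOFILE= from the unit or DefaultLimitNOFILE= in system.conf, so this file alone does not raise the limit for daemons. The two bare `#` header lines say nothing; replace them with a one-line purpose such as `# Per-user process and file-descriptor limits for high-connection services (applied by pam_limits)`, and end the file with a newline.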
@@ -0,0 +1,69 @@
+# 网络桥接配置
+net.bridge.bridge-nf-call-ip6tables = 1
+net.bridge.bridge-nf-call-iptables = 1
+net.bridge.bridge-nf-call-arptables = 1
+net.ipv4.ip_forward = 1
+
+# 减少TIME_WAIT数量(高并发场景)
+net.ipv4.tcp_keepalive_time = 600
+net.ipv4.tcp_keepalive_probes = 3
+net.ipv4.tcp_keepalive_intvl = 15
+
+# 提升连接数和吞吐量
+net.core.somaxconn = 65535
+net.core.netdev_max_backlog = 32768
+
+# 加快TCP回收和重用 (适用于短连接服务)
+net.ipv4.tcp_fin_timeout = 30
+net.ipv4.tcp_tw_reuse = 1
+
+# 减少TIME_WAIT数量(高并发场景)
+net.ipv4.tcp_keepalive_time = 600
+net.ipv4.tcp_keepalive_probes = 3
+net.ipv4.tcp_keepalive_intvl = 15
+
+# 内存缓存优化
+net.core.rmem_max = 16777216 # 接收窗口最大值
+net.core.wmem_max = 16777216 # 发送窗口最大值
+net.ipv4.tcp_rmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 16384 16777216
+
+vm.swappiness = 0 # 降低交换分区使用倾向
+vm.dirty_ratio = 20 # 系统级脏页占比阈值
+vm.dirty_background_ratio = 10 # 后台回写脏页阈值
+vm.dirty_expire_centisecs = 3000 # 脏页超时回写时间(单位:厘秒)
+
+# 防止资源耗尽
+kernel.pid_max = 4194303 # 支持更多进程(容器场景需要)
+user.max_pid_namespaces = 14336 # 适应大量容器实例
+fs.file-max = 1000000 # 最大文件句柄数
+fs.protected_hardlinks = 1 # 禁止恶意硬链接操作
+fs.protected_symlinks = 1 # 禁止恶意软链接操作
+
+# 限制内核信息暴露(等保要求)
+kernel.kptr_restrict = 2
+kernel.dmesg_restrict = 1
+
+# 禁止ICMP重定向(防中间人攻击)
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+
+# 开启反向路径过滤(防IP欺骗)
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+net.core.netdev_budget = 600 # 增加单次NAPI处理数据包数量
+net.ipv4.tcp_abort_on_overflow = 1 # 拒绝超过队列的请求(防雪崩)
+# 加速连接回收(短连接RPC场景)
+net.ipv4.tcp_fastopen = 3 # 开启TFO加速(需应用层支持)
+net.ipv4.tcp_slow_start_after_idle = 0
+net.ipv4.tcp_adv_win_scale = 2 # 增加应用层缓冲区比例
+net.ipv4.tcp_app_win = 64 # 保留最后64字节数据防重叠
+
+# 防止SYN洪水
+net.ipv4.tcp_syncookies = 1 # 开启SYN Cookie
+net.ipv4.tcp_max_syn_backlog = 8192 # 最大SYN队列长度
+net.ipv4.tcp_synack_retries = 2 # SYN-ACK重试次数
+net.ipv4.tcp_syn_retries = 2 # SYN重试次数
\ No
newline at end of file
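Review bot: The trailing `# …` comments on value lines (`vm.swappiness = 0 # …`, `fs.protected_hardlinks = 1 # …`, `net.ipv4.tcp_syncookies = 1 # …` and the rest) are most likely written into the kernel as part of the value: sysctl.conf(5) only treats lines that begin with `#` or `;` as comments, and with the procps versions I have used the kernel then rejects the write with "Invalid argument", so hardening keys such as protected_hardlinks/protected_symlinks and syncookies would never take effect — run `sysctl -p` on the target to confirm, and move every comment onto the line above its key. With `net.ipv4.ip_forward = 1` the host routes for the container bridge yet `send_redirects` is left at its default, so it will emit ICMP redirects of its own; add `net.ipv4.conf.all.send_redirects = 0` and `net.ipv4.conf.default.send_redirects = 0`, and complete the IPv6 side with `net.ipv6.conf.default.accept_redirects = 0`. The `net.bridge.bridge-nf-call-*` keys only exist once br_netfilter is loaded, so they need a matching modules-load.d entry or `sysctl --system` reports them missing at boot. The keepalive block appears twice and its heading claims it reduces TIME_WAIT, which keepalive does not influence (tcp_fin_timeout and tcp_tw_reuse are what do); drop the duplicate and retitle it `# TCP keepalive: detect dead peers sooner`. Strict `rp_filter = 1` on a forwarding host with bridged workloads can drop asymmetrically routed replies; loose mode (`2`) is the usual fallback when that shows up, presumably worth checking in this deployment.
```conf
# … unchanged: bridge, keepalive, backlog and TIME_WAIT tuning …

# Socket buffer sizing (comments on their own lines: sysctl.conf(5) has no trailing comments)
# receive buffer maximum
net.core.rmem_max = 16777216
# send buffer maximum
net.core.wmem_max = 16777216
# … unchanged: remaining keys, each inline comment moved to the line above its key …

# Ignore ICMP redirects (MITM); a forwarding host must also not send them
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
```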