deploy.stack/etc/sysctl.conf
cnphpbb 0559c31f92 chore: 添加系统安全与性能优化配置文件
添加了 `limits.conf` 和 `sysctl.conf` 配置文件,用于优化系统资源限制、网络性能和安全性。这些配置包括增加文件句柄数、优化TCP连接、防止资源耗尽以及增强系统安全性等。
2025-05-11 12:48:49 +08:00

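# sysctl.conf — kernel parameters for the deploy.stack hosts, applied with
# `sysctl -p` (or from sysctl.d). sysctl only recognises comments that start
# a line: anything after the value on a `key = value` line is handed to the
# kernel as part of the value, so every comment in this file is on its own line.

# Bridge / forwarding: make bridged traffic traverse the netfilter tables
# (container networking). The net.bridge.* keys only exist once the
# br_netfilter module is loaded; load it before applying this file, otherwise
# sysctl reports these four lines as missing keys.
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
net.ipv4.ip_forward = 1

# TCP keepalive: detect dead peers sooner — idle 600 s, then 3 probes 15 s apart.
# (Keepalive does not reduce TIME_WAIT; that is handled by tcp_fin_timeout /
# tcp_tw_reuse below.)
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl = 15

# Listen backlog and NIC ingress queue for high connection rates
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 32768

# Faster TCP teardown and TIME_WAIT reuse (short-lived connections)
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_reuse = 1

# Socket buffers: maximum receive/send buffer (bytes), then TCP min/default/max
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 16384 16777216

# Virtual memory. swappiness 0 makes the kernel avoid swap until memory
# pressure is severe; dirty thresholds are percent of RAM, expiry is in
# centiseconds (3000 = 30 s)
vm.swappiness = 0
vm.dirty_ratio = 20
vm.dirty_background_ratio = 10
vm.dirty_expire_centisecs = 3000

# Resource limits for container-dense hosts (many processes / pid namespaces / open files)
kernel.pid_max = 4194303
user.max_pid_namespaces = 14336
fs.file-max = 1000000
# Restrict hardlink creation and symlink following in world-writable directories
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

# Limit kernel information exposure (MLPS / 等保 requirement):
# hide kernel pointers from everyone, restrict dmesg to CAP_SYSLOG
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1

# Ignore ICMP redirects (route injection by an on-path attacker). Both "all"
# and "default" are set so interfaces created later (container veths) inherit it.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Reverse-path filtering against spoofed source addresses. 1 = strict mode;
# some container network plugins on multi-homed hosts need loose mode (2) —
# confirm against the CNI in use before rolling out.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Packets processed per NAPI poll
net.core.netdev_budget = 600
# Reset the connection instead of silently dropping when the accept queue is full
net.ipv4.tcp_abort_on_overflow = 1

# Short-lived RPC connections: TCP Fast Open for client and server (3; needs
# application support) and no slow start after idle periods
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_slow_start_after_idle = 0
# Receive window / application buffer split. tcp_adv_win_scale is deprecated
# on recent kernels (6.6+) and may be ignored there; tcp_app_win reserves
# max(window/2^64, mss) bytes of window for the application.
net.ipv4.tcp_adv_win_scale = 2
net.ipv4.tcp_app_win = 64

# SYN flood resistance: SYN cookies on, larger SYN queue, fewer SYN/SYN-ACK retries
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2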