Nginx充当广告服务器的反向代理,每分钟接收20k个请求。响应发生在从广告服务器到nginx的100毫秒内
在配置为的虚拟机上运行 128GB内存 4 vCPU 100GB硬盘
考虑到上面的问题,Nginx和sysctl.conf
的设置是什么答案 0 :(得分:4)
请记住,内核调整很复杂,需要大量评估才能获得正确的结果。如果有人发现错误,请告诉我,以便我可以调整自己的配置: - )
此外,如果此服务器仅运行Nginx,您的内存对于请求数量来说相当高,您可以检查在高峰时段使用的数量并相应地进行调整。
要检查的重要一点是文件描述符的数量,在您的情况下,我会将其设置为65.000以应对每秒20.000+个请求。原因是在正常情况下,您只需要大约4.000个文件描述符,因为您有4.000个同时打开的连接(20.000 * 2 * 0.1)。但是,如果后端出现问题,则加载广告可能需要1秒或更长时间。在这种情况下,同时开放连接的数量会更高:
20.000 * 2 * 1.5 = 60.000.
所以将它设置为65K在我看来是一个保存值。
您可以通过以下方式检查文件描述符的数量:
cat /proc/sys/fs/file-max
如果低于65000,你需要在/etc/sysctl.conf中设置它:
fs.file-max = 65000
同样对于Nginx,您需要在文件中添加以下内容:/etc/systemd/system/nginx.service.d/override.conf
[Service]
LimitNOFILE=65000
在nginx.conf文件中:
worker_rlimit_nofile 65000;
添加后,您需要应用更改:
sudo sysctl -p
sudo systemctl daemon-reload
sudo systemctl restart nginx
完成这些设置后,您将开始使用以下设置:
vm.swappiness = 0 # The kernel will swap only to avoid an out of memory condition
vm.min_free_kbytes = 327680 # The kernel will start swapping when memory is below this limit (300MB)
vm.vfs_cache_pressure = 125 # reclaim memory which is used for caching of VFS caches quickly
vm.dirty_ratio = 15 # Write pages to disk when 15% of memory is dirty
vm.dirty_background_ratio = 10 # System can start writing pages to disk when 15% of memory is dirty
此外,我在sysctl配置中使用以下安全设置以及上面的可调参数。随意使用它们,for credits
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on execshild
kernel.exec-shield = 1
kernel.randomize_va_space = 1
当您代理请求时,我会将以下内容添加到您的sysctl.conf文件中,以确保您没有用完端口,这是可选的,但如果您遇到问题,请记住:
net.ipv4.ip_local_port_range=1024 65000
由于我通常会评估默认设置并进行相应调整,因此我没有提供IPv4和ipv4.tcp_选项。你可以在下面找到一个例子,但请不要复制和粘贴,在开始调整这些变量之前,你需要做一些阅读。
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
以上参数并非您应该考虑的所有内容,您可以调整更多参数example: