New system configuration – It’s not just the application server!

A common consulting engagement for us is configuring a new system for optimal use. It’s not just the application server that’ll need configuring; don’t forget that the application server relies on a lot of underlying infrastructure, including the network and OS. Often this stage gets overlooked, or you’ll (often incorrectly) assume your hosting provider has already performed these steps.

Every application is different and there are no golden rules, but there are some simple steps you can take to improve performance, security & stability. For a typical web & application server machine, let’s look at an example Linux setup. Here’s just the tip of the iceberg…

Tune TCP/IP Kernel Parameters

  • Ignore ICMP echo requests sent to broadcast addresses
    • net.ipv4.icmp_echo_ignore_broadcasts = 1
  • Enable reverse-path filtering: drop packets whose source address would not be routed back out of the interface they arrived on
    • net.ipv4.conf.eth0.rp_filter = 1
    • net.ipv4.conf.lo.rp_filter = 1
    • net.ipv4.conf.default.rp_filter = 1
    • net.ipv4.conf.all.rp_filter = 1
  • Set the maximum socket buffer sizes (the ceiling that the TCP autotuning values below can reach)
    • net.core.rmem_max = 16777216
    • net.core.wmem_max = 16777216
  • Increase the Linux TCP buffer autotuning limits (min, default and max number of bytes per socket)
    • net.ipv4.tcp_rmem = 4096 10000000 16777216
    • net.ipv4.tcp_wmem = 4096 65536 16777216
  • Drop source-routed packets (a classic aid to IP spoofing, since the sender dictates the return path)
    • net.ipv4.conf.eth0.accept_source_route = 0
    • net.ipv4.conf.lo.accept_source_route = 0
    • net.ipv4.conf.default.accept_source_route = 0
    • net.ipv4.conf.all.accept_source_route = 0
  • Allow TIME_WAIT sockets to be reused for new outgoing connections, and shorten the FIN-WAIT-2 timeout. This helps on any server that handles many connections at the same time.
    • net.ipv4.tcp_tw_reuse = 1
    • net.ipv4.tcp_fin_timeout = 30
  • Move the TCP keepalive time from 2 hours to 30 minutes (you may want to tune this up or down)
    • net.ipv4.tcp_keepalive_time = 1800
  • Help protect against SYN-flood denial of service by enlarging the queue of half-open connections:
    • net.ipv4.tcp_max_syn_backlog = 4096
  • Accept ICMP redirects only from gateways already known to the routing table (that is, only from trusted sources)
    • net.ipv4.conf.eth0.secure_redirects = 1
    • net.ipv4.conf.lo.secure_redirects = 1
    • net.ipv4.conf.default.secure_redirects = 1
    • net.ipv4.conf.all.secure_redirects = 1
  • Don’t accept ICMP redirects at all (with accept_redirects set to 0, the secure_redirects setting above has no effect)
    • net.ipv4.conf.eth0.accept_redirects = 0
    • net.ipv4.conf.lo.accept_redirects = 0
    • net.ipv4.conf.default.accept_redirects = 0
    • net.ipv4.conf.all.accept_redirects = 0
  • Do not send ICMP redirects (we’re not acting as a router)
    • net.ipv4.conf.eth0.send_redirects = 0
    • net.ipv4.conf.lo.send_redirects = 0
    • net.ipv4.conf.default.send_redirects = 0
    • net.ipv4.conf.all.send_redirects = 0
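Writing these values down is only half the job; a practitioner also wants to confirm they are in effect on the running kernel, because a reboot without a persistent drop-in, a hosting image or a later change can silently revert them. The script below is an added example and not code from the original post: a POSIX shell audit that reads a sysctl.conf-style file of the values above and compares each key with the corresponding file under /proc/sys. The settings file it writes, the function names and the directory-of-values layout used for offline testing are assumptions for illustration; the `all` variants of the per-interface keys are used so the list does not depend on an interface being called eth0.

```shell
#!/bin/sh
# sysctl_drift.sh: audit whether the post's kernel settings are actually in
# effect. Added example, not code from the original post. Keys are resolved
# to files under a root directory (/proc/sys by default; a directory of
# captured values is assumed for offline testing), so neither the sysctl
# binary nor root privilege is needed to read them.

# Write the post's hardening settings in sysctl.conf "key = value" form.
# Interface-specific keys (net.ipv4.conf.eth0.*) map to per-interface files
# in the same way; the "all" variants are used here so the list does not
# assume an interface name.
write_desired_settings() {
    cat > "$1" <<'EOF'
# recommended values from the post
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_rmem = 4096 10000000 16777216
EOF
}

# Collapse any whitespace run to one space and trim: the kernel separates the
# three tcp_rmem numbers with tabs while the config file uses spaces.
normalize() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# sysctl_drift <settings-file> [sysroot]
# Prints "KEY want=X have=Y" for every key whose live value differs or whose
# file is missing (module not loaded, interface not present). Prints nothing
# when every setting is in effect.
sysctl_drift() {
    settings=$1
    root=${2:-/proc/sys}
    # drop comments and blank lines, then split each line at the first '='
    sed 's/#.*//; /^[[:space:]]*$/d' "$settings" |
    while IFS='=' read -r key want; do
        key=$(normalize "$key")
        want=$(normalize "$want")
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            have=$(normalize "$(cat "$path")")
        else
            have='<missing>'
        fi
        [ "$have" = "$want" ] || printf '%s want=%s have=%s\n' "$key" "$want" "$have"
    done
}

# count_sysctl_drift <settings-file> [sysroot]: number of drifting keys.
count_sysctl_drift() {
    sysctl_drift "$1" "$2" | wc -l | tr -d ' '
}

# When executed directly as sysctl_drift.sh, audit the live kernel; the
# functions above stay reusable when the file is sourced instead.
case "$0" in
    *sysctl_drift.sh)
        desired=$(mktemp)
        write_desired_settings "$desired"
        sysctl_drift "$desired"
        n=$(count_sysctl_drift "$desired")
        rm -f "$desired"
        echo "$n of the recommended settings are not in effect"
        [ "$n" -eq 0 ]
        ;;
esac
```

Run it as `sh sysctl_drift.sh` on the host: each line printed is a recommendation that is not in effect, and `<missing>` means the key does not exist on this kernel (for example a per-interface key for an interface that is not present). Because the root directory is a parameter, the same function can be pointed at a copy of /proc/sys captured from another machine during an incident review.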

Tune User Security Limit Parameters

  • Define “soft” & “hard” limits for max open file handles for all users
    • * soft nofile 20000
    • * hard nofile 20000
  • Define “soft” & “hard” limits for max concurrent processes for all users
    • * soft nproc 8192
    • * hard nproc 8192
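These entries belong in /etc/security/limits.conf and are enforced by pam_limits when a session is opened, so the useful check is whether the account the application runs as actually received them, rather than whether the file was edited. The script below is an added example and not code from the original post: a POSIX shell check that parses the four entries above in limits.conf format and compares them with the soft and hard limits of the current shell (ulimit -Sn and -Hn for open files, ulimit -Su and -Hu for processes). The file it writes, the function names and the current_limit helper are assumptions for illustration.

```shell
#!/bin/sh
# limits_drift.sh: check that the post's limits.conf entries are what the
# current session actually got. Added example, not code from the original
# post. limits.conf is applied by pam_limits at login, so run this from a
# session of the user the application runs as.

# Write the post's entries in /etc/security/limits.conf format:
# <domain> <type> <item> <value>
write_desired_limits() {
    cat > "$1" <<'EOF'
# recommended values from the post
*  soft  nofile  20000
*  hard  nofile  20000
*  soft  nproc   8192
*  hard  nproc   8192
EOF
}

# current_limit <soft|hard> <nofile|nproc>: the limit in effect for this shell.
# Kept as a function so a test (or a shell with different flags) can replace it.
current_limit() {
    case "$1" in
        soft) flag=-S ;;
        hard) flag=-H ;;
        *) return 1 ;;
    esac
    case "$2" in
        nofile) ulimit "${flag}n" ;;   # open file descriptors
        nproc)  ulimit "${flag}u" ;;   # processes available to the user
        *) return 1 ;;
    esac
}

# limits_drift <limits-file>
# Prints "TYPE ITEM want=X have=Y" for each wildcard entry whose value is not
# the one in effect; prints nothing when all entries match.
limits_drift() {
    sed 's/#.*//; /^[[:space:]]*$/d' "$1" |
    while read -r domain type item want; do
        # only the "*" (all users) domain the post uses; per-user or per-group
        # domains would first need a lookup of the calling user
        [ "$domain" = '*' ] || continue
        have=$(current_limit "$type" "$item") || continue
        [ "$have" = "$want" ] || printf '%s %s want=%s have=%s\n' "$type" "$item" "$want" "$have"
    done
}

# count_limits_drift <limits-file>: number of drifting entries.
count_limits_drift() {
    limits_drift "$1" | wc -l | tr -d ' '
}

# When executed directly as limits_drift.sh, report on the current session.
case "$0" in
    *limits_drift.sh)
        desired=$(mktemp)
        write_desired_limits "$desired"
        limits_drift "$desired"
        n=$(count_limits_drift "$desired")
        rm -f "$desired"
        echo "$n of the recommended limits are not in effect for this session"
        [ "$n" -eq 0 ]
        ;;
esac
```

A typical finding is a hard limit that matches while the soft limit is still the distribution default, because the application never raised its own soft limit at start-up; the report prints both the wanted and the effective value so that case is visible at a glance.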

What’s Next?!

Making good progress? What about the network, firewall, load balancer, web server, JVM, application server, application code… the list goes on. Save yourself the headache and call the experts!