Add web profile for web servers, API gateways, and reverse proxies.
Parameters
The following is just a quick draft of possibly relevant parameters and recommended values. Researching them in + reasoning for implementation is the actual work to do.
Connection handling
| Parameter |
Value |
Auto-calculated |
net.core.somaxconn |
65535 |
- |
net.ipv4.tcp_max_syn_backlog |
65535 |
- |
net.core.netdev_max_backlog |
65535 |
- |
net.netfilter.nf_conntrack_max |
- |
RAM_MB * 16 |
fs.file-max |
- |
max(RAM_MB * 100, 100000) |
fs.nr_open |
1048576 |
- |
TCP
| Parameter |
Value |
net.ipv4.tcp_fin_timeout |
15 |
net.ipv4.tcp_tw_reuse |
1 |
net.ipv4.tcp_max_tw_buckets |
262144 |
net.ipv4.ip_local_port_range |
"1024 65535" |
net.ipv4.tcp_slow_start_after_idle |
0 |
net.ipv4.tcp_syncookies |
1 |
Buffers (auto-calculated)
| Parameter |
Formula |
net.core.rmem_max |
min(RAM_bytes / 128, 16777216) |
net.core.wmem_max |
min(RAM_bytes / 128, 16777216) |
Network
| Parameter |
Value |
net.ipv4.conf.all.rp_filter |
1 |
net.ipv4.conf.default.rp_filter |
1 |
net.ipv4.conf.all.accept_redirects |
0 |
net.ipv4.conf.default.accept_redirects |
0 |
net.ipv4.conf.all.send_redirects |
0 |
net.ipv4.conf.default.send_redirects |
0 |
net.ipv4.conf.all.accept_source_route |
0 |
net.ipv4.conf.default.accept_source_route |
0 |
net.ipv4.conf.all.log_martians |
1 |
net.ipv4.conf.default.log_martians |
1 |
net.ipv4.icmp_echo_ignore_broadcasts |
1 |
net.ipv4.icmp_ignore_bogus_error_responses |
1 |
net.ipv6.conf.all.accept_redirects |
0 |
net.ipv6.conf.default.accept_redirects |
0 |
net.ipv6.conf.all.accept_source_route |
0 |
net.ipv6.conf.default.accept_source_route |
0 |
Kernel
| Parameter |
Value |
kernel.randomize_va_space |
2 |
Filesystem
| Parameter |
Value |
fs.protected_hardlinks |
1 |
fs.protected_symlinks |
1 |
fs.protected_fifos |
2 |
fs.protected_regular |
2 |
fs.suid_dumpable |
0 |
References
Acceptance criteria
