FreeBSD acts as a temporary reverse proxy

Source: Internet
Author: User

Two old servers were sent to the data center to run FreeBSD as a temporary reverse proxy. It took some time to configure munin, mainly because of IP address configuration problems. A Dell 1950 serves as the temporary reverse proxy and handles access to all APIs.

The following settings were taken from an expert's blog. It is still not very clear why many of the values should be set this way, and that needs to be worked out gradually.

/etc/sysctl.conf

    # Do not accept source-routed packets; this helps prevent your internal network from being probed.
    net.inet.ip.sourceroute=0
    net.inet.ip.accept_sourceroute=0
    # Maximum buffer space for TCP data to be sent.
    net.inet.tcp.sendspace=65536
    # Maximum buffer space for received TCP data.
    net.inet.tcp.recvspace=65536
    # Send buffer space for local socket connections.
    net.local.stream.sendspace=65535
    # Protocol extensions that improve network performance.
    net.inet.tcp.rfc1323=1
    net.inet.tcp.rfc3042=1
    net.inet.tcp.rfc3390=1
    # Maximum socket buffer size.
    kern.ipc.maxsockbuf=2097152
    # Maximum number of open files allowed in the system.
    kern.maxfiles=65536
    # Maximum number of files each process may have open simultaneously.
    kern.maxfilesperproc=65535
    # Whether to delay ACK response packets.
    net.inet.tcp.delayed_ack=1
    # Setting this to 1 helps the system clear TCP connections that were not disconnected normally.
    net.inet.tcp.always_keepalive=1
    # If net.inet.ip.intr_queue_drops keeps increasing, raise net.inet.ip.intr_queue_maxlen; drops should preferably be 0.
    net.inet.ip.intr_queue_maxlen=1000
    net.inet.ip.intr_queue_drops=0
    # Mitigate DoS attacks. The default value is 30000.
    net.inet.tcp.msl=2500
    # Mitigate DoS attacks.
    net.inet.tcp.syncookies=1
    # Back shared memory with physical memory only; requires more than 256 MB of memory.
    kern.ipc.shm_use_phys=1
    # Maximum shared memory available to threads.
    kern.ipc.shmmax=67108864

With these settings in place, however, a large number of connections in the FIN_WAIT_2 state were found. After setting

    net.inet.tcp.finwait2_timeout=600
    net.inet.tcp.fast_finwait2_recycle=1

the large number of FIN_WAIT_2 connections soon disappeared.

After these configurations, access performance is significantly better than with CentOS on a Dell R610. Under normal business conditions, TCP connections in the ESTABLISHED state stay at around 350 and connections in other states at around 450. At the current business peak, ESTABLISHED connections stay at around 400 and connections in other states at around 550.

To deal with a large number of short, fast connections, reduce the value of net.inet.tcp.msl.

The following command is a very effective way to get a count of all current TCP connections by state:

    netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'

We often see the following TCP states:

    LAST_ACK: waiting for acknowledgment of the close.
    SYN_RECV: a connection request (SYN) has been received (common on the server side).
    CLOSE_WAIT: the connection is being closed and is waiting for the close request from the application.
    ESTABLISHED: the connection has been established.
    FIN_WAIT1: the application has requested that the connection be closed, and the disconnect request (FIN) has been sent.
    FIN_WAIT2: one half of the connection has been closed and the other half is waiting to be closed.
    Both parties have also decided to close the connection.
    SYN_SENT: a connection request (SYN) has been sent and is waiting for ACK confirmation (common on clients).
    TIME_WAIT: waiting for the timeout.

MSL is the maximum segment lifetime: the longest time a segment can survive in the network before it is discarded. This value directly affects the TIME_WAIT state, which is part of the TCP/IP reliability guarantee. Although shortening the TIME_WAIT time can speed up the closing of TCP connections, it must not be made too short. Otherwise some unnecessary problems may occur, such as data not being delivered normally, a connection falling out of synchronization in an infinite ACK loop, and connection failures. For details, see the description in RFC 1337.
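The /etc/sysctl.conf settings above are applied at boot, so a running host can differ from the file. The following added example (not from the original article) compares key=value lines against live values and reports drift. The function names, the sample excerpt and the stand-in for `sysctl -n` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).

# Constructed excerpt using keys and values from the article's /etc/sysctl.conf.
sample_conf() {
cat <<'EOF'
# source routing off
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute = 0
net.inet.tcp.syncookies=1   # SYN flood mitigation
net.inet.tcp.msl=2500
EOF
}

# Constructed stand-in for `sysctl -n KEY`: a host where two values differ.
fake_sysctl() {
    case $1 in
        net.inet.ip.sourceroute)        echo 0 ;;
        net.inet.ip.accept_sourceroute) echo 1 ;;
        net.inet.tcp.syncookies)        echo 1 ;;
        net.inet.tcp.msl)               echo 30000 ;;
        *) return 1 ;;
    esac
}

# Read key=value lines on stdin and compare each with the live value.
# $1 (optional): command printing a key's value; defaults to "sysctl -n".
# Prints one DRIFT line per mismatch; returns 1 if any were found.
sysctl_drift() {
    getter=${1:-sysctl -n}
    rc=0
    while IFS= read -r line; do
        line=${line%%#*}                           # strip comments
        case $line in *=*) ;; *) continue ;; esac  # skip non-assignments
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        have=$($getter "$key" 2>/dev/null </dev/null) || have=unreadable
        if [ "$have" != "$want" ]; then
            printf 'DRIFT %s want=%s have=%s\n' "$key" "$want" "$have"
            rc=1
        fi
    done
    return "$rc"
}

sample_conf | sysctl_drift fake_sysctl || echo "drift detected"
```

On a real host, run `sysctl_drift < /etc/sysctl.conf` with no argument so that `sysctl -n` supplies the live values.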
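The per-state count described above can be extended to track the two totals the article watches (ESTABLISHED versus everything else) and to flag a FIN_WAIT_2 pile-up. This is an added example, not code from the original article. The function names and the sample netstat output are constructed, and the normalization assumes FreeBSD prints FIN_WAIT_2 and SYN_RCVD where Linux prints FIN_WAIT2 and SYN_RECV.

```shell
#!/bin/sh
# Added example (not from the original article). Sample data is constructed.

# Constructed `netstat -n` output in FreeBSD's layout (documentation IPs).
sample_netstat() {
cat <<'EOF'
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          198.51.100.7.51234     ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.8.40211     ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.9.33870     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.4.60012      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.5.60013      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.6.41000      TIME_WAIT
tcp4       0      0 192.0.2.10.80          203.0.113.7.41001      SYN_RCVD
udp4       0      0 192.0.2.10.123         *.*
EOF
}

# Read netstat output on stdin; print "STATE COUNT" lines plus the two totals
# the article tracks (ESTABLISHED vs. everything else).
tcp_state_summary() {
    awk '
        /^tcp/ {
            s = $NF
            if (s == "FIN_WAIT2") s = "FIN_WAIT_2"   # Linux spelling
            if (s == "FIN_WAIT1") s = "FIN_WAIT_1"
            if (s == "SYN_RECV")  s = "SYN_RCVD"
            n[s]++
            if (s == "ESTABLISHED") est++; else other++
        }
        END {
            for (s in n) printf "%s %d\n", s, n[s]
            printf "TOTAL_ESTABLISHED %d\nTOTAL_OTHER %d\n", est, other
        }' | sort
}

# Print the count for one label (0 if absent) from a summary on stdin.
state_count() {
    awk -v want="$1" '$1 == want { c = $2 } END { print c + 0 }'
}

# Succeed (exit 0) when FIN_WAIT_2 sockets on stdin exceed the given limit.
fin_wait2_over() {
    [ "$(tcp_state_summary | state_count FIN_WAIT_2)" -gt "$1" ]
}

sample_netstat | tcp_state_summary
```

On a live host, `netstat -n | fin_wait2_over 200` can gate an alert; the limit of 200 is an arbitrary placeholder to be set from the host's normal baseline.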
