Add web profile for web servers, API gateways, and reverse proxies.
Parameters
The following is just a quick draft of possibly relevant parameters and recommended values. Researching them in depth and reasoning about the implementation is the actual work to do.
Connection handling

| Parameter | Value | Auto-calculated |
|---|---|---|
| net.core.somaxconn | 65535 | - |
| net.ipv4.tcp_max_syn_backlog | 65535 | - |
| net.core.netdev_max_backlog | 65535 | - |
| net.netfilter.nf_conntrack_max | - | RAM_MB * 16 |
| fs.file-max | - | max(RAM_MB * 100, 100000) |
| fs.nr_open | 1048576 | - |
TCP

| Parameter | Value |
|---|---|
| net.ipv4.tcp_fin_timeout | 15 |
| net.ipv4.tcp_tw_reuse | 1 |
| net.ipv4.tcp_max_tw_buckets | 262144 |
| net.ipv4.ip_local_port_range | "1024 65535" |
| net.ipv4.tcp_slow_start_after_idle | 0 |
| net.ipv4.tcp_syncookies | 1 |
Buffers (auto-calculated)

| Parameter | Formula |
|---|---|
| net.core.rmem_max | min(RAM_bytes / 128, 16777216) |
| net.core.wmem_max | min(RAM_bytes / 128, 16777216) |
Network

| Parameter | Value |
|---|---|
| net.ipv4.conf.all.rp_filter | 1 |
| net.ipv4.conf.default.rp_filter | 1 |
| net.ipv4.conf.all.accept_redirects | 0 |
| net.ipv4.conf.default.accept_redirects | 0 |
| net.ipv4.conf.all.send_redirects | 0 |
| net.ipv4.conf.default.send_redirects | 0 |
| net.ipv4.conf.all.accept_source_route | 0 |
| net.ipv4.conf.default.accept_source_route | 0 |
| net.ipv4.conf.all.log_martians | 1 |
| net.ipv4.conf.default.log_martians | 1 |
| net.ipv4.icmp_echo_ignore_broadcasts | 1 |
| net.ipv4.icmp_ignore_bogus_error_responses | 1 |
| net.ipv6.conf.all.accept_redirects | 0 |
| net.ipv6.conf.default.accept_redirects | 0 |
| net.ipv6.conf.all.accept_source_route | 0 |
| net.ipv6.conf.default.accept_source_route | 0 |
Kernel

| Parameter | Value |
|---|---|
| kernel.randomize_va_space | 2 |
Filesystem

| Parameter | Value |
|---|---|
| fs.protected_hardlinks | 1 |
| fs.protected_symlinks | 1 |
| fs.protected_fifos | 2 |
| fs.protected_regular | 2 |
| fs.suid_dumpable | 0 |
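The RAM-dependent rows above (nf_conntrack_max, fs.file-max, rmem_max/wmem_max) are the part of this draft that cannot simply be pasted into a sysctl file, so here is an added example (not the repository's sysctl role) that applies the draft's formulas for a given RAM size and reports which live values on a host differ from the profile. The RAM sizes and the host snapshot are constructed; `profile`, `read_one` and `drift` are names chosen for the example.

```python
# Added example (not the repository's sysctl role): apply the draft's formulas and
# check a host for drift. RAM sizes and the host snapshot below are constructed.
import os

# Static values copied from the connection-handling and TCP tables above.
STATIC: dict = {
    "net.core.somaxconn": "65535",
    "net.ipv4.tcp_max_syn_backlog": "65535",
    "net.core.netdev_max_backlog": "65535",
    "fs.nr_open": "1048576",
    "net.ipv4.tcp_fin_timeout": "15",
    "net.ipv4.tcp_tw_reuse": "1",
    "net.ipv4.tcp_max_tw_buckets": "262144",
    "net.ipv4.ip_local_port_range": "1024 65535",
    "net.ipv4.tcp_slow_start_after_idle": "0",
    "net.ipv4.tcp_syncookies": "1",
}

def auto_calculated(ram_mb: int) -> dict:
    """Apply the draft's formulas; the 16 MiB buffer cap is reached at 2 GiB of RAM."""
    buf = min(ram_mb * 1024 * 1024 // 128, 16777216)
    return {"net.netfilter.nf_conntrack_max": ram_mb * 16,
            "fs.file-max": max(ram_mb * 100, 100000),
            "net.core.rmem_max": buf, "net.core.wmem_max": buf}

def profile(ram_mb: int) -> dict:
    """Full key -> value mapping; write it as `key = value` lines for sysctl.d."""
    return {**STATIC, **{k: str(v) for k, v in auto_calculated(ram_mb).items()}}

def read_one(key: str):
    """Live value from /proc/sys, or None when the key is absent (e.g. conntrack not loaded)."""
    try:
        with open(os.path.join("/proc/sys", *key.split("."))) as f:
            return f.read().strip()
    except OSError:
        return None

def drift(expected: dict, current: dict) -> dict:
    """Keys whose live value differs from the profile, as {key: (wanted, got)}."""
    bad = {}
    for k, want in expected.items():
        got = current.get(k)
        if got is None or got.split() != want.split():  # /proc uses tabs: "1024\t65535"
            bad[k] = (want, got)
    return bad

# Constructed host snapshot (not real measurements): one at its default, two already matching.
SAMPLE_CURRENT = {"net.ipv4.tcp_syncookies": "1", "net.core.somaxconn": "4096",
                  "net.ipv4.ip_local_port_range": "1024\t65535"}
```

On a real host, build the snapshot with `{k: read_one(k) for k in profile(ram_mb)}` and pass it to `drift`; keys reported as `None` are not present in the running kernel and need a decision (load the module, or drop the key from the profile) rather than a value.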
References

Acceptance criteria

- roles/sysctl/vars/profiles/web.yml
- roles/sysctl/vars/profiles/web.md