Debian 11 to Debian 12
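# Bring the running Debian 11 system fully up to date before sources.list is
# switched to bookworm; the last line confirms the version you are starting from.
apt update
apt list --upgradable
apt dist-upgrade
# Held packages would stay at their bullseye version. List them, review the
# list, then release the holds. `apt-mark unhold` needs package names, so the
# names come from showhold (xargs -r runs nothing when there are none).
apt-mark showhold
apt-mark showhold | xargs -r apt-mark unhold
reboot
apt --purge autoremove
cat /etc/debian_version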
- /etc/apt/sources.list
# /etc/apt/sources.list for Debian 12 (bookworm). The mirror is reached over
# https; package authenticity is still enforced by apt's signature check.
deb https://ftp.debian.org/debian/ bookworm contrib main non-free non-free-firmware
# deb-src https://ftp.debian.org/debian/ bookworm contrib main non-free non-free-firmware
deb https://ftp.debian.org/debian/ bookworm-updates contrib main non-free non-free-firmware
# deb-src https://ftp.debian.org/debian/ bookworm-updates contrib main non-free non-free-firmware
# proposed-updates holds packages staged for the next point release, i.e. not
# yet fully tested; most production hosts leave this suite disabled.
deb https://ftp.debian.org/debian/ bookworm-proposed-updates contrib main non-free non-free-firmware
# deb-src https://ftp.debian.org/debian/ bookworm-proposed-updates contrib main non-free non-free-firmware
# backports are pinned low by default: listing the suite upgrades nothing by
# itself, packages are pulled from it only when explicitly requested.
deb https://ftp.debian.org/debian/ bookworm-backports contrib main non-free non-free-firmware
# deb-src https://ftp.debian.org/debian/ bookworm-backports contrib main non-free non-free-firmware
# Security updates come from security.debian.org, not from the mirror above.
deb https://security.debian.org/debian-security/ bookworm-security contrib main non-free non-free-firmware
# deb-src https://security.debian.org/debian-security/ bookworm-security contrib main non-free non-free-firmware
# Second pass, now that sources.list points at bookworm. The two-step order
# (minimal upgrade with --without-new-pkgs first, full dist-upgrade second) is
# the sequence the Debian release notes use for a release upgrade.
apt update
apt upgrade --without-new-pkgs
apt dist-upgrade
reboot
apt --purge autoremove
auto-upgrades
# Automatic updates. 50unattended-upgrades selects which origins are applied
# without interaction (keep the security origin enabled); 20auto-upgrades
# switches the periodic run on. The dry run at the end reports what would be
# installed without changing anything.
apt -y update
apt -y install unattended-upgrades
systemctl enable --now unattended-upgrades
vi /etc/apt/apt.conf.d/50unattended-upgrades
# -plow shows the low-priority debconf questions too; the answer is written to
# 20auto-upgrades, which the next line opens for review.
dpkg-reconfigure -plow unattended-upgrades
vi /etc/apt/apt.conf.d/20auto-upgrades
unattended-upgrade --dry-run
执行 `lsmod | grep bbr`，如果结果中没有 tcp_bbr，就先执行：
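# Load the BBR module now and make it load at boot. The append is guarded so
# re-running this step does not leave a duplicate line in modules.conf.
modprobe tcp_bbr
grep -qxF 'tcp_bbr' /etc/modules-load.d/modules.conf 2>/dev/null \
  || echo "tcp_bbr" >> /etc/modules-load.d/modules.conf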
执行
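#######################################
# Append one "key = value" line to $sysctl_conf unless an active (uncommented)
# entry for that key already exists. A plain `echo >>` is not idempotent:
# every re-run adds another copy and the last copy silently wins, which hides
# edits made to the earlier one.
# Arguments: $1 - the sysctl line to add, e.g. "net.core.somaxconn = 2048"
# Globals:   sysctl_conf (read) - file to append to
#######################################
add_sysctl() {
  local line=$1
  local key=${line%%=*}
  key=${key%% *}   # drop any spaces that preceded the '='
  # awk: split on '=', strip whitespace from the key field, exact-match it.
  # A missing file makes awk fail, which also falls through to the append.
  if ! awk -F= -v k="$key" '{ gsub(/[ \t]/, "", $1) } $1 == k { found = 1 } END { exit !found }' "$sysctl_conf" 2>/dev/null; then
    echo "$line" >> "$sysctl_conf"
  fi
}

sysctl_conf=/etc/sysctl.conf
# BBR congestion control; fq is the qdisc it is commonly paired with.
add_sysctl "net.core.default_qdisc=fq"
add_sysctl "net.ipv4.tcp_congestion_control=bbr"
# ip_forward=1 turns this host into a router. Together with the ACCEPT
# FORWARD policy set further down it relays any traffic it receives, which is
# the intent for a VPN/NAT gateway but not for a host that only runs local
# services.
add_sysctl "net.ipv4.ip_forward = 1"
add_sysctl "net.core.somaxconn = 2048"
add_sysctl "kernel.msgmnb = 65536"
add_sysctl "kernel.msgmax = 65536"
# Socket buffer ceilings in bytes; tcp_rmem/tcp_wmem are min, default, max.
add_sysctl "net.core.wmem_max = 12582912"
add_sysctl "net.core.rmem_max = 12582912"
add_sysctl "net.ipv4.tcp_rmem = 10240 87380 12582912"
add_sysctl "net.ipv4.tcp_wmem = 10240 87380 12582912"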
# MSS clamping for forwarded TCP. Note that the `iptables -F` further down this
# page flushes this rule again and the same rule is re-added after the flush,
# so in the order shown here this copy has no lasting effect.
iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
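apt install bash-completion lsb-release net-tools netfilter-persistent iptables-persistent git
# Editor setup from a third-party repository, run as root. Clone only once
# (git clone fails if the directory already exists), and read
# install_basic_vimrc.sh — or pin a commit you have reviewed — before running it.
if [[ ! -d ~/.vim_runtime ]]; then
  git clone --depth=1 https://github.com/amix/vimrc.git ~/.vim_runtime
fi
sh ~/.vim_runtime/install_basic_vimrc.sh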
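# Reset every table to a known state. The three ACCEPT policies plus the flush
# mean nothing on this host is filtered except the L2TP rules below: fine for
# a gateway that relies on IPsec, but every other listening service is then
# reachable — add INPUT rules for anything that must not be exposed.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
# L2TP (port name resolved from /etc/services) is allowed only inside an IPsec
# policy, in both directions; bare, unencrypted L2TP is rejected.
iptables -t filter -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable
# Clamp the MSS of SYNs to the path MTU so tunnelled TCP does not stall on
# oversized segments. The nat POSTROUTING rule also covers forwarded SYNs, so
# the two overlap for forwarded traffic; keeping both is harmless.
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t nat -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# The rules above live only in the running kernel and vanish on reboot.
# iptables-persistent (installed above) provides netfilter-persistent; save now
# so the ruleset is restored at boot.
if command -v netfilter-persistent >/dev/null; then
  netfilter-persistent save
fi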
保存生效
# Load the keys appended above into the running kernel. The file is named
# explicitly here; it is also what -p reads by default.
sysctl -p /etc/sysctl.conf
执行
# Both lines should mention bbr: the first is what the kernel can offer, the
# second what is active right now. One sysctl call prints both keys.
sysctl net.ipv4.tcp_available_congestion_control net.ipv4.tcp_congestion_control
如果结果都有 bbr, 则证明你的内核已开启 bbr
执行 `lsmod | grep bbr`，看到有 tcp_bbr 模块即说明 bbr 已启动。
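# Raise the per-process open-file limit. ulimit affects only the current shell
# session (and can only go up to the current hard limit); limits.conf makes the
# value the default for root's future PAM sessions. Services started by systemd
# do not read limits.conf — they take LimitNOFILE= from the unit, which is why
# nginx.service gets its own setting later on this page.
ulimit -n 1048576
# Guarded appends: re-running this step must not duplicate the entries.
limits_conf=/etc/security/limits.conf
for entry in 'root soft nofile 1048576' 'root hard nofile 1048576'; do
  grep -qxF -- "$entry" "$limits_conf" 2>/dev/null || echo "$entry" >> "$limits_conf"
done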
# Optional extras the author left disabled. net.ipv4.tcp_tw_recycle no longer
# exists (it was removed in Linux 4.12, well before the bookworm kernel) and was
# unsafe for clients behind NAT; `sysctl -p` reports an error for it on current
# kernels. Leave it off.
#echo "net.ipv4.ip_local_port_range = 1024 65000" >>/etc/sysctl.conf
#echo "net.ipv4.tcp_tw_recycle = 1" >>/etc/sysctl.conf
#echo "net.ipv4.tcp_tw_reuse = 1" >>/etc/sysctl.conf
#echo "net.ipv4.tcp_syncookies = 1" >>/etc/sysctl.conf
# Reference copy of the entries appended to /etc/sysctl.conf above (the two BBR
# lines, default_qdisc and tcp_congestion_control, are not repeated here).
net.ipv4.ip_forward = 1
net.core.somaxconn = 2048
kernel.msgmnb = 65536
kernel.msgmax = 65536
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
# Meaning of the optional keys above, in order:
# Range of local ports the system may use.
# Enable fast recycling of TIME-WAIT sockets.
# Enable reuse: allow TIME-WAIT sockets to be used for new TCP connections.
# Enable SYN cookies: when the SYN backlog overflows, handle it with cookies.
# The backlog an application passes to listen() is capped by the kernel's
# net.core.somaxconn (default 128; kernels 5.4 and later default to 4096).
- nginx
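apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring
# Fetch the nginx signing key. -f makes an HTTP error produce empty input
# instead of an HTML error page being dearmored into the keyring; -sS stays
# quiet but still reports failures; -L follows redirects.
curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
  | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
# Verify what was just written before apt trusts it: the fingerprint printed
# here must match the one published on nginx.org (<FINGERPRINT_FROM_NGINX_DOCS>).
# No output at all means the download failed — stop here.
gpg --dry-run --quiet --no-keyring --import --import-options import-show \
  /usr/share/keyrings/nginx-archive-keyring.gpg
# Repository entry. The packages index is fetched over http; apt still verifies
# every package against the signed-by keyring above.
codename=$(lsb_release -cs)
printf 'deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian %s nginx\n' "$codename" \
  | tee /etc/apt/sources.list.d/nginx.list
# Pin nginx.org above Debian's own nginx packages.
printf 'Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n\n' \
  | tee /etc/apt/preferences.d/99nginx
apt update && apt install nginx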
- /etc/nginx/nginx.conf
# Fragment of /etc/nginx/nginx.conf (the http/stream sections are not shown).
# worker_rlimit_nofile matches the 1048576 configured in limits.conf and the
# unit override; worker_connections is per worker, so the total is
# worker_connections x worker_processes (auto = one worker per CPU core).
worker_processes auto;
worker_rlimit_nofile 1048576;
events {
    worker_connections 65535;
    multi_accept on;
    use epoll;
}
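# Raise nginx's open-file limit through a drop-in override. The entry in
# multi-user.target.wants is normally a symlink to the packaged unit, so editing
# it in place can be undone by the next nginx package upgrade; a drop-in under
# /etc/systemd/system/nginx.service.d/ is kept. (`systemctl edit nginx` is the
# interactive way to create the same file.)
mkdir -p /etc/systemd/system/nginx.service.d
cat > /etc/systemd/system/nginx.service.d/override.conf <<'EOF'
[Service]
LimitNOFILE=infinity
EOF
# Re-read unit files and restart so the master and workers get the new limit.
systemctl daemon-reload
systemctl restart nginx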
# Check after the restart: find a worker PID, then read that process's limits.
ps aux |grep nginx
# Sample output captured by the page author (PIDs will differ on your host):
root 3201 0.0 0.0 21532 968 ? Ss 04:31 0:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx 3202 0.0 0.3 48996 30480 ? S 04:31 0:00 nginx: worker process
nginx 3203 0.0 0.3 48996 30480 ? S 04:31 0:00 nginx: worker process
nginx 3204 0.0 0.0 21860 3728 ? S 04:31 0:00 nginx: cache manager process
# 3202 is the first worker from the listing above; substitute your own PID.
cat /proc/3202/limits
# "Max open files" is the value to look at. LimitNOFILE=infinity is bounded by
# the kernel's fs.nr_open, which is presumably why 1048576 rather than
# "unlimited" shows up — compare with `sysctl fs.nr_open` if in doubt.
Limit Soft Limit Hard Limit Units
Max cpu time unlimited unlimited seconds
Max file size unlimited unlimited bytes
Max data size unlimited unlimited bytes
Max stack size 8388608 unlimited bytes
Max core file size 0 unlimited bytes
Max resident set unlimited unlimited bytes
Max processes 31398 31398 processes
Max open files 1048576 1048576 files
Max locked memory 65536 65536 bytes
Max address space unlimited unlimited bytes
Max file locks unlimited unlimited locks
Max pending signals 31398 31398 signals
Max msgqueue size 819200 819200 bytes
Max nice priority 0 0
Max realtime priority 0 0
Max realtime timeout unlimited unlimited us
- example1
# Stream (layer-4) proxy example. Everything here is relayed as raw TCP/UDP;
# nothing is terminated on this host, so TLS on :443 passes through untouched.
stream {
    # TCP :80/:443 on 192.151.192.90 -> an AWS ELB addressed by hostname.
    # proxy_pass with a variable forces a runtime DNS lookup through
    # `resolver`, re-resolved every 10s (valid=10s), so the ELB's changing
    # addresses are followed. NOTE(review): 8.8.8.8 is queried over plain DNS
    # from this host; a local or otherwise trusted resolver keeps the upstream
    # name resolution off the public path.
    server {
        listen 192.151.192.90:80;
        set $backend1 gw-elb-166687928.ap-southeast-1.elb.amazonaws.com:80;
        resolver 8.8.8.8 valid=10s ipv6=off;
        resolver_timeout 10s;
        proxy_pass $backend1;
    }
    server {
        listen 192.151.192.90:443;
        set $backend2 gw-elb-166687928.ap-southeast-1.elb.amazonaws.com:443;
        resolver 8.8.8.8 valid=10s ipv6=off;
        resolver_timeout 10s;
        proxy_pass $backend2;
    }
    # UDP relays on the standard IKE (500), NAT-T (4500) and L2TP (1701) ports
    # to fixed backends. These listen on all interfaces, and the backends see
    # this host's address as the source rather than the original client's
    # unless transparent proxying is configured.
    upstream test {
        server 180.215.228.11:500;
    }
    upstream test2 {
        server 180.215.228.11:4500;
    }
    upstream test3 {
        server 133.88.75.228:1701;
    }
    server {
        listen 500 udp;
        proxy_pass test;
    }
    server {
        listen 4500 udp;
        proxy_pass test2;
    }
    server {
        listen 1701 udp;
        proxy_pass test3;
    }
}