Apache and Firewall Performance Tips from the Xenu.net Masters

Where
Scientology critics go, legal
threats follow.
Google's
decision to pull Xenu.net from its index, under the
controversial Digital Millennium Copyright Act, and the later
commitment
to making DMCA takedown letters public caused a publicity
storm that, when it cleared, left "Operation Clambake", Xenu.net,
at the top of a
Google
search for the word "Scientology".We asked Andreas Heldal-Lund, the site's webmaster, and Paul
Wouters, of their long-suffering ISP,
Xtended Internet, how the
popular site is handling the load.LJ: What hardware are you
running Linux on?Paul: The main servers are
running on Intel ISP boxes (1150s and 2150s). The load-balanced
server at XS4ALL is a
Penguin 2U
server.LJ: Andreas, what are the
secrets of developing a search-engine-friendly site?Andreas: I've not had to
focus on being search-engine-friendly for years. Xenu.net is on top
now basically because the cult attacks have generated so much
attention.LJ: How do you get so many
incoming links?Andreas: Mostly the same
reason as above. Few are so disliked as this cult here on the net.
Each time the cult tries to close my site, the more attention they
send my way.LJ: Your site has an awful
lot of general information. What should someone considering getting
involved in Scientology read first?Andreas: Besides the general
introductory, information I would suggest these two books:

• A
  Piece of Blue Sky
• Bare
  Faced Messiah

LJ: Can your Linux server(s)
handle the traffic?Paul: Right now there is no
problem whatsoever. The servers are doing less then 80KB/sec. We
did have some problems after being
slashdotted
twice and the site appearing in the Washington
Times and on CNN. When that happened, we had some
problems with Linux and Apache that we needed to address (which can
be seen back in the graph at
http://www.xenu.net/news/.)
On the 22nd of March, around 1pm, we noticed the increase in
bandwidth fell down. We then found the hardcoded limit of 128
Apache children had been reached on the main server. We recompiled
Apache with 512, which was reached again around 6pm. We then went
for 1024 and restarted. Only the restart of Apache caused that dip
in the statistics you see at 7pm. At this point we also added two
more servers and used DNS roundrobin to try and load balance things
a bit. Looking back, we should probably have used the Linux Virtual
Server setup we had ready, but we didn't feel confident enough to
deploy that. Running another Apache process on the main server
didn't work, the Ethernet card (EEPRO 100) started giving errors
(eth0: card out of resources), and we quickly gave up on that
idea.At the peak, at 8pm, we ran into performance problems on the
Linux firewall. These weren't resolved until after the massive
peaks. We optimized all the TCP socket options (based on the
results of experiments of people at the NIKHEF institute in
Amsterdam), which can be done through the Linux /proc interface,
and we added more memory to the firewall (the socket options eat up
a lot of memory).Here are the current socket options we use on our Linux
firewall:

RWIN_MIN="4096"
RWIN_MAX="25165824"
# NB: we have to force the default value to be equal to the max
# in order to have larger buffer assigned by the kernel
# RWIN_DEFAULT="87380"
RWIN_DEFAULT="25165824"
WWIN_MIN="4096"
WWIN_DEFAULT="65536"
WWIN_MAX="25165824"
    echo -n "Configuring socket parameters"
    echo "$RWIN_MIN $RWIN_DEFAULT $RWIN_MAX" > /proc/sys/net/ipv4/tcp_rmem
    echo "$WWIN_MIN $WWIN_DEFAULT $WWIN_MAX" > /proc/sys/net/ipv4/tcp_wmem
    echo  $RWIN_MAX > /proc/sys/net/core/rmem_max  
    echo  $RWIN_DEFAULT > /proc/sys/net/core/rmem_default
    echo  $WWIN_MAX > /proc/sys/net/core/wmem_max
    echo  $WWIN_DEFAULT > /proc/sys/net/core/wmem_default
    echo "."
# Having the ip_conntrack module loaded, even when not using it,
# will severely hamper and burden the firewall. If one REALLY has to
# run this, at least make sure it has enough connection bufferS:
echo  32768 >  /proc/sys/net/ipv4/ip_conntrack_max

Don Marti is technical
editor of Linux Journal.

email: dmarti@ssc.com