Apache and Firewall Performance Tips from the Xenu.net Masters
April 30th, 2002 by Don Marti in
Where Scientology critics go, legal threats follow. Google's decision to pull Xenu.net from its index, under the controversial Digital Millennium Copyright Act, and the later commitment to making DMCA takedown letters public caused a publicity storm that, when it cleared, left "Operation Clambake", Xenu.net, at the top of a Google search for the word "Scientology".
We asked Andreas Heldal-Lund, the site's webmaster, and Paul Wouters, of their long-suffering ISP, Xtended Internet, how the popular site is handling the load.
LJ: What hardware are you running Linux on?
Paul: The main servers are running on Intel ISP boxes (1150s and 2150s). The load-balanced server at XS4ALL is a Penguin 2U server.
LJ: Andreas, what are the secrets of developing a search-engine-friendly site?
Andreas: I've not had to focus on being search-engine-friendly for years. Xenu.net is on top now basically because the cult attacks have generated so much attention.
LJ: How do you get so many incoming links?
Andreas: Mostly the same reason as above. Few are so disliked as this cult here on the net. Each time the cult tries to close my site, the more attention they send my way.
LJ: Your site has an awful lot of general information. What should someone considering getting involved in Scientology read first?
Andreas: Besides the general introductory, information I would suggest these two books:
LJ: Can your Linux server(s) handle the traffic?
Paul: Right now there is no problem whatsoever. The servers are doing less then 80KB/sec. We did have some problems after being slashdotted twice and the site appearing in the Washington Times and on CNN. When that happened, we had some problems with Linux and Apache that we needed to address (which can be seen back in the graph at http://www.xenu.net/news/.) On the 22nd of March, around 1pm, we noticed the increase in bandwidth fell down. We then found the hardcoded limit of 128 Apache children had been reached on the main server. We recompiled Apache with 512, which was reached again around 6pm. We then went for 1024 and restarted. Only the restart of Apache caused that dip in the statistics you see at 7pm. At this point we also added two more servers and used DNS roundrobin to try and load balance things a bit. Looking back, we should probably have used the Linux Virtual Server setup we had ready, but we didn't feel confident enough to deploy that. Running another Apache process on the main server didn't work, the Ethernet card (EEPRO 100) started giving errors (eth0: card out of resources), and we quickly gave up on that idea.
At the peak, at 8pm, we ran into performance problems on the Linux firewall. These weren't resolved until after the massive peaks. We optimized all the TCP socket options (based on the results of experiments of people at the NIKHEF institute in Amsterdam), which can be done through the Linux /proc interface, and we added more memory to the firewall (the socket options eat up a lot of memory).
Here are the current socket options we use on our Linux firewall:
RWIN_MIN="4096"
RWIN_MAX="25165824"
# NB: we have to force the default value to be equal to the max
# in order to have larger buffer assigned by the kernel
# RWIN_DEFAULT="87380"
RWIN_DEFAULT="25165824"
WWIN_MIN="4096"
WWIN_DEFAULT="65536"
WWIN_MAX="25165824"
echo -n "Configuring socket parameters"
echo "$RWIN_MIN $RWIN_DEFAULT $RWIN_MAX" > /proc/sys/net/ipv4/tcp_rmem
echo "$WWIN_MIN $WWIN_DEFAULT $WWIN_MAX" > /proc/sys/net/ipv4/tcp_wmem
echo $RWIN_MAX > /proc/sys/net/core/rmem_max
echo $RWIN_DEFAULT > /proc/sys/net/core/rmem_default
echo $WWIN_MAX > /proc/sys/net/core/wmem_max
echo $WWIN_DEFAULT > /proc/sys/net/core/wmem_default
echo "."
# Having the ip_conntrack module loaded, even when not using it,
# will severely hamper and burden the firewall. If one REALLY has to
# run this, at least make sure it has enough connection bufferS:
echo 32768 > /proc/sys/net/ipv4/ip_conntrack_max
Don Marti is technical editor of Linux Journal.
Special Magazine Offer -- Free Gift with Subscription
Receive a free digital copy of Linux Journal's System Administration Special Edition as well as instant online access to current and past issues. CLICK HERE for offer
Linux Journal: delivering readers the advice and inspiration they need to get the most out of their Linux systems since 1994.
Delicious
Digg
StumbleUpon
Reddit
Facebook
Post to TwitterSubscribe now!
The Latest
Newsletter
Tech Tip Videos
Recently Popular
From the Magazine
December 2009, #188
If last month's Infrastrucuture issue was too "big" for you then try on this month's Embedded issue. Find out how to use Player for programming mobile robots, build a humidity controller for your root cellar, find out how to reduce the boot time of your embedded system, and if you're new to embedded systems find out the basics that go into one. You can also read about the Beagle Board, the Mesh Potato and a spate of other interestingly named items. And along with our regular columns don't miss our new monthly column: Economy Size Geek.
Updated net.core settings.
On January 21st, 2007 Julius (not verified) says:
Hmm.. these are rather old for todays network and backbone topologies.
I have a speed-adapted and security hardened recent /etc/sysctl.conf for you here: http://lulligvoorje.nl/net/
These are for a 100 mbit/s bandwidth NIC on a machine with a Core 2 or Dual Core DDR2 or faster machinery, built around 2006, and targeted towards an average RTT of 32 milliseconds, which these days IS the average for nearby visitors.
Re: Apache and Firewall Performance Tips from the Xenu.net Maste
On April 30th, 2002 Anonymous says:
it should probably be noted that a better place for these settings is probably /etc/sysctl.conf
that just gets read by sysctl at boottime in most distros, and they're all in one place. of course, that doesn't include as many comments by default.
ashridah
Re: Apache and Firewall Performance Tips from the Xenu.net Maste
On May 1st, 2002 Anonymous says:
a better place for these settings is probably /etc/sysctl.conf
This is true, but you can load these without a reboot by typing in sysctl -p.
Performance Tips from the Kalamazoo Linux User's Group
On April 30th, 2002 Anonymous says:
I have a Linux perfomance tuning presentation at -
ftp://kalamazoolinux.org/pub/pdf/PerfTune2001.pdf
that covers the above tweeks and many more. For lots of other presentations see - http://www.kalamazoolinux.org/presentations/
you don't exist
On May 1st, 2002 Anonymous says:
dig kalamazoolinux.org
; > DiG 9.2.0 > kalamazoolinux.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39953
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;kalamazoolinux.org. IN A
;; Query time: 263 msec
;; SERVER: 10.1.1.1#53(10.1.1.1)
;; WHEN: Wed May 1 10:03:08 2002
;; MSG SIZE rcvd: 36
your DNS is screwed up
On May 1st, 2002 Anonymous says:
dig kalamazoolinux.org
; > DiG 9.1.3 > kalamazoolinux.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59659
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;kalamazoolinux.org. IN A
;; ANSWER SECTION:
kalamazoolinux.org. 86400 IN A 63.148.122.250
;; AUTHORITY SECTION:
kalamazoolinux.org. 86400 IN NS dns2.armintl.com.
kalamazoolinux.org. 86400 IN NS dns1.armintl.com.
;; ADDITIONAL SECTION:
dns1.armintl.com. 172800 IN A 63.148.122.200
dns2.armintl.com. 172800 IN A 63.148.122.210
;; Query time: 125 msec
;; SERVER: edit#53(edit)
;; WHEN: Wed May 1 14:05:53 2002
;; MSG SIZE rcvd: 133
Post new comment