Apache and Firewall Performance Tips from the Xenu.net Masters

Litigious scam religions are its best web site promotion tool, but how does the Scientology exposé site Xenu.net, number one in a Google search for "Scientology", handle all that traffic?

Where Scientology critics go, legal threats follow. Google's decision to pull Xenu.net from its index, under the controversial Digital Millennium Copyright Act, and the later commitment to making DMCA takedown letters public caused a publicity storm that, when it cleared, left "Operation Clambake", Xenu.net, at the top of a Google search for the word "Scientology".

We asked Andreas Heldal-Lund, the site's webmaster, and Paul Wouters, of their long-suffering ISP, Xtended Internet, how the popular site is handling the load.

LJ: What hardware are you running Linux on?

Paul: The main servers are running on Intel ISP boxes (1150s and 2150s). The load-balanced server at XS4ALL is a Penguin 2U server.

LJ: Andreas, what are the secrets of developing a search-engine-friendly site?

Andreas: I've not had to focus on being search-engine-friendly for years. Xenu.net is on top now basically because the cult attacks have generated so much attention.

LJ: How do you get so many incoming links?

Andreas: Mostly the same reason as above. Few are so disliked as this cult here on the net. Each time the cult tries to close my site, the more attention they send my way.

LJ: Your site has an awful lot of general information. What should someone considering getting involved in Scientology read first?

Andreas: Besides the general introductory, information I would suggest these two books:

LJ: Can your Linux server(s) handle the traffic?

Paul: Right now there is no problem whatsoever. The servers are doing less then 80KB/sec. We did have some problems after being slashdotted twice and the site appearing in the Washington Times and on CNN. When that happened, we had some problems with Linux and Apache that we needed to address (which can be seen back in the graph at http://www.xenu.net/news/.) On the 22nd of March, around 1pm, we noticed the increase in bandwidth fell down. We then found the hardcoded limit of 128 Apache children had been reached on the main server. We recompiled Apache with 512, which was reached again around 6pm. We then went for 1024 and restarted. Only the restart of Apache caused that dip in the statistics you see at 7pm. At this point we also added two more servers and used DNS roundrobin to try and load balance things a bit. Looking back, we should probably have used the Linux Virtual Server setup we had ready, but we didn't feel confident enough to deploy that. Running another Apache process on the main server didn't work, the Ethernet card (EEPRO 100) started giving errors (eth0: card out of resources), and we quickly gave up on that idea.

At the peak, at 8pm, we ran into performance problems on the Linux firewall. These weren't resolved until after the massive peaks. We optimized all the TCP socket options (based on the results of experiments of people at the NIKHEF institute in Amsterdam), which can be done through the Linux /proc interface, and we added more memory to the firewall (the socket options eat up a lot of memory).

Here are the current socket options we use on our Linux firewall:

RWIN_MIN="4096"
RWIN_MAX="25165824"
# NB: we have to force the default value to be equal to the max
# in order to have larger buffer assigned by the kernel
# RWIN_DEFAULT="87380"
RWIN_DEFAULT="25165824"
WWIN_MIN="4096"
WWIN_DEFAULT="65536"
WWIN_MAX="25165824"
    echo -n "Configuring socket parameters"
    echo "$RWIN_MIN $RWIN_DEFAULT $RWIN_MAX" > /proc/sys/net/ipv4/tcp_rmem
    echo "$WWIN_MIN $WWIN_DEFAULT $WWIN_MAX" > /proc/sys/net/ipv4/tcp_wmem
    echo  $RWIN_MAX > /proc/sys/net/core/rmem_max  
    echo  $RWIN_DEFAULT > /proc/sys/net/core/rmem_default
    echo  $WWIN_MAX > /proc/sys/net/core/wmem_max
    echo  $WWIN_DEFAULT > /proc/sys/net/core/wmem_default
    echo "."
# Having the ip_conntrack module loaded, even when not using it,
# will severely hamper and burden the firewall. If one REALLY has to
# run this, at least make sure it has enough connection bufferS:
echo  32768 >  /proc/sys/net/ipv4/ip_conntrack_max

Don Marti is technical editor of Linux Journal.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Updated net.core settings.

Julius's picture

Hmm.. these are rather old for todays network and backbone topologies.
I have a speed-adapted and security hardened recent /etc/sysctl.conf for you here: http://lulligvoorje.nl/net/

These are for a 100 mbit/s bandwidth NIC on a machine with a Core 2 or Dual Core DDR2 or faster machinery, built around 2006, and targeted towards an average RTT of 32 milliseconds, which these days IS the average for nearby visitors.

Re: Apache and Firewall Performance Tips from the Xenu.net Maste

Anonymous's picture

it should probably be noted that a better place for these settings is probably /etc/sysctl.conf

that just gets read by sysctl at boottime in most distros, and they're all in one place. of course, that doesn't include as many comments by default.

ashridah

Re: Apache and Firewall Performance Tips from the Xenu.net Maste

Anonymous's picture

a better place for these settings is probably /etc/sysctl.conf

This is true, but you can load these without a reboot by typing in sysctl -p.

Performance Tips from the Kalamazoo Linux User's Group

Anonymous's picture

I have a Linux perfomance tuning presentation at -

ftp://kalamazoolinux.org/pub/pdf/PerfTune2001.pdf

that covers the above tweeks and many more. For lots of other presentations see - http://www.kalamazoolinux.org/presentations/

you don't exist

Anonymous's picture

dig kalamazoolinux.org

; > DiG 9.2.0 > kalamazoolinux.org

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39953

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;kalamazoolinux.org. IN A

;; Query time: 263 msec

;; SERVER: 10.1.1.1#53(10.1.1.1)

;; WHEN: Wed May 1 10:03:08 2002

;; MSG SIZE rcvd: 36

your DNS is screwed up

Anonymous's picture

dig kalamazoolinux.org

; > DiG 9.1.3 > kalamazoolinux.org

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59659

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;kalamazoolinux.org. IN A

;; ANSWER SECTION:

kalamazoolinux.org. 86400 IN A 63.148.122.250

;; AUTHORITY SECTION:

kalamazoolinux.org. 86400 IN NS dns2.armintl.com.

kalamazoolinux.org. 86400 IN NS dns1.armintl.com.

;; ADDITIONAL SECTION:

dns1.armintl.com. 172800 IN A 63.148.122.200

dns2.armintl.com. 172800 IN A 63.148.122.210

;; Query time: 125 msec

;; SERVER: edit#53(edit)

;; WHEN: Wed May 1 14:05:53 2002

;; MSG SIZE rcvd: 133

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix