Apache and Firewall Performance Tips from the Xenu.net Masters
Where Scientology critics go, legal threats follow. Google's decision to pull Xenu.net from its index, under the controversial Digital Millennium Copyright Act, and the later commitment to making DMCA takedown letters public caused a publicity storm that, when it cleared, left "Operation Clambake", Xenu.net, at the top of a Google search for the word "Scientology".
We asked Andreas Heldal-Lund, the site's webmaster, and Paul Wouters, of their long-suffering ISP, Xtended Internet, how the popular site is handling the load.
LJ: What hardware are you running Linux on?
Paul: The main servers are running on Intel ISP boxes (1150s and 2150s). The load-balanced server at XS4ALL is a Penguin 2U server.
LJ: Andreas, what are the secrets of developing a search-engine-friendly site?
Andreas: I've not had to focus on being search-engine-friendly for years. Xenu.net is on top now basically because the cult attacks have generated so much attention.
LJ: How do you get so many incoming links?
Andreas: Mostly the same reason as above. Few are so disliked as this cult here on the net. Each time the cult tries to close my site, the more attention they send my way.
LJ: Your site has an awful lot of general information. What should someone considering getting involved in Scientology read first?
Andreas: Besides the general introductory, information I would suggest these two books:
LJ: Can your Linux server(s) handle the traffic?
Paul: Right now there is no problem whatsoever. The servers are doing less then 80KB/sec. We did have some problems after being slashdotted twice and the site appearing in the Washington Times and on CNN. When that happened, we had some problems with Linux and Apache that we needed to address (which can be seen back in the graph at http://www.xenu.net/news/.) On the 22nd of March, around 1pm, we noticed the increase in bandwidth fell down. We then found the hardcoded limit of 128 Apache children had been reached on the main server. We recompiled Apache with 512, which was reached again around 6pm. We then went for 1024 and restarted. Only the restart of Apache caused that dip in the statistics you see at 7pm. At this point we also added two more servers and used DNS roundrobin to try and load balance things a bit. Looking back, we should probably have used the Linux Virtual Server setup we had ready, but we didn't feel confident enough to deploy that. Running another Apache process on the main server didn't work, the Ethernet card (EEPRO 100) started giving errors (eth0: card out of resources), and we quickly gave up on that idea.
At the peak, at 8pm, we ran into performance problems on the Linux firewall. These weren't resolved until after the massive peaks. We optimized all the TCP socket options (based on the results of experiments of people at the NIKHEF institute in Amsterdam), which can be done through the Linux /proc interface, and we added more memory to the firewall (the socket options eat up a lot of memory).
Here are the current socket options we use on our Linux firewall:
RWIN_MIN="4096" RWIN_MAX="25165824" # NB: we have to force the default value to be equal to the max # in order to have larger buffer assigned by the kernel # RWIN_DEFAULT="87380" RWIN_DEFAULT="25165824" WWIN_MIN="4096" WWIN_DEFAULT="65536" WWIN_MAX="25165824" echo -n "Configuring socket parameters" echo "$RWIN_MIN $RWIN_DEFAULT $RWIN_MAX" > /proc/sys/net/ipv4/tcp_rmem echo "$WWIN_MIN $WWIN_DEFAULT $WWIN_MAX" > /proc/sys/net/ipv4/tcp_wmem echo $RWIN_MAX > /proc/sys/net/core/rmem_max echo $RWIN_DEFAULT > /proc/sys/net/core/rmem_default echo $WWIN_MAX > /proc/sys/net/core/wmem_max echo $WWIN_DEFAULT > /proc/sys/net/core/wmem_default echo "." # Having the ip_conntrack module loaded, even when not using it, # will severely hamper and burden the firewall. If one REALLY has to # run this, at least make sure it has enough connection bufferS: echo 32768 > /proc/sys/net/ipv4/ip_conntrack_max
Don Marti is technical editor of Linux Journal.