HAProxy Enterprise Documentation 2.3r1
To get the best performance for your particular environment, consider the following recommendations for tuning your system.
Enable SYSCTL features
In Linux, you can use the program sysctl to read and/or modify the attributes of the system kernel, including its maximum limits and security settings.
When you install HAProxy Enterprise, some recommended sysctl settings are written to its configuration file. These sysctl settings are disabled by default.
Open the configuration file
Enable the settings by un-commenting them (remove the prefixing hash sign).
Reload the file using
systemctl restart systemd-sysctl.
# Limit the per-socket default receive/send buffers to limit memory usage
# when running with a lot of concurrent connections. Values are in bytes
# and represent minimum, default and maximum. Defaults: 4096 87380 4194304
# net.ipv4.tcp_rmem = 4096 16060 262144
# net.ipv4.tcp_wmem = 4096 16384 262144
# Allow early reuse of a same source port for outgoing connections. It is
# required above a few hundred connections per second. Defaults: 0
# net.ipv4.tcp_tw_reuse = 1
# Extend the source port range for outgoing TCP connections. This limits early
# port reuse and makes use of 64000 source ports. Defaults: 32768 61000
# net.ipv4.ip_local_port_range = 1024 65023
# Increase the TCP SYN backlog size. This is generally required to support very
# high connection rates as well as to resist SYN flood attacks. Setting it too
# high will delay SYN cookie usage though. Defaults: 1024
# net.ipv4.tcp_max_syn_backlog = 60000
# Timeout in seconds for the TCP FIN_WAIT state. Lowering it speeds up release
# of dead connections, though it will cause issues below 25-30 seconds. It is
# preferable not to change it if possible. Default: 60
# net.ipv4.tcp_fin_timeout = 30
# Limit the number of outgoing SYN-ACK retries. This value is a direct
# amplification factor of SYN floods, so it is important to keep it reasonably
# low. However, too low will prevent clients on lossy networks from connecting.
# Using 3 as a default value gives good results (4 SYN-ACK total) and lowering
# it to 1 under SYN flood attack can save a lot of bandwidth. Default: 5
# net.ipv4.tcp_synack_retries = 3
# Set this to one to allow local processes to bind to an IP which is not yet
# present on the system. This is typically what happens with a shared VRRP
# address, where you want both primary and backup to be started even though the
# IP is not yet present. Always leave it to 1. Default: 0
# net.ipv4.ip_nonlocal_bind = 1
# Serves as a higher bound for all of the system's SYN backlogs. Put it at
# least as high as tcp_max_syn_backlog, otherwise clients may experience
# difficulties to connect at high rates or under SYN attacks. Default: 128
# net.core.somaxconn = 60000
Next up Installation