Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 8. Tuning applications with a large number of incoming requests

If you run an application that handles a large number of incoming requests, such as web servers, it can be necessary to tune Red Hat Enterprise Linux to optimize the performance.

When an application opens a TCP socket in LISTEN state, the kernel limits the number of accepted client connections this socket can handle. If clients try to establish more connections than the application can handle, new ones get dropped or the kernel sends SYN cookies.

If the system is under normal workload and too many connections from legitimate clients cause the kernel to send SYN cookies, tune Red Hat Enterprise Linux (RHEL) to avoid them.

Prerequisites

  • RHEL logs possible SYN flooding on port <ip_address>:<port_number> error messages in the Systemd journal.
  • The high number of connection attempts are from valid sources and not caused by an attack.

Procedure

  1. To verify whether tuning is required, display the statistics for the affected port: 

    # ss -ntl '( sport = :443 )'
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN   650      500      192.0.2.1:443        0.0.0.0:*

    If the current number of connections in the backlog (Recv-Q) is larger than the socket backlog (Send-Q), the listen backlog is still not large enough and tuning is required.

  2. Optional: Display the current TCP listen backlog limit: 

    # sysctl net.core.somaxconn
net.core.somaxconn = 4096

  3. Create the /etc/sysctl.d/10-socket-backlog-limit.conf file, and set a larger listen backlog limit: 

    net.core.somaxconn = 8192

    Note that applications can request a larger listen backlog than specified in the net.core.somaxconn kernel parameter but the kernel limits the application to the number you set in this parameter.

  4. Load the setting from the /etc/sysctl.d/10-socket-backlog-limit.conf file: 

    # sysctl -p /etc/sysctl.d/10-socket-backlog-limit.conf

  5. Reconfigure the application to use the new listen backlog limit:

    • If the application provides a config option for the limit, update it. For example, the Apache HTTP Server provides the ListenBacklog configuration option to set the listen backlog limit for this service.
    • If you cannot configure the limit, recompile the application.
    Important

    You must always update both the net.core.somaxconn kernel setting and the application’s settings.

  6. Restart the application.

Verification

  1. Monitor the Systemd journal for further occurrences of possible SYN flooding on port <port_number> error messages.

  2. Monitor the current number of connections in the backlog and compare it with the socket backlog: 

    # ss -ntl '( sport = :443 )'
State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN   0        500      192.0.2.1:443        0.0.0.0:*

    If the current number of connections in the backlog (Recv-Q) is larger than the socket backlog (Send-Q), the listen backlog is not large enough and further tuning is required.

Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2026 Red HatRetour au début