We are in the process of transitioning to Amazon Linux 2023, and during this migration I came across some Ansible code that modifies kernel parameters.
I would greatly appreciate it if you could review the parameters below and provide me with your feedback and comments.
Server Type: Web servers (w/ NGINX) - EC2 Instances t3a.medium
Stacks: PHP & Golang
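# Tune Kernel
# Kernel parameters applied by the Ansible sysctl task on Amazon Linux 2023
# web servers (NGINX). Each entry is one sysctl key/value pair; string values
# are multi-field settings ("min default max" for the tcp_*mem keys,
# "low high" for ip_local_port_range).
sysctl_params: [
# Network Hardening
# The host is not a router: refuse to forward packets between interfaces.
{ name: 'net.ipv4.ip_forward', value: 0 },
# Do not answer ICMP echo sent to a broadcast address (amplification source).
{ name: 'net.ipv4.icmp_echo_ignore_broadcasts', value: 1 },
# Log packets with impossible source addresses to the kernel log.
# Consider setting net.ipv4.conf.default.log_martians as well so that
# interfaces created later inherit it.
{ name: 'net.ipv4.conf.all.log_martians', value: 1 },
# Strict reverse-path filtering (1). NOTE(review): on instances with more
# than one ENI or asymmetric routing, strict mode can silently drop legitimate
# traffic; loose mode (2) is the usual compromise — confirm against the
# instance's network layout before keeping 1.
{ name: 'net.ipv4.conf.all.rp_filter', value: 1 },
{ name: 'net.ipv4.conf.default.rp_filter', value: 1 },
# NOTE(review): disabling IPv6 entirely breaks the host in a dual-stack or
# IPv6-only VPC subnet; keep these two only where the subnet has no IPv6 CIDR.
{ name: 'net.ipv6.conf.all.disable_ipv6', value: 1 },
{ name: 'net.ipv6.conf.default.disable_ipv6', value: 1 },
# Commonly paired with the settings above but not present here (consider adding,
# with their .default counterparts):
#   net.ipv4.conf.all.accept_redirects = 0
#   net.ipv4.conf.all.send_redirects = 0
#   net.ipv4.conf.all.accept_source_route = 0
# Network Tuning
# Ephemeral port range. Starting at 1024 overlaps well-known service ports;
# if the host binds services in that range, reserve them with
# net.ipv4.ip_local_reserved_ports so outgoing connections cannot take them.
{ name: 'net.ipv4.ip_local_port_range', value: '1024 65535' },
{ name: 'net.ipv4.tcp_window_scaling', value: 1 },
# cubic is the kernel default; listed explicitly so the choice is pinned.
{ name: 'net.ipv4.tcp_congestion_control', value: 'cubic' },
# SYN cookies keep listeners reachable when the SYN backlog fills (SYN flood).
{ name: 'net.ipv4.tcp_syncookies', value: 1 },
{ name: 'net.ipv4.tcp_max_syn_backlog', value: 65535 },
# Per-socket buffers "min default max"; the max matches net.core.*mem_max below,
# which is the ceiling an application can request with setsockopt.
{ name: 'net.ipv4.tcp_rmem', value: '4096 87380 16777216' },
{ name: 'net.ipv4.tcp_wmem', value: '4096 65536 16777216' },
# Accept-queue ceiling; the backlog an application passes to listen() is capped here.
{ name: 'net.core.somaxconn', value: 65535 },
{ name: 'net.core.rmem_max', value: 16777216 },
{ name: 'net.core.wmem_max', value: 16777216 },
{ name: 'net.core.netdev_max_backlog', value: 16384 },
{ name: 'net.ipv4.tcp_sack', value: 1 }
# net.ipv4.tcp_fack was removed from the kernel in 4.15. On Amazon Linux 2023
# (6.x kernel) /proc/sys/net/ipv4/tcp_fack does not exist, so the sysctl task
# fails on this entry; it is dropped for that reason (tcp_sack above remains).
# { name: 'net.ipv4.tcp_fack', value: 1 }
]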