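#!/usr/bin/env bash
# tcp-connection-check.sh
#
# One-shot TCP diagnostics: socket summary, per-state distribution, listen /
# SYN queue pressure, and connection counts on local :80 / :443.
# Read-only and safe to re-run. Note: dmesg is unreadable by unprivileged
# users when kernel.dmesg_restrict=1; that branch degrades to "no log found".
#
# Fixes vs. the previous version:
#   * `echo"..."` (no space) is "command not found" -- every message was lost.
#   * The overflow check tested the exit status of `tail`, which is always 0,
#     so "检测到TCP连接丢弃!" was printed unconditionally.
#   * Header lines of `ss` were counted as states / connections.
#   * Listen-queue overflows are never written to dmesg; they are counted in
#     /proc/net/netstat (TcpExt ListenOverflows/ListenDrops), now printed.
# No `set -e`: a missing tool should not abort a diagnostic run.
set -uo pipefail

# Print the cumulative (since boot) TcpExt counters that record SYN/accept
# queue pressure. /proc/net/netstat has a header line naming the columns
# followed by a value line; match the two by position.
listen_queue_counters() {
  awk '
    /^TcpExt:/ {
      if (!seen) { for (i = 1; i <= NF; i++) name[i] = $i; seen = 1; next }
      for (i = 1; i <= NF; i++)
        if (name[i] == "ListenOverflows" || name[i] == "ListenDrops" ||
            name[i] == "TCPReqQFullDrop" || name[i] == "TCPReqQFullDoCookies")
          printf "  %s: %s\n", name[i], $i
    }' /proc/net/netstat 2>/dev/null
}

echo "=== TCP连接状态诊断 $(date) ==="

# 1. Summary lines from `ss -s`.
echo "1. 📊 当前TCP连接统计:"
ss -s | head -3

# 2. Per-state distribution; NR>1 skips the "State" header so it is not counted.
echo -e "\n2. 🔍 TCP连接状态分布:"
ss -tan | awk 'NR > 1 {print $1}' | sort | uniq -c | sort -nr

# 3. Queue-related states. `ss` spells them ESTAB / SYN-RECV / TIME-WAIT
# (netstat used ESTABLISHED / SYN_RECV / TIME_WAIT). SYN-RECV sockets
# approximate SYN-queue occupancy; the accept queue is the Recv-Q of each
# LISTEN socket, with Send-Q showing its configured backlog limit.
echo -e "\n3. 📈 连接队列监控:"
ss -tan | awk '
  NR > 1 && $1 == "ESTAB"     { established++ }
  NR > 1 && $1 == "SYN-RECV"  { syn_recv++ }
  NR > 1 && $1 == "TIME-WAIT" { time_wait++ }
  END {
    printf "ESTABLISHED: %d, SYN_RECV: %d, TIME_WAIT: %d\n",
      established + 0, syn_recv + 0, time_wait + 0
  }'
echo "监听套接字 accept 队列 (Recv-Q 当前 / Send-Q 上限):"
ss -ltn | awk 'NR > 1 {printf "  %s  %s/%s\n", $4, $2, $3}'

# 4. Overflow check: test the captured text, not the exit status of a pipeline
# that ends in `tail`. Then print the kernel counters, which are authoritative.
echo -e "\n4. ⚠️ 连接溢出检查:"
drop_lines=$(dmesg 2>/dev/null | grep -i "drop" | grep -i "tcp" | tail -3)
if [[ -n "$drop_lines" ]]; then
  printf '%s\n' "$drop_lines"
  echo "检测到TCP连接丢弃!"
else
  echo "未发现明显的连接丢弃日志"
fi
echo "监听队列溢出计数 (自启动累计):"
listen_queue_counters

# 5. Connections whose local side is :80 / :443. `tail -n +2` drops the header
# line that the previous version counted as a connection.
echo -e "\n5. 🔢 本地端口使用情况:"
ss -tn src :80  | tail -n +2 | wc -l | awk '{print "HTTP连接数: "$1}'
ss -tn src :443 | tail -n +2 | wc -l | awk '{print "HTTPS连接数: "$1}'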
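#!/usr/bin/env bash
# tcp-realtime-monitor.sh
#
# Redraws a TCP connection snapshot every INTERVAL seconds for DURATION
# seconds. Read-only. Both values may be overridden from the environment:
#   INTERVAL=5 DURATION=120 ./tcp-realtime-monitor.sh
#
# Fixes vs. the previous version:
#   * `echo"..."` (no space) is "command not found".
#   * `ss -s` prints lowercase "estab"; matching /ESTAB/ never hit, so the
#     ESTABLISHED figure was always empty.
#   * "Accept队列" was the SYN-RECV count a second time; it is now the Recv-Q
#     sum over LISTEN sockets (established, not yet accept()ed).
#   * Header lines were counted as connections.
set -uo pipefail

INTERVAL=${INTERVAL:-2}
DURATION=${DURATION:-30}

# Print "<total> <established>" parsed from the `ss -s` line
#   "TCP:   1234 (estab 56, closed 900, orphaned 0, timewait 800)"
tcp_summary() {
  ss -s | awk -F '[ ,()]+' '/^TCP:/ {
    for (i = 1; i < NF; i++) if ($i == "estab") estab = $(i + 1)
    print $2, estab + 0
  }'
}

echo "开始TCP连接实时监控,间隔 ${INTERVAL}s,持续 ${DURATION}s..."
end=$((SECONDS + DURATION))
while (( SECONDS < end )); do
  clear
  echo "=== TCP连接实时监控 $(date) ==="

  total='' established=''
  read -r total established < <(tcp_summary)
  echo "连接总数: ${total:-?}, ESTABLISHED: ${established:-?}"

  echo "状态分布:"
  ss -tan | awk 'NR > 1 {print $1}' | sort | uniq -c | sort -nr | head -5

  # SYN queue: sockets still in SYN-RECV (handshake incomplete).
  # Accept queue: Recv-Q summed over LISTEN sockets.
  syn_queue=$(ss -tn state syn-recv | tail -n +2 | wc -l)
  accept_queue=$(ss -ltn | awk 'NR > 1 {s += $2} END {print s + 0}')
  echo "SYN队列: $syn_queue, Accept队列: $accept_queue"

  echo "端口使用 - HTTP: $(ss -tn src :80 | tail -n +2 | wc -l), HTTPS: $(ss -tn src :443 | tail -n +2 | wc -l)"
  sleep "$INTERVAL"
done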
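#!/usr/bin/env bash
# tcp-kernel-optimization.sh
#
# Installs TCP tuning sysctls for high connection concurrency.
#
# Changes vs. appending to /etc/sysctl.conf on every run:
#   * Settings live in one drop-in, /etc/sysctl.d/99-tcp-concurrency.conf,
#     written with `>`; re-running no longer accumulates duplicate keys (where
#     the last duplicate silently wins and the file becomes unreviewable).
#   * `sysctl -e` skips keys the running kernel does not have -- tcp_tw_recycle
#     was removed in Linux 4.12 and net.netfilter.* is absent until
#     nf_conntrack is loaded -- instead of aborting the load part-way.
#   * Refuses to run without root; keeps dated backups.
#   * `echo"..."` (no space) is "command not found"; fixed.
set -euo pipefail

readonly DROPIN=/etc/sysctl.d/99-tcp-concurrency.conf

echo "=== TCP内核参数优化配置 ==="

if [[ $EUID -ne 0 ]]; then
  echo "需要 root 权限运行" >&2
  exit 1
fi

# Back up whatever was in place before: the drop-in, and /etc/sysctl.conf as
# the earlier version did (if it exists).
stamp=$(date +%Y%m%d)
[[ -f "$DROPIN" ]] && cp -- "$DROPIN" "$DROPIN.backup.$stamp"
[[ -f /etc/sysctl.conf ]] && cp -- /etc/sysctl.conf "/etc/sysctl.conf.backup.$stamp"

echo "应用TCP并发优化参数..."

cat > "$DROPIN" << 'EOF'
# ==================== TCP并发优化配置 ====================
# Managed by tcp-kernel-optimization.sh -- edit the script, not this file.

# --- Listen / SYN queues ---
# somaxconn caps every listen(backlog), including nginx `listen ... backlog=`.
net.core.somaxconn = 32768
net.ipv4.tcp_max_syn_backlog = 32768
net.core.netdev_max_backlog = 30000

# --- Connection establishment ---
# SYN cookies stay on: under SYN flood the host keeps accepting once the SYN
# queue is full (cookie-mode connections lose some TCP options).
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
# 0 = when the accept queue is full, drop the final ACK and let the client
# retransmit; 1 = send RST (fail fast, shows up as resets at the client).
net.ipv4.tcp_abort_on_overflow = 0

# --- TIME-WAIT ---
# tw_reuse affects outbound connects only and needs tcp_timestamps=1 (below).
net.ipv4.tcp_tw_reuse = 1
# tcp_tw_recycle breaks clients behind NAT and no longer exists in
# Linux >= 4.12; `sysctl -e` ignores it there.
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_max_tw_buckets = 2000000

# --- Socket buffers ---
# TCP autotunes within tcp_rmem/tcp_wmem; rmem_max/wmem_max only cap explicit
# setsockopt(SO_RCVBUF/SO_SNDBUF). rmem_default/wmem_default are the initial
# size for NON-TCP sockets (UDP, raw, netlink). 16 MiB per socket is very
# large: many such sockets, including ones opened by unprivileged local users,
# can pin a lot of kernel memory. Review these two before deploying.
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# Units are pages, not bytes: low/pressure/high = 3 GiB / 4 GiB / 6 GiB with
# 4 KiB pages.
net.ipv4.tcp_mem = 786432 1048576 1572864

# --- Congestion control ---
net.ipv4.tcp_congestion_control = cubic

# --- Keepalive (seconds) ---
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5

# --- Timestamps / window scaling (needed for tw_reuse and large windows) ---
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_window_scaling = 1

# --- TCP Fast Open ---
# 3 = client (1) + server (2). Server-side TFO hands request bytes to the
# application before the handshake completes; only listeners that set
# TCP_FASTOPEN use it, and they must tolerate replayed SYN data. Use 1 if no
# local service needs server-side TFO.
net.ipv4.tcp_fastopen = 3

# --- Connection tracking (applied only if nf_conntrack is loaded) ---
# Each entry costs a few hundred bytes of kernel memory. Consider raising
# net.netfilter.nf_conntrack_buckets (or the module's hashsize) alongside
# nf_conntrack_max so lookups stay short.
net.netfilter.nf_conntrack_max = 524288
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
EOF

# -e: warn about unknown keys instead of failing the whole load.
sysctl -e -p "$DROPIN"
echo "TCP内核参数优化完成!"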
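#!/usr/bin/env bash
# tcp-parameter-verification.sh
#
# Prints the effective values of the tuned sysctls plus live queue and
# overflow counters, to verify tuning after `sysctl -p`. Read-only.
#
# Fixes vs. the previous version:
#   * `echo"..."` (no space) is "command not found".
#   * net.netfilter.* keys error out when nf_conntrack is not loaded; they now
#     print "N/A" instead.
#   * "Accept队列" printed the SYN-RECV count again; it is now the Recv-Q sum
#     over LISTEN sockets.
#   * The "连接丢弃统计" section only said the TcpExt table exists; it now
#     prints the listen-queue overflow counters from it.
set -uo pipefail

# Print a sysctl value, or "N/A" when the key does not exist on this kernel.
sysctl_or_na() {
  sysctl -n -- "$1" 2>/dev/null || echo "N/A"
}

# Cumulative TcpExt counters for SYN/accept queue pressure. /proc/net/netstat
# pairs a header line of column names with a value line; match by position.
listen_queue_counters() {
  awk '
    /^TcpExt:/ {
      if (!seen) { for (i = 1; i <= NF; i++) name[i] = $i; seen = 1; next }
      for (i = 1; i <= NF; i++)
        if (name[i] == "ListenOverflows" || name[i] == "ListenDrops" ||
            name[i] == "TCPReqQFullDrop" || name[i] == "TCPReqQFullDoCookies")
          printf "  %s: %s\n", name[i], $i
    }' /proc/net/netstat 2>/dev/null
}

echo "=== TCP参数验证与监控 ==="

echo "当前TCP参数值:"
echo "1. somaxconn: $(sysctl_or_na net.core.somaxconn)"
echo "2. tcp_max_syn_backlog: $(sysctl_or_na net.ipv4.tcp_max_syn_backlog)"
echo "3. netdev_max_backlog: $(sysctl_or_na net.core.netdev_max_backlog)"
echo "4. tcp_max_tw_buckets: $(sysctl_or_na net.ipv4.tcp_max_tw_buckets)"
echo "5. nf_conntrack_max: $(sysctl_or_na net.netfilter.nf_conntrack_max)"

# Conntrack fill level. When count reaches max, new flows are dropped and the
# kernel logs "nf_conntrack: table full, dropping packet".
if sysctl -n net.netfilter.nf_conntrack_max >/dev/null 2>&1; then
  current=$(cat /proc/sys/net/netfilter/nf_conntrack_count 2>/dev/null || echo "N/A")
  max=$(sysctl -n net.netfilter.nf_conntrack_max)
  echo "连接跟踪表使用: $current/$max"
fi

echo "本地端口范围: $(sysctl_or_na net.ipv4.ip_local_port_range)"

# SYN queue = sockets in SYN-RECV. Accept queue = Recv-Q of LISTEN sockets
# (connections completed but not yet accept()ed by the application).
echo -e "\n队列监控:"
echo "SYN队列: $(ss -tn state syn-recv | tail -n +2 | wc -l)"
echo "Accept队列: $(ss -ltn | awk 'NR > 1 {s += $2} END {print s + 0}')"

echo -e "\n连接丢弃统计:"
if [[ -r /proc/net/netstat ]]; then
  listen_queue_counters
else
  echo "/proc/net/netstat 不可读"
fi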
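# nginx-tcp-optimization.conf
#
# Main-context nginx tuning for high connection concurrency (events/http are
# main-context blocks, so this stands in for nginx.conf).
#
# Fixes vs. the previous version:
#   * Directive names had their separating space stripped
#     (`worker_rlimit_nofile100000;`), which nginx rejects as unknown directives.
#   * The `server` block sat outside `http`, which is a syntax error.
#   * Each port had two `listen` lines (backlog/reuseport and fastopen);
#     nginx refuses duplicate listen addresses. The options are merged.
#   * `listen ... ssl` without a certificate prevents startup; see the server block.

# --- Worker processes ---
worker_processes auto;
worker_cpu_affinity auto;
# Per-worker fd ceiling; nginx raises RLIMIT_NOFILE itself when started as root.
# Must exceed worker_connections plus upstream/file descriptors.
worker_rlimit_nofile 100000;

events {
    worker_connections 50000;
    use epoll;
    multi_accept on;
    # With `reuseport` the kernel distributes accepts across workers, so the
    # accept mutex only adds latency.
    accept_mutex off;
}

http {
    # Do not advertise the exact nginx version in headers and error pages.
    server_tokens off;

    # --- Keep-alive ---
    keepalive_timeout 30;
    keepalive_requests 1000;

    # --- Request buffers ---
    client_header_buffer_size 4k;
    large_client_header_buffers 4 16k;
    # 100 MiB uploads allowed everywhere; lower per-location where uploads are
    # not expected so a client cannot tie up buffering on every endpoint.
    client_max_body_size 100m;
    client_body_buffer_size 128k;
    # Short header/body/send timeouts bound how long a slow (slowloris-style)
    # client can hold one of the 50000 worker connections.
    client_body_timeout 12;
    client_header_timeout 12;
    send_timeout 10;

    # --- TCP behaviour ---
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # --- Output buffering ---
    output_buffers 4 32k;
    postpone_output 1460;

    # --- Per-client connection cap ---
    # Keyed on the peer address. Behind a load balancer or reverse proxy every
    # client arrives from the proxy's address and would share this one cap;
    # configure the realip module (set_real_ip_from / real_ip_header) there so
    # $binary_remote_addr is the real client again.
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_conn addr 100;

    server {
        # backlog= is clamped by net.core.somaxconn. fastopen= needs
        # net.ipv4.tcp_fastopen with the server bit (2) set.
        listen 80 backlog=32768 reuseport fastopen=256;
        # The `http2` listen parameter is deprecated since nginx 1.25.1 in
        # favour of `http2 on;` but still works and is portable to older builds.
        listen 443 ssl http2 backlog=32768 reuseport fastopen=256;

        # Required for `listen ... ssl`; nginx will not start without them.
        # ssl_certificate     /etc/nginx/tls/fullchain.pem;
        # ssl_certificate_key /etc/nginx/tls/privkey.pem;
    }
}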
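#!/usr/bin/env bash
# system-limits-optimization.sh
#
# Raises per-process (pam_limits) and kernel-wide file/process limits for
# high connection concurrency.
#
# Changes vs. appending to limits.conf / sysctl.conf on every run:
#   * Settings go to drop-in files written with `>` -- idempotent, no
#     duplicated entries on re-run.
#   * `* soft/hard memlock unlimited` is deliberately NOT applied: it lets any
#     local user mlock() all of RAM (a trivial denial of service). Grant
#     memlock only to the service account that needs it (commented example).
#   * Root-only. pam_limits applies to PAM login sessions; systemd services
#     take their limits from LimitNOFILE= / LimitNPROC= in the unit file.
#   * `echo"..."` (no space) is "command not found"; fixed.
set -euo pipefail

readonly LIMITS_DROPIN=/etc/security/limits.d/99-high-concurrency.conf
readonly SYSCTL_DROPIN=/etc/sysctl.d/99-system-limits.conf

echo "=== 系统限制优化 ==="

if [[ $EUID -ne 0 ]]; then
  echo "需要 root 权限运行" >&2
  exit 1
fi

stamp=$(date +%Y%m%d)
[[ -f /etc/security/limits.conf ]] && cp -- /etc/security/limits.conf "/etc/security/limits.conf.backup.$stamp"
[[ -f "$LIMITS_DROPIN" ]] && cp -- "$LIMITS_DROPIN" "$LIMITS_DROPIN.backup.$stamp"

echo "优化文件描述符限制..."
cat > "$LIMITS_DROPIN" << 'EOF'
# 高并发连接优化 -- managed by system-limits-optimization.sh
# '*' does not match root in pam_limits, hence the explicit root lines.
* soft nofile 100000
* hard nofile 100000
* soft nproc 65535
* hard nproc 65535
root soft nofile 100000
root hard nofile 100000
# memlock: grant only to the specific account that needs it (e.g. a
# DPDK/RDMA or database service), never to '*'. Example:
# svcuser soft memlock unlimited
# svcuser hard memlock unlimited
EOF

# Kernel-wide ceilings the per-process limits above must fit under.
cat > "$SYSCTL_DROPIN" << 'EOF'
# managed by system-limits-optimization.sh
fs.file-max = 1000000
kernel.pid_max = 4194303
kernel.threads-max = 4194303
EOF

# -e: warn about unknown keys instead of failing the whole load.
sysctl -e -p "$SYSCTL_DROPIN"
echo "系统限制优化完成!"
echo "提示: nofile/nproc 限制在新的登录会话生效; systemd 服务请在单元文件中设置 LimitNOFILE="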
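#!/usr/bin/env bash
# network-interface-optimization.sh
#
# Best-effort NIC tuning for the default-route interface: ring sizes, GRO,
# interrupt coalescing, irqbalance, and RPS/RFS packet steering.
# ethtool and sysfs changes are not persistent (lost on reboot or driver
# reload); persist the ones that help via your network manager or a udev rule.
#
# Fixes vs. the previous version:
#   * `echo"..."` / `ifcommand` (no space) are "command not found".
#   * rps_cpus was hard-coded to "f" (CPUs 0-3) whatever the CPU count; the
#     mask is now derived from nproc.
#   * RFS needs net.core.rps_sock_flow_entries as well as per-queue
#     rps_flow_cnt; only the latter was set, leaving RFS inactive.
#   * LRO is no longer switched on (see comment at the ethtool -K call).
set -uo pipefail

# Build an rps_cpus bitmask covering CPUs 0..n-1 in the sysfs format:
# comma-separated 32-bit hex words, most significant word first.
# Usage: cpu_mask N   ->  e.g. 4 -> "f", 32 -> "ffffffff", 40 -> "ff,ffffffff"
cpu_mask() {
  local n=$1 mask="" full rem i
  full=$(( n / 32 ))
  rem=$(( n % 32 ))
  if (( rem > 0 )); then
    mask=$(printf '%x' $(( (1 << rem) - 1 )))
  fi
  for (( i = 0; i < full; i++ )); do
    mask="${mask}${mask:+,}ffffffff"
  done
  printf '%s\n' "$mask"
}

main() {
  echo "=== 网络接口优化 ==="

  if [[ $EUID -ne 0 ]]; then
    echo "需要 root 权限运行" >&2
    exit 1
  fi

  local iface
  iface=$(ip route | awk '/^default/ {print $5; exit}')
  if [[ -z "$iface" ]]; then
    echo "未找到默认网络接口"
    exit 1
  fi
  echo "优化网络接口: $iface"

  # Ring sizes are capped by the driver (`ethtool -g`); failure is normal on
  # virtual NICs, hence best-effort.
  ethtool -G "$iface" rx 4096 tx 4096 2>/dev/null || echo "无法调整队列长度"
  # GRO is safe everywhere. LRO is deliberately left alone: it rewrites
  # packets, is incompatible with forwarding/bridging (the kernel turns it off
  # when IP forwarding is enabled) and with some tunnels. Enable it by hand on
  # a pure end host only after testing.
  ethtool -K "$iface" gro on 2>/dev/null || echo "无法调整GRO"
  ethtool -C "$iface" rx-usecs 8 2>/dev/null || echo "无法调整中断合并"

  echo "优化中断亲和性..."
  if command -v irqbalance &>/dev/null; then
    systemctl enable --now irqbalance
  else
    echo "安装irqbalance: apt install irqbalance"
  fi

  echo "设置RPS/RFS..."
  local ncpu mask queue
  ncpu=$(nproc)
  mask=$(cpu_mask "$ncpu")
  if [[ -d /sys/class/net/$iface/queues ]]; then
    # Global flow table required for RFS.
    echo 32768 > /proc/sys/net/core/rps_sock_flow_entries 2>/dev/null \
      || echo "无法设置 rps_sock_flow_entries"
    for queue in /sys/class/net/"$iface"/queues/rx-*; do
      [[ -d "$queue" ]] || continue
      echo "$mask" > "$queue/rps_cpus" 2>/dev/null
      echo 32768 > "$queue/rps_flow_cnt" 2>/dev/null
    done
  fi
  echo "网络接口优化完成!"
}

main "$@"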
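#!/usr/bin/env bash
# firewall-optimization.sh
#
# Exempts port-80 traffic from connection tracking (NOTRACK) so a busy web
# server does not fill nf_conntrack or pay the per-packet lookup.
#
# READ BEFORE USING -- NOTRACK changes what the rest of the firewall sees:
#   * Untracked packets never match `ct state established,related`
#     (`-m conntrack --ctstate ...`). If INPUT/OUTPUT allow traffic by state,
#     add explicit `tcp dport 80` / `tcp sport 80` ACCEPT rules or port-80
#     traffic will be dropped.
#   * NAT (DNAT/SNAT/masquerade, port redirects) and any stateful matching or
#     rate limiting cannot apply to untracked flows.
#   * There is no longer any state check for :80 -- every TCP segment to or
#     from the port reaches the stack, not just segments of completed
#     handshakes. Acceptable for a public web port, not for much else.
#
# Fixes vs. the previous version:
#   * `echo"..."` / `ifcommand` / `elifcommand` (no space) are "command not found".
#   * Rules were appended on every run; each is now added only if absent.
#   * In the nft branch `ct state untracked` is a *match*, not an action -- the
#     rules did nothing. The action is `notrack`. Table family is now explicit
#     and the OUTPUT-side rule the iptables branch had is added too.
set -uo pipefail

echo "=== 防火墙连接跟踪优化 ==="

if [[ $EUID -ne 0 ]]; then
  echo "需要 root 权限运行" >&2
  exit 1
fi

# Append an iptables rule unless an identical one already exists.
# Usage: ipt_add_once TABLE CHAIN RULE...
ipt_add_once() {
  local table=$1 chain=$2
  shift 2
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
    || iptables -t "$table" -A "$chain" "$@"
}

# Append an nft rule to ip raw CHAIN unless its text already appears there.
# Usage: nft_add_once CHAIN 'RULE TEXT'
nft_add_once() {
  local chain=$1 rule=$2
  # shellcheck disable=SC2086 -- the rule text is intentionally word-split into nft tokens
  nft list chain ip raw "$chain" 2>/dev/null | grep -qF -- "$rule" \
    || nft add rule ip raw "$chain" $rule
}

# Note: on many distributions `iptables` is the iptables-nft shim, so this
# branch is taken even on nftables hosts. That is fine -- the shim translates
# NOTRACK into nft raw-table rules -- but it means the nft branch below is
# reached only where iptables is absent entirely.
if command -v iptables &>/dev/null; then
  echo "优化iptables连接跟踪..."
  ipt_add_once raw PREROUTING -p tcp --dport 80 -j NOTRACK
  ipt_add_once raw PREROUTING -p tcp --sport 80 -j NOTRACK
  ipt_add_once raw OUTPUT     -p tcp --sport 80 -j NOTRACK
  echo "连接跟踪表大小: $(sysctl -n net.netfilter.nf_conntrack_max 2>/dev/null || echo N/A)"
elif command -v nft &>/dev/null; then
  echo "优化nftables配置..."
  # Priority -300 is the raw hook position, ahead of conntrack (-200).
  nft list table ip raw &>/dev/null || nft add table ip raw
  nft list chain ip raw prerouting &>/dev/null \
    || nft add chain ip raw prerouting '{ type filter hook prerouting priority -300; }'
  nft list chain ip raw output &>/dev/null \
    || nft add chain ip raw output '{ type filter hook output priority -300; }'
  nft_add_once prerouting 'tcp dport 80 notrack'
  nft_add_once prerouting 'tcp sport 80 notrack'
  nft_add_once output     'tcp sport 80 notrack'
else
  echo "未发现iptables或nftables"
fi
echo "防火墙优化完成!"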
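#!/usr/bin/env bash
# tcp-load-test.sh -- HTTP concurrency load test with wrk and siege.
#
# Usage: tcp-load-test.sh [TARGET_URL] [CONCURRENT] [DURATION]
#   TARGET_URL  default http://localhost
#   CONCURRENT  concurrent connections, default 1000
#   DURATION    wrk/siege run time, default 30s
#
# Only aim this at hosts you own or are explicitly authorised to load test:
# 1000 concurrent connections are indistinguishable from a DoS attempt to a
# third party. For a non-loopback target the script asks for confirmation on
# a terminal, or requires I_OWN_THIS_TARGET=1 when run non-interactively.
#
# Fixes vs. the previous version:
#   * `echo"..."` (no space) is "command not found".
#   * The "测试前" snapshot was taken AFTER both tools had finished (wrk and
#     siege block until done), then the script slept DURATION once more for
#     nothing. Baseline is now captured before load, and the sleep is gone.
#   * Package installation ran unconditionally, even without root.
#   * Unquoted expansions.
set -uo pipefail

TARGET_URL=${1:-"http://localhost"}
CONCURRENT=${2:-1000}
DURATION=${3:-"30s"}

# Ensure a tool is present, installing it as root if possible.
# Returns non-zero when the tool is unavailable so its test can be skipped.
install_pkg() {
  local pkg=$1
  command -v "$pkg" &>/dev/null && return 0
  if [[ $EUID -ne 0 ]]; then
    echo "缺少 $pkg, 请以 root 运行以自动安装或手动安装" >&2
    return 1
  fi
  echo "安装${pkg}压力测试工具..."
  if command -v apt-get &>/dev/null; then
    apt-get update && apt-get install -y "$pkg"
  elif command -v yum &>/dev/null; then
    yum install -y "$pkg"
  else
    echo "无法自动安装 $pkg" >&2
    return 1
  fi
}

# Total TCP sockets from `ss -s` ("TCP:   N (estab ...").
tcp_total() {
  ss -s | awk '/^TCP:/ {print $2}'
}

echo "=== TCP并发压力测试 ==="

# Authorisation guard for non-loopback targets.
host=${TARGET_URL#*://}
host=${host%%/*}
if [[ "$host" != localhost* && "$host" != 127.* && "$host" != \[::1\]* ]]; then
  if [[ "${I_OWN_THIS_TARGET:-0}" != 1 ]]; then
    if [[ -t 0 ]]; then
      read -r -p "目标 $TARGET_URL 不是本机, 确认已获授权进行压测? [y/N] " answer
      [[ "$answer" == [Yy]* ]] || { echo "已取消"; exit 1; }
    else
      echo "拒绝对非本机目标压测: $TARGET_URL (确认授权后设置 I_OWN_THIS_TARGET=1)" >&2
      exit 1
    fi
  fi
fi

have_wrk=0
have_siege=0
install_pkg wrk && have_wrk=1
install_pkg siege && have_siege=1
if (( !have_wrk && !have_siege )); then
  echo "没有可用的压测工具" >&2
  exit 1
fi

echo "开始压力测试: $TARGET_URL"
echo "并发数: $CONCURRENT, 持续时间: $DURATION"

# Baseline before any load is generated.
echo -e "\n1. 📈 测试前状态:"
echo "测试前连接数: $(tcp_total)"
echo "测试前负载: $(cat /proc/loadavg)"

if (( have_wrk )); then
  echo -e "\n2. 📊 WRK压力测试:"
  # wrk requires threads <= connections; nproc is far below 1000 in practice.
  wrk -t"$(nproc)" -c"$CONCURRENT" -d"$DURATION" --timeout 10s "$TARGET_URL"
fi

if (( have_siege )); then
  echo -e "\n3. 🚀 Siege压力测试:"
  siege -c"$CONCURRENT" -t"$DURATION" -b "$TARGET_URL"
fi

# Both tools block until their run ends, so this is the post-load state.
echo -e "\n4. 📊 测试后状态:"
echo "测试后连接数: $(tcp_total)"
echo "测试后负载: $(cat /proc/loadavg)"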
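#!/usr/bin/env bash
# tcp-performance-monitor.sh
#
# Samples TCP connection counts and host load every INTERVAL seconds, appends
# a CSV row to LOG_FILE and shows a one-line live status. Runs until Ctrl-C.
# LOG_FILE is truncated at start and grows without bound -- add it to
# logrotate if this is left running.
#
# Fixes vs. the previous version:
#   * `echo"..."` / `printf"..."` / `whiletrue` (no space) are "command not
#     found"; the printf arguments were also concatenated into one word.
#   * `ss -s` prints lowercase "estab"; matching /ESTAB/ never hit, so the
#     ESTABLISHED column was always empty.
#   * When /var/log is not writable every row was silently lost; the log now
#     falls back to a mktemp file and says where it went.
#   * CPU usage came from `top -bn1` field 8, whose position depends on top
#     version and locale; it is now computed from /proc/stat deltas.
set -uo pipefail

INTERVAL=${INTERVAL:-1}
LOG_FILE=${LOG_FILE:-/var/log/tcp_performance.log}
readonly CSV_HEADER="时间,连接数,ESTABLISHED,SYN_RECV,TIME_WAIT,负载,内存使用,CPU使用"

# Print "<total> <established>" from the `ss -s` line
#   "TCP:   1234 (estab 56, closed 900, orphaned 0, timewait 800)"
tcp_summary() {
  ss -s | awk -F '[ ,()]+' '/^TCP:/ {
    for (i = 1; i < NF; i++) if ($i == "estab") estab = $(i + 1)
    print $2, estab + 0
  }'
}

# CPU busy percentage since the previous call, from the aggregate "cpu" line
# of /proc/stat. The first sample is the average since boot.
# Globals: prev_total / prev_idle carry state between calls.
prev_total=0
prev_idle=0
cpu_usage() {
  local cpu user nice system idle iowait irq softirq steal rest
  read -r cpu user nice system idle iowait irq softirq steal rest < /proc/stat
  local total=$(( user + nice + system + idle + iowait + irq + softirq + steal ))
  local idle_all=$(( idle + iowait ))
  local dt=$(( total - prev_total )) di=$(( idle_all - prev_idle ))
  prev_total=$total
  prev_idle=$idle_all
  if (( dt <= 0 )); then
    printf '0.0\n'
  else
    awk -v dt="$dt" -v di="$di" 'BEGIN { printf "%.1f\n", 100 * (dt - di) / dt }'
  fi
}

# Write the CSV header; fall back to a private temp file if LOG_FILE is not
# writable (e.g. running unprivileged against /var/log).
if ! echo "$CSV_HEADER" > "$LOG_FILE" 2>/dev/null; then
  LOG_FILE=$(mktemp "${TMPDIR:-/tmp}/tcp_performance.XXXXXX") || exit 1
  echo "$CSV_HEADER" > "$LOG_FILE"
fi

echo "开始TCP性能监控,间隔 ${INTERVAL}s..."
echo "日志文件: $LOG_FILE"
# Leave the cursor on a fresh line when interrupted.
trap 'printf "\n"; exit 0' INT TERM

while true; do
  timestamp=$(date +"%Y-%m-%d %H:%M:%S")

  conn_total='' conn_estab=''
  read -r conn_total conn_estab < <(tcp_summary)
  conn_syn=$(ss -tn state syn-recv | tail -n +2 | wc -l)
  conn_timewait=$(ss -tn state time-wait | tail -n +2 | wc -l)

  load=$(awk '{print $1}' /proc/loadavg)
  mem_usage=$(free | awk '/^Mem:/ {printf "%.1f", $3/$2*100}')
  cpu=$(cpu_usage)

  echo "$timestamp,$conn_total,$conn_estab,$conn_syn,$conn_timewait,$load,$mem_usage,$cpu" >> "$LOG_FILE"

  printf '\r时间: %s | 连接: %s | ESTAB: %s | SYN: %s | TIME_WAIT: %s | 负载: %s | 内存: %s%% | CPU: %s%%' \
    "$timestamp" "$conn_total" "$conn_estab" "$conn_syn" "$conn_timewait" "$load" "$mem_usage" "$cpu"
  sleep "$INTERVAL"
done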
#!/bin/bash
# tcp-troubleshooting.sh
echo"=== TCP连接故障排查 ==="
# 1. 检查连接溢出
echo"1. 🔍 检查连接溢出:"
if dmesg | grep -i "drop" | grep -i "tcp" | tail -5; then
echo"发现TCP连接丢弃!"
else
echo"未发现连接丢弃"
fi
# 2. 检查端口耗尽
echo -e "\n2. 🔢 检查端口耗尽:"
port_usage=$(ss -tn | wc -l)
port_max=$(sysctl -n net.ipv4.ip_local_port_range | awk '{print $2-$1}')
echo"已用端口: $port_usage, 可用端口范围: $port