

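#!/bin/bash
# check-tcp-limits.sh
#
# Read-only diagnosis of everything that caps the number of TCP connections a
# Linux host can hold: file-descriptor limits (system-wide and per-user),
# kernel backlog / TIME-WAIT / port-range parameters, socket memory, conntrack,
# live socket counts, ephemeral-port usage and load. Changes nothing on the
# host. Unprivileged runs work; any value that cannot be read is shown as "n/a".
#
# Usage: check-tcp-limits.sh
set -u

# Print the value of one sysctl key, or "n/a" when it is absent/unreadable.
# $1 - sysctl key (e.g. net.core.somaxconn)
sysctl_val() {
  local v
  v=$(sysctl -n -- "$1" 2>/dev/null) || v="n/a"
  printf '%s\n' "$v"
}

# Print the contents of a /proc file, or "n/a" when it is absent/unreadable.
# $1 - path under /proc
proc_val() {
  local v
  v=$(cat -- "$1" 2>/dev/null) || v="n/a"
  printf '%s\n' "$v"
}

# Count TCP sockets (v4+v6) matching one ss state filter, e.g. "established"
# or "time-wait". -H suppresses the header row so wc -l counts sockets only.
# $1 - ss state name
count_tcp_state() {
  ss -Htan state "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Percentage $1/$2 with two decimals. Prints "n/a" when $2 is not a positive
# number so an unreadable sysctl never becomes a division by zero.
# $1 - used, $2 - total
pct() {
  LC_ALL=C awk -v u="$1" -v t="$2" \
    'BEGIN { if (t + 0 > 0) printf "%.2f", u * 100 / t; else printf "n/a" }'
}

# Width of an ephemeral port range given as "low high" (the format of
# net.ipv4.ip_local_port_range); prints 0 when the value is not two fields.
# $1 - raw sysctl value
port_range_width() {
  awk '{ if (NF >= 2) print $2 - $1 + 1; else print 0 }' <<<"$1"
}

main() {
  echo "=== Linux TCP连接数限制诊断 $(date) ==="
  echo ""

  # 1. System-wide file-descriptor limits
  echo "1. 📊 系统级文件描述符限制:"
  echo " fs.file-max: $(proc_val /proc/sys/fs/file-max)"
  echo " file-nr: $(proc_val /proc/sys/fs/file-nr)"
  echo ""

  # 2. Per-user limits (soft limits of the shell running this script)
  echo "2. 👤 用户级限制:"
  echo " $(ulimit -n) (当前用户文件描述符限制)"
  echo " $(ulimit -u) (当前用户进程数限制)"
  echo ""

  # 3. Kernel TCP parameters
  echo "3. ⚙️ 内核TCP参数:"
  local key
  for key in net.ipv4.tcp_max_tw_buckets net.ipv4.ip_local_port_range \
             net.core.somaxconn net.ipv4.tcp_max_syn_backlog; do
    echo " ${key##*.}: $(sysctl_val "$key")"
  done
  echo ""

  # 4. Socket memory parameters
  echo "4. 💾 内存相关参数:"
  for key in net.ipv4.tcp_mem net.ipv4.tcp_rmem net.ipv4.tcp_wmem \
             net.core.rmem_max net.core.wmem_max; do
    echo " ${key##*.}: $(sysctl_val "$key")"
  done
  echo ""

  # 5. Connection tracking (the files only exist while nf_conntrack is loaded)
  echo "5. 🔍 连接跟踪:"
  if [[ -f /proc/sys/net/netfilter/nf_conntrack_max ]]; then
    echo " nf_conntrack_max: $(proc_val /proc/sys/net/netfilter/nf_conntrack_max)"
    echo " nf_conntrack_count: $(proc_val /proc/sys/net/netfilter/nf_conntrack_count)"
  else
    echo " 连接跟踪未启用"
  fi
  echo ""

  # 6. Live socket counts. States are counted with an explicit ss state filter
  # instead of pattern-matching the `ss -s` summary, whose wording and column
  # layout differ between iproute2 versions.
  echo "6. 📈 当前连接状态:"
  ss -s 2>/dev/null | head -3
  echo " ESTABLISHED: $(count_tcp_state established)"
  echo " TIME-WAIT: $(count_tcp_state time-wait)"
  echo ""

  # 7. Ephemeral-port usage. -H drops the header row that `ss -tn | wc -l`
  # counted as a connection. This counts every non-listening TCP socket, so it
  # may over-count local ephemeral ports (inbound connections use the
  # listening port, not an ephemeral one).
  echo "7. 🔢 端口使用统计:"
  local ports_used ports_range
  ports_used=$(ss -Htn 2>/dev/null | wc -l | tr -d ' ')
  ports_range=$(port_range_width "$(sysctl_val net.ipv4.ip_local_port_range)")
  echo " 已用端口: $ports_used"
  echo " 可用端口范围: $ports_range"
  echo " 使用率: $(pct "$ports_used" "$ports_range")%"
  echo ""

  # 8. Load and memory
  echo "8. 📊 系统负载:"
  echo " Load average: $(awk '{ print $1, $2, $3 }' /proc/loadavg 2>/dev/null)"
  echo " CPU cores: $(nproc 2>/dev/null)"
  echo " Memory: $(free -h 2>/dev/null | awk '/Mem:/ { print $3 "/" $2 }')"
}

main "$@"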
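#!/bin/bash
# realtime-tcp-monitor.sh
#
# Redraws a one-screen summary of TCP connection counts, ephemeral-port usage,
# file-descriptor usage and load every INTERVAL seconds for DURATION seconds.
# Read-only. Both knobs can be overridden from the environment:
#   INTERVAL=5 DURATION=60 realtime-tcp-monitor.sh
set -u

INTERVAL=${INTERVAL:-2}
DURATION=${DURATION:-300}
readonly INTERVAL DURATION

# Percentage $1/$2 with one decimal; "n/a" when $2 is not a positive number
# (avoids a division by zero when a sysctl or /proc value is unreadable).
pct1() {
  LC_ALL=C awk -v u="$1" -v t="$2" \
    'BEGIN { if (t + 0 > 0) printf "%.1f", u * 100 / t; else printf "n/a" }'
}

# Number of TCP sockets in one ss state filter (-H drops the header row).
# $1 - ss state name, e.g. established, time-wait
count_tcp_state() {
  ss -Htan state "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Draw one refresh of the monitor screen.
show_snapshot() {
  local total established time_wait
  local ports_used ports_range usage
  local file_nr file_max fd_usage
  local load cores

  clear
  echo "=== TCP连接实时监控 $(date) ==="

  # Totals and states. The per-state numbers come from explicit state filters
  # rather than from parsing the `ss -s` summary, whose text layout varies
  # between iproute2 versions.
  total=$(ss -s 2>/dev/null | awk '/^TCP:/ { print $2 }')
  established=$(count_tcp_state established)
  time_wait=$(count_tcp_state time-wait)
  echo "连接总数: $total, ESTABLISHED: $established, TIME-WAIT: $time_wait"

  # Ephemeral-port usage (-H so the header row is not counted as a socket).
  ports_used=$(ss -Htn 2>/dev/null | wc -l | tr -d ' ')
  ports_range=$(sysctl -n net.ipv4.ip_local_port_range 2>/dev/null \
    | awk '{ print $2 - $1 + 1 }')
  usage=$(pct1 "$ports_used" "${ports_range:-0}")
  echo "端口使用: $ports_used/$ports_range ($usage%)"

  # File-descriptor usage: the first field of file-nr is allocated handles.
  file_nr=$(awk '{ print $1 }' /proc/sys/fs/file-nr 2>/dev/null)
  file_max=$(cat /proc/sys/fs/file-max 2>/dev/null)
  fd_usage=$(pct1 "${file_nr:-0}" "${file_max:-0}")
  echo "文件描述符: $file_nr/$file_max ($fd_usage%)"

  # 1-minute load vs. core count; the float comparison is done in awk so the
  # script does not depend on bc being installed.
  load=$(awk '{ print $1 }' /proc/loadavg 2>/dev/null)
  cores=$(nproc 2>/dev/null)
  if LC_ALL=C awk -v l="${load:-0}" -v c="${cores:-0}" 'BEGIN { exit !(l + 0 > c + 0) }'; then
    printf '负载: %s \033[31m⚠️ 过高\033[0m\n' "$load"
  else
    printf '负载: %s \033[32m正常\033[0m\n' "$load"
  fi
}

main() {
  local end
  echo "开始TCP连接实时监控,间隔 ${INTERVAL}s..."
  end=$((SECONDS + DURATION))
  while (( SECONDS < end )); do
    show_snapshot
    sleep "$INTERVAL"
  done
}

main "$@"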
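#!/bin/bash
# optimize-file-descriptors.sh
#
# Raises the system-wide and per-user file-descriptor / process limits that
# cap TCP connection count. Edits /etc/sysctl.conf and
# /etc/security/limits.conf (after backing both up under /etc/backup/DATE)
# and reloads sysctl. Requires root. Re-running is safe: each sysctl key is
# replaced in place rather than appended again, and the limits.conf block is
# added only once.
#
# Note: limits.conf takes effect for sessions opened after this run (through
# pam_limits); the `ulimit -n` printed at the end is still the caller's
# current limit.
set -euo pipefail

readonly SYSCTL_CONF=/etc/sysctl.conf
readonly LIMITS_CONF=/etc/security/limits.conf
# First line of the limits.conf block below; used to detect a previous run.
readonly LIMITS_MARKER='# TCP连接数优化 - 文件描述符限制'

die() { printf '%s\n' "$*" >&2; exit 1; }

# Set KEY = VALUE in /etc/sysctl.conf, deleting any existing line for KEY so
# repeated runs do not accumulate duplicates.
# $1 - sysctl key, $2 - value
set_sysctl() {
  local key=$1 value=$2 escaped
  escaped=${key//./\\.}   # '.' is a regex metacharacter in the sed address
  sed -i "/^[[:space:]]*${escaped}[[:space:]]*=/d" "$SYSCTL_CONF"
  printf '%s = %s\n' "$key" "$value" >> "$SYSCTL_CONF"
}

main() {
  (( EUID == 0 )) || die "optimize-file-descriptors.sh must run as root"
  echo "=== 文件描述符限制优化 ==="

  # Back up the files about to be edited. sysctl.conf may not exist on every
  # distribution; create it so the edits and the backup have a target.
  local backup_dir f
  backup_dir="/etc/backup/$(date +%Y%m%d)"
  mkdir -p -- "$backup_dir"
  [[ -e "$SYSCTL_CONF" ]] || touch -- "$SYSCTL_CONF"
  for f in "$LIMITS_CONF" "$SYSCTL_CONF"; do
    [[ -e "$f" ]] && cp -- "$f" "$backup_dir"/
  done

  # 1. System-wide file-descriptor ceiling
  echo "1. 设置系统全局文件描述符限制..."
  set_sysctl fs.file-max 1000000

  # 2. Per-user limits via pam_limits. The block is written only when its
  # header line is not already present.
  echo "2. 优化用户级限制..."
  if ! grep -qF -- "$LIMITS_MARKER" "$LIMITS_CONF"; then
    cat >> "$LIMITS_CONF" << 'EOF'
# TCP连接数优化 - 文件描述符限制
* soft nofile 100000
* hard nofile 100000
root soft nofile 100000
root hard nofile 100000
# 进程数限制
* soft nproc 65535
* hard nproc 65535
# 内存锁定限制(可选)
* soft memlock unlimited
* hard memlock unlimited
EOF
  fi

  # 3. Process / thread ceilings
  echo "3. 调整系统进程限制..."
  set_sysctl kernel.pid_max 4194303
  set_sysctl kernel.threads-max 4194303

  # 4. Apply the whole file
  sysctl -p
  echo "文件描述符优化完成!"
  echo "新的限制:"
  echo "系统全局: $(cat /proc/sys/fs/file-max)"
  # This is the limit of the current shell; the new nofile value applies to
  # new login sessions.
  echo "用户限制: $(ulimit -n)"
}

main "$@"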
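#!/bin/bash
# optimize-port-range.sh
#
# Widens the local (ephemeral) port range and tunes TIME-WAIT handling by
# writing the keys into /etc/sysctl.conf and reloading it. Requires root.
# Re-running replaces each key instead of appending duplicates.
set -euo pipefail

readonly SYSCTL_CONF=/etc/sysctl.conf
# The usual maximum range is 1024-65535; ports below START_PORT are left
# for system services.
readonly START_PORT=10000
readonly END_PORT=65535
readonly PORT_COUNT=$((END_PORT - START_PORT + 1))

die() { printf '%s\n' "$*" >&2; exit 1; }

# Set KEY = VALUE in /etc/sysctl.conf, deleting any existing line for KEY so
# repeated runs do not accumulate duplicates.
# $1 - sysctl key, $2 - value
set_sysctl() {
  local key=$1 value=$2 escaped
  escaped=${key//./\\.}   # '.' is a regex metacharacter in the sed address
  sed -i "/^[[:space:]]*${escaped}[[:space:]]*=/d" "$SYSCTL_CONF"
  printf '%s = %s\n' "$key" "$value" >> "$SYSCTL_CONF"
}

main() {
  (( EUID == 0 )) || die "optimize-port-range.sh must run as root"
  echo "=== 本地端口范围优化 ==="
  [[ -e "$SYSCTL_CONF" ]] || touch -- "$SYSCTL_CONF"

  local current_range
  current_range=$(sysctl -n net.ipv4.ip_local_port_range)
  echo "当前端口范围: $current_range"
  echo "优化端口范围: $START_PORT-$END_PORT ($PORT_COUNT 个端口)"

  # The kernel expects "low high" separated by whitespace. The previous
  # version wrote "$START_PORT$END_PORT" (one fused number), which sysctl
  # rejects, so the range was never applied.
  set_sysctl net.ipv4.ip_local_port_range "$START_PORT $END_PORT"

  # TIME-WAIT handling
  set_sysctl net.ipv4.tcp_max_tw_buckets 2000000
  set_sysctl net.ipv4.tcp_tw_reuse 1
  # Keep recycle off: it breaks clients behind NAT. The key was removed in
  # Linux 4.12, so `sysctl -e` below skips it on kernels that lack it.
  set_sysctl net.ipv4.tcp_tw_recycle 0
  set_sysctl net.ipv4.tcp_fin_timeout 30

  # -e: ignore keys this kernel does not expose instead of failing the reload.
  sysctl -e -p
  echo "端口范围优化完成!"
  echo "新的端口范围: $(sysctl -n net.ipv4.ip_local_port_range)"
}

main "$@"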
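#!/bin/bash
# optimize-tcp-kernel.sh
#
# Appends a block of TCP tuning keys to /etc/sysctl.conf (after backing the
# file up as /etc/sysctl.conf.backup.DATE) and reloads it. Requires root.
# The block is written only once: a re-run that finds its header line already
# in the file leaves the file untouched and just reloads.
set -euo pipefail

readonly SYSCTL_CONF=/etc/sysctl.conf
# First line of the block below; used to detect a previous run.
readonly BLOCK_MARKER='# ================ TCP连接数全面优化 ================'

die() { printf '%s\n' "$*" >&2; exit 1; }

main() {
  (( EUID == 0 )) || die "optimize-tcp-kernel.sh must run as root"
  echo "=== TCP内核参数全面优化 ==="

  [[ -e "$SYSCTL_CONF" ]] || touch -- "$SYSCTL_CONF"
  cp -- "$SYSCTL_CONF" "${SYSCTL_CONF}.backup.$(date +%Y%m%d)"

  echo "应用TCP内核参数优化..."
  # Comments are on lines of their own: depending on the procps version a
  # trailing "# ..." on a value line is handed to the kernel as part of the
  # value and the key is rejected rather than applied.
  # NOTE(review): 16MB rmem_default/wmem_default applies to every socket at
  # creation; with tens of thousands of connections confirm this fits RAM.
  if ! grep -qF -- "$BLOCK_MARKER" "$SYSCTL_CONF"; then
    cat >> "$SYSCTL_CONF" << 'EOF'
# ================ TCP连接数全面优化 ================
# 连接队列和 backlog 优化
net.core.somaxconn = 32768
net.ipv4.tcp_max_syn_backlog = 32768
net.core.netdev_max_backlog = 30000
# 连接建立优化
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_abort_on_overflow = 0
# 连接重用和快速回收
net.ipv4.tcp_tw_reuse = 1
# NAT环境下建议为0
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_max_tw_buckets = 2000000
# 内存缓冲区优化 (根据系统内存调整)
# 16MB
net.core.rmem_max = 16777216
# 16MB
net.core.wmem_max = 16777216
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# 约 3GB 内存用于TCP
net.ipv4.tcp_mem = 786432 1048576 1572864
# 拥塞控制算法
net.ipv4.tcp_congestion_control = cubic
# 时间戳和窗口缩放
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_window_scaling = 1
# 快速打开
net.ipv4.tcp_fastopen = 3
# 保活机制
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 5
# MTU发现
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_base_mss = 1024
# 选择性确认
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_fack = 1
EOF
  fi

  # -e: skip keys this kernel does not expose (net.ipv4.tcp_tw_recycle was
  # removed in Linux 4.12) instead of failing the whole reload.
  sysctl -e -p
  echo "TCP内核参数优化完成!"
}

main "$@"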
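#!/bin/bash
# optimize-connection-tracking.sh
#
# Enlarges the nf_conntrack table and shortens conntrack timeouts by writing
# the keys into /etc/sysctl.conf and reloading it. Does nothing when
# connection tracking is not loaded. Requires root. Re-running replaces each
# key instead of appending duplicates.
set -euo pipefail

readonly SYSCTL_CONF=/etc/sysctl.conf
# Table size: as large as memory permits (every entry costs kernel memory).
readonly CONNTRACK_MAX=524288

die() { printf '%s\n' "$*" >&2; exit 1; }

# Set KEY = VALUE in /etc/sysctl.conf, deleting any existing line for KEY so
# repeated runs do not accumulate duplicates.
# $1 - sysctl key, $2 - value
set_sysctl() {
  local key=$1 value=$2 escaped
  escaped=${key//./\\.}   # '.' is a regex metacharacter in the sed address
  sed -i "/^[[:space:]]*${escaped}[[:space:]]*=/d" "$SYSCTL_CONF"
  printf '%s = %s\n' "$key" "$value" >> "$SYSCTL_CONF"
}

main() {
  (( EUID == 0 )) || die "optimize-connection-tracking.sh must run as root"
  echo "=== 连接跟踪表优化 ==="

  # The net.netfilter.* files only exist while the nf_conntrack module is
  # loaded.
  if [[ -f /proc/sys/net/netfilter/nf_conntrack_max ]]; then
    echo "连接跟踪已启用,进行优化..."
    [[ -e "$SYSCTL_CONF" ]] || touch -- "$SYSCTL_CONF"

    local current_count current_max
    current_count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    current_max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    echo "当前连接跟踪: $current_count/$current_max"

    echo "设置连接跟踪表大小: $CONNTRACK_MAX"
    set_sysctl net.netfilter.nf_conntrack_max "$CONNTRACK_MAX"

    # Timeouts (seconds). Shorter timeouts free table entries sooner.
    set_sysctl net.netfilter.nf_conntrack_tcp_timeout_established 3600
    set_sysctl net.netfilter.nf_conntrack_tcp_timeout_time_wait 120
    set_sysctl net.netfilter.nf_conntrack_tcp_timeout_close_wait 60
    set_sysctl net.netfilter.nf_conntrack_tcp_timeout_fin_wait 120
    set_sysctl net.netfilter.nf_conntrack_udp_timeout 30
    set_sysctl net.netfilter.nf_conntrack_udp_timeout_stream 180

    # -e: ignore keys that are not exposed at reload time (e.g. if the
    # module is unloaded later) instead of failing the whole reload.
    sysctl -e -p
    echo "连接跟踪优化完成!"
  else
    echo "连接跟踪未启用,跳过优化"
  fi
}

main "$@"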
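# /etc/nginx/nginx.conf
#
# Main (global) context: worker processes and the per-worker fd ceiling.
# worker_rlimit_nofile should be at least worker_connections, otherwise a
# worker runs out of descriptors before it reaches its connection cap.
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 100000;

# Error log
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

# Event module
events {
    worker_connections 50000;   # connections per worker process
    use epoll;                  # epoll event model
    multi_accept on;            # accept several connections per wakeup
    accept_mutex off;           # no accept mutex
}

# HTTP
http {
    # Basics
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Access log, buffered
    access_log /var/log/nginx/access.log combined buffer=32k flush=5s;

    # Connection handling
    keepalive_timeout 30;
    keepalive_requests 1000;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    # Buffers
    client_header_buffer_size 4k;
    large_client_header_buffers 4 16k;
    client_max_body_size 100m;
    client_body_buffer_size 128k;
    client_body_timeout 12;
    client_header_timeout 12;

    # File transfer
    output_buffers 4 32k;
    postpone_output 1460;

    # Per-client connection limit (applies to every server in this http block)
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_conn addr 100;

    # Other configuration
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

# Stream module (only needed for TCP proxying).
# worker_processes, worker_cpu_affinity, worker_rlimit_nofile and events{}
# are main-context directives; nesting them here makes nginx refuse the
# config ("directive is not allowed here"), so the block only includes its
# own files. The main-context values above already apply to stream workers.
stream {
    include /etc/nginx/stream.conf.d/*.conf;
}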
#!/bin/bash
# optimize-system-services.sh
echo"=== 系统服务TCP优化 ==="
# 1. 优化systemd服务限制
echo"1. 优化systemd服务限制..."
mkdir -p /etc/systemd/system.conf.d/
cat > /etc/systemd/system.conf.d/tcp-optimize.conf << 'EOF'
[Manager]
DefaultLimitNOFILE=100000
DefaultLimitNPROC=65535
DefaultLimitMEMLOCK=infinity
EOF
# 2. 优化特定服务
services=("nginx""apache2""httpd""mysql""redis""postgresql")
for service in"${services[@]}"; do
if systemctl is-enabled $service >/dev/null 2>&1; then
echo