我检查了所有的设置本地服务器的apche和PHP,外网API所在的nginx和node.js的timeout的设置,包括代码里的,都是远大于60秒的,为啥运行时还是出现60秒准时中断,反馈500错误。后来我在本地服务器做了单独测试,发现本地可以正常运行200s,但是每次访问服务器时会出现大约到52秒左右,请求API时中断的情况。我查了几天了没找到原因,不确定是哪些默认配置导致此类情况,阿里云服务器。
[root@iZbp13bbmz6agygqmhn6m4Z ~]# sysctl net.ipv4.tcp_keepalive_time
net.ipv4.tcp_keepalive_time = 7200
[root@iZbp13bbmz6agygqmhn6m4Z ~]# sysctl net.ipv4.tcp_keepalive_intvl
net.ipv4.tcp_keepalive_intvl = 75
[root@iZbp13bbmz6agygqmhn6m4Z ~]# sysctl net.ipv4.tcp_keepalive_probes
net.ipv4.tcp_keepalive_probes = 9
keepalive设置是正常的(7200秒),这排除了系统TCP层面的问题。
[root@iZbp13bbmz6agygqmhn6m4Z ~]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
4 INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
4 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
7 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
8 DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
9 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD_IN_ZONES (1 references)
num target prot opt source destination
1 FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_IN_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain FORWARD_OUT_ZONES (1 references)
num target prot opt source destination
1 FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain FORWARD_direct (1 references)
num target prot opt source destination
Chain FWDI_public (1 references)
num target prot opt source destination
1 FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
2 FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
3 FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain FWDI_public_allow (1 references)
num target prot opt source destination
Chain FWDI_public_deny (1 references)
num target prot opt source destination
Chain FWDI_public_log (1 references)
num target prot opt source destination
Chain FWDO_public (1 references)
num target prot opt source destination
1 FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
2 FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
3 FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain FWDO_public_allow (1 references)
num target prot opt source destination
Chain FWDO_public_deny (1 references)
num target prot opt source destination
Chain FWDO_public_log (1 references)
num target prot opt source destination
Chain INPUT_ZONES (1 references)
num target prot opt source destination
1 IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
num target prot opt source destination
Chain INPUT_direct (1 references)
num target prot opt source destination
1 REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
Chain IN_public (1 references)
num target prot opt source destination
1 IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
2 IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
3 IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 ctstate NEW,UNTRACKED
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:13549 ctstate NEW,UNTRACKED
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:39000:40000 ctstate NEW,UNTRACKED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:888 ctstate NEW,UNTRACKED
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5000 ctstate NEW,UNTRACKED
11 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 ctstate NEW,UNTRACKED
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 ctstate NEW,UNTRACKED
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3001 ctstate NEW,UNTRACKED
Chain IN_public_deny (1 references)
num target prot opt source destination
Chain IN_public_log (1 references)
num target prot opt source destination
Chain OUTPUT_direct (1 references)
num target prot opt source destination
[root@iZbp13bbmz6agygqmhn6m4Z ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
POSTROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain POSTROUTING_ZONES (1 references)
target prot opt source destination
POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain POSTROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain POSTROUTING_direct (1 references)
target prot opt source destination
Chain POST_public (1 references)
target prot opt source destination
POST_public_log all -- 0.0.0.0/0 0.0.0.0/0
POST_public_deny all -- 0.0.0.0/0 0.0.0.0/0
POST_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain POST_public_allow (1 references)
target prot opt source destination
Chain POST_public_deny (1 references)
target prot opt source destination
Chain POST_public_log (1 references)
target prot opt source destination
Chain PREROUTING_ZONES (1 references)
target prot opt source destination
PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
Chain PREROUTING_ZONES_SOURCE (1 references)
target prot opt source destination
Chain PREROUTING_direct (1 references)
target prot opt source destination
Chain PRE_public (1 references)
target prot opt source destination
PRE_public_log all -- 0.0.0.0/0 0.0.0.0/0
PRE_public_deny all -- 0.0.0.0/0 0.0.0.0/0
PRE_public_allow all -- 0.0.0.0/0 0.0.0.0/0
Chain PRE_public_allow (1 references)
target prot opt source destination
Chain PRE_public_deny (1 references)
target prot opt source destination
Chain PRE_public_log (1 references)
target prot opt source destination从iptables规则来看,没有发现明显的连接超时限制。规则主要是端口放行和基本的防火墙策略。
[root@iZbp13bbmz6agygqmhn6m4Z ~]# cat /proc/sys/net/netfilter/nf_conntrack_count
42
[root@iZbp13bbmz6agygqmhn6m4Z ~]# cat /proc/sys/net/netfilter/nf_conntrack_max
65536
[root@iZbp13bbmz6agygqmhn6m4Z ~]# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established
432000
[root@iZbp13bbmz6agygqmhn6m4Z ~]# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close_wait
60
[root@iZbp13bbmz6agygqmhn6m4Z ~]# cat /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_fin_wait
120
[root@iZbp13bbmz6agygqmhn6m4Z ~]#根本原因:nf_conntrack_tcp_timeout_close_wait = 60 导致停留在CLOSE_WAIT状态的连接在60秒后被强制关闭。
解决方案:
立即调整conntrack超时设置
检查并修复应用程序的连接管理代码
确保HTTP客户端和服务端都正确关闭连接
评论