Various enhancements and tweaks for nginx.

dokterbob · dokterbob · commit 44a351bc84f0 · 2022-12-28T14:33:56.000+01:00
diff --git a/roles/services/frontend/templates/nginx-frontend.conf.j2 b/roles/services/frontend/templates/nginx-frontend.conf.j2
@@ -38,39 +38,39 @@ server {
 
 upstream search {
     ip_hash;
-    keepalive 32;
+    keepalive {{ groups['search_api'] | length * 2 }}; # 2 connections per backend server.
 
     {% for host in groups['search_api'] %}
         server {{ hostvars[host]['vlan_ip'] | ipaddr('address') }} max_fails=3 fail_timeout=10s;
     {% endfor %}
 }
 
 upstream metadata {
-    keepalive 32;
+    keepalive {{ groups['search_api'] | length * 2 }};
 
     {% for host in groups['search_api'] %}
         server {{ hostvars[host]['vlan_ip'] | ipaddr('address') }} max_fails=3 fail_timeout=10s;
     {% endfor %}
 }
 
 upstream nsfw {
-    keepalive 32;
+    keepalive {{ groups['search_api'] | length * 2 }};
 
     {% for host in groups['nsfw_server'] %}
         server {{ hostvars[host]['vlan_ip'] | ipaddr('address') }} max_fails=3 fail_timeout=10;
     {% endfor %}
 }
 
 upstream pinservice {
-    keepalive 32;
+    keepalive {{ groups['search_api'] | length * 2 }};
 
     {% for host in groups['pinservice'] %}
         server {{ hostvars[host]['vlan_ip'] | ipaddr('address') }} max_fails=3 fail_timeout=10;
     {% endfor %}
 }
 
 upstream nyats {
-    keepalive 32;
+    keepalive {{ groups['search_api'] | length * 2 }};
 
     {% for host in groups['nyats'] %}
         server {{ hostvars[host]['vlan_ip'] | ipaddr('address') }} max_fails=0 fail_timeout=120s;
@@ -90,15 +90,18 @@ server {
         return 301 https://app.swaggerhub.com/apis-docs/ipfs-search/ipfs-search;
     }
 
-    location /v1/search {
-        proxy_pass http://search/v1/search;
+    # Required for backend keepalive
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+
+    # Pass on remote address
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
-        # Required for backend keepalive
-        proxy_http_version 1.1;
-        proxy_set_header Connection "";
+    proxy_hide_header Access-Control-Allow-Origin;
+    add_header Access-Control-Allow-Origin '*' always;
 
-        # Pass on remote address
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    location /v1/search {
+        proxy_pass http://search/v1/search;
 
         proxy_cache search_cache;
         proxy_cache_use_stale updating;
@@ -112,37 +115,17 @@ server {
         expires 15m;
 
         add_header X-Cache-Status $upstream_cache_status always;
-
-        proxy_hide_header Access-Control-Allow-Origin;
-        add_header Access-Control-Allow-Origin '*' always;
     }
 
     location /v1/queue-pinservice {
         proxy_pass http://pinservice/v1/queue-pinservice;
 
-        # Required for backend keepalive
-        proxy_http_version 1.1;
-        proxy_set_header Connection "";
-
-        # Pass on remote address
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-        proxy_read_timeout 5s;
-
-        proxy_hide_header Access-Control-Allow-Origin;
-        add_header Access-Control-Allow-Origin '*' always;
+        proxy_read_timeout 1s;
     }
 
     location /v1/metadata {
         proxy_pass http://metadata/v1/metadata;
 
-        # Required for backend keepalive
-        proxy_http_version 1.1;
-        proxy_set_header Connection "";
-
-        # Pass on remote address
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
         proxy_cache metadata_cache;
         proxy_cache_use_stale updating;
         proxy_cache_lock on;
@@ -155,21 +138,11 @@ server {
         expires 1y;
 
         add_header X-Cache-Status $upstream_cache_status always;
-
-        proxy_hide_header Access-Control-Allow-Origin;
-        add_header Access-Control-Allow-Origin '*' always;
     }
 
     location /v1/nsfw {
         proxy_pass http://nsfw/v1/nsfw;
 
-        # Required for backend keepalive
-        proxy_http_version 1.1;
-        proxy_set_header Connection "";
-
-        # Pass on remote address
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
         proxy_cache nsfw_cache;
         proxy_cache_use_stale updating;
         proxy_cache_lock on;
@@ -182,21 +155,11 @@ server {
         expires 1y;
 
         add_header X-Cache-Status $upstream_cache_status always;
-
-        proxy_hide_header Access-Control-Allow-Origin;
-        add_header Access-Control-Allow-Origin '*' always;
     }
 
     location /v1/thumbnail {
         proxy_pass http://nyats/v1/thumbnail;
 
-        # Required for backend keepalive
-        proxy_http_version 1.1;
-        proxy_set_header Connection "";
-
-        # Pass on remote address
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
         proxy_cache thumbnail_cache;
         proxy_cache_use_stale updating;
         proxy_cache_lock on;
@@ -209,13 +172,11 @@ server {
         expires 1y;
 
         add_header X-Cache-Status $upstream_cache_status always;
-
-        proxy_hide_header Access-Control-Allow-Origin;
-        add_header Access-Control-Allow-Origin '*' always;
     }
 
     include {{ options_ssl_nginx }};
 
     ssl_certificate /etc/letsencrypt/live/{{ certbot_name }}/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/{{ certbot_name }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ certbot_name }}/chain.pem;
 }
diff --git a/roles/vendor/certbot/templates/options-ssl-nginx.conf.j2 b/roles/vendor/certbot/templates/options-ssl-nginx.conf.j2
@@ -4,17 +4,24 @@
 # the up-to-date file that you will need to refer to when manually updating
 # this file.
 
-ssl_session_cache shared:le_nginx_SSL:1m;
-ssl_session_timeout 1440m;
+ssl_session_cache shared:le_nginx_SSL:10m;  # about 40000 sessions
+ssl_session_timeout 1d;
+ssl_session_tickets off;
 
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_prefer_server_ciphers on;
-
-ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
 
 ssl_dhparam {{ dh_params }};
 
 # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
 # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
 # also https://hstspreload.org/
 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+resolver 127.0.0.53 valid=5m;
diff --git a/roles/vendor/nginx/templates/nginx.conf.j2 b/roles/vendor/nginx/templates/nginx.conf.j2
@@ -2,8 +2,10 @@ user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
 
+worker_rlimit_nofile 65535;
+
 events {
-	worker_connections 768;
+	worker_connections 4096;
 	# multi_accept on;
 }
 
@@ -14,6 +16,7 @@ http {
 	##
 
 	sendfile on;
+	sendfile_max_chunk 512K;
 	tcp_nopush on;
 	tcp_nodelay on;
 	keepalive_timeout 65;
