Additional Nginx tweaks

2019-08-16 22:57:26 +02:00
parent 5b654b64b3
commit aa1a830c5b
5 changed files with 589 additions and 562 deletions
--- a/wo/cli/plugins/stack_pref.py
+++ b/wo/cli/plugins/stack_pref.py
@@ -179,6 +179,14 @@ def post_pref(self, apt_packages, packages):
                    (data), 'brotli.mustache', out=wo_nginx)
                wo_nginx.close()

+            Log.debug(self, 'Writting the nginx configuration to '
+                      'file /etc/nginx/conf.d/tweaks.conf')
+            wo_nginx = open('/etc/nginx/conf.d/tweaks.conf',
+                            encoding='utf-8', mode='w')
+            self.app.render(
+                (data), 'tweaks.mustache', out=wo_nginx)
+            wo_nginx.close()
+
            # Fix for white screen death with NGINX PLUS
            if not WOFileUtils.grep(self, '/etc/nginx/fastcgi_params',
                                    'SCRIPT_FILENAME'):
--- a/wo/cli/templates/nginx-core.mustache
+++ b/wo/cli/templates/nginx-core.mustache
@@ -1,143 +1,124 @@
-user www-data;
-worker_processes auto;
-worker_cpu_affinity auto;
-worker_rlimit_nofile 100000;
-pid /run/nginx.pid;
-
-pcre_jit on;
-
-events {
-	multi_accept on;
-	worker_connections 50000;
-	accept_mutex on;
-	use epoll;
-}
-
-
-http {
-	##
-	# WordOps Settings
-	##
-
-	sendfile on;
-	sendfile_max_chunk 512k;
-
-	tcp_nopush on;
-	tcp_nodelay on;
-
-	keepalive_timeout 8;
-	keepalive_requests 500;
-	keepalive_disable msie6;
-
-	lingering_time 20s;
-	lingering_timeout 5s;
-
-	# Nginx AIO : See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
-	# http://nginx.org/en/docs/http/ngx_http_core_module.html#aio
-	aio threads;
-
-	server_tokens off;
-	reset_timedout_connection on;
-	more_set_headers "X-Powered-By : WordOps";
-
-    open_file_cache max=50000 inactive=60s;
-    open_file_cache_errors off;
-    open_file_cache_min_uses 2;
-    open_file_cache_valid 120s;
-    open_log_file_cache max=10000 inactive=30s min_uses=2;
-
-	# Limit Request
-	limit_req_status 403;
-	limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
-
-	# Proxy Settings
-	# set_real_ip_from	proxy-server-ip;
-	# real_ip_header	X-Forwarded-For;
-
-	fastcgi_read_timeout 300;
-	client_max_body_size 100m;
-
-	# ngx_vts_module
-	vhost_traffic_status_zone;
-
-	# tls dynamic records patch directive
-	ssl_dyn_rec_enable on;
-
-
-	##
-	# SSL Settings
-	##
-
-	ssl_session_timeout 1d;
-	ssl_session_cache shared:SSL:50m;
-	ssl_session_tickets off;
-	ssl_prefer_server_ciphers on;
-	{{#tls13}}ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
-	ssl_protocols TLSv1.2 TLSv1.3;{{/tls13}}
-	ssl_ecdh_curve X25519:P-521:P-384:P-256;
-	# Previous TLS v1.2 configuration
-	{{^tls13}}ssl_protocols TLSv1.2;
-	ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;{{/tls13}}
-
-	# Common security headers
-	more_set_headers "X-Frame-Options : SAMEORIGIN";
-	more_set_headers "X-Xss-Protection : 1; mode=block";
-	more_set_headers "X-Content-Type-Options : nosniff";
-	more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
-	more_set_headers "X-Download-Options : noopen";
-
-	# oscp settings
-	resolver 8.8.8.8 1.1.1.1 8.8.4.4 1.0.0.1 valid=300s;
-	resolver_timeout 10;
-	ssl_stapling on;
-
-	##
-	# Basic Settings
-	##
-	# server_names_hash_bucket_size 64;
-	# server_name_in_redirect off;
-
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-
-	##
-	# Logging Settings
-	##
-
-	access_log off;
-	error_log /var/log/nginx/error.log;
-
-	# Log format Settings
-	log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
-	'$http_host "$request" $status $body_bytes_sent '
-	'"$http_referer" "$http_user_agent" "$server_protocol"';
-
-	##
-	# Virtual Host Configs
-	##
-
-	include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/sites-enabled/*;
-}
-
-
-#mail {
-#	# See sample authentication script at:
-#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
-#
-#	# auth_http localhost/auth.php;
-#	# pop3_capabilities "TOP" "USER";
-#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
-#
-#	server {
-#		listen	 localhost:110;
-#		protocol   pop3;
-#		proxy	  on;
-#	}
-#
-#	server {
-#		listen	 localhost:143;
-#		protocol   imap;
-#		proxy	  on;
-#	}
-#}
+user www-data;
+worker_processes auto;
+worker_cpu_affinity auto;
+worker_rlimit_nofile 100000;
+pid /run/nginx.pid;
+
+pcre_jit on;
+
+events {
+	multi_accept on;
+	worker_connections 50000;
+	accept_mutex on;
+	use epoll;
+}
+
+
+http {
+
+	##
+	# WordOps Settings
+	##
+
+	# Nginx AIO : See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
+	# http://nginx.org/en/docs/http/ngx_http_core_module.html#aio
+	aio threads;
+
+	server_tokens off;
+	reset_timedout_connection on;
+	more_set_headers "X-Powered-By : WordOps";
+
+    # Limit Request
+	limit_req_status 403;
+	limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+
+	# Proxy Settings
+	# set_real_ip_from	proxy-server-ip;
+	# real_ip_header	X-Forwarded-For;
+
+	fastcgi_read_timeout 300;
+	client_max_body_size 100m;
+
+	# ngx_vts_module
+	vhost_traffic_status_zone;
+
+	# tls dynamic records patch directive
+	ssl_dyn_rec_enable on;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_session_timeout 1d;
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_tickets off;
+	ssl_prefer_server_ciphers on;
+	{{#tls13}}ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
+	ssl_protocols TLSv1.2 TLSv1.3;{{/tls13}}
+	ssl_ecdh_curve X25519:P-521:P-384:P-256;
+	# Previous TLS v1.2 configuration
+	{{^tls13}}ssl_protocols TLSv1.2;
+	ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES;{{/tls13}}
+
+	# Common security headers
+	more_set_headers "X-Frame-Options : SAMEORIGIN";
+	more_set_headers "X-Xss-Protection : 1; mode=block";
+	more_set_headers "X-Content-Type-Options : nosniff";
+	more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
+	more_set_headers "X-Download-Options : noopen";
+
+	# oscp settings
+	resolver 8.8.8.8 1.1.1.1 8.8.4.4 1.0.0.1 valid=300s;
+	resolver_timeout 10;
+	ssl_stapling on;
+
+	##
+	# Basic Settings
+	##
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# Logging Settings
+	##
+
+	access_log off;
+	error_log /var/log/nginx/error.log;
+
+	# Log format Settings
+	log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
+	'$http_host "$request" $status $body_bytes_sent '
+	'"$http_referer" "$http_user_agent" "$server_protocol"';
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#	server {
+#		listen	 localhost:110;
+#		protocol   pop3;
+#		proxy	  on;
+#	}
+#
+#	server {
+#		listen	 localhost:143;
+#		protocol   imap;
+#		proxy	  on;
+#	}
+#}
--- a/wo/cli/templates/tweaks.mustache
+++ b/wo/cli/templates/tweaks.mustache
@@ -0,0 +1,30 @@
+# NGINX Tweaks  - WO v3.9.8
+	directio 4m;
+	directio_alignment 512;
+	http2_max_field_size 16k;
+	http2_max_header_size 32k;
+
+	large_client_header_buffers 8 64k;
+
+	postpone_output 1460;
+	proxy_buffers 8 32k;
+	proxy_buffer_size 64k;
+
+	sendfile on;
+	sendfile_max_chunk 512k;
+
+	tcp_nopush on;
+	tcp_nodelay on;
+
+	keepalive_timeout 8;
+	keepalive_requests 500;
+	keepalive_disable msie6;
+
+	lingering_time 20s;
+	lingering_timeout 5s;
+
+	open_file_cache max=50000 inactive=60s;
+	open_file_cache_errors off;
+	open_file_cache_min_uses 2;
+	open_file_cache_valid 120s;
+	open_log_file_cache max=10000 inactive=30s min_uses=2;
--- a/wo/cli/templates/upstream.mustache
+++ b/wo/cli/templates/upstream.mustache
@@ -1,86 +1,86 @@
-# NGINX UPSTREAM CONFIGURATION - WO v3.9.7
-# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
-#-------------------------------
-# PHP 5.6
-#-------------------------------
-upstream php {
-server 127.0.0.1:{{php}};
-}
-
-upstream debug {
-server 127.0.0.1:{{debug}};
-}
-
-
-#-------------------------------
-# PHP 7.0
-#-------------------------------
-
-upstream php7 {
-server 127.0.0.1:{{php7}};
-}
-upstream debug7 {
-# Debug Pool
-server 127.0.0.1:{{debug7}};
-}
-
-
-#-------------------------------
-# PHP 7.2
-#-------------------------------
-
-# PHP 7.2 upstream with load-balancing on two unix sockets
-upstream php72 {
-    least_conn;
-
-    server unix:/var/run/php/php72-fpm.sock;
-    server unix:/var/run/php/php72-two-fpm.sock;
-
-    keepalive 5;
-}
-
-# PHP 7.2 debug
-upstream debug72 {
-# Debug Pool
-server 127.0.0.1:9172;
-}
-
-#-------------------------------
-# PHP 7.3
-#-------------------------------
-
-# PHP 7.3 upstream with load-balancing on two unix sockets
-upstream php73 {
-    least_conn;
-
-    server unix:/var/run/php/php73-fpm.sock;
-    server unix:/var/run/php/php73-two-fpm.sock;
-
-    keepalive 5;
-}
-
-# PHP 7.3 debug
-upstream debug73 {
-# Debug Pool
-    server 127.0.0.1:9173;
-}
-
-#-------------------------------
-# Netdata
-#-------------------------------
-
-# Netdata Monitoring Upstream
-upstream netdata {
-    server 127.0.0.1:19999;
-    keepalive 64;
-}
-
-#-------------------------------
-# Redis
-#-------------------------------
-
-# Redis cache upstream
-upstream redis {
-    server 127.0.0.1:6379;
-    keepalive 10;
-}
+# NGINX UPSTREAM CONFIGURATION - WO v3.9.8
+# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
+#-------------------------------
+# PHP 5.6
+#-------------------------------
+upstream php {
+server 127.0.0.1:{{php}};
+}
+
+upstream debug {
+server 127.0.0.1:{{debug}};
+}
+
+
+#-------------------------------
+# PHP 7.0
+#-------------------------------
+
+upstream php7 {
+server 127.0.0.1:{{php7}};
+}
+upstream debug7 {
+# Debug Pool
+server 127.0.0.1:{{debug7}};
+}
+
+
+#-------------------------------
+# PHP 7.2
+#-------------------------------
+
+# PHP 7.2 upstream with load-balancing on two unix sockets
+upstream php72 {
+    least_conn;
+
+    server unix:/var/run/php/php72-fpm.sock;
+    server unix:/var/run/php/php72-two-fpm.sock;
+
+    keepalive 5;
+}
+
+# PHP 7.2 debug
+upstream debug72 {
+# Debug Pool
+server 127.0.0.1:9172;
+}
+
+#-------------------------------
+# PHP 7.3
+#-------------------------------
+
+# PHP 7.3 upstream with load-balancing on two unix sockets
+upstream php73 {
+    least_conn;
+
+    server unix:/var/run/php/php73-fpm.sock;
+    server unix:/var/run/php/php73-two-fpm.sock;
+
+    keepalive 5;
+}
+
+# PHP 7.3 debug
+upstream debug73 {
+# Debug Pool
+    server 127.0.0.1:9173;
+}
+
+#-------------------------------
+# Netdata
+#-------------------------------
+
+# Netdata Monitoring Upstream
+upstream netdata {
+    server 127.0.0.1:19999;
+    keepalive 64;
+}
+
+#-------------------------------
+# Redis
+#-------------------------------
+
+# Redis cache upstream
+upstream redis {
+    server 127.0.0.1:6379;
+    keepalive 10;
+}