]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/nginx/templates/default/nginx.conf.erb
Add authentication results header for email from external hosts
[chef.git] / cookbooks / nginx / templates / default / nginx.conf.erb
index a895af303c46e8b930625ada40ddee164e267b4b..f5d4fc26904e22bb9544b8c34a4104b7a974cf69 100644 (file)
@@ -3,14 +3,14 @@
 user  www-data;
 worker_processes auto;
 worker_cpu_affinity auto;
 user  www-data;
 worker_processes auto;
 worker_cpu_affinity auto;
-worker_rlimit_nofile 65536;
+worker_rlimit_nofile 98304;
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
 
 
 events {
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
 
 
 events {
-    worker_connections  1024;
+    worker_connections  8192;
 }
 
 http {
 }
 
 http {
@@ -18,23 +18,56 @@ http {
     default_type  application/octet-stream;
 
     server_names_hash_bucket_size 128;
     default_type  application/octet-stream;
 
     server_names_hash_bucket_size 128;
+    map_hash_bucket_size 128;
 
 
+<% if node[:nginx][:access_log] -%>
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
-    access_log  /var/log/nginx/access.log  main  buffer=32k flush=1m;
+    access_log  <%= node[:nginx][:access_log] %>  main buffer=256k flush=1m;
+<% else -%>
+    access_log  off;
+<% end -%>
 
 
-    keepalive_timeout  65;
+    keepalive_timeout 20 20;
 
     server_tokens off;
 
 
     server_tokens off;
 
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers <%= node[:ssl][:openssl_ciphers] -%>;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 30m;
+
+    ssl_stapling on;
+
+    # Validate the stapling response is signed by a trusted certificate
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    resolver 127.0.0.53 ipv6=off;
+    resolver_timeout 5s;
+
     <% if node['nginx']['cache']['fastcgi']['enable'] -%>
     <% if node['nginx']['cache']['fastcgi']['enable'] -%>
-    fastcgi_cache_path /var/cache/nginx/fastcgi-cache levels=1:2 keys_zone=<%= node['nginx']['cache']['fastcgi']['keys_zone'] %> inactive=<%= node['nginx']['cache']['fastcgi']['inactive'] %> max_size=<%= node['nginx']['cache']['fastcgi']['max_size'] %>;
+    fastcgi_cache_path <%= node['nginx']['cache']['fastcgi']['directory'] %> levels=2:2:2 use_temp_path=off keys_zone=<%= node['nginx']['cache']['fastcgi']['keys_zone'] %> inactive=<%= node['nginx']['cache']['fastcgi']['inactive'] %> max_size=<%= node['nginx']['cache']['fastcgi']['max_size'] %>;
     <% end -%>
     <% if node['nginx']['cache']['proxy']['enable'] -%>
     <% end -%>
     <% if node['nginx']['cache']['proxy']['enable'] -%>
-    proxy_cache_path /var/cache/nginx/proxy-cache levels=1:2 keys_zone=<%= node['nginx']['cache']['proxy']['keys_zone'] %> inactive=<%= node['nginx']['cache']['proxy']['inactive'] %> max_size=<%= node['nginx']['cache']['proxy']['max_size'] %>;
+    proxy_cache_path <%= node['nginx']['cache']['proxy']['directory'] %> levels=2:2:2 use_temp_path=off keys_zone=<%= node['nginx']['cache']['proxy']['keys_zone'] %> inactive=<%= node['nginx']['cache']['proxy']['inactive'] %> max_size=<%= node['nginx']['cache']['proxy']['max_size'] %>;
     <% end -%>
 
     <% end -%>
 
+    # Internal site for munin monitoring
+    server {
+      listen 127.0.0.1:8050;
+      server_name localhost;
+      location /nginx_status {
+        stub_status on;
+        access_log off;
+        allow 127.0.0.1;
+        deny all;
+      }
+    }
+
     include /etc/nginx/conf.d/*.conf;
 }
     include /etc/nginx/conf.d/*.conf;
 }