nginx: add munin monitoring

[chef.git] / cookbooks / nginx / templates / default / nginx.conf.erb

diff --git a/cookbooks/nginx/templates/default/nginx.conf.erb b/cookbooks/nginx/templates/default/nginx.conf.erb
index a475f166c7297830b6efe93516a6b943916765d1..a16d2581237258dd9117963ae8784c5a3cccab5e 100644 (file)
--- a/cookbooks/nginx/templates/default/nginx.conf.erb
+++ b/cookbooks/nginx/templates/default/nginx.conf.erb
@@ -1,15 +1,16 @@
 # DO NOT EDIT - This file is being maintained by Chef
 
 user  www-data;
 # DO NOT EDIT - This file is being maintained by Chef
 
 user  www-data;

-worker_processes <%= node['cpu']['total'] %>;
-worker_rlimit_nofile 65536;
+worker_processes auto;
+worker_cpu_affinity auto;
+worker_rlimit_nofile 98304;

 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
 
 
 events {
 
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
 
 
 events {

-    worker_connections  1024;
+    worker_connections  8192;

 }
 
 http {
 }
 
 http {


@@ -17,23 +18,56 @@ http {
     default_type  application/octet-stream;
 
     server_names_hash_bucket_size 128;
     default_type  application/octet-stream;
 
     server_names_hash_bucket_size 128;

+    map_hash_bucket_size 128;

 
 

+<% if node[:nginx][:access_log] -%>

     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 

-    access_log  /var/log/nginx/access.log  main  buffer=32k flush=1m;
+    access_log  <%= node[:nginx][:access_log] %>  main  buffer=32k flush=1m;
+<% else -%>
+    access_log  off;
+<% end -%>

 
 

-    keepalive_timeout  65;
+    keepalive_timeout  30;

 
     server_tokens off;
 
 
     server_tokens off;
 

+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers <%= node[:ssl][:openssl_ciphers] -%>;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 30m;
+
+    ssl_stapling on;
+
+    # Validate the stapling response is signed by a trusted certificate
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    resolver <%= @resolvers.join(" ") %>;
+    resolver_timeout 5s;
+

     <% if node['nginx']['cache']['fastcgi']['enable'] -%>
     <% if node['nginx']['cache']['fastcgi']['enable'] -%>

-    fastcgi_cache_path /var/cache/nginx/fastcgi-cache levels=1:2 keys_zone=<%= node['nginx']['cache']['fastcgi']['keys_zone'] %> inactive=<%= node['nginx']['cache']['fastcgi']['inactive'] %> max_size=<%= node['nginx']['cache']['fastcgi']['max_size'] %>;
+    fastcgi_cache_path /var/cache/nginx/fastcgi-cache levels=1:2 use_temp_path=off keys_zone=<%= node['nginx']['cache']['fastcgi']['keys_zone'] %> inactive=<%= node['nginx']['cache']['fastcgi']['inactive'] %> max_size=<%= node['nginx']['cache']['fastcgi']['max_size'] %>;

     <% end -%>
     <% if node['nginx']['cache']['proxy']['enable'] -%>
     <% end -%>
     <% if node['nginx']['cache']['proxy']['enable'] -%>

-    fastcgi_cache_path /var/cache/nginx/proxy-cache levels=1:2 keys_zone=<%= node['nginx']['cache']['proxy']['keys_zone'] %> inactive=<%= node['nginx']['cache']['proxy']['inactive'] %> max_size=<%= node['nginx']['cache']['proxy']['max_size'] %>;
+    proxy_cache_path /var/cache/nginx/proxy-cache levels=1:2 use_temp_path=off keys_zone=<%= node['nginx']['cache']['proxy']['keys_zone'] %> inactive=<%= node['nginx']['cache']['proxy']['inactive'] %> max_size=<%= node['nginx']['cache']['proxy']['max_size'] %>;

     <% end -%>
 
     <% end -%>
 

+    # Internal site for munin monitoring
+    server {
+      listen 127.0.0.1:8050;
+      server_name localhost;
+      location /nginx_status {
+        stub_status on;
+        access_log off;
+        allow 127.0.0.1;
+        deny all;
+      }
+    }
+

     include /etc/nginx/conf.d/*.conf;
 }
     include /etc/nginx/conf.d/*.conf;
 }