nginx: increase cache filesystem levels

[chef.git] / cookbooks / nginx / templates / default / nginx.conf.erb
diff --git a/cookbooks/nginx/templates/default/nginx.conf.erb b/cookbooks/nginx/templates/default/nginx.conf.erb

index c16aa965020cb002c50eb4f8c32302e5b4e66a12..fc2a462d9a4f5d9e9b0923784dd098f416ded660 100644 (file)
--- a/cookbooks/nginx/templates/default/nginx.conf.erb
+++ b/cookbooks/nginx/templates/default/nginx.conf.erb
@@ -1,37 +1,73 @@
  # DO NOT EDIT - This file is being maintained by Chef
  
  # DO NOT EDIT - This file is being maintained by Chef
  
-<% if node[:lsb][:release].to_f >= 14.04 -%>
-  user  www-data;
-<% else -%>
-  user  nginx;
-<% end -%>
-worker_processes <%= node['cpu']['total'] %>;
+user  www-data;
+worker_processes auto;
+worker_cpu_affinity auto;
+worker_rlimit_nofile 98304;
  
  error_log  /var/log/nginx/error.log warn;
  pid        /var/run/nginx.pid;
  
  
  events {
  
  error_log  /var/log/nginx/error.log warn;
  pid        /var/run/nginx.pid;
  
  
  events {
-    worker_connections  1024;
+    worker_connections  8192;
  }
  
  }
  
-
  http {
      include       /etc/nginx/mime.types;
      default_type  application/octet-stream;
  
  http {
      include       /etc/nginx/mime.types;
      default_type  application/octet-stream;
  
+    server_names_hash_bucket_size 128;
+    map_hash_bucket_size 128;
+
+<% if node[:nginx][:access_log] -%>
      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
  
      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
  
-    access_log  /var/log/nginx/access.log  main;
+    access_log  <%= node[:nginx][:access_log] %>  main  buffer=32k flush=1m;
+<% else -%>
+    access_log  off;
+<% end -%>
+
+    keepalive_timeout  30;
+
+    server_tokens off;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+    ssl_ciphers <%= node[:ssl][:openssl_ciphers] -%>;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 30m;
+
+    ssl_stapling on;
+
+    # Validate the stapling response is signed by a trusted certificate
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
  
  
-    sendfile        on;
-    #tcp_nopush     on;
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
+    resolver <%= @resolvers.join(" ") %>;
+    resolver_timeout 5s;
  
  
-    keepalive_timeout  65;
+    <% if node['nginx']['cache']['fastcgi']['enable'] -%>
+    fastcgi_cache_path /var/cache/nginx/fastcgi-cache levels=2:2:2 use_temp_path=off keys_zone=<%= node['nginx']['cache']['fastcgi']['keys_zone'] %> inactive=<%= node['nginx']['cache']['fastcgi']['inactive'] %> max_size=<%= node['nginx']['cache']['fastcgi']['max_size'] %>;
+    <% end -%>
+    <% if node['nginx']['cache']['proxy']['enable'] -%>
+    proxy_cache_path /var/cache/nginx/proxy-cache levels=2:2:2 use_temp_path=off keys_zone=<%= node['nginx']['cache']['proxy']['keys_zone'] %> inactive=<%= node['nginx']['cache']['proxy']['inactive'] %> max_size=<%= node['nginx']['cache']['proxy']['max_size'] %>;
+    <% end -%>
  
  
-    #gzip  on;
+    # Internal site for munin monitoring
+    server {
+      listen 127.0.0.1:8050;
+      server_name localhost;
+      location /nginx_status {
+        stub_status on;
+        access_log off;
+        allow 127.0.0.1;
+        deny all;
+      }
+    }
  
      include /etc/nginx/conf.d/*.conf;
  }
  
      include /etc/nginx/conf.d/*.conf;
  }