implementation of nginx 1.30 + AWS-LC + 5k-vhost perf tuning
build-and-publish / build (push) Successful in 3m18s

- nginx 1.30.0, ModSecurity v3.0.12, AWS-LC 1.72.0 (replaces
  quictls/openssl 3.1.5-quic1; OpenSSL 3.1 is EOL upstream)
- AWS-LC build via cmake+ninja, installed to /usr/local/aws-lc;
  nginx links via -I/-L and rpath
- lua-nginx-module: sed-broaden the existing OPENSSL_IS_BORINGSSL
  guards to also recognise OPENSSL_IS_AWSLC (covers #ifdef,
  #ifndef, #elif defined). without this the missing-API stubs
  never fire on AWS-LC and the build breaks on
  SSL_get1_supported_ciphers / SSL_export_keying_material_early
- lua-resty-core / lrucache: switched from `git clone master`
  to wget tarball pinned via LUA_SCRIPTS_RESTYCORE/LRUCACHE.
  master drifted to wanting ngx_lua 0.10.30 while the pin was
  0.10.29 — silent CI breakage waiting to happen
- ModSec rewritten for v3 build flow (./build.sh && ./configure
  --without-pcre --with-pcre2). v2's standalone.so isn't what
  ModSecurity-nginx connector links against; it wants
  libmodsecurity.so
- PCRE2: switched to /releases/download/ tarball (bundles the
  sljit submodule needed for --with-pcre-jit); /archive/refs/tags/
  is a raw snapshot and omits submodules
- LuaJIT version pin had a stray leading 'v' that produced
  /tags/vv2.1-... → 404
- drop -L/lib/x86_64-linux-gnu -lpcre from --with-ld-opt;
  PCRE1 is gone from debian 13
- drop libpcre3-dev from apt install for the same reason
- fix latent bug in build/run.sh build(): make && make install
  && make clean swallows make failures from set -e because of
  &&-chain semantics. now separate statements
- static/nginx/nginx.conf rewrite for shared hosting at 5k+
  vhosts: server_names_hash_max_size 32768, shared SSL session
  cache 200m, OCSP stapling, open_file_cache, brotli+gzip
  enabled in http{}, worker_cpu_affinity auto, max_headers 100,
  keepalive_requests 10000. client_header_buffer_size dropped
  from 2M to 4k (was a memory amplification surface)
- README: performance section comparing twiy vs vanilla nginx,
  OpenResty, Apache; expected yield breakdown
This commit is contained in:
root
2026-04-26 01:09:28 +00:00
parent f703f1eaba
commit 51b6eaa694
5 changed files with 218 additions and 67 deletions
+64 -11
@@ -1,8 +1,14 @@
# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
#
# Tuned for shared hosting at 5,000+ vhost scale.
# Per-vhost listen/ssl_certificate directives live in /nginx/live/* — this
# file only contains the global event/http settings.
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_cpu_affinity auto; # Pin workers to cores for L1/L2 locality.
worker_rlimit_nofile 65535;
events {
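Review bot: worker_rlimit_nofile 65535 is lower than the open_file_cache max=200000 configured further down in this file; open_file_cache holds file descriptors open, so on a static-heavy host the cache plus worker_connections can drive a worker past its descriptor limit, and that surfaces as open() failures in the error log rather than as cache evictions. Either raise worker_rlimit_nofile to cover worker_connections plus the cache ceiling, or lower max to fit under 65535, and state the relationship in the comment on `worker_rlimit_nofile 65535;` so the two values are not retuned independently later.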
@@ -26,21 +32,51 @@ http {
# =================== END LOGS ========================= #
# ==================== GENERAL ========================= #
client_body_buffer_size 2M;
client_header_buffer_size 2M;
client_body_timeout 90s;
client_header_timeout 90s;
# Header buffers — keep small. The previous 2M default was a memory
# amplification target (per-conn × worker_connections = absurd worst case).
client_header_buffer_size 4k;
large_client_header_buffers 4 16k;
client_body_buffer_size 16k;
client_max_body_size 2M;
keepalive_timeout 15s;
client_body_timeout 30s;
client_header_timeout 30s;
send_timeout 30s;
reset_timedout_connection on; # Free sockets fast under churn.
keepalive_timeout 65s; # Amortise TCP setup across requests.
keepalive_requests 10000; # Default 1000 too low for HTTP/2.
max_headers 100; # nginx 1.29.8 — slowloris defence.
port_in_redirect off;
sendfile on;
server_names_hash_bucket_size 6969;
server_name_in_redirect off;
server_tokens off;
sendfile_max_chunk 1m;
tcp_nodelay on;
tcp_nopush on;
types_hash_max_size 2048;
resolver 1.1.1.1 1.0.0.1;
server_tokens off;
server_name_in_redirect off;
# 5,000+ vhost hash sizing. _max_size must exceed total server names;
# _bucket_size must be a CPU-cache-line multiple (32/64/128/256/512/1024).
server_names_hash_bucket_size 128;
server_names_hash_max_size 32768;
types_hash_max_size 4096;
# File metadata cache — biggest single win for static-heavy shared hosting.
open_file_cache max=200000 inactive=30s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# ===================== TLS ============================ #
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off; # TLS 1.3 ciphers, client picks.
ssl_session_cache shared:SSL:200m; # ~800k sessions shared across workers
ssl_session_timeout 1d;
ssl_session_tickets off; # Off unless you have ticket-key rotation.
ssl_stapling on; # OCSP stapling — avoid per-handshake OCSP lookups.
ssl_stapling_verify on;
# ===================== END TLS ======================== #
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
default_type application/octet-stream;
include /nginx/mime.types;
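Review bot: ssl_stapling_verify on only verifies OCSP responses when the issuer, intermediates and root are configured as trusted through ssl_trusted_certificate, which this global file does not set; unverified responses are not stapled, so every per-vhost block under live/* must carry that directive next to ssl_certificate, and the generator for the 5k vhosts should emit it rather than relying on operators to remember. Related: `resolver 1.1.1.1 1.0.0.1 valid=300s;` is plain UDP DNS and is what resolves the OCSP responder hostnames for all those vhosts, so the stapling setup is only as trustworthy as the verification step above, which is another reason to make ssl_trusted_certificate mandatory in the vhost template.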
@@ -48,8 +84,25 @@ http {
default upgrade;
'' close;
}
# ==================== COMPRESSION ===================== #
# Compiled in, now actually enabled. Bandwidth saving on text responses
# is typically 60-80% for HTML/JSON/CSS/JS/SVG. Comp level 4 is the
# sweet spot for CPU vs ratio on shared hosting.
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 4;
gzip_min_length 256;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
brotli on;
brotli_comp_level 4;
brotli_min_length 256;
brotli_types text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
# =================== END COMPRESSION ================== #
# =================== END GENERAL ====================== #
# ================ LOAD VHOST +CONFIGS ================= #
include live/*;
include conf.d/*;
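Review bot: enabling gzip and brotli globally covers text/html (which gzip compresses regardless of gzip_types) and application/json, so any tenant page that echoes request-controlled input alongside a secret such as a CSRF token exposes that secret to compressed-length measurement over TLS (BREACH); on shared hosting the operator cannot audit every application, so consider limiting compression in http{} to static types and letting vhosts opt in for dynamic responses, or at least record the trade-off in the COMPRESSION comment. Also, `gzip_types ...` and `brotli_types ...` are the same long list typed twice; either note that they must stay in sync or move it into a shared snippet pulled in with include, so the two do not drift silently.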