2026

static/Jammy/nginx.service

@@ -6,6 +6,10 @@ Wants=network-online.target
 [Service]
 Type=forking
 PIDFile=/run/nginx.pid
+# jemalloc replaces glibc malloc — better fragmentation/perf under nginx's
+# alloc/free churn at scale. Package depends on libjemalloc2 so the .so is
+# guaranteed present. Removing this line falls back to glibc malloc cleanly.
+Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
 ExecStartPre=/usr/bin/install -d -o nginx -g nginx -m 0755 /usr/local/nginx /usr/local/nginx/client_body_temp /usr/local/nginx/proxy_temp /usr/local/nginx/fastcgi_temp /usr/local/nginx/uwsgi_temp /usr/local/nginx/scgi_temp /var/log/nginx
 ExecStartPre=/usr/sbin/nginx -t
 ExecStart=/usr/sbin/nginx

static/nginx/nginx.conf

@@ -8,7 +8,7 @@
 user nginx;
 pid /var/run/nginx.pid;
 worker_processes auto;
-worker_cpu_affinity auto;       # Pin workers to cores for L1/L2 locality.
+worker_cpu_affinity auto;
 worker_rlimit_nofile 65535;
 
 events {
@@ -32,8 +32,6 @@ http {
     # =================== END LOGS ========================= #
 
     # ==================== GENERAL ========================= #
-    # Header buffers — keep small. The previous 2M default was a memory
-    # amplification target (per-conn × worker_connections = absurd worst case).
     client_header_buffer_size      4k;
     large_client_header_buffers    4 16k;
     client_body_buffer_size        16k;
@@ -41,10 +39,10 @@ http {
     client_body_timeout            30s;
     client_header_timeout          30s;
     send_timeout                   30s;
-    reset_timedout_connection      on;        # Free sockets fast under churn.
-    keepalive_timeout              65s;       # Amortise TCP setup across requests.
-    keepalive_requests             10000;     # Default 1000 too low for HTTP/2.
-    max_headers                    100;       # nginx 1.29.8 — slowloris defence.
+    reset_timedout_connection      on;
+    keepalive_timeout              65s;
+    keepalive_requests             2000;
+    max_headers                    100;
     port_in_redirect               off;
     sendfile                       on;
     sendfile_max_chunk             1m;
@@ -53,8 +51,6 @@ http {
     server_tokens                  off;
     server_name_in_redirect        off;
 
-    # 5,000+ vhost hash sizing. _max_size must exceed total server names;
-    # _bucket_size must be a CPU-cache-line multiple (32/64/128/256/512/1024).
     server_names_hash_bucket_size  128;
     server_names_hash_max_size     32768;
     types_hash_max_size            4096;
@@ -67,14 +63,13 @@ http {
 
     # ===================== TLS ============================ #
     ssl_protocols                  TLSv1.2 TLSv1.3;
-    ssl_prefer_server_ciphers      off;        # TLS 1.3 ciphers, client picks.
-    ssl_session_cache              shared:SSL:200m;   # ~800k sessions shared across workers
+    ssl_prefer_server_ciphers      off;
+    ssl_session_cache              shared:SSL:200m;
     ssl_session_timeout            1d;
-    ssl_session_tickets            off;        # Off unless you have ticket-key rotation.
-    ssl_stapling                   on;         # OCSP stapling — avoid per-handshake OCSP lookups.
+    ssl_session_tickets            off;
+    ssl_stapling                   on;
     ssl_stapling_verify            on;
     # ===================== END TLS ======================== #
-
     resolver                       1.1.1.1 1.0.0.1 valid=300s;
     resolver_timeout               5s;
     default_type                   application/octet-stream;
@@ -86,9 +81,6 @@ http {
     }
 
     # ==================== COMPRESSION ===================== #
-    # Compiled in, now actually enabled. Bandwidth saving on text responses
-    # is typically 60-80% for HTML/JSON/CSS/JS/SVG. Comp level 4 is the
-    # sweet spot for CPU vs ratio on shared hosting.
     gzip                           on;
     gzip_vary                      on;
     gzip_proxied                   any;
@@ -100,6 +92,11 @@ http {
     brotli_comp_level              4;
     brotli_min_length              256;
     brotli_types                   text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
+
+    zstd                           on;
+    zstd_comp_level                4;
+    zstd_min_length                256;
+    zstd_types                     text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;
     # =================== END COMPRESSION ================== #
     # =================== END GENERAL ====================== #