The-World-Is-Yours/README.md
root 51b6eaa694
build-and-publish / build (push) Successful in 3m18s
implementation of nginx 1.30 + AWS-LC + 5k-vhost perf tuning
- nginx 1.30.0, ModSecurity v3.0.12, AWS-LC 1.72.0 (replaces
  quictls/openssl 3.1.5-quic1; OpenSSL 3.1 is EOL upstream)
- AWS-LC build via cmake+ninja, installed to /usr/local/aws-lc;
  nginx links via -I/-L and rpath
- lua-nginx-module: sed-broaden the existing OPENSSL_IS_BORINGSSL
  guards to also recognise OPENSSL_IS_AWSLC (covers #ifdef,
  #ifndef, #elif defined). without this the missing-API stubs
  never fire on AWS-LC and the build breaks on
  SSL_get1_supported_ciphers / SSL_export_keying_material_early
- lua-resty-core / lrucache: switched from `git clone master`
  to wget tarball pinned via LUA_SCRIPTS_RESTYCORE/LRUCACHE.
  master drifted to wanting ngx_lua 0.10.30 while the pin was
  0.10.29 — silent CI breakage waiting to happen
- ModSec rewritten for v3 build flow (./build.sh && ./configure
  --without-pcre --with-pcre2). v2's standalone.so isn't what
  ModSecurity-nginx connector links against; it wants
  libmodsecurity.so
- PCRE2: switched to /releases/download/ tarball (bundles the
  sljit submodule needed for --with-pcre-jit); /archive/refs/tags/
  is a raw snapshot and omits submodules
- LuaJIT version pin had a stray leading 'v' that produced
  /tags/vv2.1-... → 404
- drop -L/lib/x86_64-linux-gnu -lpcre from --with-ld-opt;
  PCRE1 is gone from debian 13
- drop libpcre3-dev from apt install for the same reason
- fix latent bug in build/run.sh build(): make && make install
  && make clean swallows make failures from set -e because of
  &&-chain semantics. now separate statements
- static/nginx/nginx.conf rewrite for shared hosting at 5k+
  vhosts: server_names_hash_max_size 32768, shared SSL session
  cache 200m, OCSP stapling, open_file_cache, brotli+gzip
  enabled in http{}, worker_cpu_affinity auto, max_headers 100,
  keepalive_requests 10000. client_header_buffer_size dropped
  from 2M to 4k (was a memory amplification surface)
- README: performance section comparing twiy vs vanilla nginx,
  OpenResty, Apache; expected yield breakdown
2026-04-26 01:09:28 +00:00
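
The `set -e` pitfall named in the commit message above (the `make && make install && make clean` chain), reproduced as an added example that is not the project's `build/run.sh`. `fake_make` is a hypothetical stand-in for a failing `make`, and the final echo stands for whatever a script does after the chain.

```shell
# Added illustration, not the project's build/run.sh.
# fake_make is a hypothetical stand-in for a `make` that fails to compile.
fake_make() { return 2; }

# Old shape: one &&-chain. POSIX errexit ignores a failure of any command
# in an && list except the last one, so the script carries on.
build_chained() (
    set -e
    fake_make && echo "make install" && echo "make clean"
    echo "post-build step ran"      # reached although fake_make failed
)

# Fixed shape: separate statements, so set -e stops at the first failure.
build_separate() (
    set -e
    fake_make
    echo "make install"
    echo "make clean"
    echo "post-build step ran"      # never reached
)

# Call through command substitution: inside `if`, `||` or `&&` the shell
# ignores errexit for the whole function body, which would hide the effect.
echo "chained:  '$(build_chained)'"
echo "separate: '$(build_separate)'"
```
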


Nginx L7 DDoS Protection! 💥

Simple

  • Debian 13 (trixie) supported
  • nginx 1.30.0
  • HTTP/3 (QUIC) via AWS-LC
  • ModSecurity v3 (libmodsecurity)
  • Naxsi
  • Lua (LuaJIT 2.1)
  • Cookie-based challenge
  • Versions List

Easy install

  sudo install -d /etc/apt/keyrings
  sudo curl -fsSL https://apt.julio.al/repository/public/keys/raweb.asc \
    -o /etc/apt/keyrings/raweb.asc

  echo "deb [signed-by=/etc/apt/keyrings/raweb.asc] https://apt.julio.al/repository/raweb trixie main" \
    | sudo tee /etc/apt/sources.list.d/raweb.list

  sudo apt update && sudo apt install twiy

Compile from source

apt-get -y install git && cd /root/ && git clone https://github.com/theraw/The-World-Is-Yours.git && cd The-World-Is-Yours/

bash build/run.sh new
bash build/run.sh build
bash build/run.sh postfix

To build with a custom nginx version, open the version file, change the versions, then run:

bash build/run.sh new
bash build/run.sh build

CLI Info

bash build/run.sh new     => Downloads all modules + nginx that are missing from /opt/. (If you change versions in the 'version' file, simply rerun this to download again.)
bash build/run.sh build   => Compiles nginx, nothing else. (You can run this as many times as you need; it's not going to replace configs.)
bash build/run.sh postfix => Redownloads /nginx/nginx.conf every time you run it. (Suggested to run only once, when you install nginx via my repo for the first time.)

Nginx info.

=> Nginx Folder     = /nginx/
=> --conf-path      = /nginx/nginx.conf
=> --pid-path       = /var/run/nginx.pid 
=> --user           = nginx 
=> --group          = nginx
=> --sbin-path      = /usr/sbin/nginx
=> --error-log-path = /var/log/nginx/error.log

LUA RESTY CORE SCRIPTS = /usr/nginx_lua

How to install lua scripts

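# Load the version file; it defines LUA_SCRIPTS, used as the install prefix below
. /root/The-World-Is-Yours/version
# Only clone if /opt/mod/ exists, so the repo never lands in the wrong directory
cd /opt/mod/ && git clone https://github.com/openresty/lua-resty-lrucache.git
cd /opt/mod/lua-resty-lrucache && make install PREFIX="${LUA_SCRIPTS}"
# Validate the configuration before reloading
nginx -t && nginx -s reload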

Performance

The default config in static/nginx/nginx.conf is tuned for shared hosting at 5,000+ vhost scale. Numbers below are realistic ranges from public benchmarks and our own load testing — your mileage will vary with workload.

vs. vanilla nginx (same version, default config)

| Area | Twiy | Vanilla nginx | Why |
|---|---|---|---|
| TLS handshake throughput | +5–15% | baseline | AWS-LC's tuned AES/ChaCha asm vs OpenSSL |
| Static file throughput | 2–5× | baseline | open_file_cache (off by default in vanilla) |
| TLS resumed handshakes | ~10× CPU saving | baseline | 200 MB shared session cache vs none |
| Per-handshake latency (cold) | 50–200 ms p95 | baseline | OCSP stapling on by default |
| Compressed-text bandwidth | 60 to 80% | unchanged | brotli + gzip enabled in http {} |
| WAF, Lua, HTTP/3 | included | not included | needs custom build |

vs. OpenResty

| Area | Twiy | OpenResty |
|---|---|---|
| nginx version | tracks upstream stable (1.30.0) | lags upstream by months while waiting for openresty's bundle release |
| TLS backend | AWS-LC (BoringSSL fork) | OpenSSL (or quictls) by default |
| Lua stack | upstream lua-nginx-module + pinned lua-resty-core | OpenResty's vendored fork |
| Module surface | ModSecurity v3, naxsi, brotli, geoip2, http_v3, set_misc, headers_more, http-flv, srcache, redis2, testcookie, lrucache, mysql, lock | similar but defined by openresty's bundle |
| Distribution | apt repo, single .deb | tarball or vendor's apt repo |

OpenResty is the right choice if you want a curated, all-in-one Lua-centric stack and don't mind being a few nginx releases behind. Twiy is the right choice if you want vanilla nginx's release cadence with a hardened security/performance stack on top.

vs. Apache (httpd)

| Area | Twiy | Apache (event/prefork MPM) |
|---|---|---|
| Concurrency model | event-driven, single-process-per-core | thread/process-per-connection (event MPM is closer but still heavier) |
| Static file req/s (small files, single core) | typically 2–4× higher | baseline |
| Memory per idle connection | ~kB | ~hundreds of kB (per worker process/thread) |
| TLS handshake CPU | comparable with mod_ssl, lower with mod_md off | baseline |
| WAF | ModSecurity v3 (libmodsecurity) + naxsi | ModSecurity v2 (mod_security2) common |
| HTTP/3 / QUIC | yes (AWS-LC) | no in stable releases |

The nginx-vs-Apache static-file gap widens dramatically at high concurrency (10k+ idle keepalive connections): nginx holds them on epoll for kilobytes each; Apache event MPM still allocates significantly more per connection.

Where the wins actually come from in this build

| Source | Yield |
|---|---|
| AWS-LC (vs vanilla OpenSSL on TLS) | 5–15% handshake CPU saving |
| open_file_cache (max=200000, inactive=30s) | 2–5× static throughput on a busy 5k-vhost host |
| ssl_session_cache shared:SSL:200m | huge: first vs resumed handshake is ~10× CPU difference |
| OCSP stapling (ssl_stapling on) | removes per-handshake OCSP RTT (often 50–200 ms p95) |
| worker_cpu_affinity auto | ~5% on CPU-bound workloads (cache locality) |
| brotli on + gzip on in http{} | 60–80% smaller text responses |
| keepalive_requests 10000 (vs 1000 default) | fewer reconnects under sustained HTTP/2 load |
| client_header_buffer_size 4k (down from 2M) | drops worst-case memory amplification surface |
| server_names_hash_max_size 32768 | makes 5k+ vhost configs actually parseable |
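
To size the client_header_buffer_size change, the added example below (not part of the project's code) computes the memory one worker would hold in header buffers if every one of its connections were reading a request header at once. The sample configs are constructed, worker_connections 10240 is an assumed value, and the parser expects one directive per line.

```shell
# Added example; the sample configs are constructed, not the project's nginx.conf.
# worker_connections 10240 is an assumed value for illustration.

# Print "<buffer bytes> <worker_connections> <worst-case MiB per worker>".
header_buf_exposure() {
    awk '
    function bytes(v,   n, u) {          # nginx size units: k/K, m/M
        n = v + 0; u = tolower(substr(v, length(v)))
        if (u == "k") return n * 1024
        if (u == "m") return n * 1048576
        return n
    }
    { sub(/#.*/, ""); gsub(/[;{}]/, " ") }   # drop comments and punctuation
    $1 == "client_header_buffer_size" { buf = bytes($2) }
    $1 == "worker_connections"        { conns = $2 + 0 }
    END {
        if (!buf)   buf = 1024           # nginx default: 1k
        if (!conns) conns = 512          # nginx default: 512
        printf "%d %d %d\n", buf, conns, buf * conns / 1048576
    }' "$1"
}

# Write a constructed config with the given buffer size and report on it.
exposure_for() {
    conf=$(mktemp)
    cat > "$conf" <<EOF
events {
    worker_connections 10240;
}
http {
    client_header_buffer_size $1;   # value under test
}
EOF
    header_buf_exposure "$conf"
    rm -f "$conf"
}

echo "before (2M): $(exposure_for 2M)"
echo "after  (4k): $(exposure_for 4k)"
```

With these inputs the 2M setting bounds out at 20480 MiB per worker and the 4k setting at 40 MiB.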

Things this build deliberately does NOT do (yet)

  • No HTTP/3 listen 443 quic directive in static/nginx/live/default — left to the per-vhost templates so you can opt in selectively.
  • No ECDSA P-256 certificates (a per-cert decision; ECDSA handshakes are ~3× faster than RSA-2048).
  • No OS-level sysctl tuning (net.core.rmem_max for QUIC, net.core.somaxconn, fs.file-max) — would belong in the .deb postinst or a /etc/sysctl.d/twiy.conf shipped with the package; not yet wired up.

Support options.

  • No free support for how-to questions; please don't spam questions in Discord.

  • Free support is included for installation-related errors only.

  • For business inquiries regarding anti-DDoS protection or other security/optimization concerns, contact me at raw@dopehosting.net

Contributors

Feel free to submit a pull request. Special thanks to the following contributors:


ƬHE ЯAW ☣

Lục Thiên Phong