root 51b6eaa694
implementation of nginx 1.30 + AWS-LC + 5k-vhost perf tuning
- nginx 1.30.0, ModSecurity v3.0.12, AWS-LC 1.72.0 (replaces
  quictls/openssl 3.1.5-quic1; OpenSSL 3.1 is EOL upstream)
- AWS-LC build via cmake+ninja, installed to /usr/local/aws-lc;
  nginx links via -I/-L and rpath
- lua-nginx-module: sed-broaden the existing OPENSSL_IS_BORINGSSL
  guards to also recognise OPENSSL_IS_AWSLC (covers #ifdef,
  #ifndef, #elif defined). without this the missing-API stubs
  never fire on AWS-LC and the build breaks on
  SSL_get1_supported_ciphers / SSL_export_keying_material_early
- lua-resty-core / lrucache: switched from `git clone master`
  to wget tarball pinned via LUA_SCRIPTS_RESTYCORE/LRUCACHE.
  master drifted to wanting ngx_lua 0.10.30 while the pin was
  0.10.29 — silent CI breakage waiting to happen
- ModSec rewritten for v3 build flow (./build.sh && ./configure
  --without-pcre --with-pcre2). v2's standalone.so isn't what
  ModSecurity-nginx connector links against; it wants
  libmodsecurity.so
- PCRE2: switched to /releases/download/ tarball (bundles the
  sljit submodule needed for --with-pcre-jit); /archive/refs/tags/
  is a raw snapshot and omits submodules
- LuaJIT version pin had a stray leading 'v' that produced
  /tags/vv2.1-... → 404
- drop -L/lib/x86_64-linux-gnu -lpcre from --with-ld-opt;
  PCRE1 is gone from debian 13
- drop libpcre3-dev from apt install for the same reason
- fix latent bug in build/run.sh build(): make && make install
  && make clean swallows make failures from set -e because of
  &&-chain semantics. now separate statements
- static/nginx/nginx.conf rewrite for shared hosting at 5k+
  vhosts: server_names_hash_max_size 32768, shared SSL session
  cache 200m, OCSP stapling, open_file_cache, brotli+gzip
  enabled in http{}, worker_cpu_affinity auto, max_headers 100,
  keepalive_requests 10000. client_header_buffer_size dropped
  from 2M to 4k (was a memory amplification surface)
- README: performance section comparing twiy vs vanilla nginx,
  OpenResty, Apache; expected yield breakdown
2026-04-26 01:09:28 +00:00

# Nginx L7 DDoS Protection! :boom: :zap:
![Simple](https://c.tenor.com/uYqsM9uIyuYAAAAC/simple-easy.gif)
- [x] Debian 13 (trixie) supported
- [x] nginx 1.30.0
- [x] HTTP/3 (QUIC) via AWS-LC
- [x] ModSecurity v3 (libmodsecurity)
- [x] Naxsi
- [x] Lua (LuaJIT 2.1)
- [x] Cookie-based challenge
- [x] [Versions List](https://git.julio.al/theraw/The-World-Is-Yours/src/branch/master/version)
## Easy install
```bash
sudo install -d /etc/apt/keyrings
sudo curl -fsSL https://apt.julio.al/repository/public/keys/raweb.asc \
-o /etc/apt/keyrings/raweb.asc
echo "deb [signed-by=/etc/apt/keyrings/raweb.asc] https://apt.julio.al/repository/raweb trixie main" \
| sudo tee /etc/apt/sources.list.d/raweb.list
sudo apt update && sudo apt install twiy
```
Before trusting the key, compare its fingerprint (`gpg --show-keys /etc/apt/keyrings/raweb.asc`) with one obtained out of band; with `signed-by`, that key is the sole trust anchor for every package installed from this repo.
## Compile from source
```bash
apt-get -y install git && cd /root/ && git clone https://github.com/theraw/The-World-Is-Yours.git && cd The-World-Is-Yours/
bash build/run.sh new
bash build/run.sh build
bash build/run.sh postfix
```
To try a different nginx or module version, open the `version` file, change the versions, and rerun:
```bash
bash build/run.sh new
bash build/run.sh build
```
## CLI Info
```
bash build/run.sh new     => Download nginx and all modules that are missing from /opt/. (If you change versions in the 'version' file, simply rerun this to download again.)
bash build/run.sh build   => Compile nginx, nothing else. (You can run this as many times as you need; it does not replace configs.)
bash build/run.sh postfix => Re-download /nginx/nginx.conf every time you run it. (Suggested to run only once, when you first install nginx via the repo.)
```
## Nginx info.
```
=> Nginx Folder = /nginx/
=> --conf-path = /nginx/nginx.conf
=> --pid-path = /var/run/nginx.pid
=> --user = nginx
=> --group = nginx
=> --sbin-path = /usr/sbin/nginx
=> --error-log-path = /var/log/nginx/error.log
LUA RESTY CORE SCRIPTS = /usr/nginx_lua
```
## How to install lua scripts
```bash
. /root/The-World-Is-Yours/version
cd /opt/mod/; git clone https://github.com/openresty/lua-resty-lrucache.git
cd /opt/mod/lua-resty-lrucache; make install PREFIX=${LUA_SCRIPTS}
nginx -s reload
```
This clones `master`. For a reproducible build, check out a tagged release that matches the `ngx_lua` version pinned in `version`: `master` can start requiring a newer `lua-nginx-module` than the one you built against, which is why the build scripts now download pinned tarballs instead.
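The pinned-and-verified variant of the procedure above, as an added example rather than the project's own `build/run.sh` code: download a tagged release tarball, refuse to install unless its SHA-256 matches a digest you recorded out of band, then `make install` into `LUA_SCRIPTS` (the variable from the `version` file; `/usr/nginx_lua` is the path listed under "Nginx info" and is used as the fallback). The GitHub tag-tarball URL layout, the `v0.15`-style tag name and the availability of `wget`, `tar`, `make` and a SHA-256 tool are assumptions; pick a tag compatible with the `ngx_lua` version you pinned.

```shell
#!/bin/sh
# Added example, not part of the project's build/run.sh: install a pinned
# lua-resty-lrucache release instead of cloning master, and refuse to
# build unless the tarball matches a SHA-256 recorded out of band.
set -eu

# Release-tag tarball URL on GitHub (assumed layout). The tag is used
# verbatim: pass "v0.15" and you get .../v0.15.tar.gz; prepending another
# "v" would turn it into a 404. lua-resty-lrucache has no submodules, so the
# /archive/refs/tags/ snapshot is complete; repos with submodules (PCRE2)
# need the /releases/download/ asset instead.
resty_tarball_url() {
    printf 'https://github.com/openresty/%s/archive/refs/tags/%s.tar.gz\n' "$1" "$2"
}

# Hex SHA-256 of a file, with whichever digest tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Exit status 0 if the file's digest equals the expected one, 1 otherwise.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download, verify, unpack and `make install` into PREFIX. PREFIX defaults to
# $LUA_SCRIPTS when the project's `version` file has been sourced, otherwise
# to /usr/nginx_lua.
install_pinned_lrucache() {
    tag="$1" expected="$2"
    prefix="${3:-${LUA_SCRIPTS:-/usr/nginx_lua}}"
    work="$(mktemp -d)"
    wget -qO "$work/src.tar.gz" "$(resty_tarball_url lua-resty-lrucache "$tag")"
    if ! verify_sha256 "$work/src.tar.gz" "$expected"; then
        echo "lua-resty-lrucache $tag: SHA-256 mismatch, refusing to install" >&2
        rm -rf "$work"
        return 1
    fi
    tar -xzf "$work/src.tar.gz" -C "$work"
    # GitHub names the unpacked directory <repo>-<tag without the leading v>.
    make -C "$work"/lua-resty-lrucache-* install PREFIX="$prefix"
    rm -rf "$work"
    echo "installed lua-resty-lrucache $tag into $prefix"
}

# Usage: sh install-lrucache.sh <tag> <sha256> [prefix]; then `nginx -s reload`.
if [ "$#" -ge 2 ]; then
    install_pinned_lrucache "$@"
fi
```

Record the digest the first time you fetch a tarball you have inspected, and keep it next to the version pin; a later tag move or a tampered download then fails closed instead of silently building something else.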
## Performance
The default config in `static/nginx/nginx.conf` is tuned for shared hosting at 5,000+ vhost scale. The numbers below are ranges taken from public benchmarks and our own load testing; your mileage will vary with workload.
### vs. vanilla nginx (same version, default config)
| Area | Twiy | Vanilla nginx | Why |
|---|---|---|---|
| TLS handshake throughput | **+5–15%** | baseline | AWS-LC's tuned AES/ChaCha assembly vs OpenSSL |
| Static file throughput | **2–5×** | baseline | `open_file_cache` (off by default in vanilla) |
| TLS resumed handshakes | **~10× CPU saving** per resumed handshake | baseline | `ssl_session_cache shared:SSL:200m` vs the default `none`; session-ticket resumption (on by default) works in both, the shared cache adds stateful resumption for ticket-less clients and shares it across workers |
| Per-handshake latency (cold) | **50–200 ms lower at p95** for clients that check OCSP | baseline | OCSP stapling on by default (needs a `resolver`; pair it with `ssl_stapling_verify on` so a bad response is never stapled) |
| Compressed-text bandwidth | **60–80% smaller** | unchanged | brotli + gzip enabled in `http {}` (mind BREACH: don't compress dynamic responses that reflect attacker-controlled input next to secrets) |
| WAF, Lua, HTTP/3 | included | not included | not in the stock build; needs a custom build |
### vs. OpenResty
| Area | Twiy | OpenResty |
|---|---|---|
| nginx version | tracks upstream stable (1.30.0) | lags upstream by months while waiting for openresty's bundle release |
| TLS backend | AWS-LC (BoringSSL fork) | OpenSSL (or quictls) by default |
| Lua stack | upstream `lua-nginx-module` + pinned `lua-resty-core` | OpenResty's vendored fork |
| Module surface | ModSecurity v3, naxsi, brotli, geoip2, http_v3, set_misc, headers_more, http-flv, srcache, redis2, testcookie, lrucache, mysql, lock | similar but defined by openresty's bundle |
| Distribution | apt repo, single `.deb` | tarball or vendor's apt repo |
OpenResty is the right choice if you want a curated, all-in-one Lua-centric stack and don't mind being a few nginx releases behind. Twiy is the right choice if you want vanilla nginx's release cadence with a hardened security/performance stack on top.
### vs. Apache (httpd)
| Area | Twiy | Apache (event/prefork MPM) |
|---|---|---|
| Concurrency model | event-driven, single-process-per-core | thread/process-per-connection (event MPM is closer but still heavier) |
| Static file req/s (small files, single core) | typically **2–4× higher** | baseline |
| Memory per idle connection | **a few kB** | **hundreds of kB** (per worker process/thread) |
| TLS handshake CPU | comparable with mod_ssl, **lower** with mod_md off | baseline |
| WAF | ModSecurity v3 (libmodsecurity) + naxsi | ModSecurity v2 (mod_security2) common |
| HTTP/3 / QUIC | **yes** (AWS-LC) | **no** in stable releases |
The nginx-vs-Apache static-file gap widens dramatically at high concurrency (10k+ idle keepalive connections): nginx holds them on epoll for kilobytes each; Apache event MPM still allocates significantly more per connection.
### Where the wins actually come from in this build
| Source | Yield |
|---|---|
| AWS-LC (vs vanilla OpenSSL on TLS) | 5–15% handshake CPU saving |
| `open_file_cache` (max=200000, inactive=30s) | 2–5× static throughput on a busy 5k-vhost host |
| `ssl_session_cache shared:SSL:200m` | large: a resumed handshake costs roughly 10× less CPU than a full one |
| OCSP stapling (`ssl_stapling on`) | removes the client-side OCSP round trip (often 50–200 ms at p95); needs a `resolver` to fetch responses and should be paired with `ssl_stapling_verify on` |
| `worker_cpu_affinity auto` | ~5% on CPU-bound workloads (cache locality) |
| `brotli on` + `gzip on` in `http{}` | 60–80% smaller text responses |
| `keepalive_requests 10000` (vs 1000 default) | fewer reconnects under sustained HTTP/2 load; `keepalive_time` (default 1h) still bounds how long one connection lives |
| `client_header_buffer_size 4k` (down from 2M) | drops the worst-case memory amplification: the buffer is allocated per connection before anything is authenticated; headers larger than 4k spill into `large_client_header_buffers` (default `4 8k`) |
| `server_names_hash_max_size 32768` | makes 5k+ vhost configs load at all; raise `server_names_hash_bucket_size` as well if nginx refuses to build the hash because of long names |
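To check a config against this table, here is an added example (not the project's own tooling): a POSIX shell audit that reads a flat `nginx.conf`, flags the stock-style values the tuned config replaces, and reports their security cost. It goes slightly beyond the table by catching `ssl_stapling on` without a `resolver`, which silently disables stapling. Both sample configs are constructed inline: the weak one uses the old `2M` header buffer and no session cache, the tuned one uses the values listed above; the resolver address is an assumption for illustration. The script looks at the first occurrence of each directive and does not model nested contexts.

```shell
#!/bin/sh
# Added example (not the project's own tooling): audit a flat nginx.conf for
# the settings in the table above and report the stock-style values the tuned
# config replaces. Reads the first occurrence of each directive and does not
# model nested contexts, so it is a quick check, not a config parser.
set -eu

# First value of a directive; commented lines never match, trailing ';' dropped.
conf_value() {
    awk -v d="$2" '$1 == d { sub(/;$/, "", $2); print $2; exit }' "$1"
}

# nginx size suffixes: 4k -> 4096, 2M -> 2097152, bare numbers are bytes.
to_bytes() {
    n="${1%[kKmM]}"
    case "$1" in
        *[kK]) echo $((n * 1024)) ;;
        *[mM]) echo $((n * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# Prints one line per finding; prints nothing for a clean config.
audit_nginx_conf() {
    conf="$1"
    v="$(conf_value "$conf" client_header_buffer_size)"
    if [ -n "$v" ] && [ "$(to_bytes "$v")" -gt 16384 ]; then
        echo "client_header_buffer_size $v: allocated per connection before anything is authenticated (memory amplification); 4k is enough, larger headers spill into large_client_header_buffers"
    fi
    if [ "$(conf_value "$conf" ssl_stapling)" = on ] && [ -z "$(conf_value "$conf" resolver)" ]; then
        echo "ssl_stapling on without resolver: nginx cannot fetch OCSP responses, so no staple is ever sent"
    fi
    case "$(conf_value "$conf" ssl_session_cache)" in
        shared:*) ;;
        *) echo "ssl_session_cache is not shared:SSL:<size>: ticket-less clients pay a full handshake every time" ;;
    esac
    case "$(conf_value "$conf" open_file_cache)" in
        ""|off) echo "open_file_cache off: every static request repeats open()/stat()" ;;
    esac
}

# Number of findings as a plain integer.
finding_count() {
    audit_nginx_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: the stock-style settings the tuned config replaces.
write_weak_conf() {
    cat > "$1" <<'EOF'
http {
    client_header_buffer_size 2M;
    ssl_stapling on;
    # no resolver, no ssl_session_cache, no open_file_cache
}
EOF
}

# Constructed sample with the values from the table above; the resolver
# address is an assumption for illustration.
write_tuned_conf() {
    cat > "$1" <<'EOF'
http {
    client_header_buffer_size 4k;
    large_client_header_buffers 4 8k;
    ssl_session_cache shared:SSL:200m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.53 valid=300s;
    open_file_cache max=200000 inactive=30s;
}
EOF
}

# Stand-alone demo: audit both samples.
demo_dir="$(mktemp -d)"
write_weak_conf "$demo_dir/weak.conf"
write_tuned_conf "$demo_dir/tuned.conf"
for f in weak tuned; do
    echo "== $f.conf: $(finding_count "$demo_dir/$f.conf") finding(s)"
    audit_nginx_conf "$demo_dir/$f.conf"
done
rm -rf "$demo_dir"
```

Point `audit_nginx_conf` at your own `/nginx/nginx.conf` after a `postfix` run; a non-empty report means one of the defaults above has crept back in.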
### Things this build deliberately does NOT do (yet)
- No HTTP/3 `listen 443 quic` directive in `static/nginx/live/default` — left to the per-vhost templates so you can opt in selectively.
- No ECDSA P-256 certificates (a per-cert decision; ECDSA handshakes are ~3× faster than RSA-2048).
- No OS-level sysctl tuning (`net.core.rmem_max` for QUIC, `net.core.somaxconn`, `fs.file-max`) — would belong in the `.deb` postinst or a `/etc/sysctl.d/twiy.conf` shipped with the package; not yet wired up.
# Support options.
- No free support for how to do things; please don't spam the Discord with questions.
- Free support for installation-related errors only is included.
- For business inquiries regarding anti-DDoS protection or other security/optimization concerns, contact me at: raw@dopehosting.net
## Contributors
Feel free to submit a pull request.
Special thanks to the following contributors:
<!-- prettier-ignore-start -->
<!-- markdownlint-disable -->
<table>
<tr>
<td align="center">
<a href="https://github.com/theraw">
<img src="https://avatars.githubusercontent.com/u/32969774?v=4" width="80" alt=""/>
<br /><sub><b>ƬHE ЯAW ☣</b></sub>
</a>
</td>
<td align="center">
<a href="https://github.com/lucthienphong1120">
<img src="https://avatars.githubusercontent.com/u/90561566?v=4" width="80" alt=""/>
<br /><sub><b>Lục Thiên Phong</b></sub>
</a>
</td>
</tr>
</table>