The-World-Is-Yours/static/nginx/nginx.conf
root 51b6eaa694
implementation of nginx 1.30 + AWS-LC + 5k-vhost perf tuning
- nginx 1.30.0, ModSecurity v3.0.12, AWS-LC 1.72.0 (replaces
  quictls/openssl 3.1.5-quic1; OpenSSL 3.1 is EOL upstream)
- AWS-LC build via cmake+ninja, installed to /usr/local/aws-lc;
  nginx links via -I/-L and rpath
- lua-nginx-module: sed-broaden the existing OPENSSL_IS_BORINGSSL
  guards to also recognise OPENSSL_IS_AWSLC (covers #ifdef,
  #ifndef, #elif defined). without this the missing-API stubs
  never fire on AWS-LC and the build breaks on
  SSL_get1_supported_ciphers / SSL_export_keying_material_early
- lua-resty-core / lrucache: switched from `git clone master`
  to wget tarball pinned via LUA_SCRIPTS_RESTYCORE/LRUCACHE.
  master drifted to wanting ngx_lua 0.10.30 while the pin was
  0.10.29 — silent CI breakage waiting to happen
- ModSec rewritten for v3 build flow (./build.sh && ./configure
  --without-pcre --with-pcre2). v2's standalone.so isn't what
  ModSecurity-nginx connector links against; it wants
  libmodsecurity.so
- PCRE2: switched to /releases/download/ tarball (bundles the
  sljit submodule needed for --with-pcre-jit); /archive/refs/tags/
  is a raw snapshot and omits submodules
- LuaJIT version pin had a stray leading 'v' that produced
  /tags/vv2.1-... → 404
- drop -L/lib/x86_64-linux-gnu -lpcre from --with-ld-opt;
  PCRE1 is gone from debian 13
- drop libpcre3-dev from apt install for the same reason
- fix latent bug in build/run.sh build(): `make && make install
  && make clean` let a failing make go unnoticed under set -e
  (set -e does not fire on a command that is not the last one in
  an &&-chain). now three separate statements
- static/nginx/nginx.conf rewrite for shared hosting at 5k+
  vhosts: server_names_hash_max_size 32768, shared SSL session
  cache 200m, OCSP stapling, open_file_cache, brotli+gzip
  enabled in http{}, worker_cpu_affinity auto, max_headers 100,
  keepalive_requests 10000. client_header_buffer_size dropped
  from 2M to 4k (was a memory amplification surface)
- README: performance section comparing twiy vs vanilla nginx,
  OpenResty, Apache; expected yield breakdown
2026-04-26 01:09:28 +00:00


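# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems? => https://github.com/theraw/The-World-Is-Yours/issues
#
# Tuned for shared hosting at 5,000+ vhost scale.
# Per-vhost listen/ssl_certificate directives live in /nginx/live/* -- this
# file only contains the global event/http settings.
user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_cpu_affinity auto; # Pin workers to cores for L1/L2 locality.
# Per-worker descriptor budget. It has to cover worker_connections (one fd
# per client connection, two when proxying) PLUS open_file_cache max, since
# every cached entry for a successfully opened file keeps a descriptor open.
# The previous 65535 was smaller than the 200000-entry cache on its own, so
# workers would start failing with EMFILE ("Too many open files") as soon as
# the cache warmed up. The master runs as root, so it can raise the hard
# limit itself; only fs.nr_open (default 1048576) bounds this.
worker_rlimit_nofile 300000;
events {
    multi_accept on;
    use epoll;
    worker_connections 65535;
}
http {
    # =================== LOAD LUA ========================= #
    lua_package_path "/usr/nginx_lua/lib/lua/?.lua;;";
    lua_package_cpath "/usr/nginx_lua/lib/lua/5.1/?.so;;";
    # =================== END LUA ========================== #
    # =================== LOAD L7 ========================== #
    include modsec/l7.conf;
    # =================== END L7 =========================== #
    # ===================== LOGS =========================== #
    # nginx's default log escaping (escape=default) hex-escapes quotes,
    # backslashes and control bytes in $request / $http_user_agent, so a
    # crafted header cannot forge extra log lines. No access_log here: each
    # vhost under live/* decides where (and whether) to log.
    log_format main 'DATE: $time_local FROM: $remote_addr | STATUS: $status | TO: $request | CACHE: $upstream_cache_status | A: $http_user_agent';
    # =================== END LOGS ========================= #
    # ==================== GENERAL ========================= #
    # Header buffers -- keep small. The previous 2M default was a memory
    # amplification target (per-conn x worker_connections = absurd worst case).
    # 4k covers the common case; oversized requests spill into at most
    # 4 x 16k = 64k of large buffers and are rejected (400/414) beyond that.
    client_header_buffer_size 4k;
    large_client_header_buffers 4 16k;
    client_body_buffer_size 16k;
    client_max_body_size 2M;
    client_body_timeout 30s;
    client_header_timeout 30s;
    send_timeout 30s;
    reset_timedout_connection on; # Free sockets fast under churn.
    keepalive_timeout 65s; # Amortise TCP setup across requests.
    keepalive_requests 10000; # Default 1000 too low for HTTP/2.
    # Cap on the number of header lines per request (nginx 1.29.8, per the
    # original note). This bounds per-request parse work and memory; it is
    # not a slowloris defence -- slow senders are cut off by
    # client_header_timeout / client_body_timeout above.
    max_headers 100;
    port_in_redirect off;
    sendfile on;
    sendfile_max_chunk 1m;
    tcp_nodelay on;
    tcp_nopush on;
    server_tokens off;
    server_name_in_redirect off;
    # 5,000+ vhost hash sizing. _max_size must exceed total server names;
    # _bucket_size must be a CPU-cache-line multiple (32/64/128/256/512/1024).
    # nginx refuses to start if a single (e.g. long wildcard) name does not
    # fit the bucket; bump to 256 if that happens rather than trimming names.
    server_names_hash_bucket_size 128;
    server_names_hash_max_size 32768;
    types_hash_max_size 4096;
    # File metadata cache -- biggest single win for static-heavy shared hosting.
    # Multi-tenant caveat: a cached entry holds the open descriptor, so a file
    # that a tenant deletes or chmods away stays servable until the entry is
    # revalidated (open_file_cache_valid). Likewise open_file_cache_errors
    # keeps a 404 for a just-uploaded file for up to 30s. Keep these windows
    # short; do not "tune" them upward without weighing that.
    open_file_cache max=200000 inactive=30s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    # ===================== TLS ============================ #
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off; # TLS 1.3 ciphers, client picks.
    ssl_session_cache shared:SSL:200m; # ~800k sessions shared across workers
    ssl_session_timeout 1d;
    ssl_session_tickets off; # Off unless you have ticket-key rotation.
    # OCSP stapling -- avoid per-handshake OCSP lookups. With _verify on,
    # nginx only staples a response it can validate, and for that each vhost
    # must also set ssl_trusted_certificate (issuer + root chain); otherwise
    # the staple is silently dropped with a warning in the error log.
    # Certificates whose issuer publishes no OCSP URL (Let's Encrypt stopped
    # issuing them in 2025) simply get no staple -- harmless, but no benefit.
    ssl_stapling on;
    ssl_stapling_verify on;
    # ===================== END TLS ======================== #
    # Used for OCSP responder lookups and for any proxy_pass/upstream that is
    # given as a variable in a vhost. This is plain, unauthenticated UDP DNS:
    # a spoofed answer would redirect those lookups, so prefer a local
    # validating resolver if vhosts proxy by hostname. Add ipv6=off on hosts
    # without IPv6 egress, or AAAA answers produce connect failures.
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5s;
    default_type application/octet-stream;
    include /nginx/mime.types;
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    # ==================== COMPRESSION ===================== #
    # Compiled in, now actually enabled. Bandwidth saving on text responses
    # is typically 60-80% for HTML/JSON/CSS/JS/SVG. Comp level 4 is the
    # sweet spot for CPU vs ratio on shared hosting.
    # Security caveat (BREACH): compressing a response that reflects
    # attacker-controlled input next to a secret (CSRF token, session id)
    # over TLS leaks that secret. Enabling this globally means every tenant
    # app inherits that exposure; apps that cannot mask their tokens should
    # set `gzip off; brotli off;` in their vhost.
    # font/woff (zlib inside) and font/woff2 (brotli inside) are already
    # compressed, so they are deliberately absent from the type lists --
    # recompressing them only burns CPU. Both JavaScript media types are
    # listed because mime.types files differ on which one .js maps to.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf;
    brotli on;
    brotli_comp_level 4;
    brotli_min_length 256;
    brotli_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf;
    # =================== END COMPRESSION ================== #
    # =================== END GENERAL ====================== #
    # ================ LOAD VHOST +CONFIGS ================= #
    # Note the bare globs: every file in live/ and conf.d/ is parsed, including
    # editor backups and half-written generator output, and one bad file fails
    # the whole reload. Make sure the vhost generator writes atomically
    # (tmp + rename) into these directories.
    include live/*;
    include conf.d/*;
    include modsec/naxi.core;
    # =================== END CONFIGS ====================== #
}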