diff --git a/confs/global/nginx.conf b/confs/global/nginx.conf index a397c26..b1127e6 100644 --- a/confs/global/nginx.conf +++ b/confs/global/nginx.conf @@ -25,9 +25,12 @@ pcre_jit on; # config files for dynamic modules include /etc/nginx/modules/*.conf; +# max open files for each worker +worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%; + events { # max connections per worker - worker_connections 1024; + worker_connections %WORKER_CONNECTIONS%; # epoll seems to be the best on Linux use epoll; @@ -50,7 +53,7 @@ http { # write logs to local syslog log_format logf '%LOG_FORMAT%'; access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf; - error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 notice; + error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 info; # temp paths proxy_temp_path /tmp/proxy_temp; @@ -63,8 +66,8 @@ http { reset_timedout_connection on; # timeouts - client_body_timeout 12; - client_header_timeout 12; + client_body_timeout 10; + client_header_timeout 10; keepalive_timeout 15; send_timeout 10; diff --git a/confs/site/modsecurity-rules.conf b/confs/site/modsecurity-rules.conf index 279cf47..9efdcf5 100644 --- a/confs/site/modsecurity-rules.conf +++ b/confs/site/modsecurity-rules.conf @@ -49,7 +49,7 @@ SecResponseBodyLimit 524288 SecResponseBodyLimitAction ProcessPartial # log usefull stuff -SecAuditEngine RelevantOnly +SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE% SecAuditLogType Serial SecAuditLog /var/log/nginx/modsec_audit.log diff --git a/entrypoint/defaults.sh b/entrypoint/defaults.sh index 801e76b..f141434 100644 --- a/entrypoint/defaults.sh +++ b/entrypoint/defaults.sh 
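Review bot: `worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%;` and `worker_connections %WORKER_CONNECTIONS%;` are filled straight from the environment, and nginx refuses to start on an empty or non-numeric value, so the entrypoint should validate both before substituting them (see the global-config.sh hunk); the placeholders themselves give no hint of that. The two directives are also related: a worker cannot actually serve more connections than it may have open files, and nginx only warns at startup when worker_connections exceeds the open-file limit, so a comment on the new directive would help operators, e.g. `# max open files for each worker (keep >= worker_connections)`. The `events {` block started here, and the `http {` context of the two later hunks, both continue outside the hunk.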
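Review bot: `SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE%` accepts only the documented values On, Off and RelevantOnly, and the rules file fails to load on anything else, so the value should be checked where it is substituted (the site-config.sh hunk) rather than trusted from the environment. Setting it to On also writes a serial audit record for every transaction to the `/var/log/nginx/modsec_audit.log` configured two lines below, which can fill the disk on a busy site; a comment next to the directive would make the trade-off visible, e.g. `# On | Off | RelevantOnly (On audits every transaction; watch disk usage)`.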
@@ -6,6 +6,8 @@ HTTP_PORT="${HTTP_PORT-8080}"
 HTTPS_PORT="${HTTPS_PORT-8443}"
 MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
 SERVER_TOKENS="${SERVER_TOKENS-off}"
+WORKER_CONNECTIONS="${WORKER_CONNECTIONS-1024}"
+WORKER_RLIMIT_NOFILE="${WORKER_RLIMIT_NOFILE-2048}"
 USE_CLIENT_CACHE="${USE_CLIENT_CACHE-no}"
 CLIENT_CACHE_EXTENSIONS="${CLIENT_CACHE_EXTENSIONS-jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2}"
 CLIENT_CACHE_CONTROL="${CLIENT_CACHE_CONTROL-public, max-age=15552000}"
@@ -62,6 +64,7 @@ HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
 STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
 USE_MODSECURITY="${USE_MODSECURITY-yes}"
 USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
+MODSECURITY_SEC_AUDIT_ENGINE="${MODSECURITY_SEC_AUDIT_ENGINE-RelevantOnly}"
 CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';}"
 COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
 COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
@@ -131,3 +134,4 @@ USE_API="${USE_API-no}"
 API_URI="${API_URI-random}"
 API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 SWARM_MODE="${SWARM_MODE-no}"
+
diff --git a/entrypoint/global-config.sh b/entrypoint/global-config.sh
index fa7c3a8..64bdc6d 100644
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@@ -224,3 +224,7 @@ if [ "$USE_API" = "yes" ] ; then
 else
 replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" ""
 fi
+
+# performance tuning
+replace_in_file "/etc/nginx/nginx.conf" "%WORKER_CONNECTIONS%" "$WORKER_CONNECTIONS"
+replace_in_file "/etc/nginx/nginx.conf" "%WORKER_RLIMIT_NOFILE%" "$WORKER_RLIMIT_NOFILE"
diff --git a/entrypoint/site-config.sh b/entrypoint/site-config.sh
index 6c45921..ab417ef 100644
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
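Review bot: The two `replace_in_file` calls appended to global-config.sh write `$WORKER_CONNECTIONS` and `$WORKER_RLIMIT_NOFILE` into nginx.conf unchecked, and defaults.sh only supplies a default when the variable is unset (`${WORKER_CONNECTIONS-1024}`, not `:-`), so an operator exporting an empty or non-numeric value (or, if replace_in_file is sed-based, one containing a replacement metacharacter) yields an nginx.conf that fails at startup with a less readable error than the entrypoint could give. A guard before the substitution fails fast with a clear message and also catches WORKER_CONNECTIONS larger than WORKER_RLIMIT_NOFILE, which nginx only warns about. The same validate-before-substitute pattern applies to MODSECURITY_SEC_AUDIT_ENGINE in the site-config.sh hunk.
```shell
# performance tuning: nginx rejects a non-numeric value for either directive,
# and a worker cannot serve more connections than it may have open files
for val in "$WORKER_CONNECTIONS" "$WORKER_RLIMIT_NOFILE" ; do
	case "$val" in
		''|0|*[!0-9]*) echo "WORKER_CONNECTIONS and WORKER_RLIMIT_NOFILE must be positive integers" >&2 ; exit 1 ;;
	esac
done
if [ "$WORKER_CONNECTIONS" -gt "$WORKER_RLIMIT_NOFILE" ] ; then
	echo "WORKER_CONNECTIONS ($WORKER_CONNECTIONS) must not exceed WORKER_RLIMIT_NOFILE ($WORKER_RLIMIT_NOFILE)" >&2
	exit 1
fi
replace_in_file "/etc/nginx/nginx.conf" "%WORKER_CONNECTIONS%" "$WORKER_CONNECTIONS"
replace_in_file "/etc/nginx/nginx.conf" "%WORKER_RLIMIT_NOFILE%" "$WORKER_RLIMIT_NOFILE"
```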
@@ -394,6 +394,7 @@ fi
 if [ "$USE_MODSECURITY" = "yes" ] ; then
 replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}modsecurity-rules.conf"
 replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;"
+replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_SEC_AUDIT_ENGINE%" "$MODSECURITY_SEC_AUDIT_ENGINE"
 if [ "$MULTISITE" != "yes" ] ; then
 modsec_custom=""
 if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then
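Review bot: The added `replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_SEC_AUDIT_ENGINE%" "$MODSECURITY_SEC_AUDIT_ENGINE"` trusts whatever the environment holds, but SecAuditEngine accepts only the documented values On, Off and RelevantOnly, and the rules file fails to load on anything else, so the site breaks at nginx startup instead of at configuration time. A guard just before the call keeps the error readable: `case "$MODSECURITY_SEC_AUDIT_ENGINE" in On|Off|RelevantOnly) ;; *) echo "MODSECURITY_SEC_AUDIT_ENGINE must be On, Off or RelevantOnly" >&2 ; exit 1 ;; esac`. The enclosing `if [ "$USE_MODSECURITY" = "yes" ]` block continues past the end of the hunk.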