work

2026-05-21 14:02:15 +00:00 · 2023-12-07 22:36:27 +01:00
parent 1479dfaf8b
commit 20529a8be4
10 changed files with 43 additions and 10 deletions
--- a/config/nginx/cloudflare.conf
+++ b/config/nginx/cloudflare.conf
@@ -0,0 +1,30 @@
+# https://www.cloudflare.com/ips/
+
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+
+# use any of the following two
+real_ip_header CF-Connecting-IP;
+#real_ip_header X-Forwarded-For;
+
--- a/config/nginx/default_disable.conf
+++ b/config/nginx/default_disable.conf
@@ -0,0 +1,20 @@
+map "" $empty {
+        default "";
+}
+
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        listen 443 ssl default_server;
+        listen [::]:443 ssl default_server;
+        http2 on;
+
+        server_name _;
+
+        ssl_ciphers aNULL;
+        ssl_certificate /etc/nginx/ssl/dummy.crt;
+        ssl_certificate_key /etc/nginx/ssl/dummy.key;
+
+        return 444;
+}
--- a/config/nginx/nginx.conf
+++ b/config/nginx/nginx.conf
@@ -0,0 +1,79 @@
+# ubuntu specific
+user nginx;
+pid /var/run/nginx.pid;
+
+# universal
+
+worker_processes auto;
+worker_rlimit_nofile 100000;
+
+error_log /data/nginx/logs/nginx-error.log warn;
+
+events {
+    worker_connections 8000;
+}
+
+http {
+    open_file_cache max=200000 inactive=20s;
+    open_file_cache_valid 30s;
+    open_file_cache_min_uses 2;
+    open_file_cache_errors on;
+
+    server_tokens off;
+
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    charset utf-8;
+
+    sendfile on;
+    tcp_nopush on;
+
+    reset_timedout_connection on;
+    client_body_timeout 10;
+    send_timeout 2;
+    keepalive_timeout 30;
+    keepalive_requests 100000;
+
+    max_ranges 0;
+
+    gzip on;
+    gzip_comp_level 1;
+    gzip_min_length 256;
+    gzip_proxied any;
+    gzip_vary on;
+
+    gzip_types
+        text/plain;
+
+    log_format access_json '{'
+        '"time": "$time_iso8601", '
+        '"msec": "$msec", '
+        '"status": $status, '
+        '"request": "$request", '
+        '"request_method": "$request_method", '
+        '"request_time": $request_time, '
+        '"body_bytes_sent": $body_bytes_sent, '
+        '"remote_addr": "$remote_addr", '
+        '"remote_user": "$remote_user", '
+        '"http_referrer": "$http_referer", '
+        '"http_x_forwarded_for": "$http_x_forwarded_for", '
+        '"http_user_agent": "$http_user_agent", '
+        '"upstream_response_time": "$upstream_response_time", '
+       # '"upstream_connect_time": "$upstream_connect_time", '
+        '"upstream_header_time": "$upstream_header_time", '
+        '"upstream_cache_status": "$upstream_cache_status", '
+        '"host": "$host", '
+        '"uri": "$uri", '
+        '"http_cf_connecting_ip": "$http_cf_connecting_ip", '
+        '"http_cf_ray": "$http_cf_ray", '
+        '"http_cf_ipcountry": "$http_cf_ipcountry", '
+        '"scheme": "$scheme", '
+        '"http_host": "$http_host"'
+    '}';
+
+    access_log /data/nginx/logs/nginx-access.log access_json;
+
+    include /data/nginx/config/*;
+    include /data/nginx/sites/*;
+}
--- a/config/sysctl/60-optim.conf
+++ b/config/sysctl/60-optim.conf
@@ -0,0 +1,4 @@
+vm.swappiness = 1
+
+net.core.somaxconn = 65535
+