work

2026-05-21 14:02:15 +00:00 · 2023-12-27 02:01:24 +01:00
parent d26e31b377
commit 3f55c69e02
16 changed files with 294 additions and 283 deletions
--- a/ssh_lib/assets/kernel/60-ofm.conf
+++ b/ssh_lib/assets/kernel/60-ofm.conf
@@ -0,0 +1 @@
+net.core.somaxconn = 65535
--- a/ssh_lib/assets/kernel/limits-ofm.conf
+++ b/ssh_lib/assets/kernel/limits-ofm.conf
@@ -0,0 +1,4 @@
+* soft nofile 1048576
+* hard nofile 1048576
+root soft nofile 1048576
+root hard nofile 1048576
--- a/ssh_lib/assets/nginx/cloudflare.conf
+++ b/ssh_lib/assets/nginx/cloudflare.conf
@@ -0,0 +1,29 @@
+# https://www.cloudflare.com/ips/
+
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/13;
+set_real_ip_from 104.24.0.0/14;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+
+set_real_ip_from 2400:cb00::/32;
+set_real_ip_from 2405:8100::/32;
+set_real_ip_from 2405:b500::/32;
+set_real_ip_from 2606:4700::/32;
+set_real_ip_from 2803:f800::/32;
+set_real_ip_from 2a06:98c0::/29;
+set_real_ip_from 2c0f:f248::/32;
+
+# use any of the following two
+real_ip_header CF-Connecting-IP;
+#real_ip_header X-Forwarded-For;
--- a/ssh_lib/assets/nginx/default_disable.conf
+++ b/ssh_lib/assets/nginx/default_disable.conf
@@ -0,0 +1,20 @@
+map "" $empty {
+    default "";
+}
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
+
+    server_name _;
+
+    ssl_ciphers aNULL;
+    ssl_certificate /etc/nginx/ssl/dummy.crt;
+    ssl_certificate_key /etc/nginx/ssl/dummy.key;
+
+    return 444;
+}
--- a/ssh_lib/assets/nginx/nginx.conf
+++ b/ssh_lib/assets/nginx/nginx.conf
@@ -0,0 +1,69 @@
+user nginx;
+pid /var/run/nginx.pid;
+
+
+worker_processes auto;
+worker_rlimit_nofile 300000; # needs to be < ulimit -n
+
+error_log /data/nginx/logs/nginx-error.log warn;
+
+events {
+    worker_connections 40000;
+    multi_accept on;
+}
+
+http {
+    # aggressive caching for read-only sources
+    open_file_cache max=1000000 inactive=60m;
+    open_file_cache_valid 60m;
+    open_file_cache_min_uses 1;
+    open_file_cache_errors on;
+
+    server_tokens off;
+
+    # TODO add application/vnd.mapbox-vector-tile
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    charset utf-8;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+
+    reset_timedout_connection on;
+    send_timeout 20;
+
+    max_ranges 0;
+
+    gzip on;
+    gzip_comp_level 1;
+    gzip_types application/json;
+
+    log_format access_json '{'
+    '"time": "$time_iso8601", '
+    '"msec": "$msec", '
+    '"status": $status, '
+    '"request": "$request", '
+    '"request_method": "$request_method", '
+    '"request_time": $request_time, '
+    '"body_bytes_sent": $body_bytes_sent, '
+    '"remote_addr": "$remote_addr", '
+    '"remote_user": "$remote_user", '
+    '"http_referrer": "$http_referer", '
+    '"http_x_forwarded_for": "$http_x_forwarded_for", '
+    '"http_user_agent": "$http_user_agent", '
+    '"host": "$host", '
+    '"uri": "$uri", '
+    '"http_cf_connecting_ip": "$http_cf_connecting_ip", '
+    '"http_cf_ray": "$http_cf_ray", '
+    '"http_cf_ipcountry": "$http_cf_ipcountry", '
+    '"scheme": "$scheme", '
+    '"http_host": "$http_host"'
+    '}';
+
+    access_log /data/nginx/logs/nginx-access.log access_json buffer=32k;
+
+    include /data/nginx/config/*;
+    include /data/nginx/sites/*;
+}
--- a/ssh_lib/benchmark.py
+++ b/ssh_lib/benchmark.py
@@ -1,5 +1,5 @@
-from ssh_lib.config import scripts
-from ssh_lib.utils import apt_get_install, apt_get_update, put, put_str, sudo_cmd
+from ssh_lib.config import scripts_dir
+from ssh_lib.utils import apt_get_install, put


 def c1000k(c):
@@ -17,6 +17,6 @@ def c1000k(c):
 def benchmark(c):
    apt_get_install(c, 'wrk')
    c.sudo('mkdir -p /data/ofm/benchmark')
-    put(c, f'{scripts}/benchmark/wrk_custom_list.lua', '/data/ofm/benchmark')
+    put(c, f'{scripts_dir}/http_host/benchmark/wrk_custom_list.lua', '/data/ofm/benchmark')

    # wrk -c10 -d10s -t1 -s /data/ofm/benchmark/wrk_custom_list.lua http://localhost
--- a/ssh_lib/config.py
+++ b/ssh_lib/config.py
@@ -2,5 +2,6 @@ from pathlib import Path


 base = Path(__file__).parent.parent
-config = base / 'config'
-scripts = base / 'scripts'
+config_dir = base / 'config'
+scripts_dir = base / 'scripts'
+assets_dir = Path(__file__).parent / 'assets'
--- a/ssh_lib/kernel.py
+++ b/ssh_lib/kernel.py
@@ -1,10 +1,10 @@
-from ssh_lib.config import config
+from ssh_lib.config import config_dir
 from ssh_lib.utils import apt_get_install, apt_get_purge, put, put_str


 def setup_kernel_settings(c):
-    put(c, f'{config}/kernel/60-ofm.conf', '/etc/sysctl.d/')
-    put(c, f'{config}/kernel/limits-ofm.conf', '/etc/security/limits.d/')
+    put(c, f'{config_dir}/kernel/60-ofm.conf', '/etc/sysctl.d/')
+    put(c, f'{config_dir}/kernel/limits-ofm.conf', '/etc/security/limits.d/')


 def set_cpu_governor(c):
--- a/ssh_lib/nginx.py
+++ b/ssh_lib/nginx.py
@@ -1,4 +1,4 @@
-from ssh_lib.config import config
+from ssh_lib.config import assets_dir
 from ssh_lib.utils import (
    apt_get_install,
    apt_get_purge,
@@ -46,9 +46,9 @@ def nginx(c):
            hide=True,
        )

-    put(c, f'{config}/nginx/nginx.conf', '/etc/nginx/')
-    put(c, f'{config}/nginx/default_disable.conf', '/data/nginx/sites')
-    put(c, f'{config}/nginx/cloudflare.conf', '/data/nginx/config')
+    put(c, f'{assets_dir}/nginx/nginx.conf', '/etc/nginx/')
+    put(c, f'{assets_dir}/nginx/default_disable.conf', '/data/nginx/sites')
+    put(c, f'{assets_dir}/nginx/cloudflare.conf', '/data/nginx/config')

    c.sudo('service nginx restart')