Configure timeouts & some improvements #10

Merged
merged 33 commits into from
Mar 3, 2021
Changes from 30 commits

33 commits
72e63e0
Align client_body_timeout with client_header_timeout
zacblazic Feb 25, 2021
6464697
Reduce client_body_buffer_size to 16k
zacblazic Feb 25, 2021
6a36f8e
Disable daemon mode explicitly
zacblazic Mar 1, 2021
ae60679
Automatically detect optimal number of worker processes
zacblazic Mar 1, 2021
5b1404c
Set worker_shutdown_timeout to 240 seconds
zacblazic Mar 1, 2021
ac4ec4a
Use optimal events configuration
zacblazic Mar 1, 2021
0eb3e27
Enable asynchronous file i/o
zacblazic Mar 1, 2021
775a5a4
Enable tcp nodelay
zacblazic Mar 1, 2021
3018617
Reduce client timeouts to 60 seconds
zacblazic Mar 1, 2021
b4c66cb
Reduce keepalive_timeout to 75 seconds
zacblazic Mar 1, 2021
c8556f2
Reduce proxy_connect_timeout to 5 seconds
zacblazic Mar 1, 2021
541d2ae
Reduce proxy_read_timeout to 60 seconds
zacblazic Mar 1, 2021
5bcf72b
Mitigate httpoxy vulnerability
zacblazic Mar 1, 2021
4a58a23
Move access_log to server block for healthcheck server
zacblazic Mar 1, 2021
26fa61c
Fix indentation for healthcheck server block
zacblazic Mar 1, 2021
b02d004
Disable keep-alive for healthcheck server
zacblazic Mar 1, 2021
94db3ab
Move events & worker config to main.conf
zacblazic Mar 1, 2021
dec3208
Update changelog
zacblazic Mar 1, 2021
5f0adb4
Disable sendfile
zacblazic Mar 2, 2021
c9015b5
Enable reset_timedout_connection
zacblazic Mar 2, 2021
7e9c1b5
Separate client/proxy/keepalive sections
zacblazic Mar 2, 2021
d927ddb
Remove setting of client_body_buffer_size
zacblazic Mar 2, 2021
02552d4
Support websocket connections
zacblazic Mar 2, 2021
bf39c19
Disable port_in_redirect
zacblazic Mar 2, 2021
7509a19
Prefer to let app.conf set client_max_body_size
zacblazic Mar 2, 2021
38fafe9
Format http.conf
zacblazic Mar 2, 2021
eb79517
Update changelog
zacblazic Mar 2, 2021
4de0f86
Rename connection_upgrade to proxy_connection
zacblazic Mar 3, 2021
57f3c85
Capitalise upgrade
zacblazic Mar 3, 2021
f0ad4db
Add http_upgrade and proxy_connection to log format
zacblazic Mar 3, 2021
05cd0bd
Update changelog
zacblazic Mar 3, 2021
d3db663
Sort log format fields alphabetically
zacblazic Mar 3, 2021
ac09a63
Set command in dockerfile explicitly
zacblazic Mar 3, 2021
23 changes: 23 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,28 @@
# Changelog

## 1.19.5-7

* Set `daemon` to `off`.
* Set `multi_accept` to `on`.
* Set `use` to `epoll`.
* Set `aio` to `threads`.
* Set `aio_write` to `on`.
* Set `tcp_nodelay` to `on`.
* Set `reset_timedout_connection` to `on`.
* Set `port_in_redirect` to `off`.
* Remove setting of `sendfile` (turns it off).
* Remove setting of `client_max_body_size` (defaults to `1m`).
* Remove setting of `client_body_buffer_size` (defaults to `16k`).
* Reduce `client_body_timeout` to `60s` (same as default).
* Reduce `client_header_timeout` to `60s` (same as default).
* Reduce `keepalive_timeout` to `75s` (same as default).
* Reduce `proxy_connect_timeout` to `5s`.
* Reduce `proxy_read_timeout` to `60s` (same as default).
* Reduce `worker_shutdown_timeout` to `240s`.
* Set `Proxy` header to `""` to mitigate httpoxy vulnerability.
* Disable keep-alive on healthcheck server.
* Enable support for websockets.

## 1.19.5-6

* Set `client_body_buffer_size` to `128k`.
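Review bot: the `client_max_body_size` entry reads like housekeeping, but dropping the previous explicit 500m (see the http.conf hunk) down to the 1m default is user-visible: uploads larger than 1m now get a 413 unless app.conf sets its own limit. Suggest marking it as a breaking change in this entry, e.g. `* Remove setting of client_max_body_size (now defaults to 1m; set it in app.conf if larger uploads are needed).` The websocket line could likewise mention that `proxy_read_timeout` 60s still applies to idle upgraded connections.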
53 changes: 35 additions & 18 deletions config/http.conf
@@ -2,19 +2,24 @@ http {
include /etc/nginx/mime.types;
include /etc/nginx/log.conf;

server_tokens off;
sendfile on;
tcp_nopush on;
aio threads;
aio_write on;

tcp_nopush on;
tcp_nodelay on;

client_max_body_size 500m;
client_body_buffer_size 128k;
client_body_timeout 300s;
client_header_timeout 605s;
keepalive_timeout 605s;
proxy_connect_timeout 60s;
proxy_read_timeout 600s;
proxy_send_timeout 60s;
send_timeout 60s;
client_body_timeout 60s;
client_header_timeout 60s;
keepalive_timeout 75s;
proxy_connect_timeout 5s;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
send_timeout 60s;

reset_timedout_connection on;

port_in_redirect off;
server_tokens off;

# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
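Review bot: with `sendfile on;` removed in this hunk, the retained `tcp_nopush on;` no longer does anything, since nginx only applies TCP_CORK when sendfile is in use; either drop it so the config does not suggest an optimisation that is not active, or add a comment that it is kept for when sendfile is re-enabled. Separately, the new `proxy_read_timeout 60s;` also bounds idle time on the websocket connections this PR enables: an upgraded connection with no upstream traffic for 60 seconds is closed by nginx, so either the application must send ping/pong frames within that window or websocket locations need a longer `proxy_read_timeout`.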
@@ -44,9 +49,19 @@ http {
'' $request_id;
}

# See https://www.nginx.com/blog/websocket-nginx
map $http_upgrade $proxy_connection {
default Upgrade;
'' '';
}

proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header Connection $proxy_connection;
proxy_set_header Upgrade $http_upgrade;

# Mitigate httpoxy vulnerability
proxy_set_header Proxy "";

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
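Review bot: the httpoxy mitigation `proxy_set_header Proxy "";` and the new `Connection $proxy_connection;` / `Upgrade $http_upgrade;` headers are declared at http level, and nginx only inherits `proxy_set_header` into a server or location block when that block defines none of its own. Because `include /etc/nginx/app.conf;` follows, an app.conf that sets even a single `proxy_set_header` inside its server or location silently discards the Proxy scrubbing, the websocket headers and the X-Forwarded-* headers. Suggest a comment above this group stating that app.conf must repeat them if it overrides any, or moving the group into a snippet that app.conf includes.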
@@ -59,11 +74,13 @@ http {
include /etc/nginx/app.conf;

server {
listen 18081 default_server;
listen 18081 default_server;

access_log off;
keepalive_timeout 0;

location /healthz {
access_log off;
return 200;
}
location /healthz {
return 200;
}
}
}
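Review bot: moving `access_log off;` up to server level means every request to port 18081 goes unlogged, not only `/healthz`, and since there is no catch-all location, any other path on this listener falls through to nginx's default static handling. Suggest adding `location / { return 404; }` and keeping `access_log off;` inside `location /healthz` only, so the health endpoint stays quiet while unexpected requests to the healthcheck port remain visible in the logs.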
2 changes: 2 additions & 0 deletions config/log.conf
@@ -8,10 +8,12 @@ log_format main_json escape=json
'"body_bytes_sent":"$body_bytes_sent",'
'"host":"$host",'
'"http_connection":"$http_connection",'
'"http_upgrade":"$http_upgrade",'
@itskingori (Member), Mar 3, 2021:
Oops. Not alphabetical. 😅 Nit-pick.

'"http_referer":"$http_referer",'
'"http_user_agent":"$http_user_agent",'
'"http_x_amzn_trace_id":"$http_x_amzn_trace_id",'
'"http_x_forwarded_for":"$http_x_forwarded_for",'
'"proxy_connection":"$proxy_connection",'
'"proxy_x_forwarded_port":"$proxy_x_forwarded_port",'
'"proxy_x_forwarded_proto":"$proxy_x_forwarded_proto",'
'"proxy_x_forwarded_ssl":"$proxy_x_forwarded_ssl",'
8 changes: 6 additions & 2 deletions config/main.conf
@@ -1,7 +1,11 @@
daemon off;

worker_processes auto;
worker_rlimit_nofile 8192;
worker_shutdown_timeout 630s;
worker_shutdown_timeout 240s;

events {
worker_connections 8000;
multi_accept on;
worker_connections 8000;
use epoll;
}
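Review bot: `worker_processes auto;` sizes the worker pool from the CPUs nginx can see, and inside a container that is the host's core count rather than the cgroup CPU quota, so a pod limited to one CPU on a large node ends up with one worker per host core contending for that single CPU. If this image runs under CPU limits, consider deriving the value from the limit at container start (the Dockerfile command set in ac09a63 is a natural place) or keeping a pinned value as before. The `daemon off;`, `multi_accept on;` and `use epoll;` additions look correct for a Linux container image.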