update some config from server
parent
f53e5e2300
commit
df0e9573dc
|
@ -14,5 +14,4 @@
|
|||
SHELL=/bin/sh
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
||||
#1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh --renew-hook "systemctl reload nginx"
|
||||
1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --renew-hook "systemctl reload nginx"
|
||||
1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh --renew-hook "systemctl reload nginx"
|
||||
|
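Review bot: The certbot line at L26, which appears to be the new side of the @ -14,5 +14,4 hunk, passes both `--deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh` and `--renew-hook "systemctl reload nginx"`. As far as I recall, certbot treats `--renew-hook` as a deprecated alias that writes to the same setting as `--deploy-hook`, so giving both with different commands is rejected as a conflict at argument parsing (or at best only one hook runs), and because the job runs with `-q` the failure surfaces only in cron mail while renewals silently stop. Have the deploy script perform the nginx reload and drop the second flag, i.e. `certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh`; if `/etc/letsencrypt/renewal-hooks/deploy/` is the live config's hook directory, certbot already runs executables placed there on successful renewal, so even the remaining flag may be redundant and a short comment saying which mechanism is relied on would help.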
|
|
@ -1,5 +1,5 @@
|
|||
user www-data;
|
||||
worker_processes auto;
|
||||
worker_processes 4;
|
||||
worker_rlimit_nofile 262144;
|
||||
pid /run/nginx.pid;
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
@ -7,7 +7,7 @@ include /etc/nginx/modules-enabled/*.conf;
|
|||
error_log /var/log/nginx/error.log crit;
|
||||
|
||||
events {
|
||||
worker_connections 24576;
|
||||
worker_connections 10240;
|
||||
use epoll;
|
||||
multi_accept on;
|
||||
}
|
||||
|
@ -16,6 +16,8 @@ http {
|
|||
##
|
||||
# Basic Settings
|
||||
##
|
||||
proxy_ignore_client_abort on;
|
||||
|
||||
charset utf-8;
|
||||
|
||||
client_max_body_size 32M;
|
||||
|
@ -30,6 +32,7 @@ http {
|
|||
variables_hash_bucket_size 128;
|
||||
|
||||
sendfile on;
|
||||
sendfile_max_chunk 512k;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
|
||||
|
@ -42,14 +45,16 @@ http {
|
|||
reset_timedout_connection on;
|
||||
|
||||
# request timed out -- default 60
|
||||
client_body_timeout 60;
|
||||
client_header_timeout 60;
|
||||
client_body_timeout 360;
|
||||
client_header_timeout 360;
|
||||
|
||||
# if client stop responding, free up memory -- default 60
|
||||
send_timeout 60;
|
||||
send_timeout 360;
|
||||
|
||||
lingering_timeout 360;
|
||||
|
||||
# server will close connection after this time -- default 75
|
||||
keepalive_timeout 75;
|
||||
keepalive_timeout 360;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
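Review bot: In the @ -42,14 +45,16 hunk, `client_header_timeout 360;` and `client_body_timeout 360;` (assuming the 360 lines are the new side) let a client hold a worker connection for six minutes while trickling a request header or body, and with `worker_connections 10240;` in the events hunk a modest number of such slow connections can exhaust the pool. The header timeout in particular rarely needs to exceed the 60 s default, so keep `client_header_timeout 60;` and raise only the body/send/keepalive values that the long-lived Matrix requests need. Relatedly, `proxy_ignore_client_abort on;` in the @ -16,6 +16,8 hunk keeps the upstream request running after the client has disconnected, so an aborted client no longer frees its upstream slot until the read timeout elapses; a one-line comment stating why that trade-off was chosen, e.g. `# keep upstream requests alive on client abort (long-poll/sync endpoints)`, would stop the next reader from "fixing" it.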
|
|
@ -5,9 +5,10 @@ proxy_set_header X-Forwarded-Proto $scheme;
|
|||
|
||||
port_in_redirect off;
|
||||
proxy_redirect off;
|
||||
proxy_connect_timeout 360;
|
||||
proxy_send_timeout 600;
|
||||
proxy_connect_timeout 3600;
|
||||
proxy_read_timeout 3600;
|
||||
proxy_send_timeout 3600;
|
||||
|
||||
#proxy_buffering off;
|
||||
proxy_buffering off;
|
||||
proxy_buffers 8 16k;
|
||||
proxy_buffer_size 32k;
|
||||
|
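Review bot: `proxy_connect_timeout 3600;` (the new side, replacing 360, if I read the sides correctly) exceeds what nginx can honour: the directive's documentation notes the connect timeout cannot usually exceed 75 seconds because the OS TCP connect timeout fires first, so the value only misleads readers into thinking a slow upstream connect is tolerated. Keep the connect timeout short and leave the long values where they matter, e.g. `proxy_connect_timeout 60;` alongside the new `proxy_read_timeout 3600;` and `proxy_send_timeout 3600;`. With `proxy_buffering off;` now active, `proxy_buffers 8 16k;` is inactive (only `proxy_buffer_size` still applies to the initial part of the response), so a comment such as `# buffering off for streaming/long-poll upstreams; proxy_buffers is unused while off` would save a trip to the docs.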
|
|
@ -1,6 +1,7 @@
|
|||
### ENVS.NET - local ###
|
||||
server {
|
||||
listen 89.163.145.170:80 default_server;
|
||||
listen [2001:4ba0:ffa4:180::2]:80 default_server;
|
||||
include snippets/listen_local.conf;
|
||||
# include snippets/listen.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
|
@ -23,20 +24,10 @@ server {
|
|||
}
|
||||
}
|
||||
|
||||
map $http_origin $DO_CORS {
|
||||
# indicates all map values are hostnames and should be parsed as such
|
||||
hostnames;
|
||||
# default value
|
||||
default 'true';
|
||||
# blocked domains
|
||||
renaissance.eu.org 'false';
|
||||
element.renaissance.eu.org 'false';
|
||||
}
|
||||
|
||||
server {
|
||||
listen 89.163.145.170:443 ssl http2 default_server;
|
||||
listen [2001:4ba0:ffa4:180::2]:443 ssl http2 default_server;
|
||||
include snippets/listen_local_ssl.conf;
|
||||
# include snippets/listen_ssl.conf;
|
||||
# include snippets/ddos_def.conf;
|
||||
server_name envs.net www.envs.net 89.163.145.170 127.0.0.1 localhost _;
|
||||
|
||||
|
@ -68,7 +59,7 @@ server {
|
|||
fastcgi_pass unix:/var/run/fcgiwrap.socket;
|
||||
}
|
||||
|
||||
# pleroma
|
||||
## pleroma
|
||||
# location /.well-known/webfinger {
|
||||
# if ( $query_string ~ resource=acct:(?<username>[^@]+)@envs\.net ) {
|
||||
# return 302 https://pleroma.envs.net/.well-known/webfinger?resource=acct:$username@pleroma.envs.net;
|
||||
|
@ -77,21 +68,24 @@ server {
|
|||
|
||||
## matrix
|
||||
location /.well-known/matrix/support {
|
||||
# add_header Access-Control-Allow-Origin "$DO_CORS";
|
||||
add_header Access-Control-Allow-Origin "*";
|
||||
add_header Content-Type application/json;
|
||||
return 200 '{"admins": [{"matrix_id": "@creme:envs.net", "email_address": "hostmaster@envs.net", "role": "admin"}], "support_page": "https://matrix.to/#/#envs:envs.net"}';
|
||||
}
|
||||
|
||||
location /.well-known/matrix/ {
|
||||
# add_header Access-Control-Allow-Origin "$DO_CORS";
|
||||
location /.well-known/matrix/server {
|
||||
add_header Access-Control-Allow-Origin "*";
|
||||
add_header Content-Type application/json;
|
||||
return 200 '{"m.server": "matrix.envs.net:443", "m.homeserver": {"base_url": "https://matrix.envs.net"}, "m.integrations": {"managers": [{"ui_url": "https://dimension.envs.net/riot", "api_url": "https://dimension.envs.net/api/v1/scalar"}, {"ui_url": "https://scalar.vector.im/", "api_url": "https://scalar.vector.im/api"}]}, "m.integrations_widget": {"url": "https://dimension.envs.net/riot", "data": {"api_url": "https://dimension.envs.net/api/v1/scalar"}}}';
|
||||
return 200 '{"m.server": "matrix.envs.net:443"}';
|
||||
}
|
||||
|
||||
location ~* ^(\/_matrix|\/_synapse) {
|
||||
proxy_read_timeout 3600s;
|
||||
location /.well-known/matrix {
|
||||
add_header Access-Control-Allow-Origin "*";
|
||||
add_header Content-Type application/json;
|
||||
return 200 '{"m.homeserver": {"base_url": "https://matrix.envs.net"}, "m.integrations": {"managers": [{"ui_url": "https://dimension.envs.net/riot", "api_url": "https://dimension.envs.net/api/v1/scalar"}, {"ui_url": "https://scalar.vector.im/", "api_url": "https://scalar.vector.im/api"}]}, "m.integrations_widget": {"url": "https://dimension.envs.net/riot", "data": {"api_url": "https://dimension.envs.net/api/v1/scalar"}}}';
|
||||
}
|
||||
|
||||
location ~ ^(/_matrix|/_synapse/client) {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
|
@ -101,7 +95,6 @@ server {
|
|||
|
||||
# maubot
|
||||
location ^~ /_matrix/maubot/v1/logs {
|
||||
# location /_matrix/maubot {
|
||||
include proxy_params;
|
||||
proxy_ssl_name $http_host;
|
||||
proxy_ssl_server_name on;
|
||||
|
@ -110,11 +103,9 @@ server {
|
|||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_pass https://matrix.envs.net;
|
||||
|
||||
# return 302 https://matrix.envs.net$request_uri;
|
||||
}
|
||||
|
||||
# users
|
||||
## users
|
||||
location ~ ^/(~|u/)(?<user>[\w-]+)(?<user_uri>/.*)?$ {
|
||||
alias /home/$user/public_html$user_uri;
|
||||
index index.html index.php index.cgi index.py index.sh index.pl index.lua;
|
||||
|
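Review bot: Replacing `listen 89.163.145.170:80 default_server;` and its IPv6 twin with `include snippets/listen_local.conf;` in the first hunk (and the 443 lines with `include snippets/listen_local_ssl.conf;` in @ -23,20 +24,10) drops the `default_server` flag, because the snippets as changed further down contain only `listen 89.163.145.170:80;` and `listen 89.163.145.170:443 ssl http2;` without it. Which server block answers requests for unknown hostnames, and which certificate is offered when the SNI name matches nothing on 443, then falls back to whichever block nginx loads first for that address:port, which for sites-enabled is typically alphabetical order and therefore fragile. If `snippets/listen_local.conf` and `listen_local_ssl.conf` are included only from this catch-all vhost, add `default_server` to their listen lines; otherwise keep the explicit listen lines here. The same point applies to the two one-line snippet sections below, so I have not repeated it there.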
|
|
@ -1 +1,2 @@
|
|||
listen 89.163.145.170:80;
|
||||
listen [2001:4ba0:ffa4:180::2]:80;
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
listen 89.163.145.170:443 ssl http2;
|
||||
listen [2001:4ba0:ffa4:180::2]:443 ssl http2;
|
||||
|
|
|
@ -1,18 +1,20 @@
|
|||
# allow that much active connections
|
||||
net.unix.max_dgram_qlen = 1024
|
||||
|
||||
net.ipv4.ip_forward=1
|
||||
|
||||
net.netfilter.nf_conntrack_max=262144
|
||||
net.netfilter.nf_conntrack_buckets=65536
|
||||
|
||||
# IPv6
|
||||
#net.ipv6.conf.all.forwarding=1
|
||||
## IPv6
|
||||
net.ipv6.conf.all.forwarding=1
|
||||
|
||||
net.ipv6.conf.default.disable_ipv6=1
|
||||
net.ipv6.conf.all.disable_ipv6=1
|
||||
net.ipv6.conf.default.disable_ipv6=0
|
||||
net.ipv6.conf.all.disable_ipv6=0
|
||||
|
||||
net.ipv6.conf.enp2s0.disable_ipv6=1
|
||||
net.ipv6.conf.enp2s0.disable_ipv6=0
|
||||
|
||||
|
||||
## IPv4
|
||||
net.ipv4.ip_forward=1
|
||||
|
||||
# Turn on Source Address Verification in all interfaces to
|
||||
# prevent some spoofing attacks.
|
||||
|
@ -88,7 +90,7 @@ net.ipv4.tcp_max_syn_backlog = 3240000
|
|||
#net.ipv4.tcp_sack = 0
|
||||
#net.ipv4.tcp_dsack = 0
|
||||
#net.ipv4.tcp_fack = 0
|
||||
|
||||
|
||||
# Disable TCP timestamps
|
||||
# Can have a performance overhead and is only advised in cases where sack is needed (see tcp_sack)
|
||||
#net.ipv4.tcp_timestamps=0
|
||||
|
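Review bot: `net.ipv6.conf.all.forwarding=1` together with `net.ipv6.conf.all.disable_ipv6=0` (assuming those are the new-side lines of the first hunk) enables the IPv6 stack and makes the host an IPv6 router in one step, and nothing on the page says what is being routed. With forwarding enabled, Linux stops accepting Router Advertisements on interfaces whose `accept_ra` is at the default 1, so if the IPv6 default route on `enp2s0` comes from RA it needs `net.ipv6.conf.enp2s0.accept_ra=2` or a static route, or the box loses v6 connectivity right after this applies. Every IPv4 firewall rule also needs an IPv6 counterpart (ip6tables/nftables) from this commit on, since the listen lines added elsewhere in it expose nginx on `[2001:4ba0:ffa4:180::2]` as soon as the address is up. A why-comment next to the forwarding line, e.g. `# forwarding needed for <container/VPN network - TODO name it>`, would document the intent; the duplicated `net.ipv4.ip_forward=1` at the top and under `## IPv4` looks like a move rather than a duplicate, but a reader cannot tell from the rendered hunk.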
|