diff --git a/etc/cron.d/certbot b/etc/cron.d/certbot
index 95984b3..7fecfe7 100644
--- a/etc/cron.d/certbot
+++ b/etc/cron.d/certbot
@@ -14,5 +14,4 @@
 SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-#1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh --renew-hook "systemctl reload nginx"
-1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --renew-hook "systemctl reload nginx"
+1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh --renew-hook "systemctl reload nginx"
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 2eaf88c..0ecf829 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -1,5 +1,5 @@
 user www-data;
-worker_processes auto;
+worker_processes 4;
 worker_rlimit_nofile 262144;
 pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
@@ -7,7 +7,7 @@ include /etc/nginx/modules-enabled/*.conf;
 error_log /var/log/nginx/error.log crit;
 events {
- worker_connections 24576;
+ worker_connections 10240;
 use epoll;
 multi_accept on;
 }
@@ -16,6 +16,8 @@ http {
 ##
 # Basic Settings
 ##
+ proxy_ignore_client_abort on;
+
 charset utf-8;
 client_max_body_size 32M;
@@ -30,6 +32,7 @@ http {
 variables_hash_bucket_size 128;
 sendfile on;
+ sendfile_max_chunk 512k;
 tcp_nopush on;
 tcp_nodelay on;
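Review bot: The restored cron line passes both `--deploy-hook` and `--renew-hook` to `certbot renew`; in the certbot releases I know, `--renew-hook` is a deprecated alias of `--deploy-hook` and giving both is rejected with "--deploy-hook and --renew-hook are not compatible", so under `-q` the renewal would fail silently every 12 hours — confirm with `certbot renew --dry-run` before relying on this line. The script `/etc/letsencrypt/renewal-hooks/deploy/envs.sh` also already lives in the directory certbot runs on every successful deploy, so naming it explicitly would execute it twice. I would drop both flags, `1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew`, and put `systemctl reload nginx` inside envs.sh. Note that the `\! -d /run/systemd/system` guard makes this entry a no-op on a systemd host, where certbot.timer runs instead and only the renewal-hooks directories apply.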
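Review bot: `proxy_ignore_client_abort on;` is added at `http {}` level, so every proxied location on the host now keeps its upstream connection open after the client has disconnected, until the upstream answers or `proxy_read_timeout` expires (3600s in the proxy_params change of this same commit). A client can therefore pin an upstream connection for up to an hour per request simply by sending it and hanging up, which is a cheap resource-exhaustion vector against the Matrix and other backends. Unless a specific backend misbehaves when nginx closes early, keep the default and enable it only inside that one `location` (for example the `/_matrix` block) rather than globally. The enclosing `http {}` block begins before this hunk and ends after it.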
@@ -42,14 +45,16 @@ http {
 reset_timedout_connection on;
 # request timed out -- default 60
- client_body_timeout 60;
- client_header_timeout 60;
+ client_body_timeout 360;
+ client_header_timeout 360;
 # if client stop responding, free up memory -- default 60
- send_timeout 60;
+ send_timeout 360;
+
+ lingering_timeout 360;
 # server will close connection after this time -- default 75
- keepalive_timeout 75;
+ keepalive_timeout 360;
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
diff --git a/etc/nginx/proxy_params b/etc/nginx/proxy_params
index 9fea408..f85dc8f 100644
--- a/etc/nginx/proxy_params
+++ b/etc/nginx/proxy_params
@@ -5,9 +5,10 @@ proxy_set_header X-Forwarded-Proto $scheme;
 port_in_redirect off;
 proxy_redirect off;
-proxy_connect_timeout 360;
-proxy_send_timeout 600;
+proxy_connect_timeout 3600;
+proxy_read_timeout 3600;
+proxy_send_timeout 3600;
-#proxy_buffering off;
+proxy_buffering off;
 proxy_buffers 8 16k;
 proxy_buffer_size 32k;
diff --git a/etc/nginx/sites-available/envs.net.conf b/etc/nginx/sites-available/envs.net.conf
index 3ed26fb..d2d739c 100644
--- a/etc/nginx/sites-available/envs.net.conf
+++ b/etc/nginx/sites-available/envs.net.conf
@@ -1,6 +1,7 @@
 ### ENVS.NET - local ###
 server {
 listen 89.163.145.170:80 default_server;
+ listen [2001:4ba0:ffa4:180::2]:80 default_server;
 include snippets/listen_local.conf;
 # include snippets/listen.conf;
 # include snippets/ddos_def.conf;
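Review bot: `client_header_timeout 360;` lets a connection idle for six minutes between header bytes, which is exactly the window a slowloris-style client needs; request headers are never legitimately slow, so only the body and send timeouts should be raised for long uploads. I would keep `client_header_timeout 60;` (or lower) and note that, with `include snippets/ddos_def.conf;` still commented out in the vhost further down this diff, there is no `limit_conn`/`limit_req` backstop for the 4×10240 worker connections configured above. `lingering_timeout 360;` is also capped by `lingering_time`, which defaults to 30s, so it cannot take effect beyond that unless `lingering_time` is raised deliberately — either drop the line or set both. The `http {}` block this hunk edits starts before and ends after the hunk.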
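Review bot: `proxy_connect_timeout 3600;` cannot take effect — nginx documents that this timeout usually cannot exceed 75 seconds because the kernel's SYN retry limit ends the attempt first — so the value only misleads readers; set `proxy_connect_timeout 75;` or lower. The hour-long `proxy_read_timeout`/`proxy_send_timeout` combined with `proxy_buffering off;` mean a slow or stalled client now holds an upstream connection for up to 3600s in every vhost that includes this file, not only the WebSocket/long-poll Matrix paths that need it. Keep the shared include at the previous modest values and move the 3600s settings into the `/_matrix` location, which until this commit carried its own `proxy_read_timeout 3600s;`. With buffering off, `proxy_buffers 8 16k;` has no effect and only `proxy_buffer_size` is used, so that line can go too.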
@@ -23,20 +24,10 @@ server {
 }
 }
-map $http_origin $DO_CORS {
- # indicates all map values are hostnames and should be parsed as such
- hostnames;
- # default value
- default 'true';
- # blocked domains
- renaissance.eu.org 'false';
- element.renaissance.eu.org 'false';
-}
-
 server {
 listen 89.163.145.170:443 ssl http2 default_server;
+ listen [2001:4ba0:ffa4:180::2]:443 ssl http2 default_server;
 include snippets/listen_local_ssl.conf;
-# include snippets/listen_ssl.conf;
 # include snippets/ddos_def.conf;
 server_name envs.net www.envs.net 89.163.145.170 127.0.0.1 localhost _;
@@ -68,7 +59,7 @@ server {
 fastcgi_pass unix:/var/run/fcgiwrap.socket;
 }
- # pleroma
+ ## pleroma
 # location /.well-known/webfinger {
 # if ( $query_string ~ resource=acct:(?[^@]+)@envs\.net ) {
 # return 302 https://pleroma.envs.net/.well-known/webfinger?resource=acct:$username@pleroma.envs.net;
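Review bot: Deleting the `map $http_origin $DO_CORS` block removes the variable, and nginx refuses to start with `unknown "DO_CORS" variable` if any `add_header ... "$DO_CORS"` still references it; the references visible in this commit are commented out, but grep the rest of sites-available and run `nginx -t` before reloading. The wildcard `Access-Control-Allow-Origin "*"` that replaces it on the `/.well-known/matrix/*` endpoints is what the Matrix spec requires for client discovery, so nothing is lost there; if the per-origin blocklist is still wanted for other locations it now has to be reintroduced elsewhere.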
@@ -77,21 +68,24 @@ server {
 ## matrix
 location /.well-known/matrix/support {
-# add_header Access-Control-Allow-Origin "$DO_CORS";
 add_header Access-Control-Allow-Origin "*";
 add_header Content-Type application/json;
 return 200 '{"admins": [{"matrix_id": "@creme:envs.net", "email_address": "hostmaster@envs.net", "role": "admin"}], "support_page": "https://matrix.to/#/#envs:envs.net"}';
 }
- location /.well-known/matrix/ {
-# add_header Access-Control-Allow-Origin "$DO_CORS";
+ location /.well-known/matrix/server {
 add_header Access-Control-Allow-Origin "*";
 add_header Content-Type application/json;
- return 200 '{"m.server": "matrix.envs.net:443", "m.homeserver": {"base_url": "https://matrix.envs.net"}, "m.integrations": {"managers": [{"ui_url": "https://dimension.envs.net/riot", "api_url": "https://dimension.envs.net/api/v1/scalar"}, {"ui_url": "https://scalar.vector.im/", "api_url": "https://scalar.vector.im/api"}]}, "m.integrations_widget": {"url": "https://dimension.envs.net/riot", "data": {"api_url": "https://dimension.envs.net/api/v1/scalar"}}}';
+ return 200 '{"m.server": "matrix.envs.net:443"}';
 }
- location ~* ^(\/_matrix|\/_synapse) {
- proxy_read_timeout 3600s;
+ location /.well-known/matrix {
+ add_header Access-Control-Allow-Origin "*";
+ add_header Content-Type application/json;
+ return 200 '{"m.homeserver": {"base_url": "https://matrix.envs.net"}, "m.integrations": {"managers": [{"ui_url": "https://dimension.envs.net/riot", "api_url": "https://dimension.envs.net/api/v1/scalar"}, {"ui_url": "https://scalar.vector.im/", "api_url": "https://scalar.vector.im/api"}]}, "m.integrations_widget": {"url": "https://dimension.envs.net/riot", "data": {"api_url": "https://dimension.envs.net/api/v1/scalar"}}}';
+ }
+
+ location ~ ^(/_matrix|/_synapse/client) {
 include proxy_params;
 proxy_ssl_name $http_host;
 proxy_ssl_server_name on;
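Review bot: The three `return 200 '...'` locations set the JSON type with `add_header Content-Type application/json;`, but `return` takes its Content-Type from the location's `default_type` (`application/octet-stream` per nginx.conf) and `add_header` appends rather than replaces, so each response goes out with two Content-Type headers; replace that line with `default_type application/json;` in all three locations. Separately, `add_header` directives are inherited only when a location defines none of its own, so any security headers set at `server {}` level (HSTS and similar, outside this hunk) are silently dropped inside these locations unless repeated here — worth checking. Narrowing the proxy regex to `/_synapse/client` so the `/_synapse/admin` API is no longer exposed is a good change; the enclosing `server {}` block starts before and ends after the hunk.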
@@ -101,7 +95,6 @@ server {
 # maubot
 location ^~ /_matrix/maubot/v1/logs {
-# location /_matrix/maubot {
 include proxy_params;
 proxy_ssl_name $http_host;
 proxy_ssl_server_name on;
@@ -110,11 +103,9 @@ server {
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
 proxy_pass https://matrix.envs.net;
-
-# return 302 https://matrix.envs.net$request_uri;
 }
- # users
+ ## users
 location ~ ^/(~|u/)(?[\w-]+)(?/.*)?$ {
 alias /home/$user/public_html$user_uri;
 index index.html index.php index.cgi index.py index.sh index.pl index.lua;
diff --git a/etc/nginx/snippets/listen.conf b/etc/nginx/snippets/listen.conf
index 453d949..a99410e 100644
--- a/etc/nginx/snippets/listen.conf
+++ b/etc/nginx/snippets/listen.conf
@@ -1 +1,2 @@
 listen 89.163.145.170:80;
+listen [2001:4ba0:ffa4:180::2]:80;
diff --git a/etc/nginx/snippets/listen_ssl.conf b/etc/nginx/snippets/listen_ssl.conf
index 71e49ab..6c67fe2 100644
--- a/etc/nginx/snippets/listen_ssl.conf
+++ b/etc/nginx/snippets/listen_ssl.conf
@@ -1 +1,2 @@
 listen 89.163.145.170:443 ssl http2;
+listen [2001:4ba0:ffa4:180::2]:443 ssl http2;
diff --git a/etc/sysctl.d/net.conf b/etc/sysctl.d/net.conf
index c235226..ebd5001 100644
--- a/etc/sysctl.d/net.conf
+++ b/etc/sysctl.d/net.conf
@@ -1,18 +1,20 @@
 # allow that much active connections
 net.unix.max_dgram_qlen = 1024
-net.ipv4.ip_forward=1
-
 net.netfilter.nf_conntrack_max=262144
 net.netfilter.nf_conntrack_buckets=65536
-# IPv6
-#net.ipv6.conf.all.forwarding=1
+## IPv6
+net.ipv6.conf.all.forwarding=1
-net.ipv6.conf.default.disable_ipv6=1
-net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.default.disable_ipv6=0
+net.ipv6.conf.all.disable_ipv6=0
-net.ipv6.conf.enp2s0.disable_ipv6=1
+net.ipv6.conf.enp2s0.disable_ipv6=0
+
+ ## IPv4
+net.ipv4.ip_forward=1
 # Turn on Source Address Verification in all interfaces to
 # prevent some spoofing attacks.
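Review bot: Flipping `disable_ipv6` to 0 and setting `net.ipv6.conf.all.forwarding=1` in one step exposes every listening service on the new `2001:4ba0:ffa4:180::2` address while the anti-spoofing block that follows (`# Turn on Source Address Verification`) is IPv4-only — there is no IPv6 `rp_filter` sysctl, so reverse-path filtering for v6 has to come from the firewall (nftables `fib saddr . iif oif missing drop` or equivalent), and the ip6tables/nft ruleset should mirror the v4 one before this lands; nothing in the commit shows that it does. `forwarding=1` also makes the kernel act as a router and ignore Router Advertisements unless `accept_ra=2`, so the default route must be static; if the host only needs to serve on v6 and does not route for containers or VMs, leave `forwarding=0`. If forwarding is genuinely required, add `net.ipv6.conf.enp2s0.accept_ra=2` (or a static route) beside it and mirror whatever `accept_redirects=0`/`accept_source_route=0` hardening presumably exists for IPv4 further down this file. Finally, the comment for the relocated `ip_forward=1` reads ` ## IPv4` with a leading space in the hunk — drop the stray space so it matches `## IPv6` above.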
@@ -88,7 +90,7 @@ net.ipv4.tcp_max_syn_backlog = 3240000
 #net.ipv4.tcp_sack = 0
 #net.ipv4.tcp_dsack = 0
 #net.ipv4.tcp_fack = 0
-
+
 # Disable TCP timestamps
 # Can have a performance overhead and is only advised in cases where sack is needed (see tcp_sack)
 #net.ipv4.tcp_timestamps=0