update some config from server

2022-01-08 13:31:49 +00:00 · 2022-01-08 13:31:49 +00:00 · df0e9573dc
parent f53e5e2300
commit df0e9573dc
7 changed files with 41 additions and 41 deletions
--- a/etc/cron.d/certbot
+++ b/etc/cron.d/certbot
@ -14,5 +14,4 @@
 SHELL=/bin/sh
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-#1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh --renew-hook "systemctl reload nginx"
+1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh --renew-hook "systemctl reload nginx"
 1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --renew-hook "systemctl reload nginx"
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@ -1,5 +1,5 @@
 user www-data;
-worker_processes auto;
+worker_processes 4;
 worker_rlimit_nofile 262144;
 pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
@ -7,7 +7,7 @@ include /etc/nginx/modules-enabled/*.conf;
 error_log /var/log/nginx/error.log crit;
 events {
-	worker_connections 24576;
+	worker_connections 10240;
 	use epoll;
 	multi_accept on;
 }
@ -16,6 +16,8 @@ http {
 	##
 	# Basic Settings
 	##
 	proxy_ignore_client_abort on;
 	charset utf-8;
 	client_max_body_size 32M;
@ -30,6 +32,7 @@ http {
 	variables_hash_bucket_size 128;
 	sendfile on;
 	sendfile_max_chunk 512k;
 	tcp_nopush on;
 	tcp_nodelay on;
@ -42,14 +45,16 @@ http {
 	reset_timedout_connection on;
 	# request timed out -- default 60
-	client_body_timeout 60;
+	client_body_timeout 360;
-	client_header_timeout 60;
+	client_header_timeout 360;
 	# if client stop responding, free up memory -- default 60
-	send_timeout 60;
+	send_timeout 360;
 	lingering_timeout 360;
 	# server will close connection after this time -- default 75
-	keepalive_timeout 75;
+	keepalive_timeout 360;
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
--- a/etc/nginx/proxy_params
+++ b/etc/nginx/proxy_params
@ -5,9 +5,10 @@ proxy_set_header X-Forwarded-Proto $scheme;
 port_in_redirect    off;
 proxy_redirect      off;
-proxy_connect_timeout 360;
+proxy_connect_timeout 3600;
-proxy_send_timeout 600;
+proxy_read_timeout 3600;
 proxy_send_timeout 3600;
-#proxy_buffering    off;
+proxy_buffering    off;
 proxy_buffers 8 16k;                                                                                                                                                                                                                          
 proxy_buffer_size 32k;
--- a/etc/nginx/sites-available/envs.net.conf
+++ b/etc/nginx/sites-available/envs.net.conf
@ -1,6 +1,7 @@
 ### ENVS.NET - local ###
 server {
 	listen 89.163.145.170:80 default_server;
 	listen [2001:4ba0:ffa4:180::2]:80 default_server;
 	include snippets/listen_local.conf;
 #	include snippets/listen.conf;
 #	include snippets/ddos_def.conf;
@ -23,20 +24,10 @@ server {
 	}
 }
 map $http_origin $DO_CORS {
 	# indicates all map values are hostnames and should be parsed as such
 	hostnames;
 	# default value
 	default 'true';
 	# blocked domains
 	renaissance.eu.org 'false';
 	element.renaissance.eu.org 'false';
 }
 server {
 	listen 89.163.145.170:443 ssl http2 default_server;
    listen [2001:4ba0:ffa4:180::2]:443 ssl http2 default_server;
 	include snippets/listen_local_ssl.conf;
 #	include snippets/listen_ssl.conf;
 #	include snippets/ddos_def.conf;
 	server_name envs.net www.envs.net 89.163.145.170 127.0.0.1 localhost _;
@ -68,7 +59,7 @@ server {
 		fastcgi_pass unix:/var/run/fcgiwrap.socket;
 	}
-	# pleroma
+	## pleroma
 #	location /.well-known/webfinger {
 #		if ( $query_string ~ resource=acct:(?<username>[^@]+)@envs\.net ) {
 #			return 302 https://pleroma.envs.net/.well-known/webfinger?resource=acct:$username@pleroma.envs.net;
@ -77,21 +68,24 @@ server {
 	## matrix
 	location /.well-known/matrix/support {
 #		add_header Access-Control-Allow-Origin "$DO_CORS";
 		add_header Access-Control-Allow-Origin "*";
 		add_header Content-Type application/json;
 		return 200 '{"admins": [{"matrix_id": "@creme:envs.net", "email_address": "hostmaster@envs.net", "role": "admin"}], "support_page": "https://matrix.to/#/#envs:envs.net"}';
 	}
-	location /.well-known/matrix/ {
+	location /.well-known/matrix/server {
 #		add_header Access-Control-Allow-Origin "$DO_CORS";
 		add_header Access-Control-Allow-Origin "*";
 		add_header Content-Type application/json;
-		return 200 '{"m.server": "matrix.envs.net:443", "m.homeserver": {"base_url": "https://matrix.envs.net"}, "m.integrations": {"managers": [{"ui_url": "https://dimension.envs.net/riot", "api_url": "https://dimension.envs.net/api/v1/scalar"}, {"ui_url": "https://scalar.vector.im/", "api_url": "https://scalar.vector.im/api"}]}, "m.integrations_widget": {"url": "https://dimension.envs.net/riot", "data": {"api_url": "https://dimension.envs.net/api/v1/scalar"}}}';
+		return 200 '{"m.server": "matrix.envs.net:443"}';
 	}
-	location ~* ^(\/_matrix|\/_synapse) {
+	location /.well-known/matrix {
-		proxy_read_timeout 3600s;
+		add_header Access-Control-Allow-Origin "*";
 		add_header Content-Type application/json;
 		return 200 '{"m.homeserver": {"base_url": "https://matrix.envs.net"}, "m.integrations": {"managers": [{"ui_url": "https://dimension.envs.net/riot", "api_url": "https://dimension.envs.net/api/v1/scalar"}, {"ui_url": "https://scalar.vector.im/", "api_url": "https://scalar.vector.im/api"}]}, "m.integrations_widget": {"url": "https://dimension.envs.net/riot", "data": {"api_url": "https://dimension.envs.net/api/v1/scalar"}}}';
 	}
 	location ~ ^(/_matrix|/_synapse/client) {
 		include proxy_params;
 		proxy_ssl_name $http_host;
 		proxy_ssl_server_name on;
@ -101,7 +95,6 @@ server {
 	# maubot
 	location ^~ /_matrix/maubot/v1/logs {
 #	location /_matrix/maubot {
 		include proxy_params;
 		proxy_ssl_name $http_host;
 		proxy_ssl_server_name on;
@ -110,11 +103,9 @@ server {
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection "Upgrade";
 		proxy_pass https://matrix.envs.net;
 #		return 302 https://matrix.envs.net$request_uri;
 	}
-	# users
+	## users
 	location ~ ^/(~|u/)(?<user>[\w-]+)(?<user_uri>/.*)?$ {
 		alias /home/$user/public_html$user_uri;
 		index index.html index.php index.cgi index.py index.sh index.pl index.lua;
--- a/etc/nginx/snippets/listen.conf
+++ b/etc/nginx/snippets/listen.conf
@ -1 +1,2 @@
 listen 89.163.145.170:80;
 listen [2001:4ba0:ffa4:180::2]:80;
--- a/etc/nginx/snippets/listen_ssl.conf
+++ b/etc/nginx/snippets/listen_ssl.conf
@ -1 +1,2 @@
 listen 89.163.145.170:443 ssl http2;
 listen [2001:4ba0:ffa4:180::2]:443 ssl http2;
--- a/etc/sysctl.d/net.conf
+++ b/etc/sysctl.d/net.conf
@ -1,18 +1,20 @@
 # allow that much active connections
 net.unix.max_dgram_qlen = 1024
 net.ipv4.ip_forward=1
 net.netfilter.nf_conntrack_max=262144
 net.netfilter.nf_conntrack_buckets=65536
-# IPv6
+## IPv6
-#net.ipv6.conf.all.forwarding=1
+net.ipv6.conf.all.forwarding=1
-net.ipv6.conf.default.disable_ipv6=1
+net.ipv6.conf.default.disable_ipv6=0
-net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.all.disable_ipv6=0
-net.ipv6.conf.enp2s0.disable_ipv6=1
+net.ipv6.conf.enp2s0.disable_ipv6=0
 ## IPv4
 net.ipv4.ip_forward=1
 # Turn on Source Address Verification in all interfaces to
 # prevent some spoofing attacks.
@ -88,7 +90,7 @@ net.ipv4.tcp_max_syn_backlog = 3240000
 #net.ipv4.tcp_sack = 0
 #net.ipv4.tcp_dsack = 0
 #net.ipv4.tcp_fack = 0
- 
+
 # Disable TCP timestamps
 # Can have a performance overhead and is only advised in cases where sack is needed (see tcp_sack)
 #net.ipv4.tcp_timestamps=0
`@ -1 +1,2 @@`
	`listen 89.163.145.170:80;`	`listen 89.163.145.170:80;`
		`listen [2001:4ba0:ffa4:180::2]:80;`
`@ -1 +1,2 @@`
	`listen 89.163.145.170:443 ssl http2;`	`listen 89.163.145.170:443 ssl http2;`
		`listen [2001:4ba0:ffa4:180::2]:443 ssl http2;`