mirror of https://git.envs.net/envs/ops.git
update some config from server
parent
f53e5e2300
commit
df0e9573dc
|
@ -14,5 +14,4 @@
|
||||||
SHELL=/bin/sh
|
SHELL=/bin/sh
|
||||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||||
|
|
||||||
#1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh --renew-hook "systemctl reload nginx"
|
1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh --renew-hook "systemctl reload nginx"
|
||||||
1 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --renew-hook "systemctl reload nginx"
|
|
||||||
|
|
|
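Review bot: The re-enabled job passes both `--deploy-hook /etc/letsencrypt/renewal-hooks/deploy/envs.sh` and `--renew-hook "systemctl reload nginx"`; certbot treats `--renew-hook` as a deprecated alias of `--deploy-hook` and, as far as I know, rejects the command line when the two carry different values, so every renewal run from this job would fail. Executables under `renewal-hooks/deploy/` are picked up by `certbot renew` on their own, so `certbot -q renew --deploy-hook "systemctl reload nginx"` should be enough. The `\! -d /run/systemd/system` guard also skips this job on a systemd host, which is where `systemctl` exists, so it is worth confirming that the systemd timer path runs the same hooks.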
@ -1,5 +1,5 @@
|
||||||
user www-data;
|
user www-data;
|
||||||
worker_processes auto;
|
worker_processes 4;
|
||||||
worker_rlimit_nofile 262144;
|
worker_rlimit_nofile 262144;
|
||||||
pid /run/nginx.pid;
|
pid /run/nginx.pid;
|
||||||
include /etc/nginx/modules-enabled/*.conf;
|
include /etc/nginx/modules-enabled/*.conf;
|
||||||
|
@ -7,7 +7,7 @@ include /etc/nginx/modules-enabled/*.conf;
|
||||||
error_log /var/log/nginx/error.log crit;
|
error_log /var/log/nginx/error.log crit;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 24576;
|
worker_connections 10240;
|
||||||
use epoll;
|
use epoll;
|
||||||
multi_accept on;
|
multi_accept on;
|
||||||
}
|
}
|
||||||
|
@ -16,6 +16,8 @@ http {
|
||||||
##
|
##
|
||||||
# Basic Settings
|
# Basic Settings
|
||||||
##
|
##
|
||||||
|
proxy_ignore_client_abort on;
|
||||||
|
|
||||||
charset utf-8;
|
charset utf-8;
|
||||||
|
|
||||||
client_max_body_size 32M;
|
client_max_body_size 32M;
|
||||||
|
@ -30,6 +32,7 @@ http {
|
||||||
variables_hash_bucket_size 128;
|
variables_hash_bucket_size 128;
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
|
sendfile_max_chunk 512k;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
tcp_nodelay on;
|
tcp_nodelay on;
|
||||||
|
|
||||||
|
@ -42,14 +45,16 @@ http {
|
||||||
reset_timedout_connection on;
|
reset_timedout_connection on;
|
||||||
|
|
||||||
# request timed out -- default 60
|
# request timed out -- default 60
|
||||||
client_body_timeout 60;
|
client_body_timeout 360;
|
||||||
client_header_timeout 60;
|
client_header_timeout 360;
|
||||||
|
|
||||||
# if client stop responding, free up memory -- default 60
|
# if client stop responding, free up memory -- default 60
|
||||||
send_timeout 60;
|
send_timeout 360;
|
||||||
|
|
||||||
|
lingering_timeout 360;
|
||||||
|
|
||||||
# server will close connection after this time -- default 75
|
# server will close connection after this time -- default 75
|
||||||
keepalive_timeout 75;
|
keepalive_timeout 360;
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
|
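Review bot: Raising `client_header_timeout` and `client_body_timeout` from 60 to 360 in the last hunk lets a client that sends nothing hold a connection six times longer, while the same commit lowers `worker_connections` to 10240, so exhausting connections with slow requests gets cheaper. If the long values are needed for uploads or long-polling, set them in the specific `server` or `location` and keep `client_header_timeout 60;` at `http` level. The comments above the changed lines still read `default 60` and `default 75`; they should say why 360 was chosen. The `http` block starts and ends outside the hunks.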
@ -5,9 +5,10 @@ proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
port_in_redirect off;
|
port_in_redirect off;
|
||||||
proxy_redirect off;
|
proxy_redirect off;
|
||||||
proxy_connect_timeout 360;
|
proxy_connect_timeout 3600;
|
||||||
proxy_send_timeout 600;
|
proxy_read_timeout 3600;
|
||||||
|
proxy_send_timeout 3600;
|
||||||
|
|
||||||
#proxy_buffering off;
|
proxy_buffering off;
|
||||||
proxy_buffers 8 16k;
|
proxy_buffers 8 16k;
|
||||||
proxy_buffer_size 32k;
|
proxy_buffer_size 32k;
|
||||||
|
|
|
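Review bot: `proxy_connect_timeout 3600;` has little effect as written, since the nginx documentation notes that the connect timeout usually cannot exceed 75 seconds, and together with `proxy_read_timeout 3600;`, `proxy_send_timeout 3600;` and `proxy_buffering off;` it now applies to every location that includes this snippet. With buffering off, an upstream connection stays tied to the client for the whole response, so a slow or stalled client can hold a backend slot for up to an hour. Keeping the snippet at moderate values (for example `proxy_connect_timeout 60;`) and setting the hour-long timeouts and `proxy_buffering off;` only in the locations that stream or long-poll would contain this. The file starts before the hunk.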
@ -1,6 +1,7 @@
|
||||||
### ENVS.NET - local ###
|
### ENVS.NET - local ###
|
||||||
server {
|
server {
|
||||||
listen 89.163.145.170:80 default_server;
|
listen 89.163.145.170:80 default_server;
|
||||||
|
listen [2001:4ba0:ffa4:180::2]:80 default_server;
|
||||||
include snippets/listen_local.conf;
|
include snippets/listen_local.conf;
|
||||||
# include snippets/listen.conf;
|
# include snippets/listen.conf;
|
||||||
# include snippets/ddos_def.conf;
|
# include snippets/ddos_def.conf;
|
||||||
|
@ -23,20 +24,10 @@ server {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
map $http_origin $DO_CORS {
|
|
||||||
# indicates all map values are hostnames and should be parsed as such
|
|
||||||
hostnames;
|
|
||||||
# default value
|
|
||||||
default 'true';
|
|
||||||
# blocked domains
|
|
||||||
renaissance.eu.org 'false';
|
|
||||||
element.renaissance.eu.org 'false';
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 89.163.145.170:443 ssl http2 default_server;
|
listen 89.163.145.170:443 ssl http2 default_server;
|
||||||
|
listen [2001:4ba0:ffa4:180::2]:443 ssl http2 default_server;
|
||||||
include snippets/listen_local_ssl.conf;
|
include snippets/listen_local_ssl.conf;
|
||||||
# include snippets/listen_ssl.conf;
|
|
||||||
# include snippets/ddos_def.conf;
|
# include snippets/ddos_def.conf;
|
||||||
server_name envs.net www.envs.net 89.163.145.170 127.0.0.1 localhost _;
|
server_name envs.net www.envs.net 89.163.145.170 127.0.0.1 localhost _;
|
||||||
|
|
||||||
|
@ -68,7 +59,7 @@ server {
|
||||||
fastcgi_pass unix:/var/run/fcgiwrap.socket;
|
fastcgi_pass unix:/var/run/fcgiwrap.socket;
|
||||||
}
|
}
|
||||||
|
|
||||||
# pleroma
|
## pleroma
|
||||||
# location /.well-known/webfinger {
|
# location /.well-known/webfinger {
|
||||||
# if ( $query_string ~ resource=acct:(?<username>[^@]+)@envs\.net ) {
|
# if ( $query_string ~ resource=acct:(?<username>[^@]+)@envs\.net ) {
|
||||||
# return 302 https://pleroma.envs.net/.well-known/webfinger?resource=acct:$username@pleroma.envs.net;
|
# return 302 https://pleroma.envs.net/.well-known/webfinger?resource=acct:$username@pleroma.envs.net;
|
||||||
|
@ -77,21 +68,24 @@ server {
|
||||||
|
|
||||||
## matrix
|
## matrix
|
||||||
location /.well-known/matrix/support {
|
location /.well-known/matrix/support {
|
||||||
# add_header Access-Control-Allow-Origin "$DO_CORS";
|
|
||||||
add_header Access-Control-Allow-Origin "*";
|
add_header Access-Control-Allow-Origin "*";
|
||||||
add_header Content-Type application/json;
|
add_header Content-Type application/json;
|
||||||
return 200 '{"admins": [{"matrix_id": "@creme:envs.net", "email_address": "hostmaster@envs.net", "role": "admin"}], "support_page": "https://matrix.to/#/#envs:envs.net"}';
|
return 200 '{"admins": [{"matrix_id": "@creme:envs.net", "email_address": "hostmaster@envs.net", "role": "admin"}], "support_page": "https://matrix.to/#/#envs:envs.net"}';
|
||||||
}
|
}
|
||||||
|
|
||||||
location /.well-known/matrix/ {
|
location /.well-known/matrix/server {
|
||||||
# add_header Access-Control-Allow-Origin "$DO_CORS";
|
|
||||||
add_header Access-Control-Allow-Origin "*";
|
add_header Access-Control-Allow-Origin "*";
|
||||||
add_header Content-Type application/json;
|
add_header Content-Type application/json;
|
||||||
return 200 '{"m.server": "matrix.envs.net:443", "m.homeserver": {"base_url": "https://matrix.envs.net"}, "m.integrations": {"managers": [{"ui_url": "https://dimension.envs.net/riot", "api_url": "https://dimension.envs.net/api/v1/scalar"}, {"ui_url": "https://scalar.vector.im/", "api_url": "https://scalar.vector.im/api"}]}, "m.integrations_widget": {"url": "https://dimension.envs.net/riot", "data": {"api_url": "https://dimension.envs.net/api/v1/scalar"}}}';
|
return 200 '{"m.server": "matrix.envs.net:443"}';
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~* ^(\/_matrix|\/_synapse) {
|
location /.well-known/matrix {
|
||||||
proxy_read_timeout 3600s;
|
add_header Access-Control-Allow-Origin "*";
|
||||||
|
add_header Content-Type application/json;
|
||||||
|
return 200 '{"m.homeserver": {"base_url": "https://matrix.envs.net"}, "m.integrations": {"managers": [{"ui_url": "https://dimension.envs.net/riot", "api_url": "https://dimension.envs.net/api/v1/scalar"}, {"ui_url": "https://scalar.vector.im/", "api_url": "https://scalar.vector.im/api"}]}, "m.integrations_widget": {"url": "https://dimension.envs.net/riot", "data": {"api_url": "https://dimension.envs.net/api/v1/scalar"}}}';
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ ^(/_matrix|/_synapse/client) {
|
||||||
include proxy_params;
|
include proxy_params;
|
||||||
proxy_ssl_name $http_host;
|
proxy_ssl_name $http_host;
|
||||||
proxy_ssl_server_name on;
|
proxy_ssl_server_name on;
|
||||||
|
@ -101,7 +95,6 @@ server {
|
||||||
|
|
||||||
# maubot
|
# maubot
|
||||||
location ^~ /_matrix/maubot/v1/logs {
|
location ^~ /_matrix/maubot/v1/logs {
|
||||||
# location /_matrix/maubot {
|
|
||||||
include proxy_params;
|
include proxy_params;
|
||||||
proxy_ssl_name $http_host;
|
proxy_ssl_name $http_host;
|
||||||
proxy_ssl_server_name on;
|
proxy_ssl_server_name on;
|
||||||
|
@ -110,11 +103,9 @@ server {
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "Upgrade";
|
proxy_set_header Connection "Upgrade";
|
||||||
proxy_pass https://matrix.envs.net;
|
proxy_pass https://matrix.envs.net;
|
||||||
|
|
||||||
# return 302 https://matrix.envs.net$request_uri;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# users
|
## users
|
||||||
location ~ ^/(~|u/)(?<user>[\w-]+)(?<user_uri>/.*)?$ {
|
location ~ ^/(~|u/)(?<user>[\w-]+)(?<user_uri>/.*)?$ {
|
||||||
alias /home/$user/public_html$user_uri;
|
alias /home/$user/public_html$user_uri;
|
||||||
index index.html index.php index.cgi index.py index.sh index.pl index.lua;
|
index index.html index.php index.cgi index.py index.sh index.pl index.lua;
|
||||||
|
|
|
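Review bot: `add_header Content-Type application/json;` in the new `location /.well-known/matrix` block (and in the `/support` and `/server` blocks above it) appends a header rather than replacing the type nginx derives from `default_type`, so the response likely carries two Content-Type values; `default_type application/json;` inside each location sets it once. The new block is also a prefix match, so any path beginning with `/.well-known/matrix` other than `/server` and `/support` receives the client JSON; `location = /.well-known/matrix/client` would limit it to the intended document. The narrowed regex `^(/_matrix|/_synapse/client)` stops forwarding other `/_synapse` paths; if that is intentional, a comment such as `# only client endpoints; other /_synapse paths stay off the public vhost` would keep a later edit from widening it again. The `server` block starts and ends outside the hunks.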
@ -1 +1,2 @@
|
||||||
listen 89.163.145.170:80;
|
listen 89.163.145.170:80;
|
||||||
|
listen [2001:4ba0:ffa4:180::2]:80;
|
||||||
|
|
|
@ -1 +1,2 @@
|
||||||
listen 89.163.145.170:443 ssl http2;
|
listen 89.163.145.170:443 ssl http2;
|
||||||
|
listen [2001:4ba0:ffa4:180::2]:443 ssl http2;
|
||||||
|
|
|
@ -1,18 +1,20 @@
|
||||||
# allow that much active connections
|
# allow that much active connections
|
||||||
net.unix.max_dgram_qlen = 1024
|
net.unix.max_dgram_qlen = 1024
|
||||||
|
|
||||||
net.ipv4.ip_forward=1
|
|
||||||
|
|
||||||
net.netfilter.nf_conntrack_max=262144
|
net.netfilter.nf_conntrack_max=262144
|
||||||
net.netfilter.nf_conntrack_buckets=65536
|
net.netfilter.nf_conntrack_buckets=65536
|
||||||
|
|
||||||
# IPv6
|
## IPv6
|
||||||
#net.ipv6.conf.all.forwarding=1
|
net.ipv6.conf.all.forwarding=1
|
||||||
|
|
||||||
net.ipv6.conf.default.disable_ipv6=1
|
net.ipv6.conf.default.disable_ipv6=0
|
||||||
net.ipv6.conf.all.disable_ipv6=1
|
net.ipv6.conf.all.disable_ipv6=0
|
||||||
|
|
||||||
net.ipv6.conf.enp2s0.disable_ipv6=1
|
net.ipv6.conf.enp2s0.disable_ipv6=0
|
||||||
|
|
||||||
|
|
||||||
|
## IPv4
|
||||||
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
# Turn on Source Address Verification in all interfaces to
|
# Turn on Source Address Verification in all interfaces to
|
||||||
# prevent some spoofing attacks.
|
# prevent some spoofing attacks.
|
||||||
|
@ -88,7 +90,7 @@ net.ipv4.tcp_max_syn_backlog = 3240000
|
||||||
#net.ipv4.tcp_sack = 0
|
#net.ipv4.tcp_sack = 0
|
||||||
#net.ipv4.tcp_dsack = 0
|
#net.ipv4.tcp_dsack = 0
|
||||||
#net.ipv4.tcp_fack = 0
|
#net.ipv4.tcp_fack = 0
|
||||||
|
|
||||||
# Disable TCP timestamps
|
# Disable TCP timestamps
|
||||||
# Can have a performance overhead and is only advised in cases where sack is needed (see tcp_sack)
|
# Can have a performance overhead and is only advised in cases where sack is needed (see tcp_sack)
|
||||||
#net.ipv4.tcp_timestamps=0
|
#net.ipv4.tcp_timestamps=0
|
||||||
|
|
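Review bot: Uncommenting `net.ipv6.conf.all.forwarding=1` while setting `disable_ipv6=0` lets the host forward IPv6 between interfaces, and nothing in this commit shows a matching IPv6 filter policy; the Source Address Verification comment further down the first hunk presumably refers to `rp_filter`, which covers IPv4 only. With forwarding on, Linux also stops accepting Router Advertisements unless `accept_ra=2`, which matters if the address or default route on `enp2s0` comes from RAs. I would add a comment such as `# needed for <reason>; FORWARD is filtered in ip6tables/nftables` next to the line, or leave it commented out if no IPv6 routing is required. The file continues outside both hunks.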