danwin1210/hosting
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Replace debian stock nginx with custom optimized nginx

Browse Source
This commit is contained in:
Daniel Winzen
2019-09-02 19:45:09 +02:00
parent df4c4275c7
commit 0b61a38c26
6 changed files with 41 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@ -33,7 +33,7 @@ echo "deb https://deb.nodesource.com/node_11.x sid main" >> /etc/apt/sources.lis
The following command will install all required packages: The following command will install all required packages:
``` ```
apt-get --no-install-recommends install apt-transport-tor aspell bzip2 clamav-daemon clamav-freshclam clamav-milter composer curl dovecot-imapd dovecot-pop3d git dnsmasq haveged hunspell iptables libsasl2-modules locales-all logrotate mariadb-server nano nginx-full nodejs postfix postfix-mysql \ apt-get --no-install-recommends install apt-transport-tor aspell bzip2 clamav-daemon clamav-freshclam clamav-milter composer curl dovecot-imapd dovecot-pop3d git dnsmasq haveged hunspell iptables libsasl2-modules locales-all logrotate mariadb-server nano nodejs postfix postfix-mysql \
php7.3-bcmath php7.3-bz2 php7.3-cli php7.3-curl php7.3-dba php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-intl php7.3-json php7.3-mbstring php7.3-mysql php7.3-opcache php7.3-pspell php7.3-readline php7.3-recode php7.3-soap php7.3-sqlite3 php7.3-tidy php7.3-xml php7.3-xmlrpc php7.3-xsl php7.3-zip \ php7.3-bcmath php7.3-bz2 php7.3-cli php7.3-curl php7.3-dba php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-intl php7.3-json php7.3-mbstring php7.3-mysql php7.3-opcache php7.3-pspell php7.3-readline php7.3-recode php7.3-soap php7.3-sqlite3 php7.3-tidy php7.3-xml php7.3-xmlrpc php7.3-xsl php7.3-zip \
php-apcu php-gnupg php-imagick quota quotatool rsync sasl2-bin ssh subversion tor unzip vim vsftpd wget yarn zip php-apcu php-gnupg php-imagick quota quotatool rsync sasl2-bin ssh subversion tor unzip vim vsftpd wget yarn zip
``` ```
@ -159,6 +159,15 @@ Install sodium_compat for v3 hidden_service support
cd /var/www && composer install cd /var/www && composer install
``` ```
Custom optimized nginx
```
apt-get --no-install-recommends install libbrotli-dev libpcre3-dev zlib1g-dev
git clone https://github.com/nginx/nginx && cd nginx
git clone https://github.com/eustas/ngx_brotli
./auto/configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/tmp/body --http-fastcgi-temp-path=/tmp/fastcgi --http-proxy-temp-path=/tmp/proxy --with-threads --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --without-http_ssi_module --without-http_userid_module --without-http_access_module --without-http_mirror_module --without-http_geo_module --without-http_split_clients_module --without-http_uwsgi_module --without-http_scgi_module --without-http_grpc_module --without-http_memcached_module --without-http_limit_conn_module --without-http_limit_req_module --without-http_empty_gif_module --without-http_browser_module --without-http_upstream_hash_module --without-http_upstream_ip_hash_module --without-http_upstream_least_conn_module --without-http_upstream_keepalive_module --without-http_upstream_zone_module --with-stream --with-stream_ssl_module --without-stream_limit_conn_module --without-stream_access_module --without-stream_geo_module --without-stream_map_module --without-stream_split_clients_module --without-stream_return_module --without-stream_upstream_hash_module --without-stream_upstream_least_conn_module --without-stream_upstream_zone_module --with-cc-opt='-O3 -march=native -mtune=native -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --add-module=ngx_brotli
make -j $(nproc) install
```
Last but not least setup the database by running Last but not least setup the database by running
``` ```
php /var/www/setup.php php /var/www/setup.php

3
etc/nginx/fastcgi.conf
View File

@ -28,4 +28,5 @@ fastcgi_param REDIRECT_STATUS 200;
fastcgi_param HTTP_PROXY ""; fastcgi_param HTTP_PROXY "";
#running in chroots #running in chroots
fastcgi_param SCRIPT_FILENAME /www/$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT /www;
fastcgi_param SCRIPT_FILENAME /www$fastcgi_script_name;

17
etc/nginx/nginx.conf
View File

@ -1,7 +1,6 @@
user www-data; user www-data;
worker_processes auto; worker_processes auto;
pid /run/nginx.pid; pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
pcre_jit on; pcre_jit on;
worker_rlimit_nofile 30000; worker_rlimit_nofile 30000;
@ -76,8 +75,6 @@ http {
## ##
gzip on; gzip on;
gzip_disable "msie6";
gzip_vary on; gzip_vary on;
gzip_proxied any; gzip_proxied any;
gzip_comp_level 6; gzip_comp_level 6;
@ -85,6 +82,9 @@ http {
# gzip_http_version 1.1; # gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
brotli on;
brotli_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
fastcgi_index index.php; fastcgi_index index.php;
fastcgi_read_timeout 30m; fastcgi_read_timeout 30m;
fastcgi_max_temp_file_size 0; fastcgi_max_temp_file_size 0;
@ -94,6 +94,17 @@ http {
fastcgi_cache_path /tmp/nginx/ levels=2 keys_zone=fcache:5m inactive=1h max_size=1G; fastcgi_cache_path /tmp/nginx/ levels=2 keys_zone=fcache:5m inactive=1h max_size=1G;
fastcgi_cache_key $host$request_uri; fastcgi_cache_key $host$request_uri;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve X448:X25519:secp521r1:secp384r1:prime256v1;
ssl_ciphers HIGH:!PSK:!RSA:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
# ssl_certificate /etc/acme.sh/hosting.danwin1210.me_ecc/fullchain.cer;
# ssl_certificate_key /etc/acme.sh/hosting.danwin1210.me_ecc/hosting.danwin1210.me.key;
# ssl_dhparam /etc/nginx/dh4096.pem;
## ##
# Virtual Host Configs # Virtual Host Configs
## ##

2
etc/nginx/snippets/fastcgi-php.conf
View File

@ -1,5 +1,5 @@
# regex to split $uri to $fastcgi_script_name and $fastcgi_path # regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.*)$;
# Check that the PHP script exists before passing it # Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404; try_files $fastcgi_script_name =404;

18
etc/systemd/system/nginx.service.d/custom.conf → etc/systemd/system/nginx.service
View File

@ -1,11 +1,19 @@
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target nss-lookup.target
[Service] [Service]
Type=forking
PIDFile=/run/nginx.pid
LimitNOFILE=100000 LimitNOFILE=100000
TimeoutStartSec=600 TimeoutStartSec=600
ExecStop= TimeoutStopSec=5
KillMode=mixed
ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid
ExecStartPre= ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /run/nginx
ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /var/run/nginx
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;' ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ProtectSystem=strict ProtectSystem=strict
PrivateTmp=true PrivateTmp=true
NoNewPrivileges=true NoNewPrivileges=true
@ -17,7 +25,9 @@ LockPersonality=true
SystemCallArchitectures=native SystemCallArchitectures=native
BindPaths=/var/log/nginx/ BindPaths=/var/log/nginx/
BindPaths=/var/lib/nginx/ BindPaths=/var/lib/nginx/
BindPaths=/var/run/
BindPaths=/var/www/var/run/ BindPaths=/var/www/var/run/
BindPaths=/run/ BindPaths=/run/
InaccessiblePaths=/root/ InaccessiblePaths=/root/
[Install]
WantedBy=multi-user.target

4
var/www/common.php
View File

@ -440,8 +440,6 @@ function rewrite_nginx_config(PDO $db){
$php_location=" $php_location="
location ~ [^/]\.php(/|\$) { location ~ [^/]\.php(/|\$) {
include snippets/fastcgi-php.conf; include snippets/fastcgi-php.conf;
fastcgi_param DOCUMENT_ROOT /www;
fastcgi_param SCRIPT_FILENAME /www\$fastcgi_script_name;
fastcgi_pass unix:/run/php/$tmp[system_account]; fastcgi_pass unix:/run/php/$tmp[system_account];
}"; }";
}else{ }else{
@ -472,8 +470,6 @@ function rewrite_nginx_config(PDO $db){
$php_location=" $php_location="
location ~ [^/]\.php(/|\$) { location ~ [^/]\.php(/|\$) {
include snippets/fastcgi-php.conf; include snippets/fastcgi-php.conf;
fastcgi_param DOCUMENT_ROOT /www;
fastcgi_param SCRIPT_FILENAME /www\$fastcgi_script_name;
fastcgi_pass unix:/run/php/$tmp[system_account]; fastcgi_pass unix:/run/php/$tmp[system_account];
}"; }";
}else{ }else{