machankura/mempool
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update production nginx.conf with performance tuning and rate limiting

Browse Source
This commit is contained in:
wiz 2020-09-10 14:38:11 +09:00
parent 04351e843d
commit 9234d23da2
No known key found for this signature in database
GPG Key ID: A394E332255A6173
1 changed files with 84 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

204
production/nginx.conf
View File

@ -1,9 +1,9 @@
user nobody;
pid /var/run/nginx.pid;
include /usr/local/etc/nginx/modules-enabled/*.conf;
worker_processes auto;
worker_rlimit_nofile 9999;
worker_rlimit_nofile 100000;
events {
worker_connections 9000;
@ -14,134 +14,79 @@ http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 300s;
types_hash_max_size 2048;
server_tokens off;
server_name_in_redirect off;
include /usr/local/etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# reset timed out connections freeing ram
reset_timedout_connection on;
# maximum time between packets the client can pause when sending nginx any data
client_body_timeout 10s;
# maximum time the client has to send the entire header to nginx
client_header_timeout 10s;
# timeout which a single keep-alive client connection will stay open
keepalive_timeout 69s;
# maximum time between packets nginx is allowed to pause when sending the client data
send_timeout 10s;
# number of requests per connection, does not affect SPDY
keepalive_requests 100;
types_hash_max_size 2048;
proxy_cache off;
# enable gzip compression
gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_vary on;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
# text/html is always compressed by gzip module
gzip_types application/javascript application/json application/ld+json application/manifest+json application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # text/html is always compressed by gzip module
# limit request body size
client_max_body_size 10m;
# rate limit requests
limit_req_zone $binary_remote_addr zone=api:5m rate=50r/m;
limit_req_zone $binary_remote_addr zone=electrs:5m rate=1000r/m;
limit_req_status 429;
# rate limit connections
limit_conn_zone $binary_remote_addr zone=websocket:10m;
limit_conn_status 429;
server {
listen 80;
listen [::]:80;
listen 80 backlog=1024;
listen [::]:80 backlog=1024;
server_name mempool.space;
return 301 https://$host$request_uri;
}
server {
listen 127.0.0.1:81 backlog=1024;
listen [::]:443 ssl default http2 backlog=1024;
listen 443 ssl default http2 backlog=1024;
server_name mempool.space;
if ($host = mempool.space) {
return 301 https://$host$request_uri;
} # managed by Certbot
return 404; # managed by Certbot
}
server {
listen 80;
listen [::]:80;
server_name mempool.ninja;
if ($host = mempool.ninja) {
return 301 https://mempool.space$request_uri;
} # managed by Certbot
return 404; # managed by Certbot
}
server {
listen [::]:443 ssl http2; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /usr/local/etc/letsencrypt/live/mempool.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /usr/local/etc/letsencrypt/live/mempool.ninja/privkey.pem; # managed by Certbot
include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server_name mempool.ninja; # managed by Certbot
return 301 https://mempool.space$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name liquid.mempool.ninja;
if ($host = liquid.mempool.ninja) {
return 301 https://mempool.space/liquid$request_uri;
} # managed by Certbot
return 404; # managed by Certbot
}
server {
listen [::]:443 ssl http2; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /usr/local/etc/letsencrypt/live/liquid.mempool.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /usr/local/etc/letsencrypt/live/liquid.mempool.ninja/privkey.pem; # managed by Certbot
include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server_name liquid.mempool.ninja; # managed by Certbot
return 301 https://mempool.space/liquid$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name testnet.mempool.ninja;
if ($host = testnet.mempool.ninja) {
return 301 https://mempool.space/testnet$request_uri;
} # managed by Certbot
return 404; # managed by Certbot
}
server {
listen [::]:443 ssl http2; # managed by Certbot
listen 443 ssl http2; # managed by Certbot
ssl_certificate /usr/local/etc/letsencrypt/live/testnet.mempool.ninja/fullchain.pem; # managed by Certbot
ssl_certificate_key /usr/local/etc/letsencrypt/live/testnet.mempool.ninja/privkey.pem; # managed by Certbot
include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server_name testnet.mempool.ninja; # managed by Certbot
return 301 https://mempool.space/testnet$request_uri;
}
server {
listen 127.0.0.1:81;
listen [::]:443 ssl default http2; # managed by Certbot
listen 443 ssl default http2; # managed by Certbot
ssl_certificate /usr/local/etc/letsencrypt/live/mempool.space/fullchain.pem; # managed by Certbot
ssl_certificate_key /usr/local/etc/letsencrypt/live/mempool.space/privkey.pem; # managed by Certbot
include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
ssl_certificate /usr/local/etc/letsencrypt/live/mempool.space/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/mempool.space/privkey.pem;
include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;
root /mempool/public_html/mainnet/;
index index.html;
index index.html index.htm index.nginx-debian.html;
server_name mempool.space; # managed by Certbot
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# security headers
set $frameOptions "DENY";
set $contentSecurityPolicy "frame-ancestors 'none'";
@ -155,86 +100,105 @@ http {
set $frameOptions "ALLOW-FROM https://wiz.biz";
set $contentSecurityPolicy "frame-ancestors https://wiz.biz";
}
add_header X-Frame-Options $frameOptions;
add_header Content-Security-Policy $contentSecurityPolicy;
add_header Link "<https://mempool.space$request_uri>; rel=\"canonical\"";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# /
location / {
try_files $uri $uri/ /index.html =404;
}
location /explorer {
rewrite /explorer/(.*) https://$host/$1 permanent;
}
location /webhook {
proxy_pass http://127.0.0.1:2222/;
}
# /api
location /api/v1/ws {
proxy_pass http://127.0.0.1:8999/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
limit_conn websocket 10;
}
location /api/v1 {
proxy_pass http://127.0.0.1:8999/api/v1;
limit_req burst=50 nodelay zone=api;
}
location /api/ {
proxy_pass http://[::1]:3000/;
limit_req burst=100 nodelay zone=electrs;
}
# /mainnet/api
location /mainnet/api/v1/ws {
proxy_pass http://127.0.0.1:8999/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
limit_conn websocket 10;
}
location /mainnet/api/v1 {
proxy_pass http://127.0.0.1:8999/api/v1;
limit_req burst=50 nodelay zone=api;
}
location /mainnet/api/ {
proxy_pass http://[::1]:3000/;
limit_req burst=100 nodelay zone=electrs;
}
# /liquid/api
location /liquid/api/v1/ws {
proxy_pass http://127.0.0.1:8998/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
limit_conn websocket 10;
}
location /liquid/api/v1 {
proxy_pass http://127.0.0.1:8998/api/v1;
limit_req burst=50 nodelay zone=api;
}
location /liquid/api/ {
proxy_pass http://[::1]:3001/;
limit_req burst=100 nodelay zone=electrs;
}
# /testnet/api
location /testnet/api/v1/ws {
proxy_pass http://127.0.0.1:8997/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
limit_conn websocket 10;
}
location /testnet/api/v1 {
proxy_pass http://127.0.0.1:8997/api/v1;
limit_req burst=50 nodelay zone=api;
}
location /testnet/api/ {
proxy_pass http://[::1]:3002/;
limit_req burst=100 nodelay zone=electrs;
}
# /bisq
location /bisq/api/v1/ws {
proxy_pass http://127.0.0.1:8996/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
limit_conn websocket 10;
}
location /bisq/api/v1 {
proxy_pass http://127.0.0.1:8996/api/v1;
limit_req burst=50 nodelay zone=api;
}
location /bisq/api {
proxy_pass http://127.0.0.1:8996/api/v1/bisq;
limit_req burst=100 nodelay zone=electrs;
}
}
}