From 076786f48234f15c2b7c3d2207cc7b7d4aac89ce Mon Sep 17 00:00:00 2001
From: Disassembler
Date: Fri, 7 Feb 2020 18:27:15 +0100
Subject: [PATCH] Bump nginx configs (tcp_nodelay, TLSv1.3)

---
 lxc-apps/cts/lxc/etc/nginx/nginx.conf | 1 +
 lxc-apps/decidim/lxc/etc/nginx/nginx.conf | 1 +
 lxc-apps/ecogis/lxc/etc/nginx/nginx.conf | 2 ++
 lxc-apps/kanboard/lxc/etc/nginx/nginx.conf | 2 ++
 lxc-apps/pandora/lxc/etc/nginx/nginx.conf | 1 +
 lxc-apps/seeddms/lxc/etc/nginx/nginx.conf | 2 ++
 lxc-apps/ushahidi/lxc/etc/nginx/nginx.conf | 2 ++
 vm.sh | 2 +-
 vm/etc/iptables/rules-save | 2 +-
 vm/etc/nginx/nginx.conf | 8 +++++---
 10 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/lxc-apps/cts/lxc/etc/nginx/nginx.conf b/lxc-apps/cts/lxc/etc/nginx/nginx.conf
index 5333aad..c188871 100644
--- a/lxc-apps/cts/lxc/etc/nginx/nginx.conf
+++ b/lxc-apps/cts/lxc/etc/nginx/nginx.conf
@@ -15,6 +15,7 @@ http {
 server_tokens off;
 client_max_body_size 100m;
 sendfile on;
+ tcp_nodelay on;
 send_timeout 300;
 server {
diff --git a/lxc-apps/decidim/lxc/etc/nginx/nginx.conf b/lxc-apps/decidim/lxc/etc/nginx/nginx.conf
index 323bc72..83fe181 100644
--- a/lxc-apps/decidim/lxc/etc/nginx/nginx.conf
+++ b/lxc-apps/decidim/lxc/etc/nginx/nginx.conf
@@ -15,6 +15,7 @@ http {
 server_tokens off;
 client_max_body_size 100m;
 sendfile on;
+ tcp_nodelay on;
 send_timeout 300;
 passenger_root /usr/local/lib/ruby/gems/2.6.0/gems/passenger-6.0.4;
diff --git a/lxc-apps/ecogis/lxc/etc/nginx/nginx.conf b/lxc-apps/ecogis/lxc/etc/nginx/nginx.conf
index 639b804..4fa43b4 100644
--- a/lxc-apps/ecogis/lxc/etc/nginx/nginx.conf
+++ b/lxc-apps/ecogis/lxc/etc/nginx/nginx.conf
@@ -15,6 +15,8 @@ http {
 server_tokens off;
 client_max_body_size 100m;
 sendfile on;
+ tcp_nodelay on;
+ send_timeout 300;
 server {
 listen 8080;
diff --git a/lxc-apps/kanboard/lxc/etc/nginx/nginx.conf b/lxc-apps/kanboard/lxc/etc/nginx/nginx.conf
index 72ed728..421172d 100644
--- a/lxc-apps/kanboard/lxc/etc/nginx/nginx.conf
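Review bot: `send_timeout 300;` in the ecogis hunk (and the same addition in the kanboard, seeddms and ushahidi hunks) lets a client that reads slowly hold a worker connection for five minutes between two successive writes of a response, up from nginx's 60s default, which widens the window for slow-read connection exhaustion. It was presumably raised for large transfers given `client_max_body_size 100m;`, and the cts, decidim and pandora configs already carry the same value, so the change is at least consistent. If the value is intentional, a comment such as `# 300s send_timeout for large downloads; worker_connections bounds the exposure` would record the trade-off; note that `send_timeout` only governs the gap between two writes, not the whole response. The `server {` block opened at the end of the hunk continues outside it.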
+++ b/lxc-apps/kanboard/lxc/etc/nginx/nginx.conf
@@ -15,6 +15,8 @@ http {
 server_tokens off;
 client_max_body_size 100m;
 sendfile on;
+ tcp_nodelay on;
+ send_timeout 300;
 server {
 listen 8080;
diff --git a/lxc-apps/pandora/lxc/etc/nginx/nginx.conf b/lxc-apps/pandora/lxc/etc/nginx/nginx.conf
index 6157ffb..84c1e4c 100644
--- a/lxc-apps/pandora/lxc/etc/nginx/nginx.conf
+++ b/lxc-apps/pandora/lxc/etc/nginx/nginx.conf
@@ -15,6 +15,7 @@ http {
 server_tokens off;
 client_max_body_size 100m;
 sendfile on;
+ tcp_nodelay on;
 send_timeout 300;
 server {
diff --git a/lxc-apps/seeddms/lxc/etc/nginx/nginx.conf b/lxc-apps/seeddms/lxc/etc/nginx/nginx.conf
index f25ed03..293c310 100644
--- a/lxc-apps/seeddms/lxc/etc/nginx/nginx.conf
+++ b/lxc-apps/seeddms/lxc/etc/nginx/nginx.conf
@@ -15,6 +15,8 @@ http {
 server_tokens off;
 client_max_body_size 100m;
 sendfile on;
+ tcp_nodelay on;
+ send_timeout 300;
 server {
 listen 8080;
diff --git a/lxc-apps/ushahidi/lxc/etc/nginx/nginx.conf b/lxc-apps/ushahidi/lxc/etc/nginx/nginx.conf
index 0af1ae6..2c4d5df 100644
--- a/lxc-apps/ushahidi/lxc/etc/nginx/nginx.conf
+++ b/lxc-apps/ushahidi/lxc/etc/nginx/nginx.conf
@@ -15,6 +15,8 @@ http {
 server_tokens off;
 client_max_body_size 100m;
 sendfile on;
+ tcp_nodelay on;
+ send_timeout 300;
 server {
 listen 8080;
diff --git a/vm.sh b/vm.sh
index 2a09266..e3b2bad 100755
--- a/vm.sh
+++ b/vm.sh
@@ -88,7 +88,7 @@ chroot /mnt setup-timezone -z Europe/Prague
 apk --no-cache add apache2-utils gettext
 wget https://repo.spotter.cz/vm.tar -O - | tar xf - -C /mnt
 envsubst /mnt/boot/extlinux.conf
-chroot /mnt apk --no-cache add bridge ca-certificates curl e2fsprogs-extra gettext iptables kbd-misc libressl logrotate postfix nginx openssh-server openssh-sftp-server util-linux wireguard-virt wireguard-tools-wg acme-sh@vm spoc@vm vmmgr@vm
+chroot /mnt apk --no-cache add bridge ca-certificates curl e2fsprogs-extra gettext iptables kbd-misc logrotate postfix nginx openssh-server openssh-sftp-server util-linux wireguard-virt wireguard-tools-wg acme-sh@vm spoc@vm vmmgr@vm
 chroot /mnt newaliases
 for SERVICE in consolefont crond iptables networking nginx ntpd postfix spoc swap urandom vmmgr; do
 ln -s /etc/init.d/${SERVICE} /mnt/etc/runlevels/boot
diff --git a/vm/etc/iptables/rules-save b/vm/etc/iptables/rules-save
index 2cc9795..8d489a6 100644
--- a/vm/etc/iptables/rules-save
+++ b/vm/etc/iptables/rules-save
@@ -3,5 +3,5 @@
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-[0:0] -A POSTROUTING -o spocbr0 -j MASQUERADE
+[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
 COMMIT
diff --git a/vm/etc/nginx/nginx.conf b/vm/etc/nginx/nginx.conf
index c9d0a41..b60d847 100644
--- a/vm/etc/nginx/nginx.conf
+++ b/vm/etc/nginx/nginx.conf
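Review bot: The new package line drops `libressl`, but nothing in vm.sh verifies that the `nginx` it installs is linked against a TLS library that can actually serve the `ssl_protocols TLSv1.3;` this same commit sets in vm/etc/nginx/nginx.conf; if the repo's nginx still resolves to a pre-1.3 stack, the only enabled protocol is unavailable and every TLS handshake fails at first boot. A cheap guard right after the install, `chroot /mnt nginx -V 2>&1 | grep -q 'OpenSSL 1.1.1' || { echo 'nginx lacks TLS 1.3 support' >&2; exit 1; }`, would surface that in the build instead of in production (the exact version string to match should be confirmed against the image). A one-line comment on the package list, `# libressl dropped: nginx needs a TLS 1.3-capable OpenSSL (see vm/etc/nginx/nginx.conf)`, would also tie the two changes together for the next reader. The `for SERVICE ... do` loop opened at the end of the hunk continues past it.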
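Review bot: The rewritten MASQUERADE rule matches on `-o eth0` with no `-s` source match, so every forwarded packet leaving eth0 is source-NATed, not only the container bridge traffic the old `-o spocbr0` rule was scoped to; since vm.sh installs `wireguard-virt` as well, traffic forwarded on behalf of a WireGuard peer would presumably be masqueraded too, if that path is routable at all. Restricting the rule to the container network, `[0:0] -A POSTROUTING -s <CONTAINER_SUBNET> -o eth0 -j MASQUERADE` (subnet is a placeholder to fill in from the bridge configuration), keeps the intent explicit. The interface name is also hard-coded, so on a VM whose first NIC is not named eth0 the rule silently matches nothing and containers lose egress; a comment stating that assumption above the rule is warranted. The filter table's FORWARD policy is outside this hunk, so what is permitted to be forwarded cannot be checked here.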
@@ -15,15 +15,17 @@ http {
 server_tokens off;
 client_max_body_size 100m;
 sendfile on;
+ tcp_nodelay on;
 gzip_vary on;
 charset utf-8;
- ssl_protocols TLSv1.2;
- ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
 ssl_certificate /etc/ssl/services.pem;
 ssl_certificate_key /etc/ssl/services.key;
+ ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:1m;
+ ssl_session_tickets off;
 log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
 access_log /var/log/nginx/access.log main;
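Review bot: `ssl_protocols TLSv1.3;` removes TLS 1.2 rather than adding 1.3 beside it, so any client without TLS 1.3 support (older HTTP libraries, embedded clients, anything built on a TLS stack that predates 1.3) is refused at the handshake with no fallback, and the server also depends on nginx being built against an OpenSSL that implements 1.3. If the hard cut is intended, a comment should say so, e.g. `# TLS 1.3 only: requires nginx built against OpenSSL 1.1.1+; TLS 1.2-only clients are refused`; if not, `ssl_protocols TLSv1.2 TLSv1.3;` keeps those clients, in which case an AEAD-only `ssl_ciphers` list should return, since the removed one no longer applies to 1.3 suites. With `ssl_session_tickets off;` resumption relies solely on the shared cache, and `shared:SSL:1m` holds roughly 4000 sessions, so the new `ssl_session_timeout 1d;` will rarely be reached before eviction — harmless, but worth a comment on the sizing. The `http {` block continues outside the hunk, so whether the `listen ... ssl` lines and any HSTS header were adjusted cannot be seen here.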