guix/maintenance
2
0
Fork 0
mirror of git://git.savannah.gnu.org/guix/maintenance.git synced 2023-12-14 03:33:04 +01:00
Code Issues Releases Wiki Activity
maintenance/hydra/nginx/bayfront.conf
Ludovic Courtès 59b2807ab0
nginx: bayfront: Allocate less space for the nar/narinfo caches. 
* hydra/nginx/bayfront.conf: Allocate less space for the nar/narinfo
caches, and more space for the CAS cache.
2017-10-14 14:44:31 +02:00

145 lines
4.6 KiB
Text
Raw Blame History

# This is the nginx config file for bayfront.guixsd.conf.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log error;
pid /var/run/nginx.pid;
pcre_jit on;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# We need to specify all these or nginx picks its own directory to
# store them, which doesn't work because the store is read-only.
client_body_temp_path /var/run/nginx/body;
proxy_temp_path /var/run/nginx/proxy;
fastcgi_temp_path /var/run/nginx/fastcgi;
uwsgi_temp_path /var/run/nginx/uwsgi;
scgi_temp_path /var/run/nginx/scgi;
access_log /var/log/nginx/access.log;
sendfile on;
# Maximum chunk size to send. Partly this is a workaround
# for <http://bugs.gnu.org/19939>, but also the nginx docs
# mention that "Without the limit, one fast connection may
# seize the worker process entirely."
# <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
sendfile_max_chunk 1m;
keepalive_timeout 65;
# Use HTTP 1.1 to talk to the backend so we benefit from
# keep-alive connections and chunked transfer encoding. The
# latter allows us to make sure we do not cache partial downloads.
proxy_http_version 1.1;
# The 'inactive' parameter for caching is not very useful in our
# case: all that matters is that LRU sweeping happens when
# 'max_size' is hit.
# cache for narinfo files
proxy_cache_path /var/cache/nginx/narinfo
levels=2
inactive=7d # inactive keys removed after 7d
keys_zone=narinfo:4m # narinfo meta data: ~32K keys
max_size=1g; # total cache data size max
# cache for nar files
proxy_cache_path /var/cache/nginx/nar
levels=2
inactive=8d # inactive keys removed after 8d
keys_zone=nar:4m # nar cache meta data: ~32K keys
max_size=10g; # total cache data size max
# cache for content-addressed files
proxy_cache_path /var/cache/nginx/cas
levels=2
inactive=180d # inactive keys removed after 180d
keys_zone=cas:8m # nar cache meta data: ~64K keys
max_size=50g; # total cache data size max
# cache for build logs
proxy_cache_path /var/cache/nginx/logs
levels=2
inactive=60d # inactive keys removed after 60d
keys_zone=logs:8m # narinfo meta data: ~64K keys
max_size=4g; # total cache data size max
# cache for static data
proxy_cache_path /var/cache/nginx/static
levels=1
inactive=10d # inactive keys removed after 10d
keys_zone=static:1m # nar cache meta data: ~8K keys
max_size=200m; # total cache data size max
# If Hydra cannot honor these delays, then something is wrong and
# we'd better drop the connection and return 504.
proxy_connect_timeout 7s;
proxy_read_timeout 10s;
proxy_send_timeout 10s;
# Cache timeouts for a little while to avoid increasing pressure.
proxy_cache_valid 504 30s;
server {
listen 80;
server_name bayfront.guixsd.org;
access_log /var/log/nginx/http.access.log;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
include bayfront-locations.conf;
}
server {
listen 80;
server_name bootstrappable.org;
root /home/rekado/bootstrappable.org;
index index.html;
access_log /var/log/nginx/bootstrappable.access.log;
location = / {
root /home/rekado/bootstrappable.org;
}
}
# HTTPS server.
server {
listen 443 ssl;
server_name bayfront.guixsd.org;
ssl_certificate /etc/letsencrypt/live/bayfront.guixsd.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bayfront.guixsd.org/privkey.pem;
# Make sure SSL is disabled.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Disable weak cipher suites.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Use our own DH parameters created with:
# openssl dhparam -out dhparams.pem 2048
# as suggested at <https://weakdh.org/sysadmin.html>.
ssl_dhparam /etc/dhparams.pem;
access_log /var/log/nginx/https.access.log;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
include bayfront-locations.conf;
}
}
View git blame Copy permalink