mirror of
git://git.savannah.gnu.org/guix/maintenance.git
synced 2023-12-14 03:33:04 +01:00
7db2489880
This works around ENOSPC on hydra.gnunet.org. * hydra/nginx/mirror.conf (/var/cache/nginx/nar): Limit to 95G.
123 lines
3.7 KiB
Plaintext
123 lines
3.7 KiB
Plaintext
# This is the /etc/nginx/nginx.conf file for mirrors.
|
|
|
|
user www-data;
|
|
worker_processes auto;
|
|
|
|
error_log /var/log/nginx/error.log error;
|
|
pid /var/run/nginx.pid;
|
|
|
|
lock_file /var/lock/nginx.lock;
|
|
|
|
pcre_jit on;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
default_type application/octet-stream;
|
|
|
|
client_body_temp_path /var/lib/nginx/body;
|
|
proxy_temp_path /var/lib/nginx/proxy;
|
|
|
|
access_log /var/log/nginx/access.log;
|
|
|
|
sendfile on;
|
|
|
|
# Maximum chunk size to send. Partly this is a workaround
|
|
# for <http://bugs.gnu.org/19939>, but also the nginx docs
|
|
# mention that "Without the limit, one fast connection may
|
|
# seize the worker process entirely."
|
|
# <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
|
|
sendfile_max_chunk 1m;
|
|
|
|
keepalive_timeout 65;
|
|
|
|
# Use HTTP 1.1 to talk to the backend so we benefit from
|
|
# keep-alive connections and chunked transfer encoding. The
|
|
# latter allows us to make sure we do not cache partial downloads.
|
|
proxy_http_version 1.1;
|
|
|
|
# The 'inactive' parameter for caching is not very useful in our
|
|
# case: all that matters is that LRU sweeping happens when
|
|
# 'max_size' is hit.
|
|
|
|
# cache for narinfo files
|
|
proxy_cache_path /var/cache/nginx/narinfo
|
|
levels=2
|
|
inactive=10d # inactive keys removed after 10d
|
|
keys_zone=narinfo:8m # narinfo meta data: ~64K keys
|
|
max_size=4g; # total cache data size max
|
|
|
|
# cache for nar files
|
|
proxy_cache_path /var/cache/nginx/nar
|
|
levels=2
|
|
inactive=90d # inactive keys removed after 90d
|
|
keys_zone=nar:8m # nar cache meta data: ~64K keys
|
|
max_size=95g; # total cache data size max
|
|
|
|
# cache for content-addressed files
|
|
proxy_cache_path /var/cache/nginx/cas
|
|
levels=2
|
|
inactive=180d # inactive keys removed after 180d
|
|
keys_zone=cas:8m # nar cache meta data: ~64K keys
|
|
max_size=30g; # total cache data size max
|
|
|
|
# cache for static data
|
|
proxy_cache_path /var/cache/nginx/static
|
|
levels=1
|
|
inactive=90d # inactive keys removed after 90d
|
|
keys_zone=static:1m # nar cache meta data: ~8K keys
|
|
max_size=2m; # total cache data size max
|
|
|
|
# cache for build logs
|
|
proxy_cache_path /var/cache/nginx/logs
|
|
levels=2
|
|
inactive=60d # inactive keys removed after 60d
|
|
keys_zone=logs:8m # narinfo meta data: ~64K keys
|
|
max_size=4g; # total cache data size max
|
|
|
|
# We'd rather fail early than wait forever for hydra.gnu.org.
|
|
proxy_connect_timeout 5s;
|
|
proxy_read_timeout 10s;
|
|
proxy_send_timeout 10s;
|
|
|
|
server {
|
|
listen 80;
|
|
server_name hydra.gnunet.org;
|
|
|
|
access_log /var/log/nginx/hydra.access.log;
|
|
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
include mirror-locations.conf;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
server_name hydra.gnunet.org;
|
|
keepalive_timeout 70;
|
|
|
|
# Make sure SSL is disabled.
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
|
|
# Disable weak cipher suites.
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
# Use our own DH parameters created with:
|
|
# openssl dhparam -out dhparams.pem 2048
|
|
# as suggested at <https://weakdh.org/sysadmin.html>.
|
|
ssl_dhparam /etc/dhparams.pem;
|
|
|
|
access_log /var/log/nginx/hydra.https.access.log;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/hydra.gnunet.org/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/hydra.gnunet.org/privkey.pem;
|
|
|
|
include mirror-locations.conf;
|
|
}
|
|
}
|