choose connection and nofile numbers, increase error_log level to get modsecurity rules, add MODSECURITY_SEC_AUDIT_ENGINE var

2021-05-05 17:38:22 +02:00 · 2021-05-05 17:38:22 +02:00 · 009d6fb5ae
parent ba4185a42e
commit 009d6fb5ae
5 changed files with 17 additions and 5 deletions
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@ -25,9 +25,12 @@ pcre_jit on;
 # config files for dynamic modules
 include /etc/nginx/modules/*.conf;

+# max open files for each worker
+worker_rlimit_nofile %WORKER_RLIMIT_NOFILE%;
+
 events {
 	# max connections per worker
-	worker_connections 1024;
+	worker_connections %WORKER_CONNECTIONS%;

 	# epoll seems to be the best on Linux
 	use epoll;
@ -50,7 +53,7 @@ http {
 	# write logs to local syslog
 	log_format logf '%LOG_FORMAT%';
 	access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
-	error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 notice;
+	error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 info;

 	# temp paths
 	proxy_temp_path /tmp/proxy_temp;
@ -63,8 +66,8 @@ http {
 	reset_timedout_connection on;

 	# timeouts
-	client_body_timeout 12;
-	client_header_timeout 12;
+	client_body_timeout 10;
+	client_header_timeout 10;
 	keepalive_timeout 15;
 	send_timeout 10;

--- a/confs/site/modsecurity-rules.conf
+++ b/confs/site/modsecurity-rules.conf
@ -49,7 +49,7 @@ SecResponseBodyLimit 524288
 SecResponseBodyLimitAction ProcessPartial

 # log usefull stuff
-SecAuditEngine RelevantOnly
+SecAuditEngine %MODSECURITY_SEC_AUDIT_ENGINE%
 SecAuditLogType Serial
 SecAuditLog /var/log/nginx/modsec_audit.log

--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@ -6,6 +6,8 @@ HTTP_PORT="${HTTP_PORT-8080}"
 HTTPS_PORT="${HTTPS_PORT-8443}"
 MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"
 SERVER_TOKENS="${SERVER_TOKENS-off}"
+WORKER_CONNECTIONS="${WORKER_CONNECTIONS-1024}"
+WORKER_RLIMIT_NOFILE="${WORKER_RLIMIT_NOFILE-2048}"
 USE_CLIENT_CACHE="${USE_CLIENT_CACHE-no}"
 CLIENT_CACHE_EXTENSIONS="${CLIENT_CACHE_EXTENSIONS-jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2}"
 CLIENT_CACHE_CONTROL="${CLIENT_CACHE_CONTROL-public, max-age=15552000}"
@ -62,6 +64,7 @@ HTTPS_PROTOCOLS="${HTTPS_PROTOCOLS-TLSv1.2 TLSv1.3}"
 STRICT_TRANSPORT_SECURITY="${STRICT_TRANSPORT_SECURITY-max-age=31536000}"
 USE_MODSECURITY="${USE_MODSECURITY-yes}"
 USE_MODSECURITY_CRS="${USE_MODSECURITY_CRS-yes}"
+MODSECURITY_SEC_AUDIT_ENGINE="${MODSECURITY_SEC_AUDIT_ENGINE-RelevantOnly}"
 CONTENT_SECURITY_POLICY="${CONTENT_SECURITY_POLICY-object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';}"
 COOKIE_FLAGS="${COOKIE_FLAGS-* HttpOnly SameSite=Lax}"
 COOKIE_AUTO_SECURE_FLAG="${COOKIE_AUTO_SECURE_FLAG-yes}"
@ -131,3 +134,4 @@ USE_API="${USE_API-no}"
 API_URI="${API_URI-random}"
 API_WHITELIST_IP="${API_WHITELIST_IP-192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}"
 SWARM_MODE="${SWARM_MODE-no}"
+
--- a/entrypoint/global-config.sh
+++ b/entrypoint/global-config.sh
@ -224,3 +224,7 @@ if [ "$USE_API" = "yes" ] ; then
 else
 	replace_in_file "/etc/nginx/nginx.conf" "%USE_API%" ""
 fi
+
+# performance tuning
+replace_in_file "/etc/nginx/nginx.conf" "%WORKER_CONNECTIONS%" "$WORKER_CONNECTIONS"
+replace_in_file "/etc/nginx/nginx.conf" "%WORKER_RLIMIT_NOFILE%" "$WORKER_RLIMIT_NOFILE"
--- a/entrypoint/site-config.sh
+++ b/entrypoint/site-config.sh
@ -394,6 +394,7 @@ fi
 if [ "$USE_MODSECURITY" = "yes" ] ; then
 	replace_in_file "${NGINX_PREFIX}modsecurity.conf" "%MODSEC_RULES_FILE%" "${NGINX_PREFIX}modsecurity-rules.conf"
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_MODSECURITY%" "include ${NGINX_PREFIX}modsecurity.conf;"
+	replace_in_file "${NGINX_PREFIX}modsecurity-rules.conf" "%MODSECURITY_SEC_AUDIT_ENGINE%" "$MODSECURITY_SEC_AUDIT_ENGINE"
 	if [ "$MULTISITE" != "yes" ] ; then
 		modsec_custom=""
 		if ls /modsec-confs/*.conf > /dev/null 2>&1 ; then