Commit Graph

94 Commits

Author SHA1 Message Date
Daniel Micay
39711a6085 move mta-sts.matrix.grapheneos.org to mail server 2023-06-21 14:32:40 -04:00
Daniel Micay
e66a204ca7 avoid configuration warning with nginx 1.24.0 2023-05-23 18:22:29 -04:00
Daniel Micay
12e5ad3a7e add mta-sts configuration 2023-05-22 17:57:49 -04:00
Daniel Micay
9550aa0fc7 consistent whitespace style 2023-05-05 14:46:11 -04:00
Daniel Micay
837d4f0c5c disable failure tracking for backend 2023-04-17 10:01:00 -04:00
Daniel Micay
32a33ba94f improve HTTP request logging
* add $upstream_cache_status
* add '-$connection_requests' after $connection
* enable subrequest logging

$connection_requests makes it much easier to see connection reuse in the
logs and also helps to understand subrequests.
2023-03-09 11:02:03 -05:00
Daniel Micay
937be19e46 add upstream timing to http log format 2023-03-07 14:18:27 -05:00
Daniel Micay
73cca1dbfb enable minimal stderr logging 2023-03-07 11:00:08 -05:00
Daniel Micay
139b0ed376 ssl_reject_handshake is working as intended 2023-03-07 10:36:12 -05:00
Daniel Micay
12b5478585 work around unreliable ssl_reject_handshake 2023-03-06 11:01:29 -05:00
Daniel Micay
697f926f63 avoid double logging for nginx error log 2023-03-06 00:55:32 -05:00
Daniel Micay
648ca1f657 disable keepalive for stub HTTP service 2023-02-27 02:38:35 -05:00
Daniel Micay
babdb283ad use consistent configuration style 2023-02-26 10:50:11 -05:00
Daniel Micay
ddcf7a2a36 add back request method to log format 2023-02-19 22:42:58 -05:00
Daniel Micay
d3c60a104b set baseline nginx root directory in http block 2023-02-19 11:51:37 -05:00
Daniel Micay
7725a8617d work around nginx keepalive configuration bug
https://trac.nginx.org/nginx/ticket/2012
2023-02-18 12:38:10 -05:00
Daniel Micay
74228f0fdc entirely disable access log for status socket 2023-02-18 08:18:07 -05:00
Daniel Micay
deb985e065 reject connections to invalid names 2023-02-17 23:16:01 -05:00
Daniel Micay
843e57b45f disable multipart range requests 2023-02-14 10:33:25 -05:00
Daniel Micay
d142058ade improve naming for http limit conn zone 2023-02-11 04:26:52 -05:00
Daniel Micay
8f673908ef move error_log configuration to top level 2023-02-11 04:07:55 -05:00
Daniel Micay
4540f10175 add request time to log format 2023-02-10 08:28:49 -05:00
Daniel Micay
7f61787026 switch to improved custom log format
This switches to a fully custom log format instead of using a variant of
the standard combined format since we don't use any tools requiring the
logs to be a standard format. This provides a cleaner format, allows us
to freely add new fields and gets rid of legacy/redundant fields.

The redundant timestamp already provided as the syslog timestamp is
dropped along with the legacy identd field always set to a dash.

This adds the connection serial number for identifying requests coming
from the same connection. TLS version is added as a replacement for our
previous addition of the URI scheme. This also adds the total request
length and total bytes sent to the client instead of only the body bytes
sent.
2023-02-10 08:04:30 -05:00
Daniel Micay
38f344595f reduce client body / header timeouts to 15s 2023-02-09 18:42:51 -05:00
Daniel Micay
270cd2ba3f avoid unnecessary redirects for ACME challenge 2023-02-09 09:53:16 -05:00
Daniel Micay
b85be6c2bb use default HTTP/2 input buffer size 2023-02-09 05:14:25 -05:00
Daniel Micay
ff4984b21c simplify nginx status path 2023-01-31 21:51:25 -05:00
Daniel Micay
cd5d78c485 rebase onto current nginx mime.types 2023-01-17 14:00:48 -05:00
Daniel Micay
d5ed786d2a add minimal Permissions Policy as a starting point 2022-10-17 22:27:09 -04:00
Daniel Micay
4f1aa5bceb increase resolver timeout 2022-10-12 16:30:25 -04:00
Daniel Micay
a1997d89c4 rename conn limit memory zone 2022-10-01 12:56:03 -04:00
Daniel Micay
06cd80873f use custom format for access log again 2022-09-27 10:27:36 -04:00
Daniel Micay
0e16b5798b reduce HTTP/2 chunk size to match TLS record size 2022-09-26 13:14:40 -04:00
Daniel Micay
9ed069073c use syslog (journald) for nginx access log 2022-09-25 14:18:13 -04:00
Daniel Micay
7b8a505d17 reduce keepalive requests 2022-09-24 11:53:02 -04:00
Daniel Micay
9cdf30c08c reduce connection limit to 128 2022-09-24 11:27:15 -04:00
Daniel Micay
0bcd3cdca3 reduce HTTP/2 concurrent streams to 16 2022-09-24 11:22:11 -04:00
Daniel Micay
46ca28258f reduce max client header buffer size 2022-09-24 11:11:01 -04:00
Daniel Micay
913cde9ff2 send X-Robots-Tag on errors too 2022-08-18 18:11:08 -04:00
Daniel Micay
a5c257d8a5 remove legacy Expect-CT header 2022-08-11 17:29:34 -04:00
Daniel Micay
fa61606984 add Origin-Agent-Cluster header 2022-07-30 20:13:28 -04:00
Daniel Micay
90d542e2f4 stop setting CORP header for synapse API for now 2022-07-13 13:04:46 -04:00
Daniel Micay
69b0ff7bb3 move nginx status API to socket 2022-07-02 12:38:33 -04:00
Daniel Micay
11579e87ca reduce proxy send timeout 2022-06-27 23:58:50 -04:00
Daniel Micay
12d81c7885 use standard GrapheneOS mime.types 2022-06-26 17:51:01 -04:00
Daniel Micay
30209020a7 raise expected nginx version 2022-06-10 19:40:32 -04:00
Daniel Micay
316a5c696b enable sendfile support again
There's a remaining issue fixed in mainline that's not fixed in the
current stable branch yet, but it doesn't apply unless HTTP/2 is being
used without encryption. Currently sendfile is only really used for the
backend proxy connections in practice due to TLS, and those are never
HTTP/2.
2022-05-03 19:10:31 -04:00
Daniel Micay
21059f1360 add resolver setup to baseline configuration 2022-05-02 04:10:42 -04:00
Daniel Micay
087c1a6349 disable traditional stateful TLS session cache
This is useless for TLSv1.3 since there's no longer any distinction in
the protocol based on whether the server is using stateless or stateful
session resumption. OpenSSL has a non-standard anti-replay mechanism for
0-RTT based on stateful session resumption but 0-RTT still ends up being
a downgrade for the TLS security properties. nginx disables that feature
since otherwise 0-RTT wouldn't work with the default stateless approach.

Since this cache is only used for TLSv1.2 when stateless resumption
isn't disabled and nearly all TLSv1.2 clients support tickets, it isn't
getting any significant use. It provides worse forward secrecy than
tickets because we implement ticket key rotation based on the expiry
time and sessions aren't actively purged from the stateful cache when
they expire. Cached session state varies in size and nginx ends up
writing errors to the log when clearing out a session fails to make room
for a new one due to it being larger. It's best to finally get rid of
this flawed approach to session resumption.

TLSv1.3 provides the option of forward secrecy for resumed sessions and
it's the only approach that's normally enabled so we don't need to worry
about this anymore once TLSv1.2 is disabled as long as we never enable
0-RTT which weakens forward secrecy and other security properties.
2022-04-30 22:53:43 -04:00
Daniel Micay
a703ab5d8c reduce proxy connect timeout 2022-04-18 10:26:47 -04:00