Daniel Micay
6b7dff0c64
simplify nginx configuration deployment
2023-07-15 17:58:03 -04:00
Daniel Micay
7f666deeb9
drop legacy block-all-mixed-content
2023-07-11 11:25:36 -04:00
Daniel Micay
01a0e97fdf
use new OCSP cache path
2023-07-09 18:30:25 -04:00
Daniel Micay
39711a6085
move mta-sts.matrix.grapheneos.org to mail server
2023-06-21 14:32:40 -04:00
Daniel Micay
e66a204ca7
avoid configuration warning with nginx 1.24.0
2023-05-23 18:22:29 -04:00
Daniel Micay
12e5ad3a7e
add mta-sts configuration
2023-05-22 17:57:49 -04:00
Daniel Micay
9550aa0fc7
consistent whitespace style
2023-05-05 14:46:11 -04:00
Daniel Micay
837d4f0c5c
disable failure tracking for backend
2023-04-17 10:01:00 -04:00
Daniel Micay
32a33ba94f
improve HTTP request logging
* add $upstream_cache_status
* add '-$connection_requests' after $connection
* enable subrequest logging
$connection_requests makes it much easier to see connection reuse in the
logs and also helps to understand subrequests.
2023-03-09 11:02:03 -05:00
Daniel Micay
937be19e46
add upstream timing to http log format
2023-03-07 14:18:27 -05:00
Daniel Micay
73cca1dbfb
enable minimal stderr logging
2023-03-07 11:00:08 -05:00
Daniel Micay
139b0ed376
ssl_reject_handshake is working as intended
2023-03-07 10:36:12 -05:00
Daniel Micay
12b5478585
work around unreliable ssl_reject_handshake
2023-03-06 11:01:29 -05:00
Daniel Micay
697f926f63
avoid double logging for nginx error log
2023-03-06 00:55:32 -05:00
Daniel Micay
648ca1f657
disable keepalive for stub HTTP service
2023-02-27 02:38:35 -05:00
Daniel Micay
babdb283ad
use consistent configuration style
2023-02-26 10:50:11 -05:00
Daniel Micay
ddcf7a2a36
add back request method to log format
2023-02-19 22:42:58 -05:00
Daniel Micay
d3c60a104b
set baseline nginx root directory in http block
2023-02-19 11:51:37 -05:00
Daniel Micay
7725a8617d
work around nginx keepalive configuration bug
https://trac.nginx.org/nginx/ticket/2012
2023-02-18 12:38:10 -05:00
Daniel Micay
74228f0fdc
entirely disable access log for status socket
2023-02-18 08:18:07 -05:00
Daniel Micay
deb985e065
reject connections to invalid names
2023-02-17 23:16:01 -05:00
Daniel Micay
843e57b45f
disable multipart range requests
2023-02-14 10:33:25 -05:00
Daniel Micay
d142058ade
improve naming for http limit conn zone
2023-02-11 04:26:52 -05:00
Daniel Micay
8f673908ef
move error_log configuration to top level
2023-02-11 04:07:55 -05:00
Daniel Micay
4540f10175
add request time to log format
2023-02-10 08:28:49 -05:00
Daniel Micay
7f61787026
switch to improved custom log format
This switches to a fully custom log format instead of using a variant of
the standard combined format since we don't use any tools requiring the
logs to be a standard format. This provides a cleaner format, allows us
to freely add new fields and gets rid of legacy/redundant fields.
The redundant timestamp already provided as the syslog timestamp is
dropped along with the legacy identd field always set to a dash.
This adds the connection serial number for identifying requests coming
from the same connection. TLS version is added as a replacement for our
previous addition of the URI scheme. This also adds the total request
length and total bytes sent to the client instead of only the body bytes
sent.
2023-02-10 08:04:30 -05:00
Daniel Micay
38f344595f
reduce client body / header timeouts to 15s
2023-02-09 18:42:51 -05:00
Daniel Micay
270cd2ba3f
avoid unnecessary redirects for ACME challenge
2023-02-09 09:53:16 -05:00
Daniel Micay
b85be6c2bb
use default HTTP/2 input buffer size
2023-02-09 05:14:25 -05:00
Daniel Micay
ff4984b21c
simplify nginx status path
2023-01-31 21:51:25 -05:00
Daniel Micay
cd5d78c485
rebase onto current nginx mime.types
2023-01-17 14:00:48 -05:00
Daniel Micay
d5ed786d2a
add minimal Permissions Policy as a starting point
2022-10-17 22:27:09 -04:00
Daniel Micay
4f1aa5bceb
increase resolver timeout
2022-10-12 16:30:25 -04:00
Daniel Micay
a1997d89c4
rename conn limit memory zone
2022-10-01 12:56:03 -04:00
Daniel Micay
06cd80873f
use custom format for access log again
2022-09-27 10:27:36 -04:00
Daniel Micay
0e16b5798b
reduce HTTP/2 chunk size to match TLS record size
2022-09-26 13:14:40 -04:00
Daniel Micay
9ed069073c
use syslog (journald) for nginx access log
2022-09-25 14:18:13 -04:00
Daniel Micay
7b8a505d17
reduce keepalive requests
2022-09-24 11:53:02 -04:00
Daniel Micay
9cdf30c08c
reduce connection limit to 128
2022-09-24 11:27:15 -04:00
Daniel Micay
0bcd3cdca3
reduce HTTP/2 concurrent streams to 16
2022-09-24 11:22:11 -04:00
Daniel Micay
46ca28258f
reduce max client header buffer size
2022-09-24 11:11:01 -04:00
Daniel Micay
913cde9ff2
send X-Robots-Tag on errors too
2022-08-18 18:11:08 -04:00
Daniel Micay
a5c257d8a5
remove legacy Expect-CT header
2022-08-11 17:29:34 -04:00
Daniel Micay
fa61606984
add Origin-Agent-Cluster header
2022-07-30 20:13:28 -04:00
Daniel Micay
90d542e2f4
stop setting CORP header for synapse API for now
2022-07-13 13:04:46 -04:00
Daniel Micay
69b0ff7bb3
move nginx status API to socket
2022-07-02 12:38:33 -04:00
Daniel Micay
11579e87ca
reduce proxy send timeout
2022-06-27 23:58:50 -04:00
Daniel Micay
12d81c7885
use standard GrapheneOS mime.types
2022-06-26 17:51:01 -04:00
Daniel Micay
30209020a7
raise expected nginx version
2022-06-10 19:40:32 -04:00
Daniel Micay
316a5c696b
enable sendfile support again
There's a remaining issue fixed in mainline that's not fixed in the
current stable branch yet, but it doesn't apply unless HTTP/2 is being
used without encryption. Currently sendfile is only really used for the
backend proxy connections in practice due to TLS, and those are never
HTTP/2.
2022-05-03 19:10:31 -04:00