tuning

conf.avail/core-worker-rlimit-nofile.conf

@@ -1 +1 @@
-worker_rlimit_nofile 1048576;
+worker_rlimit_nofile 262144;

conf.avail/core_events-worker-connections.conf

@@ -1 +1 @@
-worker_connections 16384;
+worker_connections 65536;

conf.avail/http-brotli.conf

@@ -2,9 +2,11 @@ brotli on;
 
 ## default is 6
 brotli_comp_level  5;
-brotli_min_length  1024;
+## default is 512k
+brotli_window 64k;
 
-brotli_buffers  32  16k;
+brotli_min_length  1024;
+brotli_buffers     32  16k;
 
 brotli_types
     application/atom+xml

conf.avail/http-gzip.conf

@@ -2,14 +2,14 @@ gzip on;
 
 ## default is 1
 gzip_comp_level  2;
+
 gzip_min_length  1024;
+gzip_buffers     32  16k;
+gunzip_buffers   32  16k;
 
 gzip_vary     on;
 gzip_proxied  any;
 
-gzip_buffers    32  16k;
-gunzip_buffers  32  16k;
-
 gzip_types
     application/atom+xml
     application/javascript

conf.avail/http-zstd.conf

@@ -0,0 +1,24 @@
+zstd on;
+
+## default is 1
+zstd_comp_level  2;
+
+zstd_min_length  1024;
+zstd_buffers     32  16k;
+
+zstd_types
+    application/atom+xml
+    application/javascript
+    application/json
+    application/vnd.api+json
+    application/rss+xml
+    application/x-javascript
+    application/xhtml+xml
+    application/xml
+    image/svg+xml
+    image/x-icon
+    text/css
+    text/javascript
+    text/plain
+    text/xml
+;

conf.d/http-zstd.conf

@@ -0,0 +1 @@
+../conf.avail/http-zstd.conf

mod.avail/http-zstd.conf

@@ -0,0 +1,2 @@
+load_module modules/ngx_http_zstd_filter_module.so;
+load_module modules/ngx_http_zstd_static_module.so;

mod.d/http-zstd.conf

@@ -0,0 +1 @@
+../mod.avail/http-zstd.conf

site.avail/http-git.krd.sh.conf

@@ -1,3 +1,23 @@
+upstream krdsh_git {
+    server 127.0.0.1:3000;
+}
+upstream krdsh_ci {
+    server 127.0.0.1:8000;
+}
+upstream krdsh_ci_grpc {
+    server 127.0.0.1:9000;
+}
+
+proxy_cache_path
+    /var/cache/angie/proxy/krdsh-git
+    keys_zone=krdsh_cache_git:10m
+    levels=1:2 inactive=1h;
+
+proxy_cache_path
+    /var/cache/angie/proxy/krdsh-ci
+    keys_zone=krdsh_cache_ci:10m
+    levels=1:2 inactive=1h;
+
 server {
     server_name git.krd.sh ci.krd.sh;
 
@@ -20,11 +40,6 @@ server {
     }
 }
 
-proxy_cache_path
-    /var/cache/angie/proxy/krdsh-git
-    keys_zone=krdsh_git:10m
-    levels=1:2 inactive=1h;
-
 server {
     server_name git.krd.sh;
 
@@ -46,16 +61,16 @@ server {
     proxy_redirect  ~*^http://(ci|git)\.krd\.sh(?:|:[0-9]+)/(.*)$  https://$1.krd.sh/$2;
 
     location / {
-        proxy_pass http://127.0.0.1:3000;
+        proxy_pass http://krdsh_git;
         ## quirks
         client_max_body_size 512M;
         chunked_transfer_encoding off;
     }
 
     location @precache {
-        proxy_pass http://127.0.0.1:3000;
+        proxy_pass http://krdsh_git;
 
-        proxy_cache krdsh_git;
+        proxy_cache krdsh_cache_git;
         proxy_cache_key $uri;
         proxy_cache_valid 200 1h;
         proxy_cache_valid 30s;
@@ -74,15 +89,10 @@ server {
 
     location /assets/ {
         try_files /.non-existent-uri @precache;
-        # proxy_pass http://127.0.0.1:3000;
+        # proxy_pass http://krdsh_git;
     }
 }
 
-proxy_cache_path
-    /var/cache/angie/proxy/krdsh-ci
-    keys_zone=krdsh_ci:10m
-    levels=1:2 inactive=1h;
-
 server {
     server_name ci.krd.sh;
 
@@ -104,7 +114,7 @@ server {
     proxy_redirect  ~*^http://(ci|git)\.krd\.sh(?:|:[0-9]+)/(.*)$  https://$1.krd.sh/$2;
 
     location / {
-        proxy_pass http://127.0.0.1:8000;
+        proxy_pass http://krdsh_ci;
         ## quirks
         chunked_transfer_encoding off;
         client_max_body_size 16M;
@@ -112,9 +122,9 @@ server {
     }
 
     location @precache {
-        proxy_pass http://127.0.0.1:8000;
+        proxy_pass http://krdsh_ci;
 
-        proxy_cache krdsh_ci;
+        proxy_cache krdsh_cache_ci;
         proxy_cache_key $uri;
         proxy_cache_valid 200 1h;
         proxy_cache_valid 30s;
@@ -133,7 +143,7 @@ server {
 
     location /assets/ {
         try_files /.non-existent-uri @precache;
-        # proxy_pass http://127.0.0.1:8000;
+        # proxy_pass http://krdsh_ci;
     }
 }
 
@@ -153,6 +163,6 @@ server {
     include snip.d/grpc-accept-encoding;
 
     location / {
-        grpc_pass grpc://127.0.0.1:9000;
+        grpc_pass grpc://krdsh_ci_grpc;
     }
 }

site.avail/http-nexus.krd.sh.conf

@@ -1,3 +1,12 @@
+upstream krdsh_nexus {
+    server 127.0.0.1:8081;
+}
+
+proxy_cache_path
+    /var/cache/angie/proxy/krdsh-nexus
+    keys_zone=krdsh_cache_nexus:10m
+    levels=1:2 inactive=1h;
+
 server {
     server_name nexus.krd.sh;
 
@@ -28,7 +37,7 @@ server {
         gzip off;
         brotli off;
 
-        proxy_pass http://127.0.0.1:8081;
+        proxy_pass http://krdsh_nexus;
         proxy_method GET;
     }
 
@@ -41,7 +50,7 @@ server {
         allow 240.0.0.0/4;
         deny  all;
 
-        proxy_pass http://127.0.0.1:8081;
+        proxy_pass http://krdsh_nexus;
         proxy_method GET;
     }
 
@@ -70,7 +79,7 @@ server {
     proxy_redirect  ~*^http://$host(?:|:[0-9]+)/(.*)$  https://$host/$1;
 
     location / {
-        proxy_pass http://127.0.0.1:8081;
+        proxy_pass http://krdsh_nexus;
         ## quirks
         client_max_body_size 1024M;
     }
@@ -84,7 +93,7 @@ server {
         allow 240.0.0.0/4;
         deny  all;
 
-        proxy_pass http://127.0.0.1:8081;
+        proxy_pass http://krdsh_nexus;
     }
 
     ## quirks
@@ -112,7 +121,7 @@ server {
     proxy_redirect  ~*^http://$host(?:|:[0-9]+)/(.*)$  https://$host/$1;
 
     location / {
-        proxy_pass http://127.0.0.1:8081;
+        proxy_pass http://krdsh_nexus;
         ## quirks
         client_max_body_size 1024M;
     }
@@ -126,7 +135,7 @@ server {
         allow 240.0.0.0/4;
         deny  all;
 
-        proxy_pass http://127.0.0.1:8081;
+        proxy_pass http://krdsh_nexus;
     }
 
     js_import njs/nexus.js;
@@ -139,11 +148,6 @@ server {
     chunked_transfer_encoding off;
 }
 
-proxy_cache_path
-    /var/cache/angie/proxy/krdsh-nexus
-    keys_zone=krdsh_nexus:10m
-    levels=1:2 inactive=1h;
-
 server {
     ## PITA
     server_name
@@ -196,9 +200,9 @@ server {
     }
 
     location @precache {
-        proxy_pass http://127.0.0.1:8081;
+        proxy_pass http://krdsh_nexus;
 
-        proxy_cache krdsh_nexus;
+        proxy_cache krdsh_cache_nexus;
         proxy_cache_key $uri$is_args$args;
         proxy_cache_valid 200 1h;
         proxy_cache_valid 30s;

snip.d/tls-intermediate

@@ -3,7 +3,7 @@
 include snip.d/tls-common;
 
 ssl_protocols              TLSv1.2 TLSv1.3;
-ssl_session_cache          shared:tls-intermediate:10m;
+ssl_session_cache          shared:tls-intermediate:20m;
 ssl_prefer_server_ciphers  off;
 ssl_ciphers                ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 

snip.d/tls-modern

@@ -1,6 +1,6 @@
 include snip.d/tls-common;
 
 ssl_protocols              TLSv1.3;
-ssl_session_cache          shared:ssl-modern:10m;
+ssl_session_cache          shared:ssl-modern:20m;
 ssl_prefer_server_ciphers  off;
 ssl_early_data             on;

snip.d/tls-old

@@ -1,7 +1,7 @@
 include snip.d/tls-common;
 
 ssl_protocols              TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-ssl_session_cache          shared:tls-old:10m;
+ssl_session_cache          shared:tls-old:20m;
 ssl_prefer_server_ciphers  on;
 ssl_ciphers                ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;