webserver: add performance tweaking options

0d99391c · Lars Beckers · e57de8c8 · 0d99391c · 0d99391c · 0d99391c
Commit 0d99391c authored Jun 3, 2020 by Lars Beckers
--- a/webserver/defaults/main.yml
+++ b/webserver/defaults/main.yml
@@ -10,3 +10,34 @@ webservers: []

 # If you use the Zabbix integration, define this variable.
 # zabbix_password: "{{ lookup('passwordstore', zabbix_user) }}"
+
+# The following settings may be used to tweak performance.
+# Take with a grain of salt. Measure actual performance.
+webserver_workers: 4  # may also be auto
+# webserver_worker_rlimit_nofile: 100000
+# webserver_worker_connections: 2048
+# webserver_worker_aio_requests: 128
+# webserver_sendfile_max_chunk: '1m'
+# webserver_keepalive_timeout: 75
+# webserver_keepalive_requests: 200
+# webserver_reset_timedout_connection: true
+# webserver_enable_aio: false
+# webserver_aio_threads: false
+# webserver_buffer_access_log: true  # may also be set on a per server basis
+# webserver_enable_gzip: true
+# webserver_gzip_comp_level: 3
+# webserver_gzip_min_length: 100
+# may also be off or any
+# webserver_gzip_proxied: "expired no-cache no-store private auth"
+# webserver_enable_open_file_cache: true
+# webserver_open_file_cache_max: 10000
+# webserver_open_file_cache_inactive: 30
+# webserver_open_file_cache_valid: 60
+# webserver_open_file_cache_min_uses: 2
+# webserver_enable_reuseport: true
+# this and following may also be set on a per location basis
+# webserver_proxy_connect_timeout: 120
+# webserver_send_timeout: 120
+# webserver_proxy_send_timeout: 120
+# webserver_proxy_read_timeout: 120
+# webserver_fastcgi_read_timeout: 120
--- a/webserver/templates/locations/fastcgi.conf
+++ b/webserver/templates/locations/fastcgi.conf
@@ -24,6 +24,12 @@
        {% endif %}
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_connect_timeout {{ location.proxy_connect_timeout|default(webserver_proxy_connect_timeout|default(60)) }};
+        proxy_send_timeout {{ location.proxy_send_timeout|default(webserver_proxy_send_timeout|default(60)) }};
+        proxy_read_timeout {{ location.proxy_read_timeout|default(webserver_proxy_read_timeout|default(60)) }};
+        send_timeout {{ location.send_timeout|default(webserver_send_timeout|default(60)) }};
+        fastcgi_read_timeout {{ location.fastcgi_read_timeout|default(webserver_fastcgi_read_timeout|default(60)) }};
+        fastcgi_keep_conn on;
        fastcgi_pass {{location.socket}};
    {% include "location-nested" %}
    }
--- a/webserver/templates/locations/proxy.conf
+++ b/webserver/templates/locations/proxy.conf
@@ -35,14 +35,18 @@
        proxy_cookie_path / "/; Secure; HttpOnly; SameSite=Lax";
        {% endif %}
        {% endif %}
-        {% if location.proxy_http_version is defined %}
-        proxy_http_version {{location.proxy_http_version}};
-        {% endif %}
+        {# 1.1 and empty Connection to enable keepalive #}
+        proxy_http_version "{{location.proxy_http_version|default('1.1')}}";
+        proxy_set_header Connection "";
        {% if location.proxy_headers is defined %}

        {% for key, value in location.proxy_headers.items() %}
        proxy_set_header {{key}} {{value}};
        {% endfor %}
        {% endif %}
+        proxy_connect_timeout {{ location.proxy_connect_timeout|default(webserver_proxy_connect_timeout|default(60)) }};
+        proxy_send_timeout {{ location.proxy_send_timeout|default(webserver_proxy_send_timeout|default(60)) }};
+        proxy_read_timeout {{ location.proxy_read_timeout|default(webserver_proxy_read_timeout|default(60)) }};
+        send_timeout {{ location.send_timeout|default(webserver_send_timeout|default(60)) }};
    {% include "location-nested" %}
    }
--- a/webserver/templates/locations/uwsgi.conf
+++ b/webserver/templates/locations/uwsgi.conf
@@ -18,6 +18,13 @@
        {% endif %}
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        {# 1.1 and empty Connection to enable keepalive #}
+        proxy_http_version {{location.proxy_http_version|default('1.1')}};
+        proxy_set_header Connection "";
+        proxy_connect_timeout {{ location.proxy_connect_timeout|default(webserver_proxy_connect_timeout|default(60)) }};
+        proxy_send_timeout {{ location.proxy_send_timeout|default(webserver_proxy_send_timeout|default(60)) }};
+        proxy_read_timeout {{ location.proxy_read_timeout|default(webserver_proxy_read_timeout|default(60)) }};
+        send_timeout {{ location.send_timeout|default(webserver_send_timeout|default(60)) }};
        uwsgi_pass {{location.socket}};
    {% include "location-nested" %}
    }
--- a/webserver/templates/nginx-proxy.conf
+++ b/webserver/templates/nginx-proxy.conf
 user nginx-proxy;
-worker_processes 4;
+worker_processes {{ webserver_workers }};
+worker_rlimit_nofile {{ webserver_worker_rlimit_nofile|default(100000) }};
 pid /run/nginx-proxy.pid;
 {% if debian_version == "stretch" %}
 include /etc/nginx/modules-enabled/*.conf;
 {% endif %}
+pcre_jit on;

 events {
-    worker_connections 768;
+    worker_connections {{ webserver_worker_connections|default(768) }};
+    worker_aio_requests {{ webserver_worker_aio_requests|default(32) }};
    # multi_accept on;
 }

@@ -26,16 +29,29 @@ http {
    ##

    sendfile on;
+    sendfile_max_chunk {{ webserver_sendfile_max_chunk|default('1m') }};
    tcp_nopush on;
    tcp_nodelay on;
-    keepalive_timeout 65;
+    keepalive_timeout {{ webserver_keepalive_timeout|default(65) }};
+    keepalive_requests {{ webserver_keepalive_requests|default(100) }};
    types_hash_max_size 2048;
    # server_tokens off;
+    reset_timedout_connection {{ 'on' if webserver_reset_timedout_connection|default(False) else 'off' }};
+    client_max_body_size 2m;
+
+    {% if webserver_enable_aio|default(False) %}
+    aio            {{ 'on' if webserver_aio_threads|default(False) else 'off' }};
+    directio       {{ webserver_aio_directio|default('512') }};
+    output_buffers 1 128k;
+    {% endif %}

    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
+    types {
+        application/wasm wasm;
+    }
    default_type application/octet-stream;

    resolver {{ webserver_resolver|join(" ") }} ipv6={% if webserver_enable_ipv6 %}on{% else %}off{% endif %};
@@ -46,33 +62,41 @@ http {
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
-
    ssl_stapling on;
    ssl_stapling_verify on;
-
    ssl_dhparam /etc/ssl/dhparam.pem;

-
    ##
    # Logging Settings
    ##

+    {% if webserver_buffer_access_log|default(False) %}
+    access_log /var/log/nginx/proxy-access.log combined buffer=16k flush=1m;
+    {% else %}
    access_log /var/log/nginx/proxy-access.log;
+    {% endif %}
    error_log /var/log/nginx/proxy-error.log;

    ##
    # Gzip Settings
    ##

+    {% if webserver_enable_gzip|default(True) %}
    gzip on;
    gzip_disable "msie6";
+    gzip_comp_level {{ webserver_gzip_comp_level|default(1) }};
+    gzip_min_length {{ webserver_gzip_min_length|default(20) }};
+    gzip_proxied {{ webserver_gzip_proxied|default('off') }};
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+    {% endif %}

-    # gzip_vary on;
-    # gzip_proxied any;
-    # gzip_comp_level 6;
-    # gzip_buffers 16 8k;
-    # gzip_http_version 1.1;
-    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+    {% if webserver_enable_open_file_cache|default(False) %}
+    open_file_cache          max={{ webserver_open_file_cache_max|default(1000) }} inactive={{ webserver_open_file_cache_inactive|default(20) }}s; # 10000, 30
+    open_file_cache_valid    {{ webserver_open_file_cache_valid|default(30) }}s; # 60
+    open_file_cache_min_uses {{ webserver_open_file_cache_min_uses|default(2) }};
+    open_file_cache_errors   on;
+    open_log_file_cache max=1000 inactive=30s valid=1m min_uses=2;
+    {% endif %}

    ##
    # Virtual Host Configs
@@ -83,7 +107,7 @@ http {

    {% if webserver_enable_acme_default %}
    server {
-        listen 80;
+        listen 80 {{ 'reuseport' if webserver_enable_reuseport else '' }};
        server_name _;
        include /etc/nginx/snippets/acmetool.conf;
        location / {

--- a/webserver/templates/nginx.conf
+++ b/webserver/templates/nginx.conf
 user www-data;
-worker_processes 4;
+worker_processes {{ webserver_workers }};
+worker_rlimit_nofile {{ webserver_worker_rlimit_nofile|default(100000) }};
 pid /run/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
-
+pcre_jit on;

 events {
-    worker_connections 768;
+    worker_connections {{ webserver_worker_connections|default(768) }};
+    worker_aio_requests {{ webserver_worker_aio_requests|default(32) }};
    # multi_accept on;
 }

@@ -19,11 +21,21 @@ http {
    ##

    sendfile on;
+    sendfile_max_chunk {{ webserver_sendfile_max_chunk|default('1m') }};
    tcp_nopush on;
    tcp_nodelay on;
-    keepalive_timeout 65;
+    keepalive_timeout {{ webserver_keepalive_timeout|default(65) }};
+    keepalive_requests {{ webserver_keepalive_requests|default(100) }};
    types_hash_max_size 2048;
    # server_tokens off;
+    reset_timedout_connection {{ 'on' if webserver_reset_timedout_connection|default(False) else 'off' }};
+    client_max_body_size 2m;
+
+    {% if webserver_enable_aio|default(False) %}
+    aio            {{ 'on' if webserver_aio_threads|default(False) else 'off' }};
+    directio       {{ webserver_aio_directio|default('512') }};
+    output_buffers 1 128k;
+    {% endif %}

    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
@@ -42,34 +54,41 @@ http {
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
-
-    #add_header Strict-Transport-Security max-age=15768000; # Only in proxy
-
    ssl_stapling on;
    ssl_stapling_verify on;
-
    ssl_dhparam /etc/ssl/dhparam.pem;

    ##
    # Logging Settings
    ##

+    {% if webserver_buffer_access_log|default(False) %}
+    access_log /var/log/nginx/access.log combined buffer=16k flush=1m;
+    {% else %}
    access_log /var/log/nginx/access.log;
+    {% endif %}
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

+    {% if webserver_enable_gzip|default(True) %}
    gzip on;
    gzip_disable "msie6";
-
-    # gzip_vary on;
-    # gzip_proxied any;
-    # gzip_comp_level 6;
-    # gzip_buffers 16 8k;
-    # gzip_http_version 1.1;
-    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+    gzip_comp_level {{ webserver_gzip_comp_level|default(1) }};
+    gzip_min_length {{ webserver_gzip_min_length|default(20) }};
+    gzip_proxied {{ webserver_gzip_proxied|default('off') }};
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+    {% endif %}
+
+    {% if webserver_enable_open_file_cache|default(False) %}
+    open_file_cache          max={{ webserver_open_file_cache_max|default(1000) }} inactive={{ webserver_open_file_cache_inactive|default(20) }}s; # 10000, 30
+    open_file_cache_valid    {{ webserver_open_file_cache_valid|default(30) }}s; # 60
+    open_file_cache_min_uses {{ webserver_open_file_cache_min_uses|default(2) }};
+    open_file_cache_errors   on;
+    open_log_file_cache max=1000 inactive=30s valid=1m min_uses=2;
+    {% endif %}

    ##
    # Virtual Host Configs
@@ -79,4 +98,3 @@ http {
    include /etc/nginx/sites-enabled/*.conf;

 }
-
--- a/webserver/templates/sites/hostnamerewrite.conf
+++ b/webserver/templates/sites/hostnamerewrite.conf
@@ -3,7 +3,11 @@ server {
    listen 443 ssl;
    server_name {{server.forward_hostnames.hostnames|default(server.forward_hostnames)|join(" ")}};
    error_log /var/log/nginx/rewrite-error-{{server.forward_hostnames.hostnames|default(server.forward_hostnames)|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/rewrite-access-{{server.forward_hostnames.hostnames|default(server.forward_hostnames)|first}}.log combined buffer=16k flush=1m;
+    {% else %}
    access_log /var/log/nginx/rewrite-access-{{server.forward_hostnames.hostnames|default(server.forward_hostnames)|first}}.log;
+    {% endif %}

    {% include "ssl-certificate" %}


--- a/webserver/templates/sites/httprewrite.conf
+++ b/webserver/templates/sites/httprewrite.conf
@@ -2,7 +2,11 @@ server {
    listen 80;
    server_name {{server.server_names|default([server.server_name])|join(" ")}};
    error_log /var/log/nginx/rewrite-error-{{server.server_names|default([server.server_name])|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/rewrite-access-{{server.server_names|default([server.server_name])|first}}.log combined buffer=16k flush=1m;
+    {% else %}
    access_log /var/log/nginx/rewrite-access-{{server.server_names|default([server.server_name])|first}}.log;
+    {% endif %}

    {% include "site-security" %}


--- a/webserver/templates/sites/iprewrite.conf
+++ b/webserver/templates/sites/iprewrite.conf
 server {
-    listen 80;
-    listen 443 ssl;
+    listen 80 {{ 'reuseport' if webserver_enable_reuseport and not webserver_enable_acme_default else '' }};
+    listen 443 ssl {{ 'reuseport' if webserver_enable_reuseport else '' }};
    server_name {{ansible_all_ipv4_addresses|join(" ")}};
    error_log /var/log/nginx/rewrite-error-{{ansible_all_ipv4_addresses|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/rewrite-access-{{ansible_all_ipv4_addresses|first}}.log combined buffer=16k flush=1m;
+    {% else %}
    access_log /var/log/nginx/rewrite-access-{{ansible_all_ipv4_addresses|first}}.log;
+    {% endif %}

    {% include "ssl-certificate" %}


--- a/webserver/templates/sites/mediawiki.conf
+++ b/webserver/templates/sites/mediawiki.conf
 server {
    {% if server.port is defined %}

-    listen localhost:{{server.port}};
+    listen localhost:{{server.port}} {{ 'reuseport' if webserver_enable_reuseport else '' }};
    {% else %}

    listen unix:{{server.socket|default('/run/nginx/' ~ server.server_name ~ '.sock')}};
@@ -9,7 +9,11 @@ server {

    server_name {{server.server_names|default([server.server_name])|join(" ")}};
    error_log /var/log/nginx/error-{{server.server_names|default([server.server_name])|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log combined buffer=16k flush=1m;
+    {% else %}
    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log;
+    {% endif %}

    root {{server.root}};
    {% if server.indices is defined %}

--- a/webserver/templates/sites/open-xchange.conf
+++ b/webserver/templates/sites/open-xchange.conf
@@ -8,7 +8,11 @@ server {
    {% include "site-server_name" %}

    error_log /var/log/nginx/error-{{server.server_names|default([server.server_name])|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log combined buffer=16k flush=1m;
+    {% else %}
    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log;
+    {% endif %}

    root {{server.root}};
    index index.html;
@@ -165,7 +169,11 @@ server {
        error_page 418 = @eas:oxcluster; return 418;
    }
    location /Microsoft-Server-ActiveSync {
+        {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+            access_log /var/log/nginx/active_sync.log combined buffer=16k flush=1m;
+        {% else %}
            access_log /var/log/nginx/active_sync.log;
+        {% endif %}
        error_page 418 = @eas_oxcluster; return 418;
    }


--- a/webserver/templates/sites/tlsproxy.conf
+++ b/webserver/templates/sites/tlsproxy.conf
@@ -2,7 +2,11 @@ server {
    listen {% if server.no_ssl is undefined or not server.no_ssl %}443 ssl{% else %}80{% endif %};
    server_name {{server.server_names|default([server.server_name])|join(" ")}};
    error_log /var/log/nginx/proxy-error-{{server.server_names|default([server.server_name])|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/proxy-access-{{server.server_names|default([server.server_name])|first}}.log combined buffer=16k flush=1m;
+    {% else %}
    access_log /var/log/nginx/proxy-access-{{server.server_names|default([server.server_name])|first}}.log;
+    {% endif %}

    {% if server.include_acme|default(true) %}
    include /etc/nginx/snippets/acmetool.conf;

--- a/webserver/templates/sites/webapp.conf
+++ b/webserver/templates/sites/webapp.conf
 server {
    {% if server.port is defined %}
-    listen localhost:{{server.port}};
+    listen localhost:{{server.port}} {{ 'reuseport' if webserver_enable_reuseport else '' }};
    {% else %}
    listen unix:{{server.socket|default('/run/nginx/' ~ server.server_name ~ '.sock')}};
    {% endif %}
@@ -8,7 +8,11 @@ server {
    {% include "site-server_name" %}

    error_log /var/log/nginx/error-{{server.server_names|default([server.server_name])|first}}.log;
+    {% if server.buffer_access_log|default(webserver_buffer_access_log|default(False)) %}
+    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log combined buffer=16k flush=1m;
+    {% else %}
    access_log /var/log/nginx/access-{{server.server_names|default([server.server_name])|first}}.log;
+    {% endif %}

    root {{server.root}};
    {% if server.indices is defined %}