Merge pull request #10 from Intellection/update-configs

Configure timeouts & some improvements

Author: zacblazic

CHANGELOG.md

@@ -1,5 +1,29 @@
 # Changelog
 
+## 1.19.5-7
+
+* Set `daemon` to `off`.
+* Set `multi_accept` to `on`.
+* Set `use` to `epoll`.
+* Set `aio` to `threads`.
+* Set `aio_write` to `on`.
+* Set `tcp_nodelay` to `on`.
+* Set `reset_timedout_connection` to `on`.
+* Set `port_in_redirect` to `off`.
+* Add `http_upgrade` and `proxy_connection` to log format.
+* Remove setting of `sendfile` (turns it off).
+* Remove setting of `client_max_body_size` (defaults to `1m`).
+* Remove setting of `client_body_buffer_size` (defaults to `16k`).
+* Reduce `client_body_timeout` to `60s` (same as default).
+* Reduce `client_header_timeout` to `60s` (same as default).
+* Reduce `keepalive_timeout` to `75s` (same as default).
+* Reduce `proxy_connect_timeout` to `5s`.
+* Reduce `proxy_read_timeout` to `60s` (same as default).
+* Reduce `worker_shutdown_timeout` to `240s`.
+* Set `Proxy` header to `""` to mitigate httpoxy vulnerability.
+* Disable keep-alive on healthcheck server.
+* Enable support for websockets.
+
 ## 1.19.5-6
 
 * Set `client_body_buffer_size` to `128k`.

Dockerfile

@@ -58,3 +58,5 @@ COPY ./config/ /etc/nginx/
 STOPSIGNAL SIGQUIT
 EXPOSE 8080
 USER nginx:nginx
+
+CMD ["nginx"]

config/http.conf

@@ -2,19 +2,24 @@ http {
   include /etc/nginx/mime.types;
   include /etc/nginx/log.conf;
 
-  server_tokens           off;
-  sendfile                on;
-  tcp_nopush              on;
+  aio                       threads;
+  aio_write                 on;
+  
+  tcp_nopush                on;
+  tcp_nodelay               on;
 
-  client_max_body_size    500m;
-  client_body_buffer_size 128k;
-  client_body_timeout     300s;
-  client_header_timeout   605s;
-  keepalive_timeout       605s;
-  proxy_connect_timeout   60s;
-  proxy_read_timeout      600s;
-  proxy_send_timeout      60s;
-  send_timeout            60s;
+  client_body_timeout       60s;
+  client_header_timeout     60s;
+  keepalive_timeout         75s;
+  proxy_connect_timeout     5s;
+  proxy_read_timeout        60s;
+  proxy_send_timeout        60s;
+  send_timeout              60s;
+
+  reset_timedout_connection on;
+  
+  port_in_redirect          off;
+  server_tokens             off;
 
   # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
   # scheme used to connect to this server
@@ -44,9 +49,19 @@ http {
     ''      $request_id;
   }
 
+  # See https://www.nginx.com/blog/websocket-nginx
+  map $http_upgrade $proxy_connection {
+    default Upgrade;
+    ''      '';
+  }
+
   proxy_http_version  1.1;
-  proxy_set_header    Connection          "";
   proxy_set_header    Host                $host;
+  proxy_set_header    Connection          $proxy_connection;
+  proxy_set_header    Upgrade             $http_upgrade;
+
+  # Mitigate httpoxy vulnerability
+  proxy_set_header    Proxy               "";
 
   proxy_set_header    X-Real-IP           $remote_addr;
   proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
@@ -59,11 +74,13 @@ http {
   include /etc/nginx/app.conf;
 
   server {
-      listen 18081 default_server;
+    listen 18081 default_server;
+
+    access_log off;
+    keepalive_timeout 0;
 
-      location /healthz {
-          access_log off;
-          return 200;
-      }
+    location /healthz {
+      return 200;
+    }
   }
 }

config/log.conf

@@ -9,9 +9,11 @@ log_format main_json escape=json
     '"host":"$host",'
     '"http_connection":"$http_connection",'
     '"http_referer":"$http_referer",'
+    '"http_upgrade":"$http_upgrade",'
     '"http_user_agent":"$http_user_agent",'
     '"http_x_amzn_trace_id":"$http_x_amzn_trace_id",'
     '"http_x_forwarded_for":"$http_x_forwarded_for",'
+    '"proxy_connection":"$proxy_connection",'
     '"proxy_x_forwarded_port":"$proxy_x_forwarded_port",'
     '"proxy_x_forwarded_proto":"$proxy_x_forwarded_proto",'
     '"proxy_x_forwarded_ssl":"$proxy_x_forwarded_ssl",'

config/main.conf

@@ -1,7 +1,11 @@
+daemon off;
+
 worker_processes        auto;
 worker_rlimit_nofile    8192;
-worker_shutdown_timeout 630s;
+worker_shutdown_timeout 240s;
 
 events {
-    worker_connections 8000;
+  multi_accept       on;
+  worker_connections 8000;
+  use                epoll;
 }