01/01: hydra: berlin: Add nginx-configuration.
From: |
Ricardo Wurmus |
Subject: |
01/01: hydra: berlin: Add nginx-configuration. |
Date: |
Fri, 28 Dec 2018 16:50:06 -0500 (EST) |
rekado pushed a commit to branch master
in repository maintenance.
commit 777e9e1012c4c6bfda9a811ec41b06ca30a3cca6
Author: Ricardo Wurmus <address@hidden>
Date: Fri Dec 28 22:49:19 2018 +0100
hydra: berlin: Add nginx-configuration.
* hydra/nginx/berlin.scm: New file.
---
hydra/nginx/berlin.scm | 375 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 375 insertions(+)
diff --git a/hydra/nginx/berlin.scm b/hydra/nginx/berlin.scm
new file mode 100644
index 0000000..1a1ac26
--- /dev/null
+++ b/hydra/nginx/berlin.scm
@@ -0,0 +1,375 @@
+;; Nginx configuration for ci.guix.info
+
+;; TODO: these settings cannot currently expressed with Guix:
+
+;; # This is a 72-core machine, but let's not use all of them for nginx.
+;; worker_processes 32;
+;;
+;; error_log /var/log/nginx/error.log error;
+;; pcre_jit on;
+;;
+;; events {
+;; worker_connections 1024;
+;; }
+
+
+
+(define* (le host #:optional privkey)
+ (string-append "/etc/letsencrypt/live/"
+ host "/"
+ (if privkey "privkey" "fullchain")
+ ".pem;"))
+
+;; TODO
+(define %wwwroot "WWWROOT")
+
+(define %publish-url "http://localhost:3000")
+
+(define %tls-settings
+ (list
+ ;; Make sure SSL is disabled.
+ "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"
+ ;; Disable weak cipher suites.
+ "ssl_ciphers HIGH:!aNULL:!MD5;"
+ "ssl_prefer_server_ciphers on;"
+
+ ;; Use our own DH parameters created with:
+ ;; openssl dhparam -out dhparams.pem 2048
+ ;; as suggested at <https://weakdh.org/sysadmin.html>.
+ "ssl_dhparam /etc/dhparams.pem;"))
+
+(define %berlin-locations
+ (list
+ ;; Cuirass.
+ (nginx-location-configuration
+ (uri "/")
+ (body (list "proxy_pass http://localhost:8081;")))
+
+ (nginx-location-configuration
+ (uri "/static")
+ (body
+ (list
+ "proxy_pass http://localhost:8081;"
+ ;; Let browsers cache this for a while.
+ "expires 10d;"
+ ;; Cache quite aggressively.
+ "proxy_cache static;"
+ "proxy_cache_valid 200 5d;"
+ "proxy_cache_valid any 10m;"
+ "proxy_ignore_client_abort on;")))
+
+ (nginx-location-configuration
+ (uri "/berlin.guixsd.org-export.pub")
+ (body
+ (list (string-append "root " %wwwroot ";"))))
+
+ (nginx-location-configuration
+ (uri "/nix-cache-info")
+ (body
+ (list
+ (string-append
+ "proxy_pass " %publish-url "/nix-cache-info;")
+ ;; Cache this file since that's always the first thing we ask
+ ;; for.
+ "proxy_cache static;"
+ "proxy_cache_valid 200 100d;" ; cache hits for a looong time.
+ "proxy_cache_valid any 5m;" ; cache misses/others for 5 min.
+ "proxy_ignore_client_abort on;"
+
+ ;; We need to hide and ignore the Set-Cookie header to enable
+ ;; caching.
+ "proxy_hide_header Set-Cookie;"
+ "proxy_ignore_headers Set-Cookie;")))
+
+ (nginx-location-configuration
+ (uri "/nar/")
+ (body
+ (list
+ (string-append "proxy_pass " %publish-url ";")
+ "client_body_buffer_size 256k;"
+
+ ;; Be more tolerant of delays when fetching a nar.
+ "proxy_read_timeout 60s;"
+ "proxy_send_timeout 60s;"
+
+ ;; Enable caching for nar files, to avoid reconstructing and
+ ;; recompressing archives.
+ "proxy_cache nar;"
+ "proxy_cache_valid 200 30d;" ; cache hits for 1 month
+ "proxy_cache_valid 504 3m;" ; timeout, when hydra.gnu.org is overloaded
+ "proxy_cache_valid any 1h;" ; cache misses/others for 1h.
+
+ "proxy_ignore_client_abort on;"
+
+ ;; Nars are already compressed.
+ "gzip off;"
+
+ ;; We need to hide and ignore the Set-Cookie header to enable
+ ;; caching.
+ "proxy_hide_header Set-Cookie;"
+ "proxy_ignore_headers Set-Cookie;"
+
+ ;; Provide a 'content-length' header so that 'guix
+ ;; substitute-binary' knows upfront how much it is downloading.
+ ;; "add_header Content-Length $body_bytes_sent;"
+ )))
+
+ (nginx-location-configuration
+ (uri "~ \.narinfo$")
+ (body
+ (list
+ ;; Since 'guix publish' has its own caching, and since it relies
+ ;; on the atime of cached narinfos to determine whether a
+ ;; narinfo can be removed from the cache, don't do any caching
+ ;; here.
+ (string-append "proxy_pass " %publish-url ";")
+
+ ;; For HTTP pipelining. This has a dramatic impact on
+ ;; performance.
+ "client_body_buffer_size 128k;"
+
+ ;; Narinfos requests are short, serve many of them on a
+ ;; connection.
+ "keepalive_requests 600;"
+
+ ;; Do not tolerate slowness of hydra.gnu.org when fetching
+ ;; narinfos: better return 504 quickly than wait forever.
+ "proxy_connect_timeout 2s;"
+ "proxy_read_timeout 2s;"
+ "proxy_send_timeout 2s;"
+
+ ;; 'guix publish --ttl' produces a 'Cache-Control' header for
+ ;; use by 'guix substitute'. Let it through rather than use
+ ;; nginx's "expire" directive since the expiration time defined
+ ;; by 'guix publish' is the right one.
+ "proxy_pass_header Cache-Control;"
+
+ "proxy_ignore_client_abort on;"
+
+ ;; We need to hide and ignore the Set-Cookie header to enable
+ ;; caching.
+ "proxy_hide_header Set-Cookie;"
+ "proxy_ignore_headers Set-Cookie;")))
+
+ (nginx-location-configuration
+ (uri "/log/")
+ (body
+ (list
+ (string-append "proxy_pass " %publish-url ";")
+
+ ;; Enable caching for build logs.
+ "proxy_cache logs;"
+ "proxy_cache_valid 200 60d;" ; cache hits.
+ "proxy_cache_valid 504 3m;" ; timeout, when hydra.gnu.org is overloaded
+ "proxy_cache_valid any 1h;" ; cache misses/others.
+
+ "proxy_ignore_client_abort on;"
+
+ ;; We need to hide and ignore the Set-Cookie header to enable
+ ;; caching.
+ "proxy_hide_header Set-Cookie;"
+ "proxy_ignore_headers Set-Cookie;")))
+
+ ;; Content-addressed files served by 'guix publish'.
+ (nginx-location-configuration
+ (uri "/file/")
+ (body
+ (list
+ (string-append "proxy_pass " %publish-url ";")
+
+ "proxy_cache cas;"
+ "proxy_cache_valid 200 200d;" ; cache hits
+ "proxy_cache_valid any 5m;" ; cache misses/others
+
+ "proxy_ignore_client_abort on;")))
+
+ ;; For use by Certbot.
+ (nginx-location-configuration
+ (uri "/.well-known")
+ (body (list "root /var/www;")))))
+
+(define %berlin-servers
+ (list
+
+ ;; Plain HTTP
+ (nginx-server-configuration
+ (listen '("80"))
+ (server-name '("berlin.guixsd.org"
+ "ci.guix.info"))
+ (locations %berlin-locations)
+ (raw-content
+ (list
+ "access_log /var/log/nginx/http.access.log;"
+ "proxy_set_header X-Forwarded-Host $host;"
+ "proxy_set_header X-Forwarded-Port $server_port;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;")))
+
+ (nginx-server-configuration
+ (listen '("80"))
+ (server-name '("bootstrappable.org"
+ "www.bootstrappable.org"))
+ (root "/home/rekado/bootstrappable.org")
+ ;;(locations TODO) ; TODO
+ ;; location = / {
+ ;; root /home/rekado/bootstrappable.org;
+ ;; }
+ (raw-content
+ (list
+ "access_log /var/log/nginx/bootstrappable.access.log;")))
+
+ (nginx-server-configuration
+ (listen '("80"))
+ (server-name '("guix.info"
+ "www.guix.info"))
+ (root "/home/rekado/guix.info")
+ ;;(locations TODO) ; TODO
+ ;; location = / {
+ ;; root /home/rekado/guix.info;
+ ;; }
+ (raw-content
+ (list
+ "access_log /var/log/nginx/guix-info.access.log;")))
+
+ (nginx-server-configuration
+ (listen '("80"))
+ (server-name '("issues.guix.info"))
+ (root "/home/rekado/mumi/")
+ (locations
+ (list (nginx-location-configuration
+ (uri "/")
+ (body '("proxy_pass http://localhost:1234;")))))
+ (raw-content
+ (list
+ "access_log /var/log/nginx/issues-guix-info.access.log;")))
+
+ ;; HTTPS servers
+ (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("berlin.guixsd.org"
+ "ci.guix.info"))
+ (ssl-certificate (le "berlin.guixsd.org"))
+ (ssl-certificate-key (le "berlin.guixsd.org" 'key))
+ (locations %berlin-locations)
+ (raw-content
+ (append
+ %tls-settings
+ (list
+ "access_log /var/log/nginx/https.access.log;"
+ "proxy_set_header X-Forwarded-Host $host;"
+ "proxy_set_header X-Forwarded-Port $server_port;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"))))
+
+ (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("bootstrappable.org"
+ "www.bootstrappable.org"))
+ (ssl-certificate (le "bootstrappable.org"))
+ (ssl-certificate-key (le "bootstrappable.org" 'key))
+ (root "/home/rekado/bootstrappable.org")
+ (raw-content
+ (append
+ %tls-settings
+ (list
+ "access_log /var/log/nginx/bootstrappable.https.access.log;"))))
+
+ (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("guix.info"
+ "www.guix.info"))
+ (ssl-certificate (le "guix.info"))
+ (ssl-certificate-key (le "guix.info" 'key))
+ (root "/home/rekado/guix.info")
+ (raw-content
+ (append
+ %tls-settings
+ (list
+ "access_log /var/log/nginx/guix-info.https.access.log;"))))
+
+ (nginx-server-configuration
+ (listen '("443 ssl"))
+ (server-name '("issues.guix.info"))
+ (ssl-certificate (le "issues.guix.info"))
+ (ssl-certificate-key (le "issues.guix.info" 'key))
+ (root "/home/rekado/mumi/")
+ (locations
+ (list (nginx-location-configuration
+ (uri "/")
+ (body '("proxy_pass http://localhost:1234;")))))
+ (raw-content
+ (append
+ %tls-settings
+ (list
+ "proxy_set_header X-Forwarded-Host $host;"
+ "proxy_set_header X-Forwarded-Port $server_port;"
+ "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
+ "proxy_connect_timeout 600;"
+ "proxy_send_timeout 600;"
+ "proxy_read_timeout 600;"
+ "send_timeout 600;"
+ "access_log /var/log/nginx/issues-guix-info.https.access.log;"))))))
+
+(define %extra-content
+ (list
+ "default_type application/octet-stream;"
+ "sendfile on;"
+
+ ;; Maximum chunk size to send. Partly this is a workaround for
+ ;; <http://bugs.gnu.org/19939>, but also the nginx docs mention that
+ ;; "Without the limit, one fast connection may seize the worker
+ ;; process entirely."
+ ;; <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
+ "sendfile_max_chunk 1m;"
+
+ "keepalive_timeout 65;"
+
+ ;; Use HTTP 1.1 to talk to the backend so we benefit from keep-alive
+ ;; connections and chunked transfer encoding. The latter allows us to
+ ;; make sure we do not cache partial downloads.
+ "proxy_http_version 1.1;"
+
+ ;; The 'inactive' parameter for caching is not very useful in our
+ ;; case: all that matters is that LRU sweeping happens when 'max_size'
+ ;; is hit.
+
+ ;; cache for nar files
+ "proxy_cache_path /var/cache/nginx/nar"
+ " levels=2"
+ " inactive=8d" ; inactive keys removed after 8d
+ " keys_zone=nar:4m" ; nar cache meta data: ~32K keys
+ " max_size=10g;" ; total cache data size max
+
+ ;; cache for content-addressed files
+ "proxy_cache_path /var/cache/nginx/cas"
+ " levels=2"
+ " inactive=180d" ; inactive keys removed after 180d
+ " keys_zone=cas:8m" ; nar cache meta data: ~64K keys
+ " max_size=50g;" ; total cache data size max
+
+ ;; cache for build logs
+ "proxy_cache_path /var/cache/nginx/logs"
+ " levels=2"
+ " inactive=60d" ; inactive keys removed after 60d
+ " keys_zone=logs:8m" ; narinfo meta data: ~64K keys
+ " max_size=4g;" ; total cache data size max
+
+ ;; cache for static data
+ "proxy_cache_path /var/cache/nginx/static"
+ " levels=1"
+ " inactive=10d" ; inactive keys removed after 10d
+ " keys_zone=static:1m" ; nar cache meta data: ~8K keys
+ " max_size=200m;" ; total cache data size max
+
+ ;; If Hydra cannot honor these delays, then something is wrong and
+ ;; we'd better drop the connection and return 504.
+ "proxy_connect_timeout 7s;"
+ "proxy_read_timeout 10s;"
+ "proxy_send_timeout 10s;"
+
+ ;; Cache timeouts for a little while to avoid increasing pressure.
+ "proxy_cache_valid 504 30s;"))
+
+(define %nginx-configuration
+ (nginx-configuration
+ (server-blocks %berlin-servers)
+ (extra-content
+ (string-join %extra-content "\n"))))
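Review bot: The narinfo location passes `"~ \.narinfo$"` as a Scheme string literal, and `\.` is not a valid Guile string escape — if the reader does not reject it outright, the backslash is lost and the rendered nginx pattern `~ .narinfo$` matches any character before `narinfo`; it should be written `(uri "~ \\.narinfo$")` so the dot is literal. The `le` helper at the top of the file also appends `;` to the path it returns, so if the Guix nginx service renders `ssl-certificate` and `ssl-certificate-key` as `ssl_certificate <path>;` the generated config carries a doubled semicolon; ending the helper with `".pem"` instead of `".pem;"` looks safer, but verify against the generated file before changing it. The comment `;; Make sure SSL is disabled.` above `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` reads as if TLS itself were turned off; `;; Allow only TLS: SSLv2/SSLv3 are not listed and so stay disabled.` states what the directive actually does.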