projects / arvados.git / blobdiff
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
20690: Sets nginx snippets on its own pillar sls file.
[arvados.git] / tools / salt-install / config_examples / multi_host / aws / pillars / nginx_passenger.sls
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_passenger.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_passenger.sls
index ce8f0ff407a2a5819d98f27c1b238291df5be578..82f1b91bb5ba4efb997f9f7da2c14b4a58f13e81 100644 (file)
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_passenger.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_passenger.sls
@@ -12,7 +12,8 @@
 {%- set passenger_ruby = '/usr/local/rvm/wrappers/default/ruby'
                            if grains.osfinger in ('CentOS Linux-7', 'Ubuntu-18.04', 'Debian-10') else
                          '/usr/bin/ruby' %}
-{%- set max_workers = ("__CONTROLLER_MAX_WORKERS__" or grains['num_cpus'])|int %}
+{%- set _workers = ("__CONTROLLER_MAX_WORKERS__" or grains['num_cpus']*2)|int %}
+{%- set max_workers = [_workers, 8]|max %}
 {%- set max_reqs = ("__CONTROLLER_MAX_QUEUED_REQUESTS__" or 128)|int %}
 
 ### NGINX
@@ -28,7 +29,7 @@ nginx:
     # Make the passenger queue small (twice the concurrency, so
     # there's at most one pending request for each busy worker)
     # because controller reorders requests based on priority, and
-    # won't send more than API.MaxConcurrentRequests to passenger
+    # won't send more than API.MaxConcurrentRailsRequests to passenger
     # (which is max_workers * 2), so things that are moved to the head
     # of the line get processed quickly.
     passenger_max_request_queue_size: {{ max_workers * 2 + 1 }}
@@ -57,35 +58,6 @@ nginx:
       events:
         worker_connections: {{ max_reqs * 3 + 1 }}
 
-  ### SNIPPETS
-  snippets:
-    # Based on https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4
-    ssl_hardening_default.conf:
-      - ssl_session_timeout: 1d
-      - ssl_session_cache: 'shared:arvadosSSL:10m'
-      - ssl_session_tickets: 'off'
-
-      # intermediate configuration
-      - ssl_protocols: TLSv1.2 TLSv1.3
-      - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-      - ssl_prefer_server_ciphers: 'off'
-
-      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
-      - add_header: 'Strict-Transport-Security "max-age=63072000" always'
-
-      # OCSP stapling
-      - ssl_stapling: 'on'
-      - ssl_stapling_verify: 'on'
-
-      # verify chain of trust of OCSP response using Root CA and Intermediate certs
-      # - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates
-
-      # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
-      # - ssl_dhparam: /path/to/dhparam
-
-      # replace with the IP address of your resolver
-      # - resolver: 127.0.0.1
-
   ### SITES
   servers:
     managed: