X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/0f5b0542513b572959e39400bae42e69aeb1a7b6..01ca27ba0a1ef84c53e223004249505435a788b6:/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_passenger.sls diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_passenger.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_passenger.sls index 4c0aea25fe..0c9ef1c36e 100644 --- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_passenger.sls +++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_passenger.sls @@ -15,6 +15,7 @@ {%- set _workers = ("__CONTROLLER_MAX_WORKERS__" or grains['num_cpus']*2)|int %} {%- set max_workers = [_workers, 8]|max %} {%- set max_reqs = ("__CONTROLLER_MAX_QUEUED_REQUESTS__" or 128)|int %} +{%- set max_tunnels = ("__CONTROLLER_MAX_GATEWAY_TUNNELS__" or 1000)|int %} ### NGINX nginx: @@ -29,7 +30,7 @@ nginx: # Make the passenger queue small (twice the concurrency, so # there's at most one pending request for each busy worker) # because controller reorders requests based on priority, and - # won't send more than API.MaxConcurrentRequests to passenger + # won't send more than API.MaxConcurrentRailsRequests to passenger # (which is max_workers * 2), so things that are moved to the head # of the line get processed quickly. passenger_max_request_queue_size: {{ max_workers * 2 + 1 }} @@ -50,42 +51,14 @@ nginx: {% endif %} worker_processes: {{ max_workers }} - # each request is up to 3 connections (1 with client, 1 proxy to + # Each client request is up to 3 connections (1 with client, 1 proxy to # controller, then potentially 1 from controller back to # passenger). Each connection consumes a file descriptor. # That's how we get these calculations - worker_rlimit_nofile: {{ max_reqs * 3 + 1 }} + # (we're multiplying by 5 instead to be on the safe side) + worker_rlimit_nofile: {{ (max_reqs + max_tunnels) * 5 + 1 }} events: - worker_connections: {{ max_reqs * 3 + 1 }} - - ### SNIPPETS - snippets: - # Based on https://ssl-config.mozilla.org/#server=nginx&version=1.14.2&config=intermediate&openssl=1.1.1d&guideline=5.4 - ssl_hardening_default.conf: - - ssl_session_timeout: 1d - - ssl_session_cache: 'shared:arvadosSSL:10m' - - ssl_session_tickets: 'off' - - # intermediate configuration - - ssl_protocols: TLSv1.2 TLSv1.3 - - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - - ssl_prefer_server_ciphers: 'off' - - # HSTS (ngx_http_headers_module is required) (63072000 seconds) - - add_header: 'Strict-Transport-Security "max-age=63072000" always' - - # OCSP stapling - - ssl_stapling: 'on' - - ssl_stapling_verify: 'on' - - # verify chain of trust of OCSP response using Root CA and Intermediate certs - # - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates - - # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam - # - ssl_dhparam: /path/to/dhparam - - # replace with the IP address of your resolver - # - resolver: 127.0.0.1 + worker_connections: {{ (max_reqs + max_tunnels) * 5 + 1 }} ### SITES servers: