#3702 -- Apply nginx performance boost to Ansible installations.

update.sh

@@ -15,7 +15,7 @@ done
 if [[ "$1" == '--' ]]; then shift; fi
 
 APP_ENV="${APP_ENV:-production}"
-UPDATE_REVISION="${UPDATE_REVISION:-59}"
+UPDATE_REVISION="${UPDATE_REVISION:-60}"
 
 PKG_OK=$(dpkg-query -W --showformat='${Status}\n' ansible | grep "install ok installed")
 echo "Checking for Ansible: $PKG_OK"

util/ansible/roles/nginx/templates/default.j2

@@ -28,12 +28,6 @@ server {
     ssl_certificate    /etc/nginx/ssl/server.crt;
     ssl_certificate_key    /etc/nginx/ssl/server.key;
 
-{% if ansible_distribution_release == 'focal' %}
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-    ssl_prefer_server_ciphers off;
-{% endif %}
-
     root {{ app_base }}/www/web;
     index index.php;
 
@@ -46,8 +40,6 @@ server {
     access_log {{ app_base }}/www_tmp/access.log;
     error_log {{ app_base }}/www_tmp/error.log;
 
-    client_max_body_size 50M;
-
     # Serve a static version of the nowplaying data for non-PHP-blocking delivery.
     location /api/nowplaying_static {
         expires 10s;

util/ansible/roles/nginx/templates/nginx.conf.j2

@@ -1,12 +1,14 @@
 user www-data;
-worker_processes auto;
+worker_processes  auto;
+worker_rlimit_nofile 65000;
+
 pid /run/nginx.pid;
 
 include /etc/nginx/modules-enabled/*.conf;
 
 events {
-    worker_connections 10240;
-    # multi_accept on;
+    worker_connections 65000;
+    multi_accept on;
 }
 
 http {
@@ -17,7 +19,9 @@ http {
     sendfile on;
     tcp_nopush on;
     tcp_nodelay on;
+
     keepalive_timeout 65;
+
     types_hash_max_size 2048;
     server_tokens off;
 
@@ -33,15 +37,14 @@ http {
     # SSL Settings
     ##
 
+{% if ansible_distribution_release == 'focal' %}
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+{% else %}
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
     ssl_prefer_server_ciphers on;
-
-    ##
-    # Logging Settings
-    ##
-
-    access_log /var/log/nginx/access.log;
-    error_log /var/log/nginx/error.log;
+{% endif %}
 
     ##
     # Logging Settings
@@ -56,13 +59,21 @@ http {
 
     gzip on;
     gzip_disable "msie6";
-
-    # gzip_vary on;
-    # gzip_proxied any;
-    # gzip_comp_level 6;
-    # gzip_buffers 16 8k;
-    # gzip_http_version 1.1;
-    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+    gzip_comp_level 6;
+    gzip_min_length 1100;
+    gzip_buffers 16 8k;
+    gzip_proxied any;
+    gzip_types
+        text/plain
+        text/css
+        text/js
+        text/xml
+        text/javascript
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/xml+rss;
 
     ##
     # Virtual Host Configs

util/ansible/update.yml

@@ -16,7 +16,7 @@
     - { role : azuracast-radio, when : update_revision|int < 59 }
     - { role : supervisord, when : update_revision|int < 13 }
     - { role : mariadb, when : update_revision|int < 15 }
-    - { role : nginx, when : update_revision|int < 55 }
+    - { role : nginx, when : update_revision|int < 60 }
     - { role : redis, when : update_revision|int < 57 }
     - { role : php, when : update_revision|int < 50 }
     - composer