OS optimizations for ec2 t2.micro - WIP
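# https://www.nginx.com/blog/tuning-nginx/
# WIP scratch notes: several snippets below are placeholders (a bare limit_rate,
# a location {} with no URI) and belong to different contexts (http, server,
# upstream). They are not meant to be loaded as a single file.
worker_connections 1024;
# Limit the number of connections NGINX allows, for example from a single client
# IP address. Setting them can help prevent individual clients from opening too
# many connections and consuming too many resources.
server {
# When several limit_conn directives are specified, any configured limit will apply.
limit_conn perip 10;
limit_conn perserver 100;
}
limit_conn_status 503;
# Zones are declared at http{} level. $binary_remote_addr (not $remote_addr) keeps
# the per-client state small; once a zone's shared memory is exhausted nginx
# answers further requests with limit_conn_status.
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
# Limits the amount of bandwidth allowed for a client on a single connection.
# Setting it can prevent the system from being overloaded by certain clients
# and can help to ensure that all clients receive good quality of service.
# Placeholder: takes a rate in bytes per second; 0 (the default) means unlimited.
limit_rate
# Limit the rate of requests being processed by NGINX. As with limit_rate,
# setting them can help prevent the system from being overloaded by certain
# clients and can help to ensure that all clients receive good quality of service.
# They can also be used to improve security, especially for login pages, by
# limiting the request rate so that it is adequate for a human user but too
# slow for programs trying to access your application (such as bots in a DDoS attack).
# If the requests rate exceeds the rate configured for a zone, their processing is
# delayed such that requests are processed at a defined rate. Excessive requests are
# delayed until their number exceeds the maximum burst size in which case the request
# is terminated with an error 503 (Service Temporarily Unavailable). By default, the
# maximum burst size is equal to zero.
# limit_req zone=name [burst=number] [nodelay];
# Placeholder location: in practice attach this to the URIs worth protecting
# (for WordPress, the login and xmlrpc endpoints) rather than a bare location {}.
location { limit_req zone=one burst=5; }
limit_req_status 503;
# rate=1r/s with burst=5: requests above the rate queue up to 5 deep and are
# served at 1r/s; anything beyond that gets limit_req_status.
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; # or r/m
# parameter to the server directive in an upstream configuration block
# Set the maximum number of simultaneous connections accepted by a server in an
# upstream group. This can help prevent the upstream servers from being overloaded.
# The default is zero, meaning that there is no limit.
max_conns 0;
# If max_conns is set for any upstream server, governs what happens when a request
# cannot be processed because there are no available servers in the upstream group
# and some of those servers have reached the max_conns limit. This directive can be
# set to the number of requests to queue and for how long. If this directive is not
# set, no queuing occurs.
# queue number [timeout=time]; The default value of the timeout parameter is 60 seconds.
# Context: upstream
# NOTE(review): queue is an NGINX Plus (commercial) directive; open-source nginx
# rejects it at config test.
queue 100 timeout=60;
gzip_min_length 10240;
gzip_disable "MSIE [1-6]\.";
#If you're serving a large number of static files you'll benefit from keeping filehandles
# to requested files open - this avoids the need to reopen them in the future.
# NOTE: You should only run with this enabled if you're not editing the files at
# the time you're serving them. Because file accesses are cached any 404s will be
# cached too, similarly file-sizes will be cached, and if you change them your served
# content will be out of date.
# max=2000 cached descriptors, dropped after 20s unused; metadata is re-checked
# every 60s; a file must be hit 5 times within the inactive window to be kept;
# errors off means lookup failures (the cached 404s above) are not cached.
open_file_cache max=2000 inactive=20s;
open_file_cache_valid 60s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
# Placeholder location: FastCGI buffer sizing for responses from php-fpm. Responses
# that outgrow the buffers spill to temp files (temp_file_write_size bounds each write).
location {
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
http {
# from http://stale.coffee/ec2-micro-instance-adventure-nginx-php-mysql.html
# The zone name must match the keys_zone declared by fastcgi_cache_path below.
# (The original said CACHE, which is declared nowhere and fails the config test.)
fastcgi_cache WORDPRESS;
fastcgi_cache_methods GET HEAD;
fastcgi_cache_valid 200 1m;
# $no_cache is set per request in the server{} block below. A value of 1 skips the
# cache on lookup (bypass) and on store (no_cache), so POST and logged-in responses
# are never cached and later served to other visitors.
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;
#move next 3 lines to /etc/nginx/nginx.conf if you want to use fastcgi_cache across many sites
# The cache directory must be writable by nginx's worker/cache-manager processes.
# The key includes $scheme and $host, so http/https and per-vhost variants are
# cached separately. NOTE(review): keys_zone=WORDPRESS:500m reserves 500m of shared
# memory for keys alone - confirm that is intended on a micro instance.
fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:500m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header http_500;
}
server {
#fastcgi_cache start
set $no_cache 0;
# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
set $no_cache 1;
}
if ($query_string != "") {
set $no_cache 1;
}
# Don't cache uris containing the following segments
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $no_cache 1;
}
# Don't use the cache for logged in users or recent commenters
# (these cookie names are the ones WordPress sets for sessions, post passwords
# and comment authors; any match forces a fresh PHP response).
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $no_cache 1;
}
}
# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# This is a robust solution for path info security issue and works
# with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)
# (only scripts that actually exist on disk are handed to PHP, so a request for
# an uploaded non-PHP file with a trailing /x.php is answered with 404 instead).
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi.conf;
fastcgi_index index.php;
# fastcgi_intercept_errors on;
# "php" is an upstream{} defined elsewhere (not in this file).
fastcgi_pass php;
# Options for fcgi cache if enabled
# fastcgi_cache_bypass $no_cache;
# fastcgi_no_cache $no_cache;
# fastcgi_cache WORDPRESS;
# fastcgi_cache_valid 200 60m;
}
# Cache purge endpoint; fastcgi_cache_purge needs the third-party ngx_cache_purge
# module. As written it is reachable by anyone, so arbitrary clients can evict
# cache entries and keep the cache cold. Restrict it to the host that legitimately
# purges (a local WordPress plugin) by uncommenting allow/deny below.
location ~ /purge(/.*) {
# Uncomment the following two lines to allow purge only from the webserver
#allow 127.0.0.1;
#deny all;
fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
}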
; php-fpm [global] settings jotted in shorthand without the "=" (the ini form is
; e.g. "emergency_restart_threshold = 10"). Together the first two mean: if 10
; children exit on SIGSEGV/SIGBUS within 1 minute, the master restarts gracefully.
; process_control_timeout is how long children get to react to a reload/shutdown
; signal from the master.
emergency_restart_threshold 10
emergency_restart_interval 1m
process_control_timeout 10s
# from http://engineering.chartbeat.com/2014/01/02/part-1-lessons-learned-tuning-tcp-and-nginx-in-ec2/
# NOTE(review): these values were tuned for a far larger host than a t2.micro in
# the source post; treat them as a starting point and confirm each against the
# instance's RAM and expected connection counts.
# Max receive buffer size (8 Mb)
net.core.rmem_max=8388608
# Max send buffer size (8 Mb)
net.core.wmem_max=8388608
# Default receive buffer size
net.core.rmem_default=65536
# Default send buffer size
net.core.wmem_default=65536
# The first value tells the kernel the minimum receive/send buffer for each TCP connection,
# and this buffer is always allocated to a TCP socket,
# even under high pressure on the system. …
# The second value specified tells the kernel the default receive/send buffer
# allocated for each TCP socket. This value overrides the /proc/sys/net/core/rmem_default
# value used by other protocols. … The third and last value specified
# in this variable specifies the maximum receive/send buffer that can be allocated for a TCP socket.
# Note: The kernel will auto tune these values between the min-max range
# If for some reason you wanted to change this behavior, disable net.ipv4.tcp_moderate_rcvbuf
net.ipv4.tcp_rmem=8192 873800 8388608
net.ipv4.tcp_wmem=4096 655360 8388608
# Units are in page size (default page size is 4 kb)
# These are global variables affecting total pages for TCP
# sockets
# 8388608 * 4 = 32 GB
# low pressure high
# When mem allocated by TCP exceeds “pressure”, kernel will put pressure on TCP memory
# We set all these values high to basically prevent any mem pressure from ever occurring
# on our TCP sockets
# NOTE(review): 32 GB of TCP pages is above anything a micro instance can back, so
# this effectively disables TCP memory-pressure accounting - confirm that is wanted.
net.ipv4.tcp_mem=8388608 8388608 8388608
# Increase max number of sockets allowed in TIME_WAIT
# (beyond this count the kernel destroys TIME_WAIT sockets immediately and logs a warning)
net.ipv4.tcp_max_tw_buckets=6000000
# Increase max half-open connections.
# Pair with net.ipv4.tcp_syncookies=1 (not set in this file) so the backlog degrades
# gracefully under a SYN flood instead of simply dropping new connections.
net.ipv4.tcp_max_syn_backlog=65536
# Increase max TCP orphans
# These are sockets which have been closed and no longer have a file handle attached to them
net.ipv4.tcp_max_orphans=262144
# Max listen queue backlog
# make sure to increase nginx backlog as well if changed
# (nginx's listen backlog is capped by this value; raise both or neither)
net.core.somaxconn = 16384
# Max number of packets that can be queued on interface input
# If kernel is receiving packets faster than can be processed
# this queue increases
net.core.netdev_max_backlog = 16384
# Only retry creating TCP connections twice
# Minimize the time it takes for a connection attempt to fail
# synack_retries bounds how long an inbound half-open connection lingers
# (limits SYN-flood residency); syn_retries applies to outbound connects.
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# Timeout closing of TCP connections after 7 seconds
# (applies to orphaned sockets in FIN_WAIT_2 only; it does not shorten TIME_WAIT)
net.ipv4.tcp_fin_timeout = 7
# Avoid falling back to slow start after a connection goes idle
# keeps our cwnd large with the keep alive connections
net.ipv4.tcp_slow_start_after_idle = 0
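server {
# listens both on IPv4 and IPv6 on 443 and enables HTTPS and HTTP/2 support.
# HTTP/2 is available in nginx 1.9.5 and above.
listen *:443 ssl http2;
listen [::]:443 ssl http2;
# indicate locations of SSL key files.
# The private key is read by the master process; keep it readable by root only.
# NOTE(review): dhparam lives under a different directory than the cert/key
# (/srv/www/master/ssl vs /srv/www/ssl) - confirm that is intended.
ssl_certificate /srv/www/ssl/ssl.crt;
ssl_certificate_key /srv/www/ssl/ssl.key;
# Only used by DHE suites; with the ECDHE-only cipher list below it is inert but harmless.
ssl_dhparam /srv/www/master/ssl/dhparam.pem;
# indicate the server name
server_name example.com *.example.com;
# Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
# max-age=31536000 is one year. add_header is NOT inherited into any location{}
# that declares its own add_header, so repeat it there or the header is silently lost.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score as of Sept 2015.
# 20m of shared session cache; sessions are reusable for 10 minutes.
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
# TLS 1.0/1.1 are deprecated (RFC 8996) and were dropped from the original list.
# Add TLSv1.3 once the build supports it (nginx >= 1.13.0 with OpenSSL >= 1.1.1).
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# DH+3DES was removed: 3DES is a 64-bit block cipher (SWEET32 class) and no
# modern client needs it. Remaining suites are ECDHE with AES-GCM preferred.
ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5';
}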
# WIP notes in sysctl.conf form. Two lines are not loadable as written: the
# "(10)" after vm.swappiness is an alternative value, not syntax, and
# net.core.netdev_max_backlog has no value. NOTE(review): trailing "#" comments
# on value lines are not accepted by every sysctl implementation - check with sysctl -p.
vm.swappiness = 20 (10)
net.core.somaxconn = 256 # max 512 before nginx backlog needs changing
net.core.netdev_max_backlog =
net.core.rmem_default = 212992
net.core.rmem_max = 212992 # 16777216
net.core.wmem_default = 212992
net.core.wmem_max = 212992 # 16777216
# Ephemeral ports starting at 1024 can collide with any service listening below
# the usual 32768 floor - confirm nothing on this host listens in that range.
net.ipv4.ip_local_port_range = 1024 65535
# Enables fast recycling of TIME_WAIT sockets.
# (Use with caution according to the kernel documentation!)
# NOTE(review): tcp_tw_recycle rejects connections from clients behind NAT (it
# relies on per-host TCP timestamps) and was removed in Linux 4.12, where this
# line makes sysctl -p fail. Prefer leaving it unset and relying on tw_reuse.
net.ipv4.tcp_tw_recycle = 1
# Allow reuse of sockets in TIME_WAIT state for new connections
# only when it is safe from the network stack’s perspective.
# (affects outbound connections only, e.g. nginx -> upstream)
net.ipv4.tcp_tw_reuse = 1
# Increase the number of outstanding syn requests allowed.
# c.f. The use of syncookies.
# With syncookies on, a full backlog answers with cookie-encoded SYN-ACKs instead
# of dropping new connections outright.
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
# System-wide open file limit; per-process limits (ulimit -n / nginx worker_rlimit_nofile)
# still cap each daemon below this.
fs.file-max = 98236
# Forking servers, like PostgreSQL or Apache, scale to much
# higher levels of concurrent connections if this is made larger,
# by at least an order of magnitude:
kernel.sched_migration_cost_ns = 5000000
# PostgreSQL specific
kernel.sched_autogroup_enabled = 0
# generic noatime for system mounts
# WordPress single site rules.
# Intended to be include'd inside any server {} block.
# The catch-all location is listed first on purpose: a matching regex location
# below takes precedence, and try_files here is the fallback for everything else.
# http://wiki.nginx.org/HttpCoreModule
location / {
    try_files $uri $uri/ /index.php?$args;
}

# 301 */wp-admin to */wp-admin/ so the admin index resolves.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;

# Static assets: far-future expires, no access log, and no 404 noise in the error log.
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
    access_log    off;
    log_not_found off;
    expires       max;
}
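; from http://stale.coffee/ec2-micro-instance-adventure-nginx-php-mysql.html
[global]
; restart the master if 10 children die on SIGSEGV/SIGBUS within 1 minute
emergency_restart_threshold = 10
emergency_restart_interval = 1m
; how long children get to react to a reload/shutdown signal
process_control_timeout = 10s
[www]
; Unix socket rather than TCP: unreachable from the network; access is governed
; purely by the file permissions below.
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
; 0660 instead of 0664: connect() on a unix socket needs write permission, so the
; world-readable bit granted nothing useful and only widened the exposure.
listen.mode = 0660
; NOTE(review): the pool runs as the same user nginx serves files as, so PHP can
; write anything nginx can read. A dedicated pool user with a read-only web root
; (uploads excepted) is the usual hardening; left unchanged here because the file
; ownership on the host is not visible.
user = nginx
group = nginx
; worst case 20 children x 64M memory_limit = 1.28 GB of PHP heap - confirm that
; fits the instance's RAM alongside nginx (and MySQL, if co-hosted as in the source post).
pm.max_children = 20
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 20
; recycle each child after 200 requests to bound memory leaks in PHP extensions
pm.max_requests = 200
; php_admin_value cannot be overridden by ini_set() from scripts
php_admin_value[memory_limit] = 64M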