Let applications decide the hash, remove dupe checks and increase varnish limit

Alex 2020-03-18 00:03:22 +01:00
parent cc1f1e1ad7
commit 91028573d1
No known key found for this signature in database
GPG Key ID: 79DB21404E300A27
3 changed files with 28 additions and 29 deletions

@ -56,7 +56,7 @@ services:
resources: resources:
limits: limits:
cpus: '0.10' cpus: '0.10'
memory: '100M' memory: '500M'
restart_policy: restart_policy:
condition: any condition: any
update_config: update_config:

@ -1,6 +1,4 @@
global global
tune.ssl.default-dh-param 2048
ssl-default-bind-options ssl-min-ver TLSv1.2
maxconn 2048 maxconn 2048
maxconnrate 40 maxconnrate 40
uid 65534 uid 65534
@ -23,7 +21,7 @@ defaults
timeout client 60s timeout client 60s
timeout server 240s timeout server 240s
timeout http-keep-alive 240s timeout http-keep-alive 240s
default-server resolvers dockerdns init-addr libc,none resolve-opts prevent-dup-ip default-server resolvers dockerdns init-addr libc,none resolve-opts prevent-dup-ip check
resolvers dockerdns resolvers dockerdns
nameserver docker 127.0.0.11:53 nameserver docker 127.0.0.11:53
@ -42,9 +40,6 @@ frontend https
acl root url / acl root url /
acl public_cache res.hdr(content-type) -i -m str text/css -i -m str application/javascript -i -m beg font/
acl private_cache res.hdr(content-type) -i -m beg image/ -i -m beg audio/ -i -m beg video/ -i -m beg text/ -i -m beg application/
acl grafana hdr_beg(host) -i stats.redxen.eu acl grafana hdr_beg(host) -i stats.redxen.eu
acl git hdr_beg(host) -i git.redxen.eu acl git hdr_beg(host) -i git.redxen.eu
acl transmission hdr_beg(host) -i seed.redxen.eu acl transmission hdr_beg(host) -i seed.redxen.eu
@ -58,8 +53,7 @@ frontend https
http-response replace-header Set-Cookie (.*) \1;\ Secure http-response replace-header Set-Cookie (.*) \1;\ Secure
http-response add-header X-Forwarded-Proto https http-response add-header X-Forwarded-Proto https
http-response set-header Cache-Control public\ max-age=31536000 if public_cache ! private_cache http-response set-header Cache-Control public\ max-age=31536000 if homepage
http-response set-header Cache-Control private\ max-age=86400\ must-revalidate if private_cache
http-response set-header X-XSS-Protection 1;\ mode=block http-response set-header X-XSS-Protection 1;\ mode=block
http-response set-header X-Content-Type-Options nosniff http-response set-header X-Content-Type-Options nosniff
@ -74,27 +68,27 @@ frontend https
use_backend fedi if fediver use_backend fedi if fediver
backend homepage backend homepage
server-template redxen-space 3 rxhome.s3-website.eu-central-1.amazonaws.com:80 server-template redxen-space 3 rxhome.s3-website.eu-central-1.amazonaws.com:80 no-check
http-request set-header Host rxhome.s3-website.eu-central-1.amazonaws.com http-request set-header Host rxhome.s3-website.eu-central-1.amazonaws.com
http-request set-header Connection \"\" http-request set-header Connection \"\"
backend grafana backend grafana
server-template grafana-docker 5 tasks.tig_grafana:3000 check server-template grafana-docker 5 tasks.tig_grafana:3000
option httpchk HEAD / HTTP/1.1\r\nHost:\ stats.redxen.eu option httpchk HEAD / HTTP/1.1\r\nHost:\ stats.redxen.eu
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
backend fedi backend fedi
server pleroma-docker tasks.pleroma_server:4000 check server pleroma-docker tasks.pleroma_server:4000
option httpchk HEAD / HTTP/1.1\r\nHost:\ social.redxen.eu option httpchk HEAD / HTTP/1.1\r\nHost:\ social.redxen.eu
backend git backend git
server git-docker tasks.git_gitea:3000 check server git-docker tasks.git_gitea:3000
option httpchk HEAD / HTTP/1.1\r\nHost:\ git.redxen.eu option httpchk HEAD / HTTP/1.1\r\nHost:\ git.redxen.eu
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ https:\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ https:\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'unsafe-inline\'\ \'unsafe-eval\'\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
backend transmission backend transmission
server transmission-docker tasks.seedbox_transmission:9091 check server transmission-docker tasks.seedbox_transmission:9091
http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests http-response set-header Content-Security-Policy default-src\ \'self\';connect-src\ \'self\';font-src\ https:\ data:\ \'self\';script-src\ \'self\';style-src\ \'self\'\ \'unsafe-inline\';media-src\ https:\ \'self\';img-src\ https:\ blob:\ data:\ \'self\';frame-src\ \'self\';object-src\ \'none\';block-all-mixed-content;upgrade-insecure-requests
backend seedown backend seedown
server httpd-seedown tasks.seedbox_httpd:80 check server httpd-seedown tasks.seedbox_httpd:80
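Review bot: The first hunk drops `ssl-default-bind-options ssl-min-ver TLSv1.2` and `tune.ssl.default-dh-param 2048` from `global`, and nothing on the new side replaces them; the commit title does not mention this. Unless every `bind` line (outside these hunks) sets its own `ssl-min-ver`, or TLS is terminated in front of this proxy, the listeners fall back to the HAProxy build's default protocol floor, which on older releases still admits TLS 1.0 and 1.1. I would keep `ssl-default-bind-options ssl-min-ver TLSv1.2` in `global`, or say in the commit message where the floor is now enforced. Separately, the new `Cache-Control` rule is conditioned on `homepage`, an ACL whose definition is not in the visible lines, so confirm the frontend declares it.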

@ -23,10 +23,17 @@ sub vcl_recv {
if (req.http.Upgrade ~ "(?i)websocket") { if (req.http.Upgrade ~ "(?i)websocket") {
return (pipe); return (pipe);
} }
if (req.method != "GET" && req.method != "HEAD") { if (req.method == "GET" || req.method == "HEAD") {
return (pass); return (hash);
} }
return (hash); return (pass);
}
sub vcl_hash {
hash_data(req.url);
if (req.http.cookie) {
hash_data(req.http.cookie);
}
return (lookup);
} }
sub vcl_hit { sub vcl_hit {
if (obj.ttl + obj.grace > 0s) { if (obj.ttl + obj.grace > 0s) {
@ -34,23 +41,21 @@ sub vcl_hit {
} }
return (pass); return (pass);
} }
sub vcl_miss {
return (fetch);
}
sub vcl_pipe { sub vcl_pipe {
if (req.http.upgrade) { if (req.http.upgrade) {
set bereq.http.upgrade = req.http.upgrade; set bereq.http.upgrade = req.http.upgrade;
} }
return (pipe); return (pipe);
} }
sub vcl_hash {
hash_data(req.url);
if (req.http.Cookie) {
hash_data(req.http.Cookie);
}
}
sub vcl_backend_response { sub vcl_backend_response {
set beresp.grace = 1m; if (beresp.status == 500 || beresp.status == 502 || beresp.status == 503 || beresp.status == 504) {
set beresp.keep = 4m; return (abandon);
if (beresp.http.ETag || beresp.http.Last-Modified) {
set beresp.keep = 4h;
} }
return (deliver); if (beresp.http.Cache-Control ~ "public") {
return (deliver);
}
return (pass);
} }
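Review bot: The new `vcl_hash` ends with `return (lookup);`, which keeps Varnish from running the built-in `vcl_hash` after it, so the cache key becomes URL plus Cookie and no longer includes the Host header. If this instance fronts more than one hostname (not visible from here), an object stored for a path on one host can be served for the same path on another. Add `hash_data(req.http.host);` before the return, or drop the `return (lookup);` so the built-in key still applies. The rewritten `vcl_backend_response` has the same shape: every branch returns explicitly, so the built-in refusal to cache responses carrying `Set-Cookie` no longer runs. A reply with both `Cache-Control: public` and `Set-Cookie` would then be stored and replayed to every client sharing the key, so test `beresp.http.Set-Cookie` before the `return (deliver);` branch.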