From b059a1e3c2c40e160b2faab03c1be6bc0bcb8b1a Mon Sep 17 00:00:00 2001
From: Julien Gomes Dias
Date: Fri, 8 Jul 2022 09:45:24 +0200
Subject: [PATCH 1/3] Ajout de Memory consumption OpCache
---
 roles/php7_fpm/defaults/main.yml | 1 +
 roles/php7_fpm/tasks/configure_fpm.yml | 10 ++++++++++
 2 files changed, 11 insertions(+)
diff --git a/roles/php7_fpm/defaults/main.yml b/roles/php7_fpm/defaults/main.yml
index 1f48aec1..8ba10bf3 100644
--- a/roles/php7_fpm/defaults/main.yml
+++ b/roles/php7_fpm/defaults/main.yml
@@ -12,3 +12,4 @@ opcache_revalidate_freq: "60"
 composer_version: 2.3.8
 composer_sum: "c6ab768ad3239c4d4cc4f39f8ff7462925e088cd441e5bdb749fbf6efe049769"
 upload_max_filesize: "2M"
+opcache_memory_consumption: 128
\ No newline at end of file
diff --git a/roles/php7_fpm/tasks/configure_fpm.yml b/roles/php7_fpm/tasks/configure_fpm.yml
index af7ee5f4..f2a76320 100644
--- a/roles/php7_fpm/tasks/configure_fpm.yml
+++ b/roles/php7_fpm/tasks/configure_fpm.yml
@@ -10,6 +10,16 @@
 tags:
 - confphpfpm
+ - name: "Memory consumption from 128M to {{ opcache_memory_consumption }} for PHP{{ php_version }}"
+ lineinfile:
+ line: "opcache.memory_consumption = {{ opcache_memory_consumption }}"
+ regexp: "^opcache.memory_consumption"
+ path: "{{ php_ini_file }}"
+ state: present
+ notify: reload php-fpm php7_fpm
+ tags:
+ - confphpfpm
+
 - name: "opcache.save_comments to {{ opcache_save_comments }} for PHP{{ php_version }}"
 lineinfile:
 line: "opcache.save_comments = {{ opcache_save_comments }}"
--
GitLab
From 5219568961dce1b874e9379f671fa5bc6ca6ab5f Mon Sep 17 00:00:00 2001
From: Sylvain Arrachart
Date: Wed, 28 Jun 2023 13:43:09 +0000
Subject: [PATCH 2/3] Config file for v26
---
 .../templates/nginx_nextcloud.j2 | 182 ++++++++++--------
 1 file changed, 97 insertions(+), 85 deletions(-)
diff --git a/roles/nextcloud_instance/templates/nginx_nextcloud.j2 b/roles/nextcloud_instance/templates/nginx_nextcloud.j2
index ecb059b2..453855e8 100644
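Review bot: The `regexp: "^opcache.memory_consumption"` in the new lineinfile task only matches an already active entry, so if the target php.ini ships the key commented out (`;opcache.memory_consumption=128`, as stock php.ini files commonly do) the task appends a second, uncommented line at the end of the file instead of replacing the existing one; PHP still honours the last definition, but the file ends up with two entries for one key and the dot in the pattern is an unescaped wildcard. `regexp: "^;?opcache\\.memory_consumption"` matches both forms and replaces in place. The task name `"Memory consumption from 128M to …"` also overstates what the task knows, since it sets the value regardless of the previous one; `"opcache.memory_consumption to {{ opcache_memory_consumption }} for PHP{{ php_version }}"` would follow the naming of the neighbouring `opcache.save_comments` task.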
--- a/roles/nextcloud_instance/templates/nginx_nextcloud.j2
+++ b/roles/nextcloud_instance/templates/nginx_nextcloud.j2
@@ -4,6 +4,12 @@ upstream php-handler{{ app_instance_id }} {
 #server unix:/var/run/php5-fpm.sock;
 }
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+ 7 map $arg_v $asset_immutable {
+ 8 "" "";
+ 9 default "immutable";
+ 10 }
+
 map $http_user_agent $log_ua {
 ~Monit 0;
 default 1;
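Review bot: The added `map $arg_v $asset_immutable { … }` block carries leading numerals on every line (`+ 7 map …`, `+ 8 "" "";`, `+ 9 default "immutable";`, `+ 10 }`) that look like line numbers copied together with the snippet; if they are really in the template rather than an artefact of how this patch was captured, nginx parses `7` as a directive name and `nginx -t` rejects the rendered configuration, so the role's reload handler would fail. Drop the `7`/`8`/`9`/`10` prefixes so the block starts with `map $arg_v $asset_immutable {` and the remaining three lines are `"" "";`, `default "immutable";` and `}`. It is worth adding a syntax check of the rendered file to the role so a broken template is caught before the service is reloaded.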
@@ -29,25 +35,39 @@ server {
 ssl_certificate /etc/letsencrypt/live/{{ app_domain }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ app_domain }}/privkey.pem;
- # Add headers to serve security related headers
- # Before enabling Strict-Transport-Security headers please read into this
- # topic first.
- # add_header Strict-Transport-Security "max-age=15768000;
- # includeSubDomains; preload;";
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Strict-Transport-Security "max-age=15768000";
- add_header Referrer-Policy no-referrer;
- add_header X-Frame-Options "SAMEORIGIN" always;
+ # set max upload size and increase upload timeout:
+ client_max_body_size 512M;
+ client_body_timeout 300s;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ # Pagespeed is not supported by Nextcloud, so if your server is built
+ # with the `ngx_pagespeed` module, uncomment this line to disable it.
+ #pagespeed off;
+
+ # The settings allows you to optimize the HTTP2 bandwitdth.
+ # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+ # for tunning hints
+ client_body_buffer_size 512k;
+
+ # HTTP response headers borrowed from Nextcloud `.htaccess`
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "noindex, nofollow" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
 # Path to the root of your installation
 root {{ app_instance_root }}/;
@@ -55,6 +75,15 @@ server {
 access_log {{ www_log | mandatory }}/{{ app_instance_id }}/access.log combined if=$log_ua;
 error_log {{ www_log | mandatory }}/{{ app_instance_id }}/error.log;
+ index index.php index.html /index.php$request_uri;
+
+ # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+ location = / {
+ if ( $http_user_agent ~ ^DavClnt ) {
+ return 302 /remote.php/webdav/$is_args$args;
+ }
+ }
+
 location = /robots.txt {
 allow all;
 log_not_found off;
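Review bot: Strict-Transport-Security disappears in the `@@ -29,25 +35,39 @@` hunk: the removed block sent `add_header Strict-Transport-Security "max-age=15768000";` and the new header list (Referrer-Policy through X-XSS-Protection) does not re-add it, so hosts rendered from this template stop sending HSTS and browsers lose the cached policy once its max-age runs out. Unless the header is deliberately moved to a layer outside this template, add `add_header Strict-Transport-Security "max-age=15768000" always;` next to the other headers; `always` keeps it on error responses like the rest of the list. Because the old template already sent HSTS, this is a regression for existing deployments rather than a cautious default. The new comment also carries the typos `bandwitdth` and `tunning`. The enclosing `server` block starts before this hunk.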
@@ -66,91 +95,74 @@ server {
 # `location ~ /(\.|autotest|...)` which would otherwise handle requests
 # for `/.well-known`.
 location ^~ /.well-known {
- # The following 6 rules are borrowed from `.htaccess`
+ # The rules in this block are an adaptation of the rules
+ # in `.htaccess` that concern `/.well-known`.
 location = /.well-known/carddav { return 301 /remote.php/dav/; }
 location = /.well-known/caldav { return 301 /remote.php/dav/; }
- # Anything else is dynamically handled by Nextcloud
- location ^~ /.well-known { return 301 /index.php$uri; }
- try_files $uri $uri/ =404;
- }
-
- # set max upload size
- client_max_body_size 512M;
- fastcgi_buffers 64 4K;
+ location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+ location /.well-known/pki-validation { try_files $uri $uri/ =404; }
- # Enable gzip but do not remove ETag headers
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+ # Let Nextcloud's API for `/.well-known` URIs handle all other
+ # requests by passing them to the front-end controller.
+ return 301 /index.php$request_uri;
+ }
+
+ # Rules borrowed from `.htaccess` to hide certain paths from clients
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
- # Uncomment if your server is build with the ngx_pagespeed module
- # This module is currently not supported.
- #pagespeed off;
+ # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+ # which handle static assets (as seen below). If this block is not declared first,
+ # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+ # to the URI, resulting in a HTTP 500 error response.
+ location ~ \.php(?:$|/) {
+ # Required for legacy support
+ rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
- location / {
- rewrite ^ /index.php$uri;
- }
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
- location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
- deny all;
- }
- location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
- }
+ try_files $fastcgi_script_name =404;
- location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
- fastcgi_split_path_info ^(.+\.php)(/.*)$;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param PATH_INFO $path_info;
 fastcgi_param HTTPS on;
- #Avoid sending the security headers twice
- fastcgi_param modHeadersAvailable true;
- fastcgi_param front_controller_active true;
- fastcgi_pass php-handler{{ app_instance_id }};
+
+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+ fastcgi_param front_controller_active true; # Enable pretty urls
+ fastcgi_pass php-handler;
+ fastcgi_intercept_errors on;
 fastcgi_request_buffering off;
+
+ fastcgi_max_temp_file_size 0;
 }
- location ~ ^/(?:updater|ocs-provider)(?:$|/) {
- try_files $uri/ =404;
- index index.php;
+ location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+ access_log off; # Optional: Don't log access to assets
+
+ location ~ \.wasm$ {
+ default_type application/wasm;
+ }
 }
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the PHP block
- location ~ \.(?:css|js|woff|svg|gif)$ {
- try_files $uri /index.php$uri$is_args$args;
- add_header Cache-Control "public, max-age=15778463";
- # Add headers to serve security related headers (It is intended to
- # have those duplicated to the ones above)
- # Before enabling Strict-Transport-Security headers please read into
- # this topic first.
- # add_header Strict-Transport-Security "max-age=15768000;
- # includeSubDomains; preload;";
- #
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- # Optional: Don't log access to assets
- access_log off;
+ location ~ \.woff2?$ {
+ try_files $uri /index.php$request_uri;
+ expires 7d; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
 }
- location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
- try_files $uri /index.php$uri$is_args$args;
- # Optional: Don't log access to other assets
- access_log off;
+ # Rule borrowed from `.htaccess`
+ location /remote {
+ return 301 /remote.php$request_uri;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$request_uri;
+ }
 }
\ No newline at end of file
--
GitLab
From def6e939ff1ec47b01a899fd1b18d9d20ffadd89 Mon Sep 17 00:00:00 2001
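Review bot: The new `location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$` block declares its own `add_header Cache-Control …`, and in nginx a level that has any add_header of its own stops inheriting the parent's add_header set, so static assets served from this block go out without the X-Content-Type-Options, X-Frame-Options and related headers declared at server level; the removed version of this block repeated them for exactly that reason ("It is intended to have those duplicated to the ones above"). Re-declaring the headers inside the block, as below, restores them, and the `location ~ \.woff2?$` block is unaffected because `expires` does not reset the inherited set. Separately, with the map defaulting to `"immutable"` the value `"public, max-age=15778463, $asset_immutable"` ends in a dangling `, ` whenever the request has no `v` argument; moving the separator into the map (`default ", immutable";`) and writing `"public, max-age=15778463$asset_immutable"` avoids that. The enclosing `server` block starts before this hunk and closes on its last line.
```nginx
location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
    add_header Cache-Control "public, max-age=15778463, $asset_immutable";
    # add_header on this level replaces the inherited set, so the security
    # headers declared in the server block are repeated here on purpose.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "noindex, nofollow" always;
    add_header X-XSS-Protection "1; mode=block" always;
    # … unchanged: try_files, access_log off and the nested .wasm location …
```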
From: Julien Gomes Dias
Date: Wed, 16 Aug 2023 16:06:26 +0000
Subject: [PATCH 3/3] [fix] Change php-handler to php-handler{{ app_instance_id }}
---
 roles/nextcloud_instance/templates/nginx_nextcloud.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/nextcloud_instance/templates/nginx_nextcloud.j2 b/roles/nextcloud_instance/templates/nginx_nextcloud.j2
index 453855e8..10a01104 100644
--- a/roles/nextcloud_instance/templates/nginx_nextcloud.j2
+++ b/roles/nextcloud_instance/templates/nginx_nextcloud.j2
@@ -133,7 +133,7 @@ server {
 fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
 fastcgi_param front_controller_active true; # Enable pretty urls
- fastcgi_pass php-handler;
+ fastcgi_pass php-handler{{ app_instance_id }};
 fastcgi_intercept_errors on;
 fastcgi_request_buffering off;
@@ -165,4 +165,4 @@ server {
 location / {
 try_files $uri $uri/ /index.php$request_uri;
 }
-}
\ No newline at end of file
+}
--
GitLab