diff --git a/README.md b/README.md index 5df979a..34b12c0 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Optimized configuration for Ubuntu server with EasyEngine -* * * +**[View on GitHub](https://github.com/VirtuBox/ubuntu-nginx-web-server)** ## Server Stack @@ -16,7 +16,7 @@ * * * -Configuration files with comments and informations available by following the link **source** +Configuration files with comments available by following the link **source** ## Initial configuration @@ -44,8 +44,30 @@ git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git $HOME/ubuntu-n ```bash cp $HOME/ubuntu-nginx-web-server/etc/sysctl.d/60-ubuntu-nginx-web-server.conf /etc/sysctl.d/60-ubuntu-nginx-web-server.conf +``` + +Ubuntu 16.04 LTS do not support the new tcp congestion control algorithm bbr, we will use htcp instead. + +```bash +# On ubuntu 18.04 LTS +modprobe tcp_bbr +echo -e '\nnet.ipv4.tcp_congestion_control = bbr\nnet.ipv4.tcp_notsent_lowat = 16384' >> /etc/sysctl.d/60-ubuntu-nginx-web-server.conf + +# On ubuntu 16.04 LTS +modprobe tcp_htcp +echo 'net.ipv4.tcp_congestion_control = htcp' >> /etc/sysctl.d/60-ubuntu-nginx-web-server.conf +``` + +Then to apply the configuration : + +```bash sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf -cp -f $HOME/ubuntu-nginx-web-server/etc/security/limits.conf /etc/security/limits.conf +``` + +Increase openfiles limits + +```bash +sudo bash -c 'echo -e "* hard nofile 500000\n* soft nofile 500000\nroot hard nofile 500000\nroot soft nofile 500000\n" >> /etc/security/limits.conf' ``` ### disable transparent hugepage for redis @@ -67,6 +89,12 @@ bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --ma sudo apt update && sudo apt install mariadb-server -y ``` +Secure MariaDB after install by running the command : + +```bash +mysql_secure_installation +``` + ### MySQL Tuning You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf) @@ -89,7 +117,7 @@ sudo service mysql start ### Increase MariaDB open files limits ```bash -cp -f $HOME/ubuntu-nginx-web-server/etc/systemd/system/mariadb.service.d/limits.conf /etc/systemd/system/mariadb.service.d/limits.conf +echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/mariadb.service.d/limits.conf sudo systemctl daemon-reload sudo systemctl restart mariadb @@ -172,6 +200,26 @@ git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.2 configu ``` +### Set the proper alternative for /usr/bin/php + +If you want to choose which version of php to use with the command `php`, you can use the command `update-alternatives` + +```bash +# php5.6 +sudo update-alternatives --install /usr/bin/php php /usr/bin/php5.6 80 + +# php7.0 +sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.0 80 + +# php7.1 +sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.1 80 + +# php7.2 +sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.2 80 +``` + +Then you can check php version with command `php -v` + ## NGINX Configuration ### Additional Nginx configuration (/etc/nginx/conf.d) @@ -180,7 +228,7 @@ git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.2 configu - webp image mapping : webp.conf - new fastcgi_cache_bypass mapping for wordpress : map-wp-fastcgi-cache.conf - stub_status configuration on 127.0.0.1:80 : stub_status.conf -- restore visitor real IP under cloudflare : cloudflare.conf +- restore visitor real IP under Cloudflare : cloudflare.conf - mitigate WordPress DoS attack ```bash @@ -250,7 +298,7 @@ git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update 22222 ```bash sudo mkdir -p /etc/systemd/system/nginx.service.d -cp -f $HOME/ubuntu-nginx-web-server/etc/systemd/system/nginx.service.d/limits.conf /etc/systemd/system/nginx.service.d/limits.conf +echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/nginx.service.d/limits.conf sudo systemctl daemon-reload sudo systemctl restart nginx.service @@ -262,7 +310,7 @@ sudo systemctl restart nginx.service ### Harden SSH Security -WARNING : SSH Configuration with root login allowed with ed25519 & ECDSA SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config) +WARNING : SSH Configuration with root login allowed using SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config) cp -f $HOME/ubuntu-nginx-web-server/etc/ssh/sshd_config /etc/ssh/sshd_config @@ -280,23 +328,20 @@ ufw default deny incoming CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}') ufw allow $CURRENT_SSH_PORT -# DNS - HTTP/S - FTP - NTP - RSYNC - DHCP - SNMP - Librenms - Netdata - EE Backend +# DNS - HTTP/S - FTP - NTP - RSYNC - DHCP - EE Backend ufw allow 53 ufw allow http ufw allow https ufw allow 21 ufw allow 123 -ufw allow 161 ufw allow 68 ufw allow 546 ufw allow 873 -ufw allow 6556 -ufw allow 19999 ufw allow 22222 # enable UFW -ufw enable +echo "y" | ufw enable ``` ### Custom jails for fail2ban @@ -359,6 +404,13 @@ bash <(curl -Ss https://my-netdata.io/kickstart.sh) all echo 1 >/sys/kernel/mm/ksm/run echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs +# increase open files limits for netdata +sudo mkdir -p /etc/systemd/system/netdata.service.d +echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/netdata.service.d/limits.conf + +sudo systemctl daemon-reload +sudo systemctl restart netdata.service + # disable email notifications sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health_alarm_notify.conf service netdata restart @@ -403,14 +455,14 @@ root@vps:~ cheat cat [Github repository](https://github.com/scopatz/nanorc) ```bash -wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -O- | sh +wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | sh ``` ### Add WP-CLI & bash-completion for user www-data ```bashrc # download wp-cli bash_completion -cp -f $HOME/ubuntu-nginx-web-server/etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash +wget -qO /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash # change /var/www owner chown www-data:www-data /var/www @@ -420,8 +472,7 @@ cp -f $HOME/ubuntu-nginx-web-server/var/www/.profile /var/www/.profile cp -f $HOME/ubuntu-nginx-web-server/var/www/.bashrc /var/www/.bashrc # set owner -chown www-data:www-data /var/www/.profile -chown www-data:www-data /var/www/.bashrc +chown www-data:www-data /var/www/{.profile,.bashrc} ``` ### Custom Nginx error pages diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 0000000..34b12c0 --- /dev/null +++ b/docs/README.md @@ -0,0 +1,495 @@ +# Optimized configuration for Ubuntu server with EasyEngine + +**[View on GitHub](https://github.com/VirtuBox/ubuntu-nginx-web-server)** + +## Server Stack + +- Ubuntu 16.04/18.04 LTS +- Nginx 1.15.x / 1.14.x +- PHP-FPM 7/7.1/7.2 +- MariaDB 10.3 +- REDIS 4.0 +- Memcached +- Fail2ban +- Netdata +- UFW + +* * * + +Configuration files with comments available by following the link **source** + +## Initial configuration + +### System update and packages cleanup + +```bash +apt-get update && apt-get upgrade -y && apt-get autoremove --purge -y && apt-get clean +``` + +### Install useful packages + +```bash +sudo apt-get install haveged curl git unzip zip fail2ban htop nload nmon ntp gnupg gnupg2 wget pigz tree ccze -y +``` + +### Clone the repository + +```bash +git clone https://github.com/VirtuBox/ubuntu-nginx-web-server.git $HOME/ubuntu-nginx-web-server +``` + +### Tweak Kernel & Increase open files limits + +[source sysctl.conf](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/sysctl.conf) - [limits.conf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/security/limits.conf) + +```bash +cp $HOME/ubuntu-nginx-web-server/etc/sysctl.d/60-ubuntu-nginx-web-server.conf /etc/sysctl.d/60-ubuntu-nginx-web-server.conf +``` + +Ubuntu 16.04 LTS do not support the new tcp congestion control algorithm bbr, we will use htcp instead. + +```bash +# On ubuntu 18.04 LTS +modprobe tcp_bbr +echo -e '\nnet.ipv4.tcp_congestion_control = bbr\nnet.ipv4.tcp_notsent_lowat = 16384' >> /etc/sysctl.d/60-ubuntu-nginx-web-server.conf + +# On ubuntu 16.04 LTS +modprobe tcp_htcp +echo 'net.ipv4.tcp_congestion_control = htcp' >> /etc/sysctl.d/60-ubuntu-nginx-web-server.conf +``` + +Then to apply the configuration : + +```bash +sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf +``` + +Increase openfiles limits + +```bash +sudo bash -c 'echo -e "* hard nofile 500000\n* soft nofile 500000\nroot hard nofile 500000\nroot soft nofile 500000\n" >> /etc/security/limits.conf' +``` + +### disable transparent hugepage for redis + +```bash +echo never > /sys/kernel/mm/transparent_hugepage/enabled +``` + +* * * + +## EasyEngine Setup + +### Install MariaDB 10.3 + +Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/install-latest-mariadb-release-easyengine/) + +```bash +bash <(wget -qO - https://downloads.mariadb.com/MariaDB/mariadb_repo_setup) --mariadb-server-version=10.3 --skip-maxscale -y +sudo apt update && sudo apt install mariadb-server -y +``` + +Secure MariaDB after install by running the command : + +```bash +mysql_secure_installation +``` + +### MySQL Tuning + +You can download my example of my.cnf, optimized for VPS with 4GB RAM. [my.cnf source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/mysql/my.cnf) + +```bash +cp -f $HOME/ubuntu-nginx-web-server/etc/mysql/my.cnf /etc/mysql/my.cnf +``` + +It include modification of innodb_log_file_size variable, so you need to use the following commands to apply the new configuration : + +```bash +sudo service mysql stop + +sudo mv /var/lib/mysql/ib_logfile0 /var/lib/mysql/ib_logfile0.bak +sudo mv /var/lib/mysql/ib_logfile1 /var/lib/mysql/ib_logfile1.bak + +sudo service mysql start +``` + +### Increase MariaDB open files limits + +```bash +echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/mariadb.service.d/limits.conf + +sudo systemctl daemon-reload +sudo systemctl restart mariadb +``` + +## Install EasyEngine + +```bash +# noninteractive install - you can replace $USER with your username & root@$HOSTNAME by your email +sudo bash -c 'echo -e "[user]\n\tname = $USER\n\temail = root@$HOSTNAME" > $HOME/.gitconfig' + +wget -qO ee rt.cx/ee && bash ee +``` + +### enable ee bash_completion + +```bash +source /etc/bash_completion.d/ee_auto.rc +``` + +### Install Nginx, php5.6, php7.0, postfix, redis and configure EE backend + +```bash +ee stack install +ee stack install --php7 --redis --admin --phpredisadmin +``` + +### Set your email instead of root@localhost + +```bash +echo 'root: my.email@address.com' >> /etc/aliases +newaliases +``` + +### Install Composer - Fix phpmyadmin install issue + +```bash +cd ~/ ||exit +curl -sS https://getcomposer.org/installer | php +mv composer.phar /usr/bin/composer + +chown www-data:www-data /var/www +sudo -u www-data -H composer update -d /var/www/22222/htdocs/db/pma/ +``` + +### Allow shell for www-data for SFTP usage + +```bash +usermod -s /bin/bash www-data +``` + +## PHP 7.1 & 7.2 Setup + +### Install php7.1-fpm + +```bash +# php7.1-fpm +apt update && apt install php7.1-fpm php7.1-cli php7.1-zip php7.1-opcache php7.1-mysql php7.1-mcrypt php7.1-mbstring php7.1-json php7.1-intl \ +php7.1-gd php7.1-curl php7.1-bz2 php7.1-xml php7.1-tidy php7.1-soap php7.1-bcmath -y php7.1-xsl + +# copy php-fpm pools & php.ini configuration +cp -rf $HOME/ubuntu-nginx-web-server/etc/php/7.1/fpm/* /etc/php/7.1/fpm/ +service php7.1-fpm restart + +git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.1 configuration" + +``` + +### Install php7.2-fpm + +```bash +# php7.2-fpm +apt update && apt install php7.2-fpm php7.2-xml php7.2-bz2 php7.2-zip php7.2-mysql php7.2-intl php7.2-gd php7.2-curl php7.2-soap php7.2-mbstring php7.2-bcmath -y + +# copy php-fpm pools & php.ini configuration +cp -rf $HOME/ubuntu-nginx-web-server/etc/php/7.2/fpm/* /etc/php/7.2/fpm/ +service php7.2-fpm restart + +git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.2 configuration" + +``` + +### Set the proper alternative for /usr/bin/php + +If you want to choose which version of php to use with the command `php`, you can use the command `update-alternatives` + +```bash +# php5.6 +sudo update-alternatives --install /usr/bin/php php /usr/bin/php5.6 80 + +# php7.0 +sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.0 80 + +# php7.1 +sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.1 80 + +# php7.2 +sudo update-alternatives --install /usr/bin/php php /usr/bin/php7.2 80 +``` + +Then you can check php version with command `php -v` + +## NGINX Configuration + +### Additional Nginx configuration (/etc/nginx/conf.d) + +- New upstreams (php7.1, php7.2, netdata) : upstream.conf +- webp image mapping : webp.conf +- new fastcgi_cache_bypass mapping for wordpress : map-wp-fastcgi-cache.conf +- stub_status configuration on 127.0.0.1:80 : stub_status.conf +- restore visitor real IP under Cloudflare : cloudflare.conf +- mitigate WordPress DoS attack + +```bash +# copy all common nginx configurations +cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/conf.d/* /etc/nginx/conf.d/ + +# commit change with git +git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update conf.d configurations" +``` + +### EE common configuration + +```bash +cp -rf $HOME/ubuntu-nginx-web-server/etc/nginx/common/* /etc/nginx/common/ + +# commit change with git +git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update common configurations" +``` + +### Compile last Nginx mainline release with [nginx-ee script](https://github.com/VirtuBox/nginx-ee) + +```bash +bash <(wget-qO - https://raw.githubusercontent.com/VirtuBox/nginx-ee/master/nginx-build.sh) +``` + +* * * + +## Custom configurations + +### clean php-fpm php.ini configuration + +```bash +# PHP 7.0 +cp -rf $HOME/ubuntu-nginx-web-server/etc/php/7.0/* /etc/php/7.0/ +service php7.0-fpm restart + +git -C /etc/php/ add /etc/php/ && git -C /etc/php/ commit -m "add php7.2 configuration" +``` + +### Nginx optimized configurations + +```bash +# TLSv1.2 TLSv1.3 only +cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx.conf + +# TLS intermediate - TLS v1.0 v1.1 v1.2 v1.3 +cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-intermediate.conf + +# TLSv1.2 only +cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/nginx.conf /etc/nginx/nginx-tlsv12.conf + +# commit change with git +git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update nginx.conf configurations" +``` + +### Nginx configuration for netdata + +```bash +# add nginx reverse-proxy for netdata on https://yourserver.hostname:22222/netdata/ +cp -f $HOME/ubuntu-nginx-web-server/etc/nginx/sites-available/22222 /etc/nginx/sites-available/22222 + +# commit change with git +git -C /etc/nginx/ add /etc/nginx/ && git -C /etc/nginx/ commit -m "update 22222 configuration" +``` + +#### Increase Nginx open files limits + +```bash +sudo mkdir -p /etc/systemd/system/nginx.service.d +echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/nginx.service.d/limits.conf + +sudo systemctl daemon-reload +sudo systemctl restart nginx.service +``` + +* * * + +## Security + +### Harden SSH Security + +WARNING : SSH Configuration with root login allowed using SSH keys only [source](https://github.com/VirtuBox/ubuntu-nginx-web-server/blob/master/etc/ssh/sshd_config) + + cp -f $HOME/ubuntu-nginx-web-server/etc/ssh/sshd_config /etc/ssh/sshd_config + +### UFW + +Instructions available in [VirtuBox Knowledgebase](https://kb.virtubox.net/knowledgebase/ufw-iptables-firewall-configuration-made-easier/) + +```bash +# enable ufw log - allow outgoing - deny incoming +ufw logging low +ufw default allow outgoing +ufw default deny incoming + +# allow incoming traffic on SSH port +CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}') +ufw allow $CURRENT_SSH_PORT + +# DNS - HTTP/S - FTP - NTP - RSYNC - DHCP - EE Backend +ufw allow 53 +ufw allow http +ufw allow https +ufw allow 21 +ufw allow 123 +ufw allow 68 +ufw allow 546 +ufw allow 873 +ufw allow 22222 + + +# enable UFW +echo "y" | ufw enable +``` + +### Custom jails for fail2ban + +- wordpress bruteforce +- ssh +- recidive (after 3 bans) +- backend http auth +- nginx bad bots + +```bash +cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/ +cp -rf $HOME/ubuntu-nginx-web-server/etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/ + +fail2ban-client reload +``` + +### Secure Memcached server + +```bash +echo '-U 0' >> /etc/memcached.conf +sudo systemctl restart memcached +``` + +If you do not use memcached, you can safely stop and disable it : + +```bash +sudo systemctl stop memcached +sudo systemctl disable memcached.service +``` + +## Optional + +### ee-acme-sh + +[Github repository](https://virtubox.github.io/ee-acme-sh/) - Script to setup letsencrypt certificates using acme.sh on EasyEngine servers + +- subdomain support +- ivp6 support +- wildcards certificates support + +```bash +wget-qO install-ee-acme.sh https://raw.githubusercontent.com/VirtuBox/ee-acme-sh/master/install.sh +chmod +x install-ee-acme.sh +./install-ee-acme.sh + +# enable acme.sh & ee-acme-sh +source .bashrc +``` + +### netdata + +[Github repository](https://github.com/firehol/netdata) + +```bash + +bash <(curl -Ss https://my-netdata.io/kickstart.sh) all + +# save 40-60% of netdata memory +echo 1 >/sys/kernel/mm/ksm/run +echo 1000 >/sys/kernel/mm/ksm/sleep_millisecs + +# increase open files limits for netdata +sudo mkdir -p /etc/systemd/system/netdata.service.d +echo -e '[Service]\nLimitNOFILE=500000' > /etc/systemd/system/netdata.service.d/limits.conf + +sudo systemctl daemon-reload +sudo systemctl restart netdata.service + +# disable email notifications +sudo sed -i 's/SEND_EMAIL="YES"/SEND_EMAIL="NO"/' /usr/lib/netdata/conf.d/health_alarm_notify.conf +service netdata restart +``` + +### cht.sh (cheat) + +[Github repository](https://github.com/chubin/cheat.sh) + +```bash +curl https://cht.sh/:cht.sh > /usr/bin/cht.sh +chmod +x /usr/bin/cht.sh + + +echo "alias cheat='cht.sh'" >> $HOME/.bashrc +source $HOME/.bashrc +``` + +usage : `cheat ` + +```bash +root@vps:~ cheat cat +# cat + +# Print and concatenate files. + +# Print the contents of a file to the standard output: + cat file + +# Concatenate several files into the target file: + cat file1 file2 > target_file + +# Append several files into the target file: + cat file1 file2 >> target_file + +# Number all output lines: + cat -n file +``` + +### nanorc - Improved Nano Syntax Highlighting Files + +[Github repository](https://github.com/scopatz/nanorc) + +```bash +wget https://raw.githubusercontent.com/scopatz/nanorc/master/install.sh -qO- | sh +``` + +### Add WP-CLI & bash-completion for user www-data + +```bashrc +# download wp-cli bash_completion +wget -qO /etc/bash_completion.d/wp-completion.bash https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash + +# change /var/www owner +chown www-data:www-data /var/www + +# download .profile & .bashrc for www-data +cp -f $HOME/ubuntu-nginx-web-server/var/www/.profile /var/www/.profile +cp -f $HOME/ubuntu-nginx-web-server/var/www/.bashrc /var/www/.bashrc + +# set owner +chown www-data:www-data /var/www/{.profile,.bashrc} +``` + +### Custom Nginx error pages + +[Github Repository](https://github.com/alexphelps/server-error-pages) + +Installation + +```bash +# clone the github repository +sudo -u www-data -H git clone https://github.com/alexphelps/server-error-pages.git /var/www/error +``` + +Then include this configuration in your nginx vhost by adding the following line + +```bash +include common/error_pages.conf; +``` + +Published & maintained by [VirtuBox](https://virtubox.net) diff --git a/docs/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf b/docs/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf index a80b261..61c9a9b 100644 --- a/docs/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf +++ b/docs/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf @@ -1,9 +1,11 @@ # Kernel sysctl configuration file for Linux # -# Version 1.15 - 2018-10-13 +# Version 1.16 - 2018-10-23 # Michiel Klaver - IT Professional # Modified by VirtuBox # +# Instructions available on https://github.com/VirtuBox/ubuntu-nginx-web-server +# # Sources : # https://klaver.it/linux/sysctl.conf # https://easyengine.io/tutorials/linux/sysctl-conf/ @@ -26,9 +28,9 @@ # http://en.wikipedia.org/wiki/Sysctl # # Usage -# wget -O /etc/sysctl.d/10-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/10-ubuntu-nginx-web-server.conf +# wget -O /etc/sysctl.d/60-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf # -# sysctl -e -p /etc/sysctl.d/10-ubuntu-nginx-web-server.conf +# sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details. # @@ -174,11 +176,6 @@ net.ipv6.conf.default.accept_ra_pinfo = 0 ### TUNING NETWORK PERFORMANCE ### ### -# enable BBR congestion control and set tcp_notsent_lowat to 16KB for HTTP/2 prioritization to work reliably -# source : https://blog.cloudflare.com/http-2-prioritization-with-nginx/ -net.ipv4.tcp_congestion_control = bbr -net.ipv4.tcp_notsent_lowat = 16384 - # For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12) net.core.default_qdisc = fq diff --git a/etc/sysctl.d/60-ubuntu-nginx-web-server.conf b/etc/sysctl.d/60-ubuntu-nginx-web-server.conf index a80b261..61c9a9b 100644 --- a/etc/sysctl.d/60-ubuntu-nginx-web-server.conf +++ b/etc/sysctl.d/60-ubuntu-nginx-web-server.conf @@ -1,9 +1,11 @@ # Kernel sysctl configuration file for Linux # -# Version 1.15 - 2018-10-13 +# Version 1.16 - 2018-10-23 # Michiel Klaver - IT Professional # Modified by VirtuBox # +# Instructions available on https://github.com/VirtuBox/ubuntu-nginx-web-server +# # Sources : # https://klaver.it/linux/sysctl.conf # https://easyengine.io/tutorials/linux/sysctl-conf/ @@ -26,9 +28,9 @@ # http://en.wikipedia.org/wiki/Sysctl # # Usage -# wget -O /etc/sysctl.d/10-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/10-ubuntu-nginx-web-server.conf +# wget -O /etc/sysctl.d/60-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf # -# sysctl -e -p /etc/sysctl.d/10-ubuntu-nginx-web-server.conf +# sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details. # @@ -174,11 +176,6 @@ net.ipv6.conf.default.accept_ra_pinfo = 0 ### TUNING NETWORK PERFORMANCE ### ### -# enable BBR congestion control and set tcp_notsent_lowat to 16KB for HTTP/2 prioritization to work reliably -# source : https://blog.cloudflare.com/http-2-prioritization-with-nginx/ -net.ipv4.tcp_congestion_control = bbr -net.ipv4.tcp_notsent_lowat = 16384 - # For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12) net.core.default_qdisc = fq