chrisloftus/nginx vhost

## gistfile1.txt
$ ab -n 5000 -c 333 http://redacted
This is ApacheBench, Version 2.3 <$Revision: 1528965 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking 188.166.145.38 (be patient)
Completed 500 requests
Completed 1000 requests
Completed 1500 requests
Completed 2000 requests
Completed 2500 requests
Completed 3000 requests
Completed 3500 requests
Completed 4000 requests
Completed 4500 requests
Completed 5000 requests
Finished 5000 requests


Server Software:        nginx/1.10.0
Server Hostname:        redacted
Server Port:            80

Document Path:          redacted
Document Length:        82321 bytes

Concurrency Level:      333
Time taken for tests:   107.260 seconds
Complete requests:      5000
Failed requests:        0
Total transferred:      416490320 bytes
HTML transferred:       411605000 bytes
Requests per second:    46.62 [#/sec] (mean)
Time per request:       7143.506 [ms] (mean)
Time per request:       21.452 [ms] (mean, across all concurrent requests)
Transfer rate:          3792.00 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    1   1.2      0       7
Processing:   208 6920 1131.0   7120    8608
Waiting:      206 6918 1131.0   7117    8607
Total:        215 6921 1130.0   7120    8609

Percentage of the requests served within a certain time (ms)
  50%   7120
  66%   7272
  75%   7385
  80%   7476
  90%   7785
  95%   8073
  98%   8275
  99%   8393
 100%   8609 (longest request)

## nginx vhost
server {
	listen 80;
	listen [::]:80;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/production/public;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.php;

	server_name _;

	location = /socket.io/ {
          proxy_pass http://127.0.0.1:6001;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_set_header Host $host;
  }

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ /index.php?$query_string;
	}

	location ~ \.php$ {
          include snippets/fastcgi-php.conf;

          # With php5-cgi alone:
          #fastcgi_pass 127.0.0.1:9000;
          # With php5-fpm:
          fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
  }

	location ~* \.(css|js|png|gif|jpg|svg|ico|json)$ {
          expires 365d;
  }

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	#	deny all;
	#}
}

## nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
worker_rlimit_nofile 50000;

events {
	worker_connections 8192;
	multi_accept on;
	use epoll;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 0;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

  client_body_buffer_size 128k;
  client_max_body_size 100m;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	#access_log /var/log/nginx/access.log;
        access_log off;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	gzip_vary on;
	gzip_min_length 10240;
	gzip_proxied any;
	gzip_comp_level 2;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

## php-fpm pool.conf
pm = static
pm.max_children = 15
pm.max_requests = 500

## sysctl.conf
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

# Digital Ocean Recommended Settings:
net.core.wmem_max=12582912
net.core.rmem_max=12582912
net.ipv4.tcp_rmem= 10240 87380 12582912
net.ipv4.tcp_wmem= 10240 87380 12582912


# tweaked.io/guide/kernel
net.ipv4.ip_local_port_range = 1024 65535

net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1

net.core.somaxconn = 1024
	$ ab -n 5000 -c 333 http://redacted
	This is ApacheBench, Version 2.3 <$Revision: 1528965 $>
	Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
	Licensed to The Apache Software Foundation, http://www.apache.org/

	Benchmarking 188.166.145.38 (be patient)
	Completed 500 requests
	Completed 1000 requests
	Completed 1500 requests
	Completed 2000 requests
	Completed 2500 requests
	Completed 3000 requests
	Completed 3500 requests
	Completed 4000 requests
	Completed 4500 requests
	Completed 5000 requests
	Finished 5000 requests


	Server Software: nginx/1.10.0
	Server Hostname: redacted
	Server Port: 80

	Document Path: redacted
	Document Length: 82321 bytes

	Concurrency Level: 333
	Time taken for tests: 107.260 seconds
	Complete requests: 5000
	Failed requests: 0
	Total transferred: 416490320 bytes
	HTML transferred: 411605000 bytes
	Requests per second: 46.62 [#/sec] (mean)
	Time per request: 7143.506 [ms] (mean)
	Time per request: 21.452 [ms] (mean, across all concurrent requests)
	Transfer rate: 3792.00 [Kbytes/sec] received

	Connection Times (ms)
	min mean[+/-sd] median max
	Connect: 0 1 1.2 0 7
	Processing: 208 6920 1131.0 7120 8608
	Waiting: 206 6918 1131.0 7117 8607
	Total: 215 6921 1130.0 7120 8609

	Percentage of the requests served within a certain time (ms)
	50% 7120
	66% 7272
	75% 7385
	80% 7476
	90% 7785
	95% 8073
	98% 8275
	99% 8393
	100% 8609 (longest request)
	server {
	listen 80;
	listen [::]:80;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /var/www/production/public;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.php;

	server_name _;

	location = /socket.io/ {
	proxy_pass http://127.0.0.1:6001;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header Host $host;
	}

	location / {
	# First attempt to serve request as file, then
	# as directory, then fall back to displaying a 404.
	try_files $uri $uri/ /index.php?$query_string;
	}

	location ~ \.php$ {
	include snippets/fastcgi-php.conf;

	# With php5-cgi alone:
	#fastcgi_pass 127.0.0.1:9000;
	# With php5-fpm:
	fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
	}

	location ~* \.(css\|js\|png\|gif\|jpg\|svg\|ico\|json)$ {
	expires 365d;
	}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	# deny all;
	#}
	}
	user www-data;
	worker_processes auto;
	pid /run/nginx.pid;
	worker_rlimit_nofile 50000;

	events {
	worker_connections 8192;
	multi_accept on;
	use epoll;
	}

	http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 0;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	client_body_buffer_size 128k;
	client_max_body_size 100m;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	#access_log /var/log/nginx/access.log;
	access_log off;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	gzip_vary on;
	gzip_min_length 10240;
	gzip_proxied any;
	gzip_comp_level 2;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}
	#
	# /etc/sysctl.conf - Configuration file for setting system variables
	# See /etc/sysctl.d/ for additional system variables.
	# See sysctl.conf (5) for information.
	#

	#kernel.domainname = example.com

	# Uncomment the following to stop low-level messages on console
	#kernel.printk = 3 4 1 3

	##############################################################3
	# Functions previously found in netbase
	#

	# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
	# Turn on Source Address Verification in all interfaces to
	# prevent some spoofing attacks
	#net.ipv4.conf.default.rp_filter=1
	#net.ipv4.conf.all.rp_filter=1

	# Uncomment the next line to enable TCP/IP SYN cookies
	# See http://lwn.net/Articles/277146/
	# Note: This may impact IPv6 TCP sessions too
	#net.ipv4.tcp_syncookies=1

	# Uncomment the next line to enable packet forwarding for IPv4
	#net.ipv4.ip_forward=1

	# Uncomment the next line to enable packet forwarding for IPv6
	# Enabling this option disables Stateless Address Autoconfiguration
	# based on Router Advertisements for this host
	#net.ipv6.conf.all.forwarding=1


	###################################################################
	# Additional settings - these settings can improve the network
	# security of the host and prevent against some network attacks
	# including spoofing attacks and man in the middle attacks through
	# redirection. Some network environments, however, require that these
	# settings are disabled so review and enable them as needed.
	#
	# Do not accept ICMP redirects (prevent MITM attacks)
	#net.ipv4.conf.all.accept_redirects = 0
	#net.ipv6.conf.all.accept_redirects = 0
	# _or_
	# Accept ICMP redirects only for gateways listed in our default
	# gateway list (enabled by default)
	# net.ipv4.conf.all.secure_redirects = 1
	#
	# Do not send ICMP redirects (we are not a router)
	#net.ipv4.conf.all.send_redirects = 0
	#
	# Do not accept IP source route packets (we are not a router)
	#net.ipv4.conf.all.accept_source_route = 0
	#net.ipv6.conf.all.accept_source_route = 0
	#
	# Log Martian Packets
	#net.ipv4.conf.all.log_martians = 1
	#

	# Digital Ocean Recommended Settings:
	net.core.wmem_max=12582912
	net.core.rmem_max=12582912
	net.ipv4.tcp_rmem= 10240 87380 12582912
	net.ipv4.tcp_wmem= 10240 87380 12582912


	# tweaked.io/guide/kernel
	net.ipv4.ip_local_port_range = 1024 65535

	net.ipv4.tcp_tw_recycle = 1
	net.ipv4.tcp_tw_reuse = 1

	net.ipv4.tcp_max_syn_backlog = 4096
	net.ipv4.tcp_syncookies = 1

	net.core.somaxconn = 1024