Merge pull request #4 from chaishiqi/iotex-stg

Iotex stg

.github/workflows/build_image.yml

@@ -2,13 +2,13 @@ name: build_image
 
 on:
   push:
-    branches: ["iotex-stg"]
+    branches: ["main"]
     tags: ["v*.*.*"]
 
 env:
   REGISTRY: ghcr.io
-  REPOSITORY_URI_WEB: iotex-project/safe-transaction-web
-  REPOSITORY_URI_NGINX: iotex-project/safe-transaction-nginx
+  REPOSITORY_URI_WEB: iotexproject/safe-transaction-web
+  REPOSITORY_URI_NGINX: iotexproject/safe-transaction-nginx
 
 jobs:
   build_docker_image:
@@ -59,7 +59,7 @@ jobs:
         with:
           platforms: linux/amd64
           context: .
-          file: ./Dockerfile
+          file: ./docker/web/Dockerfile
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta-web.outputs.tags }}
           labels: ${{ steps.meta-web.outputs.labels }}
@@ -77,7 +77,7 @@ jobs:
         with:
           context: .
           platforms: linux/amd64
-          file: ./nginx.Dockerfile
+          file: ./docker/nginx/Dockerfile
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta-nginx.outputs.tags }}
           labels: ${{ steps.meta-nginx.outputs.labels }}

docker/nginx/nginx.conf

@@ -1,68 +1,118 @@
-# https://github.com/KyleAMathews/docker-nginx/blob/master/nginx.conf
-# https://linode.com/docs/web-servers/nginx/configure-nginx-for-optimized-performance/
-# https://docs.gunicorn.org/en/stable/deploy.html
-
-worker_processes 1;
+worker_processes           auto;
+worker_rlimit_nofile       10000;
+worker_shutdown_timeout    65s;
 
 events {
-  worker_connections 2000; # increase if you have lots of clients
-  accept_mutex off; # set to 'on' if nginx worker_processes > 1
-  use epoll; # Enable epoll for Linux 2.6+
-  # 'use kqueue;' to enable for FreeBSD, OSX
+  worker_connections    5000;
+  accept_mutex          off;
+  use                   epoll;
+  multi_accept          on;
 }
 
 http {
-    include mime.types;
-    # fallback in case we can't determine a type
-    default_type application/octet-stream;
-    sendfile on;
-
-    upstream app_server {
-      # ip_hash; # For load-balancing
-      #
-      # fail_timeout=0 means we always retry an upstream even if it failed
-      # to return a good HTTP response
-      server unix:/nginx/gunicorn.socket fail_timeout=0;
-
-      # for a TCP configuration
-      # server web:8000 fail_timeout=0;
-      keepalive 32;
+  include         /etc/nginx/mime.types;
+  default_type    application/octet-stream;
+
+  sendfile       on;
+  tcp_nopush     on;
+  tcp_nodelay    on;
+
+  # Real IP
+  set_real_ip_from     127.0.0.1;
+  set_real_ip_from     10.0.0.0/8;
+  set_real_ip_from     172.16.0.0/12;
+  set_real_ip_from     192.168.0.0/16;
+  real_ip_header       X-Forwarded-For;
+  real_ip_recursive    on;
+
+  # Logs
+  map "$time_local:$msec" $time_local_ms { ~(^\S+)(\s+\S+):\d+\.(\d+)$ $1.$3$2; }
+
+  log_format main escape=json
+    '$remote_addr - $realip_remote_addr - $request_time - [$time_local_ms] - $msec - '
+    '$http_x_amzn_trace_id - $request_id - $connection-$connection_requests - '
+    '$scheme - $host - $server_port - $ssl_protocol - $ssl_cipher - '
+    '$request_method - $request_uri - $server_protocol - $status - $request_completion - '
+    '$bytes_sent - $request_length - "$http_referer" - "$http_user_agent" - '
+    '$proxy_host - "$upstream_addr" - "$upstream_status" - "$upstream_connect_time" - "$upstream_response_time" ';
+    # '$proxy_host - "$upstream_addr" - "$upstream_status" - "$upstream_connect_time" - "$upstream_response_time" - "$request_body" ';
+
+  access_log    /var/log/nginx/access.log    main;
+  error_log     /var/log/nginx/error.log     info;
+
+  # SSL
+  ssl_certificate        /etc/nginx/self.crt;
+  ssl_certificate_key    /etc/nginx/self.key;
+  ssl_protocols          TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers            HIGH:!aNULL:!MD5;
+
+  # Compression
+  gzip               on;
+  gzip_min_length    1000;
+  gzip_comp_level    3;
+  gzip_types         text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml;
+
+  # Timeouts
+  keepalive_timeout        10s;
+  client_header_timeout    10s;
+  client_body_timeout      30s;
+  send_timeout             65s;
+
+  # Request
+  client_max_body_size    100M;
+
+  # Response
+  charset    utf-8;
+
+  # Proxy
+  proxy_connect_timeout    65s;
+  proxy_send_timeout       65s;
+  proxy_read_timeout       65s;
+
+  proxy_buffering            off;
+  proxy_buffers              8 64k;
+  proxy_buffer_size          64k;
+  proxy_busy_buffers_size    128k;
+
+  proxy_http_version        1.1;
+  proxy_intercept_errors    off;
+
+  proxy_set_header    X-Forwarded-For       $proxy_add_x_forwarded_for;
+  #proxy_set_header    X-Forwarded-Proto     $scheme;
+  # $http_x_forwarded_proto (passed by AWS ALB) stores the real protocol used by end user
+  proxy_set_header    X-Forwarded-Proto     $http_x_forwarded_proto;
+  proxy_set_header    X-Forwarded-Host      $server_name;
+  proxy_set_header    X-Forwarded-Server    $host;
+  proxy_set_header    X-Real-IP             $remote_addr;
+  proxy_set_header    Host                  $host;
+  proxy_set_header    Connection            "";
+  add_header          Front-End-Https       on;
+  add_header          X-Robots-Tag          "noindex,nofollow,noarchive";
+  proxy_redirect      off;
+
+  # Upstreams
+  upstream app_server {
+    server       unix:/nginx/gunicorn.socket    fail_timeout=0;
+    keepalive    32;
+  }
+
+  # Servers
+  server {
+    listen  8000              deferred  default_server;
+    listen  8443  ssl  http2  deferred  default_server;
+
+    # Version
+    # location /version.txt { root /usr/share/nginx/html; }
+
+    # Static
+    location /static {
+        alias      /nginx/staticfiles;
+        expires    365d;
     }
 
-    server {
-        access_log off;
-        listen 8000 deferred;
-        charset utf-8;
-        keepalive_timeout 75s;
-
-        # https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765
-        # tcp_nopush on;
-        # tcp_nodelay on;
-
-        gzip             on;
-        gzip_min_length 1000;
-        gzip_comp_level  2;
-        # text/html is always included by default
-        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml;
-        gzip_disable "MSIE [1-6]\.";
-
-        location /static {
-            alias /nginx/staticfiles;
-            expires 365d;
-        }
-
-        location / {
-            proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
-            proxy_set_header    X-Forwarded-Proto   $scheme;
-            proxy_set_header    Host                $host;
-            # we don't want nginx trying to do something clever with
-            # redirects, we set the Host: header above already.
-            proxy_redirect off;
-            proxy_pass http://app_server/;
-
-            proxy_set_header X-Forwarded-Host $server_name;
-            proxy_set_header X-Real-IP $remote_addr;
-            add_header              Front-End-Https   on;
-        }
+    # App
+    location / {
+        proxy_pass    http://app_server;
     }
+  }
 }