From 32989bb166429dccf5d1957e828fb7a248caa5ed Mon Sep 17 00:00:00 2001
From: Hans van Zijst
Date: Mon, 30 Dec 2024 14:15:39 +0100
Subject: [PATCH] Added first nginx optimization blocks.

---
matrix/nginx/workers/README.md | 40 +++++++++-
matrix/nginx/workers/locations.conf | 99 +++++++++++++++++++++++++
matrix/nginx/workers/proxy_forward.conf | 17 +++++
3 files changed, 154 insertions(+), 2 deletions(-)
create mode 100644 matrix/nginx/workers/locations.conf
create mode 100644 matrix/nginx/workers/proxy_forward.conf

diff --git a/matrix/nginx/workers/README.md b/matrix/nginx/workers/README.md
index a26dbcd..eae73d1 100644
--- a/matrix/nginx/workers/README.md
+++ b/matrix/nginx/workers/README.md
@@ -33,6 +33,44 @@ keep things manageable, most of those tweaks go into separate configuration files that are either automatically included (those under `/etc/nginx/conf.d`) or explicitly where we need them (those under `/etc/nginx/snippets`). +Let's start with a few settings that affect nginx as a whole. Edit these +options in `/etc/nginx/nginx.conf`: + +``` +pcre_jit on; +worker_rlimit_nofile 8192; +worker_connections 4096; +multi_accept off; +gzip_comp_level 2; +gzip_types application/javascript application/json application/x-javascript application/xml application/xml+rss image/svg+xml text/css text/javascript text/plain text/xml; +gzip_min_length 1000; +gzip_disable "MSIE [1-6]\."; +``` + +We're going to use lots of regular expressions in our config, `pcre_jit on` +speeds those up considerably. Workers get 8K open files, and we want 4096 +workers instead of the default 768. Workers can only accept one connection, +which is (in almost every case) proxy_forwarded, so we set `multi_accept off`. + +We change `gzip_comp_level` from 6 to 2, we expand the list of content that is +to be gzipped, and don't zip anything shorter than 1000 characters, instead of +the default 20. MSIE can take a hike... + +These are tweaks for the connection, save this in `/etc/ngnix/conf.d/conn_optimize.conf`. + +``` +client_body_buffer_size 32m; +client_header_buffer_size 32k; +client_max_body_size 1g; +http2_max_concurrent_streams 128; +keepalive_timeout 65; +keepalive_requests 100; +large_client_header_buffers 4 16k; +server_names_hash_bucket_size 128; +tcp_nodelay on; +server_tokens off; +``` + For every `proxy_forward` we want to configure several settings, and because we don't want to include the same list of settings every time, we put all of them in one snippet of code, that we can include every time we need it. @@ -172,5 +210,3 @@ location ~ ^(/_matrix/client/(r0|v3)/sync|/_matrix/client/(api/v1|r0|v3)/events| proxy_pass http://syncworkers; } -That's the concept. - 
diff --git a/matrix/nginx/workers/locations.conf b/matrix/nginx/workers/locations.conf
new file mode 100644
index 0000000..8b3c599
--- /dev/null
+++ b/matrix/nginx/workers/locations.conf
@@ -0,0 +1,99 @@
+# Account-data
+location ~ ^(/_matrix/client/(r0|v3|unstable)/.*/tags|/_matrix/client/(r0|v3|unstable)/.*/account_data) {
+ include snippets/proxy.conf;
+ proxy_pass http://account_data;
+}
+
+# Typing
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing {
+ include snippets/proxy.conf;
+ proxy_pass http://typing;
+}
+
+# Receipts
+location ~ ^(/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt|/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers) {
+ include snippets/proxy.conf;
+ proxy_pass http://receipts;
+}
+
+# Presence
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/ {
+ include snippets/proxy.conf;
+ proxy_pass http://presence;
+}
+
+# To device
+location ~ ^/_matrix/client/(r0|v3|unstable)/sendToDevice/ {
+ include snippets/proxy.conf;
+ proxy_pass http://todevice;
+}
+
+# Push rules
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/ {
+ include snippets/proxy.conf;
+ proxy_pass http://push_rules;
+}
+
+# Userdir
+location ~ ^/_matrix/client/(r0|v3|unstable)/user_directory/search$ {
+ include snippets/proxy.conf;
+ proxy_pass http://userdir;
+}
+
+# Media, users1
+location ~* ^/_matrix/((client|federation)/[^/]+/)media/ {
+ include snippets/proxy.conf;
+ proxy_pass http://media;
+}
+# Media, users2
+location ~* ^/_matrix/media/v3/upload {
+ include snippets/proxy.conf;
+ proxy_pass http://media;
+}
+
+# Media, admin
+location ~ ^/_synapse/admin/v1/(purge_)?(media(_cache)?|room|user|quarantine_media|users)/[\s\S]+|media$ {
+ include snippets/private.conf;
+ include snippets/proxy.conf;
+ proxy_pass http://media;
+}
+
+# Login
+location ~ ^(/_matrix/client/(api/v1|r0|v3|unstable)/login|/_matrix/client/(r0|v3|unstable)/register|/_matrix/client/(r0|v3|unstable)/register/available|/_matrix/client/v1/register/m.login.registration_token/validity|/_matrix/client/(r0|v3|unstable)/password_policy)$ {
+ include snippets/proxy.conf;
+ proxy_pass http://login;
+}
+
+# Normal/initial sync
+location ~ 
^/_matrix/client/(r0|v3)/sync$ {
+ include snippets/proxy.conf;
+ proxy_pass http://$sync;
+}
+
+# Normal sync
+location ~ ^/_matrix/client/(api/v1|r0|v3)/events$ {
+ include snippets/proxy.conf;
+ proxy_pass http://normal_sync;
+}
+
+# Initial sync
+location ~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$ {
+ include snippets/proxy.conf;
+ proxy_pass http://initial_sync;
+}
+location ~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ {
+ include snippets/proxy.conf;
+ proxy_pass http://initial_sync;
+}
+
+# Federation readers
+location ~ ^(/_matrix/federation/v1/event/|/_matrix/federation/v1/state/|/_matrix/federation/v1/state_ids/|/_matrix/federation/v1/backfill/|/_matrix/federation/v1/get_missing_events/|/_matrix/federation/v1/publicRooms|/_matrix/federation/v1/query/|/_matrix/federation/v1/make_join/|/_matrix/federation/v1/make_leave/|/_matrix/federation/(v1|v2)/send_join/|/_matrix/federation/(v1|v2)/send_leave/|/_matrix/federation/v1/make_knock/|/_matrix/federation/v1/send_knock/|/_matrix/federation/(v1|v2)/invite/|/_matrix/federation/v1/event_auth/|/_matrix/federation/v1/timestamp_to_event/|/_matrix/federation/v1/exchange_third_party_invite/|/_matrix/federation/v1/user/devices/|/_matrix/key/v2/query|/_matrix/federation/v1/hierarchy/|/_matrix/federation/v1/send/) {
+ include snippets/proxy.conf;
+ proxy_pass http://incoming_federation;
+}
+
+# Main thread for all the rest
+location / {
+ include snippets/proxy.conf;
+ proxy_pass http://inbound_main;
+
diff --git a/matrix/nginx/workers/proxy_forward.conf b/matrix/nginx/workers/proxy_forward.conf
new file mode 100644
index 0000000..b681e44
--- /dev/null
+++ b/matrix/nginx/workers/proxy_forward.conf
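Review bot: The final `location / {` block is never closed — the hunk's last added line is blank and the `+1,99` count matches the 99 visible lines, so the missing `}` does not look like a display artifact, and `nginx -t` on a server that includes this file will fail with `unexpected end of file, expecting "}"`; add `}` after `proxy_pass http://inbound_main;`. Separately, only the media-admin regex includes `snippets/private.conf`: every other `/_synapse/admin/...` URI (users, rooms, registration tokens, the v2 endpoints) falls through to `location /` and is proxied to `inbound_main` with no access restriction, which contradicts the intent the private snippet signals. Because regex locations are tried in file order, a catch-all `^/_synapse/admin/` location placed after the media-admin one (below) closes that gap while keeping the routing the main thread already gets. The trailing `|media$` alternative in the media-admin regex is also a top-level, unanchored alternation, so any URI ending in `media` is sent to the media worker under the private restriction — presumably unintended, worth checking against the Synapse worker documentation.
```nginx
# … unchanged: worker locations above …

# Remaining admin API: same access restriction as the media admin API
location ~ ^/_synapse/admin/ {
 include snippets/private.conf;
 include snippets/proxy.conf;
 proxy_pass http://inbound_main;
}

# Main thread for all the rest
location / {
 include snippets/proxy.conf;
 proxy_pass http://inbound_main;
}
```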
@@ -0,0 +1,17 @@
+proxy_connect_timeout 2s;
+proxy_buffering off;
+proxy_http_version 1.1;
+proxy_read_timeout 3600s;
+proxy_redirect off;
+proxy_send_timeout 120s;
+proxy_socket_keepalive on;
+proxy_ssl_verify off;
+
+proxy_set_header Accept-Encoding "";
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Upgrade $http_upgrade;
+
+client_max_body_size 50M;
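Review bot: `proxy_ssl_verify off;` switches off certificate verification for TLS upstreams; every `proxy_pass` in locations.conf is plain `http://`, so the line is inert today, but it silently disables verification the day a worker is reached over `https://`. Since `off` is already nginx's default, drop the line, or — if encrypted worker links are planned — use `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate` pointing at the CA that signs the worker certificates. `proxy_set_header Connection $connection_upgrade;` relies on a `map $http_upgrade $connection_upgrade { ... }` in the http context that is not part of this commit; presumably it already lives in nginx.conf, otherwise nginx refuses to start on the undefined variable. `client_max_body_size 50M;` overrides the `1g` the README puts in `conn_optimize.conf` for every location that includes this snippet, including the media upload ones — likely meant to match Synapse's upload limit, but the README should state that. `X-Forwarded-For $remote_addr` (rather than `$proxy_add_x_forwarded_for`) deliberately discards any client-supplied header, which is the right choice when nginx is the edge; a comment such as `# nginx is the edge: never forward a client-supplied X-Forwarded-For` would stop someone "fixing" it later.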