@@ -324,46 +324,63 @@ Resources:
324324
325325 user nginx;
326326 worker_processes auto;
327- error_log /var/log/nginx/error.log notice;
327+
328+ # number of file descriptors used for nginx
329+ # the limit for the maximum FDs on the server is usually set by the OS.
330+ # if you don't set FD's then OS settings will be used which is by default 2000
331+ worker_rlimit_nofile 100000;
332+
333+ # only log critical errors
334+ error_log /var/log/nginx/error.log crit;
328335 pid /run/nginx.pid;
329336 ssl_engine pkcs11;
330337
331338 # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
332339 include /usr/share/nginx/modules/*.conf;
333340
334341 events {
335- worker_connections 1024;
342+ # determines how much clients will be served per worker
343+ # max clients = worker_connections * worker_processes
344+ # max clients is also limited by the number of socket connections available on the system (~64k)
345+ worker_connections 4000;
346+
347+ # optimized to serve many clients with each thread, essential for linux
348+ use epoll;
349+
350+ # accept as many connections as possible, may flood worker connections if set too low
351+ multi_accept on;
336352 }
337353
338354 http {
339- log_format json_combined escape=json
340- '{'
341- '"time":"$time_iso8601",'
342- '"process":"$pid",'
343- '"filename":"$request_filename",'
344- '"remoteIP":"$remote_addr",'
345- '"method":"$request_method",'
346- '"request":"$request_uri",'
347- '"status":"$status",'
348- '"responseTime":"$request_time",'
349- '"referer":"$http_referer",'
350- '"userAgent":"$http_user_agent",'
351- '"bytesSent":"$bytes_sent",'
352- '"bytesReceived":"$request_length",'
353- '"host":"$host",'
354- '"connection_requests":"$connection_requests",'
355- '"connection_active":"$connections_active",'
356- '"connection_read":"$connections_reading",'
357- '"connection_write":"$connections_writing",'
358- '"connection_wait":"$connections_waiting"'
359- '}';
360-
361- access_log /var/log/nginx/access.log json_combined;
355+ # to boost I/O on HDD we can disable access logs
356+ access_log off;
357+
362358 charset utf-8;
363359
364- sendfile on;
365- tcp_nopush on;
366- keepalive_timeout 65;
360+ # copies data between one FD and other from within the kernel
361+ # faster than read() + write()
362+ sendfile on;
363+
364+ # send headers in one piece, it is better than sending them one by one
365+ tcp_nopush on;
366+
367+ # don't buffer data sent, good for small data bursts in real time
368+ # https://brooker.co.za/blog/2024/05/09/nagle.html
369+ # https://news.ycombinator.com/item?id=10608356
370+ tcp_nodelay on;
371+
372+ # allow the server to close connection on non responding client, this will free up memory
373+ reset_timedout_connection on;
374+
375+ # request timed out -- default 60
376+ client_body_timeout 10;
377+
378+ # if client stop responding, free up memory -- default 60
379+ send_timeout 2;
380+
381+ # server will close connection after this time -- default 75
382+ keepalive_timeout 30;
383+
367384 types_hash_max_size 4096;
368385
369386 include /etc/nginx/mime.types;
@@ -374,6 +391,8 @@ Resources:
374391 # for more information.
375392 include /etc/nginx/conf.d/*.conf;
376393
394+ server_tokens off;
395+
377396 server {
378397 listen 443 ssl;
379398 http2 on;
@@ -393,25 +412,32 @@ Resources:
393412 proxy_set_header X-Forwarded-Proto https;
394413 proxy_set_header X-Forwarded-Port 443;
395414 proxy_set_header Proxy "";
415+ proxy_set_header Connection "";
396416
397417 proxy_pass http://127.0.0.1:8080;
398418 proxy_buffering on;
399419 proxy_redirect off;
400420 proxy_http_version 1.1;
401421 }
402-
403- error_page 404 /404.html;
404- location = /404.html {
405- }
406-
407- error_page 500 502 503 504 /50x.html;
408- location = /50x.html {
409- }
410422 }
411423 }
412424 owner : root
413425 group : root
414426 mode : " 000644"
427+ " /etc/pki/tls/openssl.d/openssl-acm.cnf " :
428+ content : |-
429+ [openssl_init]
430+ engines = engine_section
431+
432+ [engine_section]
433+ pkcs11 = pkcs11_section
434+
435+ [pkcs11_section]
436+ engine_id = pkcs11
437+ init = 1
438+ owner : root
439+ group : root
440+ mode : " 000644"
415441 " /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json " :
416442 content : |-
417443 {
@@ -563,6 +589,7 @@ Resources:
563589 ensureRunning : true
564590 files :
565591 - " /etc/nitro_enclaves/acm.yaml"
592+ - " /etc/pki/tls/openssl.d/openssl-acm.cnf"
566593 packages :
567594 yum :
568595 - aws-nitro-enclaves-acm
@@ -663,9 +690,6 @@ Resources:
663690
664691 usermod -aG ne ec2-user
665692
666- # Edit the OpenSSL configuration /etc/pki/tls/openssl.cnf
667- sed -i '/alg_section = evp_properties/a\engines = engine_section\n\n[engine_section]\npkcs11 = pkcs11_section\n\n[ pkcs11_section ]\nengine_id = pkcs11\ninit = 1' /etc/pki/tls/openssl.cnf
668-
669693 systemctl enable --now amazon-cloudwatch-agent.service
670694 systemctl enable --now nitro-enclaves-allocator.service
671695 systemctl enable --now nitro-enclaves-vsock-proxy.service
@@ -739,7 +763,7 @@ Resources:
739763 InstancesDistribution :
740764 OnDemandAllocationStrategy : lowest-price
741765 OnDemandBaseCapacity : 1
742- OnDemandPercentageAboveBaseCapacity : 0
766+ OnDemandPercentageAboveBaseCapacity : 0 # all spot
743767 SpotAllocationStrategy : price-capacity-optimized
744768 LaunchTemplate :
745769 LaunchTemplateSpecification :
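Review bot: In the first hunk, `access_log off;` (new line 356, together with deleting the `json_combined` log_format) removes the proxy's only request audit trail, and `error_log /var/log/nginx/error.log crit;` on the preceding lines also hides error-level events such as upstream connection failures and TLS handshake errors, so the host would be blind during an incident. The I/O concern can be met without losing the data by buffering instead: keep the log_format and use `access_log /var/log/nginx/access.log json_combined buffer=64k flush=5s;` with `error_log /var/log/nginx/error.log warn;`. If the CloudWatch agent config that follows in this template collects /var/log/nginx/access.log (its content is outside these hunks), that log stream goes silent with nothing to flag it. The new /etc/pki/tls/openssl.d/openssl-acm.cnf only takes effect if the AMI's openssl.cnf includes that directory, which nothing visible here confirms; a one-line comment next to the file entry naming the OpenSSL/AMI assumption it replaces the old sed with would help the next maintainer.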