Move tweakable parameters to envvars, some cleanup (#44)

* Move tweakable parameters to envvars, some cleanup

Signed-off-by: Levi Pesin <[email protected]>

* Fix (that's why you should pin everything)

Signed-off-by: Levi Pesin <[email protected]>

* Fix, update changelog

Signed-off-by: Levi Pesin <[email protected]>

* Fix, debug

Signed-off-by: Levi Pesin <[email protected]>

* Fix?

Signed-off-by: Levi Pesin <[email protected]>

* Fix

Signed-off-by: Levi Pesin <[email protected]>

* Fix

Signed-off-by: Levi Pesin <[email protected]>

* Update changelog

Signed-off-by: Levi Pesin <[email protected]>

* Update

Signed-off-by: Levi Pesin <[email protected]>

---------

Signed-off-by: Levi Pesin <[email protected]>

.github/workflows/build.yml

@@ -21,12 +21,12 @@ jobs:
     uses: warriors-life/.warriors-life-workflows/.github/workflows/build-docker.yml@dev
     with:
       image-name: ${{ github.repository }}
-      node-code-pre-test: |
-        export $(xargs -0 < test.env) && cat test.env >> $GITHUB_ENV
+      node-code-pre-test: | # https://unix.stackexchange.com/a/157619
+        export $(sed '/^[[:blank:]]*#/d;s/#.*//' test.env | xargs -0) && sed '/^[[:blank:]]*#/d;s/#.*//' test.env >> $GITHUB_ENV
         openssl req -x509 -config ssl-config/openssl-ca.conf -out server$NGINX_TRUSTED_CERTS -keyout ssl-config/ca.key -noenc
         openssl req -config ssl-config/openssl-cert.conf -CA server$NGINX_TRUSTED_CERTS -CAkey ssl-config/ca.key -out server$NGINX_CERT -keyout server$NGINX_CERT_KEY -noenc
         gzip -k server/static/*.{css,csv,html,ico,js,json,svg,txt,wasm,webmanifest}
-        cd server && docker-compose up -d
+        cd server && docker compose up -d
     secrets: inherit
     permissions:
       security-events: write
@@ -48,7 +48,7 @@ jobs:
         uses: warriors-life/.warriors-life-workflows/test-docker-image@dev
         with:
           code: |
-            export $(xargs -0 < test.env)
+            export $(sed '/^[[:blank:]]*#/d;s/#.*//' test.env | xargs -0)
             openssl req -x509 -config ssl-config/openssl-ca.conf -out server$NGINX_TRUSTED_CERTS -keyout ssl-config/ca.key -noenc
             openssl req -config ssl-config/openssl-cert.conf -CA server$NGINX_TRUSTED_CERTS -CAkey ssl-config/ca.key -out server$NGINX_CERT -keyout server$NGINX_CERT_KEY -noenc
             docker run --rm --env-file test.env --mount type=bind,src="$(pwd)"/server/ssl,dst=/ssl,ro ${{ needs.call-workflow.outputs.test-tag }} nginx -t

CHANGELOG.md

@@ -7,13 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- Clarify in README versions where proxy runs ([`3ba53b`](https://github.com/warriors-life/warriors-life-nginx-proxy/commit/3ba53b7edcfbe82ff7e5d8fca0acb2fec21f755e)).
 - A TODO about redirecting unsupported browsers to a special page ([`ec9450`](https://github.com/warriors-life/warriors-life-nginx-proxy/commit/ec9450d16986088c757e3f6a746102eaea79beba)).
 - WebSockets are now specified in a different way and support for overriding static/dynamic files URL regexps was added (https://github.com/warriors-life/warriors-life-nginx-proxy/pull/43).
 
 ### Changed
-- Clarify in README versions where proxy runs ([`3ba53b`](https://github.com/warriors-life/warriors-life-nginx-proxy/commit/3ba53b7edcfbe82ff7e5d8fca0acb2fec21f755e)).
 - Replace `envsubst` for templating with [`njk`](https://github.com/saghul/njk) (https://github.com/warriors-life/warriors-life-nginx-proxy/pull/41).
 - Updated to NGINX 1.25.1 ([`0c23f4`](https://github.com/warriors-life/warriors-life-nginx-proxy/commit/0c23f46e1dd589f41a1ae7efa7cb695021710389)).
+- Moved most tweakable parameters to environment variables (https://github.com/warriors-life/warriors-life-nginx-proxy/pull/44).
+- Some cleanup and refactoring (https://github.com/warriors-life/warriors-life-nginx-proxy/pull/44).
 
 ### Removed
 - A TODO about removing "Server: nginx" header entirely ([`01dc10`](https://github.com/warriors-life/warriors-life-nginx-proxy/commit/01dc10f6fc2bfe89fc00eca5da017fce4cdfe1b6)).

README.md

@@ -25,6 +25,7 @@ The configuration uses the following environment variables for controlling it:
 - `$NGINX_STATIC` - directory, where static files (gzipped, brotlied, and empty originals) are located.
 - `$NGINX_AUTH_REALM` - authentication realm for HTTP Basic Authentication (enabled on all requests). Set to `off` to disable.
 - `$NGINX_AUTH_USERS` - path to users and passwords file used for authentication.
+- `$NGINX_WORKER_RLIMIT_NOFILE`, `$NGINX_WORKER_RLIMIT_CORE`, `$NGINX_WORKER_PROCESSES`, `$NGINX_WORKER_CONNECTIONS`, `$NGINX_WORKER_AIO_REQUESTS`, `$NGINX_MULTI_ACCEPT`, `$NGINX_POSTPONE_OUTPUT`, `$NGINX_SENDFILE_MAX_CHUNK`, `$NGINX_DIRECTIO_MIN_SIZE`, `$NGINX_THREAD_POOL_SIZE`, `$NGINX_THREAD_POOL_MAX_QUEUE`, `$NGINX_OUTPUT_BUFFERS_NUM`, `$NGINX_OUTPUT_BUFFERS_SIZE`, `$NGINX_OPEN_FILE_CACHE_MAX_SIZE`, `$NGINX_OPEN_FILE_CACHE_INACTIVE`, `$NGINX_OPEN_FILE_CACHE_MIN_USES`, `$NGINX_OPEN_FILE_CACHE_VALID`, `$NGINX_UPSTREAM_KEEPALIVE_CONNECTIONS`, `$NGINX_UPSTREAM_KEEPALIVE_REQUESTS`, `$NGINX_UPSTREAM_KEEPALIVE_TIME`, `$NGINX_UPSTREAM_KEEPALIVE_TIMEOUT`, `$NGINX_KEEPALIVE_REQUESTS`, `$NGINX_KEEPALIVE_TIME`, `$NGINX_KEEPALIVE_TIMEOUT`, `$NGINX_RESOLVER_TIMEOUT`, `$NGINX_LINGERING_TIME`, `$NGINX_LINGERING_TIMEOUT`, `$NGINX_GZIP_COMP_LEVEL`, `$NGINX_GZIP_NUM_BUFFERS`, `$NGINX_GZIP_BUFFER_SIZE`, `$NGINX_GZIP_MIN_LENGTH`, `$NGINX_SSL_SESSION_TIMEOUT`, `$NGINX_SSL_SESSION_CACHE_SIZE`, `$NGINX_UPSTREAM_ZONE_SIZE`, `$NGINX_PROXY_CONNECT_TIMEOUT`, `$NGINX_PROXY_READ_TIMEOUT`, `$NGINX_PROXY_SEND_TIMEOUT`, `$NGINX_PROXY_CACHE_LOCK_AGE`, `$NGINX_PROXY_CACHE_LOCK_TIMEOUT`, `$NGINX_PROXY_CACHE_KEYS_ZONE_SIZE`, `$NGINX_PROXY_CACHE_INACTIVE`, `$NGINX_PROXY_CACHE_MAX_SIZE`, `$NGINX_LIMIT_RATE`, `$NGINX_LIMIT_RATE_AFTER`, `$NGINX_LIMIT_CONN`, `$NGINX_LIMIT_REQ_RATE`, `$NGINX_RETRY_AFTER`, `$NGINX_AUTH_DELAY` - a bunch of variables controlling miscellaneous configuration parameters and choices.
 
 Following environment variables are set in Dockerfile, but can be changed:
 - `$NGINX_STATIC_IMMUTABLE_REGEXP`, `$NGINX_STATIC_MUTABLE_REGEXP`, and `$NGINX_DYNAMIC_REGEXP` - the regexps for detecting whether a given URL (relative) is a static immutable file, static mutable file, or dynamic file. Default to `^((?:/[\w-]+)+)-[0-9a-f]{64}(\.[a-z0-9]+)$` (filename-32bytehash.extension), `^((?:/[\w-]+)+)(\.[a-z0-9]+)$` (filename.extension), and `^((?:/[\w-]+)+|/)$` (filename or `/`).

src/Dockerfile

@@ -15,14 +15,16 @@ ENV NGINX_USER=nginx
 
 	# Clear /etc/nginx directory
 RUN rm -rf /etc/nginx && mkdir /etc/nginx && \
+	# Clear default links
+	rm -f /var/log/nginx/access.log && rm -f /var/log/nginx/error.log && \
 	# Link logs to stdout and stderr
 	ln -sf /dev/stdout $NGINX_ACCESS_LOG && ln -sf /dev/stderr $NGINX_ERROR_LOG && \
-	# Remove unneeded sntrypoint scripts
+	# Remove unneeded entrypoint scripts
 	rm -f /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh && rm -f /docker-entrypoint.d/20-envsubst-on-templates.sh && \
 	# Remove unneeded packages
 	apk del --no-network libintl tzdata && rm -f /usr/local/bin/envsubst && \
 	# Build njk
-	apkArch="$(cat /etc/apk/arch)" && tempDir="$(mktemp -d)" && chown nobody:nobody "$tempDir" && apk add --no-cache --virtual .build-deps gcc=12.2.1_git20220924-r4 make=4.3-r1 cmake=3.24.4-r0 libc-dev=0.7.2-r3 git=2.38.5-r0 && su nobody -s /bin/sh -c "export HOME=\"$tempDir\" && cd \"$tempDir\" && git clone --recursive --depth 1 --branch master https://github.com/saghul/njk && cd njk && make" && apk del --no-network .build-deps && mv "$tempDir/njk/build/njk-linux-$apkArch" /usr/local/bin/njk && rm -rf "$tempDir"
+	tempDir="$(mktemp -d)" && chown nobody:nobody "$tempDir" && apk add --no-cache --virtual .build-deps gcc=12.2.1_git20220924-r4 make=4.3-r1 cmake=3.24.4-r0 libc-dev=0.7.2-r3 git=2.38.5-r0 && su nobody -s /bin/sh -c "export HOME=\"$tempDir\" && cd \"$tempDir\" && git clone --recursive --depth 1 --branch master https://github.com/saghul/njk && cd njk && make" && apk del --no-network .build-deps && mv "$tempDir/njk/build/njk" /usr/local/bin/njk && rm -rf "$tempDir"
 
 COPY --link 20-njk-on-templates.sh /docker-entrypoint.d/
 

src/compression.conf

@@ -8,9 +8,9 @@ gzip_types
 	image/svg+xml image/x-icon
 	application/wasm;
 
-gzip_comp_level 5; # TODO: configure these three settings (TWEAK)
-gzip_buffers 16 8k;
-gzip_min_length 1000;
+gzip_comp_level {{ env.NGINX_GZIP_COMP_LEVEL }};
+gzip_buffers {{ env.NGINX_GZIP_NUM_BUFFERS }} {{ env.NGINX_GZIP_BUFFER_SIZE }};
+gzip_min_length {{ env.NGINX_GZIP_MIN_LENGTH }};
 
 # TODO: brotli (FEAT, https://github.com/google/ngx_brotli/issues/115)
 # brotli on;
@@ -23,6 +23,6 @@ gzip_min_length 1000;
 #	image/svg+xml image/x-icon
 #	application/wasm;
 #
-# brotli_comp_level 6; # TODO: configure these three settings (TWEAK)
-# brotli_window 512k;
-# brotli_min_length 1000;
+# brotli_comp_level {{ env.NGINX_BROTLI_COMP_LEVEL }};
+# brotli_window {{ env.NGINX_BROTLI_WINDOW }};
+# brotli_min_length {{ env.NGINX_BROTLI_MIN_LENGTH }};

src/dynamic.conf

@@ -1,5 +1,4 @@
 include headers.conf;
-include proxy.conf;
 
 limit_except GET POST {
 	deny all; # TODO: Does this actually set error code to 405 and send Allow header? (TEST)
@@ -29,9 +28,9 @@ proxy_cache_revalidate on;
 proxy_cache_valid 200 206 404 1d;
 
 proxy_cache_lock on;
-proxy_cache_lock_timeout 10s;
-proxy_cache_lock_age 60s;
-proxy_cache_use_stale updating;
+proxy_cache_lock_age {{ env.NGINX_PROXY_CACHE_LOCK_AGE }};
+proxy_cache_lock_timeout {{ env.NGINX_PROXY_CACHE_LOCK_TIMEOUT }};
+proxy_cache_use_stale error timeout http_503 updating;
 
 slice 1m;
 proxy_cache_key $uri$is_args$args$slice_range;
@@ -41,4 +40,4 @@ proxy_cookie_domain ~ $host;
 proxy_cookie_flags ~ secure httponly samesite=lax;
 proxy_cookie_path ~ /;
 
-proxy_set_header Early-Data $ssl_early_data;
+proxy_set_header Early-Data $ssl_early_data;

src/headers.conf

@@ -28,4 +28,4 @@ add_header Report-To "{ \"group\": \"endpoint\", \"include_subdomains\": true, \
 add_header X-Frame-Options "deny";
 add_header X-XSS-Protection "0";
 
-# TODO: CORS headers (Access-Control, etc?) (FEAT)
+# TODO: CORS headers (Access-Control, etc?) (FEAT)

src/hsts.conf

@@ -1 +1 @@
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

src/http.conf

@@ -3,28 +3,29 @@ include performance.conf;
 include rate_limiting.conf;
 include compression.conf;
 include ssl.conf;
+include proxy.conf;
+
+# TODO: HTTP/3 (FEAT)
 
 http2 on;
 
 server_tokens off;
 
 msie_padding off;
 
-proxy_cache_path /tmp/proxy-cache keys_zone=cache:10m inactive=1d max_size=10g; # TODO: configure (TWEAK)
-
 resolver {{ env.NGINX_RESOLVER }}; # TODO: test if this is needed (TEST)
 
 upstream backend {
 	random; # TODO: if keepalived would be used, then a more intelligent algorithm could be used (SHARESTATE)
 
-	zone main 64k;
+	zone main {{ env.NGINX_UPSTREAM_ZONE_SIZE }};
 
-	keepalive 32;
-	keepalive_requests 1000;
-	keepalive_time 1h;
-	keepalive_timeout 5m; # TODO: configure (TWEAK)
+	keepalive {{ env.NGINX_UPSTREAM_KEEPALIVE_CONNECTIONS }};
+	keepalive_requests {{ env.NGINX_UPSTREAM_KEEPALIVE_REQUESTS }};
+	keepalive_time {{ env.NGINX_UPSTREAM_KEEPALIVE_TIME }};
+	keepalive_timeout {{ env.NGINX_UPSTREAM_KEEPALIVE_TIMEOUT }};
 
-	server {{ env.NGINX_BACKEND }}; # TODO: slow_start=30s (NGINX Plus)
+	server {{ env.NGINX_BACKEND }}; # TODO: slow_start={{ env.NGINX_UPSTREAM_SLOW_START }} (NGINX Plus)
 	# TODO: test if this works with Kubernetes, or if it requires NGINX Plus to resolve (TEST)
 
 	# TODO: health checks (NGINX Plus)
@@ -34,18 +35,18 @@ upstream backend {
 {% for name, regexp, backend in env.NGINX_WEBSOCKETS | toJSON %}
 upstream {{ name }}_backend {
 	random;
-	zone {{ name }} 64k;
+	zone {{ name }} {{ env.NGINX_UPSTREAM_ZONE_SIZE }};
 	server {{ backend }};
 }
 {% endfor %}
 {% endif %}
 
 map $status $retry_after {
 	default '';
-	429 5;
+	429 {{ env.NGINX_RETRY_AFTER }};
 }
 
-# see https://stackoverflow.com/a/69540402 for description of headers in Nginx
+# see https://stackoverflow.com/a/69540402 for description of headers in NGINX
 
 map $http_upgrade $connection_upgrade { # TODO: test this (TEST)
 	default Upgrade;
@@ -107,7 +108,7 @@ server {
 
 	auth_basic {{ env.NGINX_AUTH_REALM }};
 	auth_basic_user_file {{ env.NGINX_AUTH_USERS }};
-	auth_delay 1s;
+	auth_delay {{ env.NGINX_AUTH_DELAY }};
 
 	# TODO: redirect unsupported browsers to a special page (related: https://trac.nginx.org/nginx/ticket/1958) (FEAT)
 

src/mime.conf

@@ -29,4 +29,4 @@ charset_types
 	text/plain text/csv
 	text/css application/javascript
 	application/json application/manifest+json
-	image/svg+xml;
+	image/svg+xml;

src/nginx.conf

@@ -1,6 +1,7 @@
 # TODO: worker_connections/worker_processes/worker_rlimit_nofile/ulimit: https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/#insufficient-fds, https://nginx.org/en/docs/ngx_core_module.html, https://serverfault.com/questions/787919/optimal-value-for-nginx-worker-connections, https://gist.github.com/v0lkan/90fcb83c86918732b894, https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration#worker-processes-and-worker-connections (FEAT, TWEAK)
 # TODO: backlog/somaxconn: https://docs.nginx.com/nginx/admin-guide/web-server/serving-static-content/#optimizing-the-backlog-queue (FEAT, TWEAK)
-# TODO: investigate other performance articles: https://www.nginx.com/blog/thread-pools-boost-performance-9x/, https://www.nginx.com/blog/tuning-nginx#limit_rate, https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/, https://www.nginx.com/blog/performance-tuning-tips-tricks/, https://www.nginx.com/wp-content/uploads/2018/11/NGINX-Conf-2018-slides_Rawdat-tuning.pdf (FEAT, TWEAK)
+# TODO: investigate other performance articles: https://www.nginx.com/blog/thread-pools-boost-performance-9x/, https://www.nginx.com/blog/tuning-nginx#limit_rate, https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/, https://www.nginx.com/blog/performance-tuning-tips-tricks/, https://www.nginx.com/wp-content/uploads/2018/11/NGINX-Conf-2018-slides_Rawdat-tuning.pdf, https://www.unixteacher.org/blog/tuning-nginx-to-handle-more-than-50-000-requests/ (FEAT, TWEAK)
+# TODO: investigate cookbooks: https://calomel.org/nginx.html, https://www.oreilly.com/library/view/nginx-cookbook/9781492049098/ (FEAT, TWEAK)
 
 # TODO: closed API on a subdomain for monitoring (https://docs.nginx.com/nginx/admin-guide/monitoring/live-activity-monitoring/), updating keyzones (https://docs.nginx.com/nginx/admin-guide/security-controls/denylisting-ip-addresses/), upstreams configuration (https://docs.nginx.com/nginx/admin-guide/load-balancer/dynamic-configuration-api/), protected by SSO (https://docs.nginx.com/nginx/deployment-guides/single-sign-on/cognito/), etc (FEAT, NGINX Plus)
 # TODO: keepalived (https://docs.nginx.com/nginx/admin-guide/high-availability/ha-keepalived/, https://docs.nginx.com/nginx/admin-guide/high-availability/ha-keepalived-nodes/, https://docs.nginx.com/nginx/deployment-guides/amazon-web-services/)? (FEAT, NGINX Plus, SHARESTATE)
@@ -10,42 +11,40 @@
 user {{ env.NGINX_USER }};
 pid /run/nginx.pid;
 
-error_log {{ env.NGINX_ERROR_LOG }} notice; # TODO: investigate which log level is the best (TWEAK)
+error_log {{ env.NGINX_ERROR_LOG }} notice;
 
 # TODO: load_module modules/ngx_fips_check_module.so; (NGINX-MOD)
 
-# TODO: worker_cpu_affinity? (FEAT, TWEAK)
-
-worker_processes auto; # TODO: configure (TWEAK)
+pcre_jit on;
 
-worker_rlimit_nofile 2048; # TODO: configure (TWEAK)
+thread_pool default threads={{ env.NGINX_THREAD_POOL_SIZE }} max_queue={{ env.NGINX_THREAD_POOL_MAX_QUEUE }};
 
-pcre_jit on;
+working_directory {{ env.NGINX_DUMPS }};
+worker_rlimit_core {{ env.NGINX_WORKER_RLIMIT_CORE }};
 
-thread_pool default threads=32 max_queue=65536; # TODO: configure (TWEAK)
+worker_rlimit_nofile {{ env.NGINX_WORKER_RLIMIT_NOFILE }};
 
-timer_resolution 100ms; # TODO: configure (TWEAK)
+# TODO: worker_cpu_affinity? (FEAT, TWEAK)
 
-working_directory {{ env.NGINX_DUMPS }};
-worker_rlimit_core 16G;
+worker_processes {{ env.NGINX_WORKER_PROCESSES }};
 
 worker_shutdown_timeout 60s;
 
 events {
-	use epoll; # Linux
+	use epoll; # Linux 4.5+
 
-	multi_accept off; # TODO: decide if it should be turned on (TWEAK)
+	multi_accept {{ env.NGINX_MULTI_ACCEPT }};
 
-	worker_connections 1024; # TODO: configure (TWEAK)
+	worker_connections {{ env.NGINX_WORKER_CONNECTIONS }};
 
-	worker_aio_requests 32; # TODO: configure (TWEAK)
+	worker_aio_requests {{ env.NGINX_WORKER_AIO_REQUESTS }};
 }
 
 http {
-	access_log {{ env.NGINX_ACCESS_LOG }} combined gzip flush=30m; # TODO: decide which log format to use (TWEAK)
-	                                                               # TODO: find best gzip level, buffer size, and flush time (TWEAK)
+	access_log {{ env.NGINX_ACCESS_LOG }} combined; # TODO: decide which log format to use (TWEAK)
+	                                                # TODO: is there any benefit doing buffering and/or compression of logs on NGINX side instead of Docker? (TEST)
 	include {{ env.NGINX_NJK_OUTPUT_DIR }}/http.conf;
 }
 
 # TODO: add configuration for streams (FEAT, STREAM)
-# TODO: add configuration for mail server (FEAT, MAIL)
+# TODO: add configuration for mail server (FEAT, MAIL)

src/performance.conf

@@ -1,8 +1,8 @@
 # TODO: configure
 # client_max_body_size, client_body_buffer_size, client_header_buffer_size, large_client_header_buffers
 # client_body_timeout, client_header_timeout, send_timeout (https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration#buffers, https://gist.github.com/v0lkan/90fcb83c86918732b894)
-# ssl_buffer_size
-# http2_body_preread_size, http2_chunk_size, http2_max_concurrent_pushes, http2_max_concurrent_streams, http2_recv_buffer_size
+# ssl_buffer_size, http2_body_preread_size, http2_chunk_size, http2_max_concurrent_streams, http2_recv_buffer_size, subrequest_output_buffer_size
+# connection_pool_size, request_pool_size,
 # proxy_buffer_size, proxy_buffering, proxy_buffers, proxy_busy_buffers_size, proxy_max_temp_file_size, proxy_request_buffering, 	proxy_temp_file_write_size
 # map_hash_bucket_size, map_hash_max_size, proxy_headers_hash_bucket_size, proxy_headers_hash_max_size, referer_hash_bucket_size, referer_hash_max_size, server_names_hash_bucket_size, server_names_hash_max_size, types_hash_bucket_size, types_hash_max_size, variables_hash_bucket_size, variables_hash_max_size (https://nginx.org/en/docs/hash.html) (FEAT, TWEAK)
 
@@ -11,29 +11,30 @@ tcp_nodelay on;
 
 # TODO: which of these directives work with enabled things like gzip? (TEST)
 sendfile on;
-sendfile_max_chunk 2m;
+sendfile_max_chunk {{ env.NGINX_SENDFILE_MAX_CHUNK }};
 aio threads=default;
 aio_write on;
-directio 8m;
-output_buffers 2 32k; # TODO: configure all these values (TWEAK)
+directio {{ env.NGINX_DIRECTIO_MIN_SIZE }};
+output_buffers {{ env.NGINX_OUTPUT_BUFFERS_NUM }} {{ env.NGINX_OUTPUT_BUFFERS_SIZE }};
 
-open_file_cache max=1000 inactive=1d;
+open_file_cache max={{ env.NGINX_OPEN_FILE_CACHE_MAX_SIZE }} inactive={{ env.NGINX_OPEN_FILE_CACHE_INACTIVE }};
 open_file_cache_errors on;
-open_file_cache_valid 60s; # TODO: configure (TWEAK)
+open_file_cache_min_uses {{ env.NGINX_OPEN_FILE_CACHE_MIN_USES }};
+open_file_cache_valid {{ env.NGINX_OPEN_FILE_CACHE_VALID }};
 
 keepalive_disable none;
-keepalive_requests 1000;
-keepalive_time 1h;
-keepalive_timeout 75s; # TODO: configure (TWEAK)
+keepalive_requests {{ env.NGINX_KEEPALIVE_REQUESTS }};
+keepalive_time {{ env.NGINX_KEEPALIVE_TIME }};
+keepalive_timeout {{ env.NGINX_KEEPALIVE_TIMEOUT }};
 
 reset_timedout_connection on; # TODO: test if this works (TEST)
 
-postpone_output 1448; # should be less or equal than Maximum Segment Size, TODO: configure (TWEAK)
+postpone_output {{ env.NGINX_POSTPONE_OUTPUT }};
 
-read_ahead 1; # should be greater than zero
+read_ahead 1; # should be greater than zero, the exact value is ignored on Linux
 
-resolver_timeout 10s;
+resolver_timeout {{ env.NGINX_RESOLVER_TIMEOUT }};
 
 lingering_close on;
-lingering_time 30s;
-lingering_timeout 5s;
+lingering_time {{ env.NGINX_LINGERING_TIME }};
+lingering_timeout {{ env.NGINX_LINGERING_TIMEOUT }};