quay/conf/nginx/server-base.conf.jnj

# vim: ft=nginx

server_name _;

keepalive_timeout 5;

if ($host = "www.quay.io") {
    return 301 $proper_scheme://quay.io$request_uri;
}

# Disable the ability to be embedded into iframes
add_header X-Frame-Options DENY;


# Proxy Headers
proxy_set_header X-Forwarded-For $proper_forwarded_for;
proxy_set_header X-Forwarded-Proto $proper_scheme;
proxy_set_header Host $host;
proxy_redirect off;

proxy_set_header Transfer-Encoding $http_transfer_encoding;

location / {
    proxy_pass   http://web_app_server;
}

location /realtime {
    proxy_pass   http://web_app_server;
    proxy_buffering off;
    proxy_request_buffering off;
}

location ~ ^/_storage_proxy/([^/]+)/([^/]+)/([^/]+)/(.+) {
    include resolver.conf;

    auth_request /_storage_proxy_auth;

    proxy_pass $2://$3/$4$is_args$args;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $3;

    add_header Host $3;

    proxy_buffering off;
    proxy_request_buffering off;

    proxy_read_timeout 60s;
}


location = /_storage_proxy_auth {
    proxy_pass http://web_app_server;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    proxy_set_header X-Original-URI $request_uri;

    proxy_read_timeout 10;
}

# At the begining and end of a push/pull, (/v1/repositories|/v2/auth/) is hit by the Docker
# client. By rate-limiting just this endpoint, we can avoid accidentally
# blocking pulls/pushes for images with many layers.
location ~ ^/(v1/repositories|v2/auth)/ {
    proxy_buffering off;

    proxy_request_buffering off;

    proxy_pass http://registry_app_server;
    proxy_read_timeout 2000;
    proxy_temp_path /tmp 1 2;

    limit_req zone=repositories burst=10;
}

location /secscan/ {
    proxy_pass http://jwtproxy_secscan;
}

{% if signing_enabled %}
location ~ ^/v2/(.+)/_trust/tuf/(.*)$ {
  set $upstream_tuf {{ tuf_server }};
  proxy_pass $upstream_tuf$uri;
  proxy_set_header Host "{{ tuf_host }}";
}
{% endif %}

location ~ ^/cnr {
    proxy_buffering off;

    proxy_request_buffering off;

    proxy_pass http://registry_app_server;
    proxy_read_timeout 120;
    proxy_temp_path /tmp 1 2;

    limit_req zone=repositories burst=10;
}

location ~ ^/v2 {
    # If we're being accessed via v1.quay.io, pretend we don't support v2.
    if ($host = "v1.quay.io") {
        return 404;
    }

    if ($request_method = HEAD ) {
        gzip off;
    }

    # Setting ANY header clears all inherited proxy_set_header directives
    proxy_set_header X-Forwarded-For $proper_forwarded_for;
    proxy_set_header X-Forwarded-Proto $proper_scheme;
    proxy_set_header Host $host;

    proxy_buffering off;

    proxy_request_buffering off;

    proxy_read_timeout 2000;

    proxy_http_version 1.1;

    proxy_pass   http://registry_app_server;
    proxy_temp_path /tmp 1 2;

    client_max_body_size {{ maximum_layer_size }};
}

location ~ ^/v1 {
    # Setting ANY header clears all inherited proxy_set_header directives
    proxy_set_header X-Forwarded-For $proper_forwarded_for;
    proxy_set_header X-Forwarded-Proto $proper_scheme;
    proxy_set_header Host $host;

    proxy_buffering off;

    proxy_request_buffering off;

    proxy_http_version 1.1;

    proxy_pass   http://registry_app_server;
    proxy_temp_path /tmp 1 2;

    client_max_body_size {{ maximum_layer_size }};
}

location /v1/_ping {
    add_header Content-Type text/plain;
    add_header X-Docker-Registry-Version 0.6.0;
    add_header X-Docker-Registry-Standalone 0;
    return 200 'true';
}

location /c1/ {
    proxy_buffering off;

    proxy_request_buffering off;

    proxy_pass   http://verbs_app_server;
    proxy_temp_path /tmp 1 2;

    limit_req zone=verbs burst=10;
}

location /static/ {
    # checks for static file, if not found proxy to app
    alias      {{static_dir}};
    error_page 404 /404;
}

error_page 502 {{static_dir}}/502.html;

location ~ ^/b1/controller(/?)(.*) {
    proxy_pass http://build_manager_controller_server/$2;
}

location ~ ^/b1/socket(/?)(.*) {
    proxy_pass http://build_manager_websocket_server/$2;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 300;
}
Add vim nginx ft to nginx config files 2015-01-13 15:19:42 -05:00			`# vim: ft=nginx`

Configure nginx to emit logstash logs for access logs. Move all nginx config to a conf subdir. Rework nginx config to share common parts. 2014-01-31 18:13:46 -05:00			`server_name _;`

			`keepalive_timeout 5;`

nginx: add www redirect Fixes #452 2015-10-07 11:17:07 -04:00			`if ($host = "www.quay.io") {`
Trust upstream proxies to specify https scheme 2016-02-03 13:08:43 -05:00			`return 301 $proper_scheme://quay.io$request_uri;`
nginx: add www redirect Fixes #452 2015-10-07 11:17:07 -04:00			`}`

nginx: move ssl config out of server-base 2015-05-22 16:25:28 -04:00			`# Disable the ability to be embedded into iframes`
nginx: SSL config into server-base.conf 2015-05-22 13:54:43 -04:00			`add_header X-Frame-Options DENY;`


			`# Proxy Headers`
nginx: make rate limiting awesome 2015-02-19 16:24:05 -05:00			`proxy_set_header X-Forwarded-For $proper_forwarded_for;`
Trust upstream proxies to specify https scheme 2016-02-03 13:08:43 -05:00			`proxy_set_header X-Forwarded-Proto $proper_scheme;`
Stop clobbering our proxy_set_header directives 2015-11-18 15:53:52 -05:00			`proxy_set_header Host $host;`
Break out a new server{} config for port 444> This also restores docker proxy stuff with recursive enabled 2015-01-21 15:59:29 -05:00			`proxy_redirect off;`
Split the app into separate backends, which can use different worker types and different timeouts. 2014-10-14 13:58:08 -04:00
Break out a new server{} config for port 444> This also restores docker proxy stuff with recursive enabled 2015-01-21 15:59:29 -05:00			`proxy_set_header Transfer-Encoding $http_transfer_encoding;`
Split the app into separate backends, which can use different worker types and different timeouts. 2014-10-14 13:58:08 -04:00
Configure nginx to emit logstash logs for access logs. Move all nginx config to a conf subdir. Rework nginx config to share common parts. 2014-01-31 18:13:46 -05:00			`location / {`
Split the app into separate backends, which can use different worker types and different timeouts. 2014-10-14 13:58:08 -04:00			`proxy_pass http://web_app_server;`
			`}`

Fix the /realtime endpoint by making sure buffering is off 2014-10-17 15:50:40 -04:00			`location /realtime {`
			`proxy_pass http://web_app_server;`
			`proxy_buffering off;`
Strip whitespace from ALL the things. 2014-11-24 16:07:38 -05:00			`proxy_request_buffering off;`
Fix the /realtime endpoint by making sure buffering is off 2014-10-17 15:50:40 -04:00			`}`

Add feature flag to force all direct download URLs to be proxied Fixes #1667 2016-08-24 12:55:33 -04:00			`location ~ ^/_storage_proxy/([^/]+)/([^/]+)/([^/]+)/(.+) {`
Switch proxy resolver to use the local resolv.conf values 2016-09-19 16:06:19 -04:00			`include resolver.conf;`
Add feature flag to force all direct download URLs to be proxied Fixes #1667 2016-08-24 12:55:33 -04:00
Switch proxy resolver to use the local resolv.conf values 2016-09-19 16:06:19 -04:00			`auth_request /_storage_proxy_auth;`
Add feature flag to force all direct download URLs to be proxied Fixes #1667 2016-08-24 12:55:33 -04:00
			`proxy_pass $2://$3/$4$is_args$args;`

			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header Host $3;`

			`add_header Host $3;`

			`proxy_buffering off;`
			`proxy_request_buffering off;`

			`proxy_read_timeout 60s;`
			`}`


			`location = /_storage_proxy_auth {`
			`proxy_pass http://web_app_server;`
			`proxy_pass_request_body off;`
			`proxy_set_header Content-Length "";`

			`proxy_set_header X-Original-URI $request_uri;`

			`proxy_read_timeout 10;`
			`}`

Enable rate limiting of V2 requests 2015-08-25 14:18:34 -04:00			`# At the begining and end of a push/pull, (/v1/repositories\|/v2/auth/) is hit by the Docker`
nginx: add comment explaining repo rate limiting 2015-02-25 12:32:48 -05:00			`# client. By rate-limiting just this endpoint, we can avoid accidentally`
			`# blocking pulls/pushes for images with many layers.`
Enable rate limiting of V2 requests 2015-08-25 14:18:34 -04:00			`location ~ ^/(v1/repositories\|v2/auth)/ {`
nginx: make rate limiting awesome 2015-02-19 16:24:05 -05:00			`proxy_buffering off;`

			`proxy_request_buffering off;`

			`proxy_pass http://registry_app_server;`
			`proxy_read_timeout 2000;`
Route all of the logging through syslog-ng. Add the ability to specify extra syslog-ng config. Simplify the Dockerfile. 2015-03-26 09:21:45 -04:00			`proxy_temp_path /tmp 1 2;`
nginx: make rate limiting awesome 2015-02-19 16:24:05 -05:00
nginx: tweak rate limiting; remove webapp limiting 2015-02-25 12:22:41 -05:00			`limit_req zone=repositories burst=10;`
nginx: make rate limiting awesome 2015-02-19 16:24:05 -05:00			`}`

Secure the correct endpoint 2016-04-18 12:56:03 -05:00			`location /secscan/ {`
Configure jwtproxy from stack/conf yaml 2016-04-21 11:40:16 -05:00			`proxy_pass http://jwtproxy_secscan;`
Add jwtproxy and configure verifier for `/secscan/notify` 2016-04-18 11:42:17 -05:00			`}`

Add support for tuf metadata endpoints 2017-02-13 14:14:44 -05:00			`{% if signing_enabled %}`
			`location ~ ^/v2/(.+)/_trust/tuf/(.*)$ {`
Add dnsmasq so nginx will allow an upstream service to not block startup 2017-02-14 18:09:56 -05:00			`set $upstream_tuf {{ tuf_server }};`
			`proxy_pass $upstream_tuf$uri;`
fix typo 2017-02-23 19:02:05 -05:00			`proxy_set_header Host "{{ tuf_host }}";`
Add support for tuf metadata endpoints 2017-02-13 14:14:44 -05:00			`}`
			`{% endif %}`

conf/nginx: add cnr path 2017-03-23 13:06:22 -04:00			`location ~ ^/cnr {`
			`proxy_buffering off;`

			`proxy_request_buffering off;`

			`proxy_pass http://registry_app_server;`
			`proxy_read_timeout 120;`
			`proxy_temp_path /tmp 1 2;`

			`limit_req zone=repositories burst=10;`
			`}`

404 on v2 routes for the hostname v1.quay.io This also copies v2 into its own separate location directive because you cannot have nested location directives. Also, the `if` directive can be very tricky and should only be used to return response codes. 2015-11-24 17:02:09 -05:00			`location ~ ^/v2 {`
			`# If we're being accessed via v1.quay.io, pretend we don't support v2.`
			`if ($host = "v1.quay.io") {`
			`return 404;`
			`}`

Disable gzip on HEAD requests in `v2` endpoints nginx's gzip module will ignore the content-length header on the HEAD request and try to gzip the body.... but there is no body, so it simply writes no header at all. Code to turn this off was based off of https://trac.nginx.org/nginx/ticket/261 2017-05-03 18:27:45 -04:00			`if ($request_method = HEAD ) {`
			`gzip off;`
			`}`

404 on v2 routes for the hostname v1.quay.io This also copies v2 into its own separate location directive because you cannot have nested location directives. Also, the `if` directive can be very tricky and should only be used to return response codes. 2015-11-24 17:02:09 -05:00			`# Setting ANY header clears all inherited proxy_set_header directives`
			`proxy_set_header X-Forwarded-For $proper_forwarded_for;`
Trust upstream proxies to specify https scheme 2016-02-03 13:08:43 -05:00			`proxy_set_header X-Forwarded-Proto $proper_scheme;`
404 on v2 routes for the hostname v1.quay.io This also copies v2 into its own separate location directive because you cannot have nested location directives. Also, the `if` directive can be very tricky and should only be used to return response codes. 2015-11-24 17:02:09 -05:00			`proxy_set_header Host $host;`

			`proxy_buffering off;`

			`proxy_request_buffering off;`

Increase read timeout on V2 to match V1 Fixes #1377 2016-04-19 17:52:54 -04:00			`proxy_read_timeout 2000;`
Increase nginx proxy timeout and close db before storage operation 2015-12-03 11:19:39 -05:00
404 on v2 routes for the hostname v1.quay.io This also copies v2 into its own separate location directive because you cannot have nested location directives. Also, the `if` directive can be very tricky and should only be used to return response codes. 2015-11-24 17:02:09 -05:00			`proxy_http_version 1.1;`

			`proxy_pass http://registry_app_server;`
			`proxy_temp_path /tmp 1 2;`

Add configurable maximum layer size in nginx 2017-02-27 13:03:20 -05:00			`client_max_body_size {{ maximum_layer_size }};`
404 on v2 routes for the hostname v1.quay.io This also copies v2 into its own separate location directive because you cannot have nested location directives. Also, the `if` directive can be very tricky and should only be used to return response codes. 2015-11-24 17:02:09 -05:00			`}`

			`location ~ ^/v1 {`
Remove the Transfer Encoding directive from v2 headers 2015-11-18 17:23:30 -05:00			`# Setting ANY header clears all inherited proxy_set_header directives`
			`proxy_set_header X-Forwarded-For $proper_forwarded_for;`
Trust upstream proxies to specify https scheme 2016-02-03 13:08:43 -05:00			`proxy_set_header X-Forwarded-Proto $proper_scheme;`
Remove the Transfer Encoding directive from v2 headers 2015-11-18 17:23:30 -05:00			`proxy_set_header Host $host;`

Split the app into separate backends, which can use different worker types and different timeouts. 2014-10-14 13:58:08 -04:00			`proxy_buffering off;`

			`proxy_request_buffering off;`

binarydeps: tengine 2.1.0 -> nginx 1.8.0 nginx stable now has unbuffered uploading support, thus we are no longer required to use tengine. 2015-06-04 14:31:08 -04:00			`proxy_http_version 1.1;`

Split the app into separate backends, which can use different worker types and different timeouts. 2014-10-14 13:58:08 -04:00			`proxy_pass http://registry_app_server;`
Route all of the logging through syslog-ng. Add the ability to specify extra syslog-ng config. Simplify the Dockerfile. 2015-03-26 09:21:45 -04:00			`proxy_temp_path /tmp 1 2;`
Split the app into separate backends, which can use different worker types and different timeouts. 2014-10-14 13:58:08 -04:00
Add configurable maximum layer size in nginx 2017-02-27 13:03:20 -05:00			`client_max_body_size {{ maximum_layer_size }};`
Split the app into separate backends, which can use different worker types and different timeouts. 2014-10-14 13:58:08 -04:00			`}`

Define nginx v2 vhost & properly set 404 status code Fixes #777 2015-11-04 14:56:18 -05:00			`location /v1/_ping {`
			`add_header Content-Type text/plain;`
			`add_header X-Docker-Registry-Version 0.6.0;`
			`add_header X-Docker-Registry-Standalone 0;`
			`return 200 'true';`
			`}`

Split the app into separate backends, which can use different worker types and different timeouts. 2014-10-14 13:58:08 -04:00			`location /c1/ {`
Configure nginx to emit logstash logs for access logs. Move all nginx config to a conf subdir. Rework nginx config to share common parts. 2014-01-31 18:13:46 -05:00			`proxy_buffering off;`

			`proxy_request_buffering off;`

Split the app into separate backends, which can use different worker types and different timeouts. 2014-10-14 13:58:08 -04:00			`proxy_pass http://verbs_app_server;`
Route all of the logging through syslog-ng. Add the ability to specify extra syslog-ng config. Simplify the Dockerfile. 2015-03-26 09:21:45 -04:00			`proxy_temp_path /tmp 1 2;`
nginx: make rate limiting awesome 2015-02-19 16:24:05 -05:00
nginx: rename api rate limit bucket to verbs 2015-02-25 12:32:30 -05:00			`limit_req zone=verbs burst=10;`
Move the /static handler into the base and have nginx serve the Docker ping endpoint 2014-10-02 16:04:23 -04:00			`}`

			`location /static/ {`
			`# checks for static file, if not found proxy to app`
Use $QUAYPATH and $QUAYDIR in conf and init files 2017-02-02 00:17:25 +01:00			`alias {{static_dir}};`
Add 404 page Fixes coreos-inc/quay#677 2015-10-21 15:28:45 -04:00			`error_page 404 /404;`
Strip whitespace from ALL the things. 2014-11-24 16:07:38 -05:00			`}`
- Change SSL to only be enabled via an environment variable. Nginx will be terminating SSL for the ER. - Add the missing dependencies to the requirements.txt - Change the builder ports to non-standard locations - Add the /b1/socket and /b1/controller endpoints in nginx, to map to the build manager - Have the build manager start automatically. 2014-11-25 18:08:18 -05:00
Use $QUAYPATH and $QUAYDIR in conf and init files 2017-02-02 00:17:25 +01:00			`error_page 502 {{static_dir}}/502.html;`
Add 502 page 2016-02-01 15:07:50 +02:00
- Change SSL to only be enabled via an environment variable. Nginx will be terminating SSL for the ER. - Add the missing dependencies to the requirements.txt - Change the builder ports to non-standard locations - Add the /b1/socket and /b1/controller endpoints in nginx, to map to the build manager - Have the build manager start automatically. 2014-11-25 18:08:18 -05:00			`location ~ ^/b1/controller(/?)(.*) {`
			`proxy_pass http://build_manager_controller_server/$2;`
			`}`

			`location ~ ^/b1/socket(/?)(.*) {`
			`proxy_pass http://build_manager_websocket_server/$2;`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
Change read timeout on WAMP to 5 min 2016-11-01 16:07:17 -04:00			`proxy_read_timeout 300;`
Merge branch 'bagger' 2014-12-01 12:48:59 -05:00			`}`