2015-01-13 20:19:42 +00:00
|
|
|
# vim: ft=nginx
|
|
|
|
|
2014-01-31 23:13:46 +00:00
|
|
|
server_name _;
|
|
|
|
|
|
|
|
keepalive_timeout 5;
|
|
|
|
|
2015-10-07 15:17:07 +00:00
|
|
|
if ($host = "www.quay.io") {
|
2016-02-03 18:08:43 +00:00
|
|
|
return 301 $proper_scheme://quay.io$request_uri;
|
2015-10-07 15:17:07 +00:00
|
|
|
}
|
|
|
|
|
2015-05-22 20:25:28 +00:00
|
|
|
# Disable the ability to be embedded into iframes
|
2015-05-22 17:54:43 +00:00
|
|
|
add_header X-Frame-Options DENY;
|
|
|
|
|
|
|
|
|
|
|
|
# Proxy Headers
|
2015-02-19 21:24:05 +00:00
|
|
|
proxy_set_header X-Forwarded-For $proper_forwarded_for;
|
2016-02-03 18:08:43 +00:00
|
|
|
proxy_set_header X-Forwarded-Proto $proper_scheme;
|
2015-11-18 20:53:52 +00:00
|
|
|
proxy_set_header Host $host;
|
2015-01-21 20:59:29 +00:00
|
|
|
proxy_redirect off;
|
2014-10-14 17:58:08 +00:00
|
|
|
|
2015-01-21 20:59:29 +00:00
|
|
|
proxy_set_header Transfer-Encoding $http_transfer_encoding;
|
2014-10-14 17:58:08 +00:00
|
|
|
|
2014-01-31 23:13:46 +00:00
|
|
|
location / {
|
2014-10-14 17:58:08 +00:00
|
|
|
proxy_pass http://web_app_server;
|
|
|
|
}
|
|
|
|
|
2014-10-17 19:50:40 +00:00
|
|
|
location /realtime {
|
|
|
|
proxy_pass http://web_app_server;
|
|
|
|
proxy_buffering off;
|
2014-11-24 21:07:38 +00:00
|
|
|
proxy_request_buffering off;
|
2014-10-17 19:50:40 +00:00
|
|
|
}
|
|
|
|
|
2016-08-24 16:55:33 +00:00
|
|
|
location ~ ^/_storage_proxy/([^/]+)/([^/]+)/([^/]+)/(.+) {
|
2016-09-19 20:06:19 +00:00
|
|
|
include resolver.conf;
|
2016-08-24 16:55:33 +00:00
|
|
|
|
2016-09-19 20:06:19 +00:00
|
|
|
auth_request /_storage_proxy_auth;
|
2016-08-24 16:55:33 +00:00
|
|
|
|
|
|
|
proxy_pass $2://$3/$4$is_args$args;
|
|
|
|
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header Host $3;
|
|
|
|
|
|
|
|
add_header Host $3;
|
|
|
|
|
|
|
|
proxy_buffering off;
|
|
|
|
proxy_request_buffering off;
|
|
|
|
|
|
|
|
proxy_read_timeout 60s;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
location = /_storage_proxy_auth {
|
|
|
|
proxy_pass http://web_app_server;
|
|
|
|
proxy_pass_request_body off;
|
|
|
|
proxy_set_header Content-Length "";
|
|
|
|
|
|
|
|
proxy_set_header X-Original-URI $request_uri;
|
|
|
|
|
|
|
|
proxy_read_timeout 10;
|
|
|
|
}
|
|
|
|
|
2015-08-25 18:18:34 +00:00
|
|
|
# At the begining and end of a push/pull, (/v1/repositories|/v2/auth/) is hit by the Docker
|
2015-02-25 17:32:48 +00:00
|
|
|
# client. By rate-limiting just this endpoint, we can avoid accidentally
|
|
|
|
# blocking pulls/pushes for images with many layers.
|
2015-08-25 18:18:34 +00:00
|
|
|
location ~ ^/(v1/repositories|v2/auth)/ {
|
2015-02-19 21:24:05 +00:00
|
|
|
proxy_buffering off;
|
|
|
|
|
|
|
|
proxy_request_buffering off;
|
|
|
|
|
|
|
|
proxy_pass http://registry_app_server;
|
|
|
|
proxy_read_timeout 2000;
|
2015-03-26 13:21:45 +00:00
|
|
|
proxy_temp_path /tmp 1 2;
|
2015-02-19 21:24:05 +00:00
|
|
|
|
2015-02-25 17:22:41 +00:00
|
|
|
limit_req zone=repositories burst=10;
|
2015-02-19 21:24:05 +00:00
|
|
|
}
|
|
|
|
|
2016-04-18 17:56:03 +00:00
|
|
|
location /secscan/ {
|
2016-04-21 16:40:16 +00:00
|
|
|
proxy_pass http://jwtproxy_secscan;
|
2016-04-18 16:42:17 +00:00
|
|
|
}
|
|
|
|
|
2017-02-13 19:14:44 +00:00
|
|
|
{% if signing_enabled %}
|
|
|
|
location ~ ^/v2/(.+)/_trust/tuf/(.*)$ {
|
2017-02-14 23:09:56 +00:00
|
|
|
set $upstream_tuf {{ tuf_server }};
|
|
|
|
proxy_pass $upstream_tuf$uri;
|
2017-02-24 00:02:05 +00:00
|
|
|
proxy_set_header Host "{{ tuf_host }}";
|
2017-02-13 19:14:44 +00:00
|
|
|
}
|
|
|
|
{% endif %}
|
|
|
|
|
2017-03-23 17:06:22 +00:00
|
|
|
location ~ ^/cnr {
|
|
|
|
proxy_buffering off;
|
|
|
|
|
|
|
|
proxy_request_buffering off;
|
|
|
|
|
|
|
|
proxy_pass http://registry_app_server;
|
|
|
|
proxy_read_timeout 120;
|
|
|
|
proxy_temp_path /tmp 1 2;
|
|
|
|
|
|
|
|
limit_req zone=repositories burst=10;
|
|
|
|
}
|
|
|
|
|
2018-04-06 21:23:50 +00:00
|
|
|
location ~ ^/api/suconfig {
|
|
|
|
proxy_pass http://web_app_server;
|
|
|
|
|
|
|
|
# For suconfig, set our read timeout as super large for both DB migrations
|
|
|
|
# and awaiting for secrets to be updated.
|
|
|
|
proxy_read_timeout 2000;
|
|
|
|
}
|
|
|
|
|
2015-11-24 22:02:09 +00:00
|
|
|
location ~ ^/v2 {
|
|
|
|
# If we're being accessed via v1.quay.io, pretend we don't support v2.
|
|
|
|
if ($host = "v1.quay.io") {
|
|
|
|
return 404;
|
|
|
|
}
|
|
|
|
|
2017-05-03 22:27:45 +00:00
|
|
|
if ($request_method = HEAD ) {
|
|
|
|
gzip off;
|
|
|
|
}
|
|
|
|
|
2015-11-24 22:02:09 +00:00
|
|
|
# Setting ANY header clears all inherited proxy_set_header directives
|
|
|
|
proxy_set_header X-Forwarded-For $proper_forwarded_for;
|
2016-02-03 18:08:43 +00:00
|
|
|
proxy_set_header X-Forwarded-Proto $proper_scheme;
|
2015-11-24 22:02:09 +00:00
|
|
|
proxy_set_header Host $host;
|
|
|
|
|
|
|
|
proxy_buffering off;
|
|
|
|
|
|
|
|
proxy_request_buffering off;
|
|
|
|
|
2016-04-19 21:52:54 +00:00
|
|
|
proxy_read_timeout 2000;
|
2015-12-03 16:19:39 +00:00
|
|
|
|
2015-11-24 22:02:09 +00:00
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
|
|
|
proxy_pass http://registry_app_server;
|
|
|
|
proxy_temp_path /tmp 1 2;
|
|
|
|
|
2017-02-27 18:03:20 +00:00
|
|
|
client_max_body_size {{ maximum_layer_size }};
|
2015-11-24 22:02:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
location ~ ^/v1 {
|
2015-11-18 22:23:30 +00:00
|
|
|
# Setting ANY header clears all inherited proxy_set_header directives
|
|
|
|
proxy_set_header X-Forwarded-For $proper_forwarded_for;
|
2016-02-03 18:08:43 +00:00
|
|
|
proxy_set_header X-Forwarded-Proto $proper_scheme;
|
2015-11-18 22:23:30 +00:00
|
|
|
proxy_set_header Host $host;
|
|
|
|
|
2014-10-14 17:58:08 +00:00
|
|
|
proxy_buffering off;
|
|
|
|
|
|
|
|
proxy_request_buffering off;
|
|
|
|
|
2015-06-04 18:31:08 +00:00
|
|
|
proxy_http_version 1.1;
|
|
|
|
|
2014-10-14 17:58:08 +00:00
|
|
|
proxy_pass http://registry_app_server;
|
2015-03-26 13:21:45 +00:00
|
|
|
proxy_temp_path /tmp 1 2;
|
2014-10-14 17:58:08 +00:00
|
|
|
|
2017-02-27 18:03:20 +00:00
|
|
|
client_max_body_size {{ maximum_layer_size }};
|
2014-10-14 17:58:08 +00:00
|
|
|
}
|
|
|
|
|
2015-11-04 19:56:18 +00:00
|
|
|
location /v1/_ping {
|
|
|
|
add_header Content-Type text/plain;
|
|
|
|
add_header X-Docker-Registry-Version 0.6.0;
|
|
|
|
add_header X-Docker-Registry-Standalone 0;
|
|
|
|
return 200 'true';
|
|
|
|
}
|
|
|
|
|
2014-10-14 17:58:08 +00:00
|
|
|
location /c1/ {
|
2014-01-31 23:13:46 +00:00
|
|
|
proxy_buffering off;
|
|
|
|
|
|
|
|
proxy_request_buffering off;
|
|
|
|
|
2014-10-14 17:58:08 +00:00
|
|
|
proxy_pass http://verbs_app_server;
|
2015-03-26 13:21:45 +00:00
|
|
|
proxy_temp_path /tmp 1 2;
|
2015-02-19 21:24:05 +00:00
|
|
|
|
2015-02-25 17:32:30 +00:00
|
|
|
limit_req zone=verbs burst=10;
|
2014-10-02 20:04:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
location /static/ {
|
|
|
|
# checks for static file, if not found proxy to app
|
2017-07-27 18:45:18 +00:00
|
|
|
alias {{static_dir}}/;
|
2015-10-21 19:28:45 +00:00
|
|
|
error_page 404 /404;
|
2014-11-24 21:07:38 +00:00
|
|
|
}
|
2014-11-25 23:08:18 +00:00
|
|
|
|
2017-02-01 23:17:25 +00:00
|
|
|
error_page 502 {{static_dir}}/502.html;
|
2016-02-01 13:07:50 +00:00
|
|
|
|
2014-11-25 23:08:18 +00:00
|
|
|
location ~ ^/b1/controller(/?)(.*) {
|
|
|
|
proxy_pass http://build_manager_controller_server/$2;
|
|
|
|
}
|
|
|
|
|
|
|
|
location ~ ^/b1/socket(/?)(.*) {
|
|
|
|
proxy_pass http://build_manager_websocket_server/$2;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
proxy_set_header Connection "upgrade";
|
2016-11-01 20:07:17 +00:00
|
|
|
proxy_read_timeout 300;
|
2014-12-01 17:48:59 +00:00
|
|
|
}
|