Merge remote-tracking branch 'origin/hotfix'

Conflicts:
	conf/proxy-server-base.conf
This commit is contained in:
Jake Moshenko 2015-02-19 17:37:44 -05:00
commit 291c1c810b
6 changed files with 34 additions and 97 deletions

View file

@ -16,6 +16,11 @@ gzip_types text/plain text/xml text/css
text/javascript application/x-javascript text/javascript application/x-javascript
application/octet-stream; application/octet-stream;
map $proxy_protocol_addr $proper_forwarded_for {
"" $proxy_add_x_forwarded_for;
default $proxy_protocol_addr;
}
upstream web_app_server { upstream web_app_server {
server unix:/tmp/gunicorn_web.sock fail_timeout=0; server unix:/tmp/gunicorn_web.sock fail_timeout=0;
} }
@ -33,3 +38,4 @@ upstream build_manager_controller_server {
upstream build_manager_websocket_server { upstream build_manager_websocket_server {
server localhost:8787; server localhost:8787;
} }

View file

@ -4,7 +4,6 @@ include root-base.conf;
http { http {
include http-base.conf; include http-base.conf;
include rate-limiting.conf; include rate-limiting.conf;
server { server {

View file

@ -4,9 +4,7 @@ include root-base.conf;
http { http {
include http-base.conf; include http-base.conf;
include hosted-http-base.conf; include hosted-http-base.conf;
include rate-limiting.conf; include rate-limiting.conf;
server { server {
@ -25,8 +23,7 @@ http {
server { server {
include proxy-protocol.conf; include proxy-protocol.conf;
include server-base.conf;
include proxy-server-base.conf;
listen 8443 default proxy_protocol; listen 8443 default proxy_protocol;

View file

@ -1,87 +0,0 @@
# vim: ft=nginx
client_body_temp_path /var/log/nginx/client_body 1 2;
server_name _;
keepalive_timeout 5;
if ($args ~ "_escaped_fragment_") {
rewrite ^ /snapshot$uri;
}
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header Transfer-Encoding $http_transfer_encoding;
location / {
proxy_pass http://web_app_server;
limit_req zone=webapp burst=25 nodelay;
}
location /realtime {
proxy_pass http://web_app_server;
proxy_buffering off;
proxy_request_buffering off;
}
location /v1/repositories/ {
proxy_buffering off;
proxy_request_buffering off;
proxy_pass http://registry_app_server;
proxy_temp_path /var/log/nginx/proxy_temp 1 2;
client_max_body_size 20G;
limit_req zone=repositories burst=5 nodelay;
}
location /v1/ {
proxy_buffering off;
proxy_request_buffering off;
proxy_pass http://registry_app_server;
proxy_temp_path /var/log/nginx/proxy_temp 1 2;
client_max_body_size 20G;
}
location /c1/ {
proxy_buffering off;
proxy_request_buffering off;
proxy_pass http://verbs_app_server;
proxy_temp_path /var/log/nginx/proxy_temp 1 2;
limit_req zone=api burst=5 nodelay;
}
location /static/ {
# checks for static file, if not found proxy to app
alias /static/;
}
location /v1/_ping {
add_header Content-Type text/plain;
add_header X-Docker-Registry-Version 0.6.0;
add_header X-Docker-Registry-Standalone 0;
return 200 'true';
}
location ~ ^/b1/controller(/?)(.*) {
proxy_pass http://build_manager_controller_server/$2;
}
location ~ ^/b1/socket(/?)(.*) {
proxy_pass http://build_manager_websocket_server/$2;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

View file

@ -1,7 +1,16 @@
# vim: ft=nginx # vim: ft=nginx
# Check the Authorization header and, if it is empty, use their proxy protocol
# IP, else use the header as their unique identifier for rate limiting.
# Enterprise users will never be using proxy protocol, thus the value will be
# empty string. This means they will not get rate limited.
map $http_authorization $registry_bucket {
"" $proxy_protocol_addr;
default $http_authorization;
}
limit_req_zone $proxy_protocol_addr zone=webapp:10m rate=25r/s; limit_req_zone $proxy_protocol_addr zone=webapp:10m rate=25r/s;
limit_req_zone $proxy_protocol_addr zone=repositories:10m rate=1r/s;
limit_req_zone $proxy_protocol_addr zone=api:10m rate=1r/s; limit_req_zone $proxy_protocol_addr zone=api:10m rate=1r/s;
limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s;
limit_req_status 429; limit_req_status 429;
limit_req_log_level warn; limit_req_log_level warn;

View file

@ -3,16 +3,13 @@
client_body_temp_path /var/log/nginx/client_body 1 2; client_body_temp_path /var/log/nginx/client_body 1 2;
server_name _; server_name _;
set_real_ip_from 172.17.0.0/16;
real_ip_header X-Forwarded-For;
keepalive_timeout 5; keepalive_timeout 5;
if ($args ~ "_escaped_fragment_") { if ($args ~ "_escaped_fragment_") {
rewrite ^ /snapshot$uri; rewrite ^ /snapshot$uri;
} }
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proper_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_redirect off; proxy_redirect off;
@ -21,6 +18,8 @@ proxy_set_header Transfer-Encoding $http_transfer_encoding;
location / { location / {
proxy_pass http://web_app_server; proxy_pass http://web_app_server;
limit_req zone=webapp;
} }
location /realtime { location /realtime {
@ -29,6 +28,18 @@ location /realtime {
proxy_request_buffering off; proxy_request_buffering off;
} }
location /v1/repositories/ {
proxy_buffering off;
proxy_request_buffering off;
proxy_pass http://registry_app_server;
proxy_read_timeout 2000;
proxy_temp_path /var/log/nginx/proxy_temp 1 2;
limit_req zone=repositories;
}
location /v1/ { location /v1/ {
proxy_buffering off; proxy_buffering off;
@ -47,6 +58,8 @@ location /c1/ {
proxy_pass http://verbs_app_server; proxy_pass http://verbs_app_server;
proxy_temp_path /var/log/nginx/proxy_temp 1 2; proxy_temp_path /var/log/nginx/proxy_temp 1 2;
limit_req zone=api;
} }
location /static/ { location /static/ {