Merge remote-tracking branch 'origin/hotfix'
Conflicts: conf/proxy-server-base.conf
This commit is contained in:
commit
291c1c810b
6 changed files with 34 additions and 97 deletions
|
@ -16,6 +16,11 @@ gzip_types text/plain text/xml text/css
|
||||||
text/javascript application/x-javascript
|
text/javascript application/x-javascript
|
||||||
application/octet-stream;
|
application/octet-stream;
|
||||||
|
|
||||||
|
map $proxy_protocol_addr $proper_forwarded_for {
|
||||||
|
"" $proxy_add_x_forwarded_for;
|
||||||
|
default $proxy_protocol_addr;
|
||||||
|
}
|
||||||
|
|
||||||
upstream web_app_server {
|
upstream web_app_server {
|
||||||
server unix:/tmp/gunicorn_web.sock fail_timeout=0;
|
server unix:/tmp/gunicorn_web.sock fail_timeout=0;
|
||||||
}
|
}
|
||||||
|
@ -33,3 +38,4 @@ upstream build_manager_controller_server {
|
||||||
upstream build_manager_websocket_server {
|
upstream build_manager_websocket_server {
|
||||||
server localhost:8787;
|
server localhost:8787;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,6 @@ include root-base.conf;
|
||||||
|
|
||||||
http {
|
http {
|
||||||
include http-base.conf;
|
include http-base.conf;
|
||||||
|
|
||||||
include rate-limiting.conf;
|
include rate-limiting.conf;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
|
|
@ -4,9 +4,7 @@ include root-base.conf;
|
||||||
|
|
||||||
http {
|
http {
|
||||||
include http-base.conf;
|
include http-base.conf;
|
||||||
|
|
||||||
include hosted-http-base.conf;
|
include hosted-http-base.conf;
|
||||||
|
|
||||||
include rate-limiting.conf;
|
include rate-limiting.conf;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
@ -25,8 +23,7 @@ http {
|
||||||
|
|
||||||
server {
|
server {
|
||||||
include proxy-protocol.conf;
|
include proxy-protocol.conf;
|
||||||
|
include server-base.conf;
|
||||||
include proxy-server-base.conf;
|
|
||||||
|
|
||||||
listen 8443 default proxy_protocol;
|
listen 8443 default proxy_protocol;
|
||||||
|
|
||||||
|
|
|
@ -1,87 +0,0 @@
|
||||||
# vim: ft=nginx
|
|
||||||
|
|
||||||
client_body_temp_path /var/log/nginx/client_body 1 2;
|
|
||||||
server_name _;
|
|
||||||
|
|
||||||
keepalive_timeout 5;
|
|
||||||
|
|
||||||
if ($args ~ "_escaped_fragment_") {
|
|
||||||
rewrite ^ /snapshot$uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_redirect off;
|
|
||||||
|
|
||||||
proxy_set_header Transfer-Encoding $http_transfer_encoding;
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://web_app_server;
|
|
||||||
|
|
||||||
limit_req zone=webapp burst=25 nodelay;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /realtime {
|
|
||||||
proxy_pass http://web_app_server;
|
|
||||||
proxy_buffering off;
|
|
||||||
proxy_request_buffering off;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /v1/repositories/ {
|
|
||||||
proxy_buffering off;
|
|
||||||
|
|
||||||
proxy_request_buffering off;
|
|
||||||
|
|
||||||
proxy_pass http://registry_app_server;
|
|
||||||
proxy_temp_path /var/log/nginx/proxy_temp 1 2;
|
|
||||||
|
|
||||||
client_max_body_size 20G;
|
|
||||||
|
|
||||||
limit_req zone=repositories burst=5 nodelay;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /v1/ {
|
|
||||||
proxy_buffering off;
|
|
||||||
|
|
||||||
proxy_request_buffering off;
|
|
||||||
|
|
||||||
proxy_pass http://registry_app_server;
|
|
||||||
proxy_temp_path /var/log/nginx/proxy_temp 1 2;
|
|
||||||
|
|
||||||
client_max_body_size 20G;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /c1/ {
|
|
||||||
proxy_buffering off;
|
|
||||||
|
|
||||||
proxy_request_buffering off;
|
|
||||||
|
|
||||||
proxy_pass http://verbs_app_server;
|
|
||||||
proxy_temp_path /var/log/nginx/proxy_temp 1 2;
|
|
||||||
|
|
||||||
limit_req zone=api burst=5 nodelay;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /static/ {
|
|
||||||
# checks for static file, if not found proxy to app
|
|
||||||
alias /static/;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /v1/_ping {
|
|
||||||
add_header Content-Type text/plain;
|
|
||||||
add_header X-Docker-Registry-Version 0.6.0;
|
|
||||||
add_header X-Docker-Registry-Standalone 0;
|
|
||||||
return 200 'true';
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ ^/b1/controller(/?)(.*) {
|
|
||||||
proxy_pass http://build_manager_controller_server/$2;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ ^/b1/socket(/?)(.*) {
|
|
||||||
proxy_pass http://build_manager_websocket_server/$2;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
}
|
|
|
@ -1,7 +1,16 @@
|
||||||
# vim: ft=nginx
|
# vim: ft=nginx
|
||||||
|
|
||||||
|
# Check the Authorization header and, if it is empty, use their proxy protocol
|
||||||
|
# IP, else use the header as their unique identifier for rate limiting.
|
||||||
|
# Enterprise users will never be using proxy protocol, thus the value will be
|
||||||
|
# empty string. This means they will not get rate limited.
|
||||||
|
map $http_authorization $registry_bucket {
|
||||||
|
"" $proxy_protocol_addr;
|
||||||
|
default $http_authorization;
|
||||||
|
}
|
||||||
|
|
||||||
limit_req_zone $proxy_protocol_addr zone=webapp:10m rate=25r/s;
|
limit_req_zone $proxy_protocol_addr zone=webapp:10m rate=25r/s;
|
||||||
limit_req_zone $proxy_protocol_addr zone=repositories:10m rate=1r/s;
|
|
||||||
limit_req_zone $proxy_protocol_addr zone=api:10m rate=1r/s;
|
limit_req_zone $proxy_protocol_addr zone=api:10m rate=1r/s;
|
||||||
|
limit_req_zone $registry_bucket zone=repositories:10m rate=1r/s;
|
||||||
limit_req_status 429;
|
limit_req_status 429;
|
||||||
limit_req_log_level warn;
|
limit_req_log_level warn;
|
||||||
|
|
|
@ -3,16 +3,13 @@
|
||||||
client_body_temp_path /var/log/nginx/client_body 1 2;
|
client_body_temp_path /var/log/nginx/client_body 1 2;
|
||||||
server_name _;
|
server_name _;
|
||||||
|
|
||||||
set_real_ip_from 172.17.0.0/16;
|
|
||||||
real_ip_header X-Forwarded-For;
|
|
||||||
|
|
||||||
keepalive_timeout 5;
|
keepalive_timeout 5;
|
||||||
|
|
||||||
if ($args ~ "_escaped_fragment_") {
|
if ($args ~ "_escaped_fragment_") {
|
||||||
rewrite ^ /snapshot$uri;
|
rewrite ^ /snapshot$uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
proxy_set_header X-Forwarded-For $proper_forwarded_for;
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
proxy_set_header Host $http_host;
|
proxy_set_header Host $http_host;
|
||||||
proxy_redirect off;
|
proxy_redirect off;
|
||||||
|
@ -21,6 +18,8 @@ proxy_set_header Transfer-Encoding $http_transfer_encoding;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
proxy_pass http://web_app_server;
|
proxy_pass http://web_app_server;
|
||||||
|
|
||||||
|
limit_req zone=webapp;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /realtime {
|
location /realtime {
|
||||||
|
@ -29,6 +28,18 @@ location /realtime {
|
||||||
proxy_request_buffering off;
|
proxy_request_buffering off;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
location /v1/repositories/ {
|
||||||
|
proxy_buffering off;
|
||||||
|
|
||||||
|
proxy_request_buffering off;
|
||||||
|
|
||||||
|
proxy_pass http://registry_app_server;
|
||||||
|
proxy_read_timeout 2000;
|
||||||
|
proxy_temp_path /var/log/nginx/proxy_temp 1 2;
|
||||||
|
|
||||||
|
limit_req zone=repositories;
|
||||||
|
}
|
||||||
|
|
||||||
location /v1/ {
|
location /v1/ {
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
|
|
||||||
|
@ -47,6 +58,8 @@ location /c1/ {
|
||||||
|
|
||||||
proxy_pass http://verbs_app_server;
|
proxy_pass http://verbs_app_server;
|
||||||
proxy_temp_path /var/log/nginx/proxy_temp 1 2;
|
proxy_temp_path /var/log/nginx/proxy_temp 1 2;
|
||||||
|
|
||||||
|
limit_req zone=api;
|
||||||
}
|
}
|
||||||
|
|
||||||
location /static/ {
|
location /static/ {
|
||||||
|
|
Reference in a new issue