14 commits

Author SHA1 Message Date
Joseph Schorr
91e7b4264e Increase burst rate on API rate limit to allow security scan info to be loaded 2018-07-18 15:23:58 -04:00
Joseph Schorr
1d94e4d605 Audit out endpoints and ensure everything has a defined rate limit (even if quite large)
For registry operations, these were the numbers found at the time the PR was written:

download_blob 108 per second across fleet
v2_auth 180 per second across fleet
catalog 1 per second across fleet
fetch_manifest 205 per second across fleet
list_all_tags 150 per second across fleet

With an average fleet size of 25. As a result, we went with a registry limit of 10r/s (10 * 25 = 250 requests) to bound even the most prolific puller.

Fixes https://jira.coreos.com/browse/QUAY-976
2018-06-20 13:36:24 -04:00
Joseph Schorr
ef167ab7e3 Rate limit the catalog endpoint by auth token and IP address 2018-06-05 18:24:31 -04:00
Jimmy Zelinskie
e542de7e65 nginx: temporarily disable catalog for production 2018-06-05 16:06:10 -04:00
Joseph Schorr
e20295f573 Fix Kubernetes config provider for recent changes in Kub API
Kubernetes secret volumes are now mounted as read-only, so we have to write the files *only* via the Kub API

Fixes https://jira.coreos.com/browse/QUAY-911
2018-04-22 17:22:28 +03:00
Alec Merdler
fb7df1e568 fixed 502 route in Nginx config 2017-07-27 14:45:18 -04:00
Antoine Legrand
cdb3722c17 Use $QUAYPATH and $QUAYDIR in conf and init files 2017-07-05 16:23:54 +02:00
Joseph Schorr
bf51ec20e8 Disable gzip on HEAD requests in v2 endpoints
nginx's gzip module will ignore the content-length header on the HEAD request and try to gzip the body.... but there is no body, so it simply writes no header at all.

Code to turn this off was based off of https://trac.nginx.org/nginx/ticket/261
2017-05-03 18:27:45 -04:00
Jimmy Zelinskie
f6a785c1b5 conf/nginx: add cnr path 2017-03-23 13:06:22 -04:00
Joseph Schorr
dd35677712 Add configurable maximum layer size in nginx 2017-03-21 13:14:11 -04:00
Evan Cordell
41033ae05d fix typo 2017-02-23 19:03:26 -05:00
Evan Cordell
ecd441269b Pass host to apostille (required for k8s ingress) 2017-02-23 18:29:02 -05:00
Evan Cordell
16ec19d356 Add dnsmasq so nginx will allow an upstream service to not block startup 2017-02-23 14:38:16 -05:00
Evan Cordell
9affe193db Add support for tuf metadata endpoints 2017-02-23 14:38:16 -05:00
Renamed from conf/nginx/server-base.conf