Commit graph

207 commits

Author SHA1 Message Date
Evan Cordell
85667a9cf6 Creat mitm certs on boot 2016-04-29 14:10:33 -04:00
Evan Cordell
492dcf4781 Verify that jwt was issued by clair 2016-04-29 14:10:33 -04:00
Evan Cordell
118f2d0ce5 Add mitm certs to jwtproxy 2016-04-29 14:10:33 -04:00
Evan Cordell
9e7a501dae Authenticate in the other direction with jwtproxy 2016-04-29 14:10:33 -04:00
Evan Cordell
da0a988650 Configure jwtproxy from stack/conf yaml 2016-04-29 14:10:33 -04:00
Evan Cordell
adc86456b5 Secure the correct endpoint 2016-04-29 14:10:33 -04:00
Evan Cordell
8c8ee9c2be Add jwtproxy and configure verifier for /secscan/notify 2016-04-29 14:10:33 -04:00
Joseph Schorr
1264c6330e Increase read timeout on V2 to match V1
Fixes #1377
2016-04-19 17:52:54 -04:00
Jake Moshenko
0fdbf8a210 Trust upstream proxies to specify https scheme 2016-02-03 13:08:43 -05:00
Joseph Schorr
e7842a2a49 Add 502 page 2016-02-01 15:07:50 +02:00
Jimmy Zelinskie
e1f955a3f6 add a log rotation worker
Fixes #609.
2015-12-16 17:22:28 -05:00
Joseph Schorr
dd344aba81 Add request time and upstream request time to the nginx logs
Fixes #1026
2015-12-16 14:08:07 -05:00
Joseph Schorr
a25572f2b3 Enable HTTP2 under proxy protocol 2015-12-08 15:36:26 -05:00
Joseph Schorr
769ec4c2a3 Enable http2 in nginx 2015-12-04 17:06:55 -05:00
Silas Sewell
8781cf6e11 Increase nginx proxy timeout and close db before storage operation 2015-12-03 11:19:39 -05:00
Jimmy Zelinskie
87a4e1f417 404 on v2 routes for the hostname v1.quay.io
This also copies v2 into its own separate location directive because you
cannot have nested location directives. Also, the `if` directive can be
very tricky and should only be used to return response codes.
2015-11-24 17:02:09 -05:00
Jake Moshenko
4c0e215c2f Silence boto logs when running locally 2015-11-18 19:04:26 -05:00
Jake Moshenko
30bb97a04d Remove the Transfer Encoding directive from v2 headers 2015-11-18 17:23:30 -05:00
Jake Moshenko
d6c5fc5d1b Stop clobbering our proxy_set_header directives 2015-11-18 16:00:23 -05:00
Jake Moshenko
ad273eb002 Re-seed crypto random on all forks 2015-11-17 12:23:10 -05:00
Jake Moshenko
0459c3bc54 Merge remote-tracking branch 'upstream/master' into python-registry-v2 2015-11-16 14:22:54 -05:00
Joseph Schorr
49ab87bab4 Fix log permissions 2015-11-12 22:45:52 -05:00
Joseph Schorr
7816b0c657 Merge master into vulnerability-tool 2015-11-12 21:52:47 -05:00
Jake Moshenko
ab340e20ea Merge remote-tracking branch 'upstream/master' into python-registry-v2 2015-11-11 16:41:40 -05:00
Jimmy Zelinskie
5655c08467 fix security worker service permissions 2015-11-10 15:22:36 -05:00
Jimmy Zelinskie
270010105d add security notification worker to init 2015-11-10 15:22:30 -05:00
Silas Sewell
e826b14ca4 Merge pull request #725 from coreos-inc/setup-tool-georeplication
superuser: add storage replication config
2015-11-09 17:43:38 -05:00
Silas Sewell
5000b1621c superuser: add storage replication config 2015-11-09 17:34:22 -05:00
Jake Moshenko
c2fcf8bead Merge remote-tracking branch 'upstream/phase4-11-07-2015' into python-registry-v2 2015-11-06 18:18:29 -05:00
Quentin Machu
f59e35cc81 Add support for Quay's vulnerability tool 2015-11-06 15:22:18 -05:00
Quentin Machu
c1fa22d9b0 Define nginx v2 vhost & properly set 404 status code
Fixes #777
2015-11-04 14:56:18 -05:00
Silas Sewell
49b395ba4e Disable diffsworker 2015-11-03 23:59:38 -05:00
Quentin Machu
3f35265858 Merge pull request #683 from Quentin-M/whoops-404
Add 404 page
2015-10-30 14:30:20 -04:00
Jake Moshenko
e7a6176594 Merge remote-tracking branch 'upstream/v2-phase4' into python-registry-v2 2015-10-22 16:59:28 -04:00
Quentin Machu
adb744089e Add 404 page
Fixes coreos-inc/quay#677
2015-10-21 18:40:15 -04:00
Jimmy Zelinskie
069ab0c644 Merge pull request #658 from Quentin-M/nginx_semicolon
Add missing semicolon in nginx conf
2015-10-16 17:25:17 -04:00
Quentin Machu
18a7caf474 Add missing semicolon in nginx conf 2015-10-16 13:55:16 -04:00
Silas Sewell
9c866eac4b nginx: add www redirect
Fixes #452
2015-10-07 11:17:07 -04:00
Joseph Schorr
acac893495 Crypto's Random needs to be reset after forks, otherwise it exceptions 2015-09-28 15:45:01 -04:00
Jake Moshenko
26cea9a07c Merge remote-tracking branch 'upstream/master' into python-registry-v2 2015-09-17 16:16:27 -04:00
Silas Sewell
386c017d99 Add quay releases 2015-09-16 17:18:46 -04:00
Jake Moshenko
210ed7cf02 Merge remote-tracking branch 'upstream/master' into python-registry-v2 2015-09-04 16:32:01 -04:00
Quentin Machu
8a4c5a5491 Add newline char in syslog-ng config 2015-09-02 10:07:34 -04:00
josephschorr
62ea4a6cf4 Merge pull request #191 from coreos-inc/carmen
Add automatic storage replication
2015-09-01 15:04:36 -04:00
Joseph Schorr
724b1607d7 Add automatic storage replication
Adds a worker to automatically replicate data between storages and update the database accordingly
2015-09-01 14:53:32 -04:00
Jake Moshenko
3a0d28653b Stop logging user and messages files in syslog
They contained duplicates of all of our app logs.
2015-09-01 11:44:15 -04:00
Joseph Schorr
31fdb94436 Enable rate limiting of V2 requests 2015-08-25 14:18:34 -04:00
Joseph Schorr
0c7839203e Send the original host along to the registry code 2015-08-24 16:09:17 -04:00
Matt Jibson
5ce4702814 Merge pull request #329 from mjibson/fix-weak-dh
Fix weak DH configuration
2015-08-12 15:33:42 -04:00
Joseph Schorr
5bdd7ba990 Add support for custom favicon in ER
Fixes #340
2015-08-10 13:39:39 -04:00
Matt Jibson
c88edf8989 Fix weak DH configuration
The SSLLabs https://www.ssllabs.com/ssltest/ test reported a B rating for
our SSL configuration, mostly due to the weak DH confiugration we have,
which is vulnerable to the logjam attack. This is their recommended
configuration for nginx.

From: https://weakdh.org/sysadmin.html

This has been verified to work with docker 0.10.0.
2015-08-07 12:03:05 -04:00
Joseph Schorr
70de107268 Make GC of repositories fully async for whitelisted namespaces
This change adds a worker to conduct GC on repositories with garbage every 10s.

Fixes #144
2015-07-28 15:30:04 -04:00
Jake Moshenko
bc29561f8f Fix and templatize the logic for external JWT AuthN and registry v2 Auth.
Make it explicit that the registry-v2 stuff is not ready for prime time.
2015-07-17 11:56:15 -04:00
Jimmy Zelinskie
68894a6cad nginx: comment out last part of OCSP stapling 2015-07-14 18:07:53 -04:00
Jimmy Zelinskie
973aa601ef nginx: "temporarily" disable OCSP stapling 2015-07-14 17:33:57 -04:00
Jake Moshenko
91b2c21789 Reference our certificate file as trusted to enable OCSP stapling. 2015-07-01 15:35:40 -04:00
Joseph Schorr
784a45372d Make the doupdatelimits script optional
Without the `privileged` flag or the proper kernel capability, this command can fail the start of the container. With this change, we still print the error message, but don't fail container start. The downside of this command not running is a lower maximum connection count (128), which should be okay for most of our enterprise customers.
2015-07-01 15:13:36 +03:00
Jake Moshenko
ee154c37a8 Merge pull request #121 from coreos-inc/robots
Add support for custom robots.txt in conf/stack
2015-06-17 15:48:30 -04:00
Jimmy Zelinskie
3166c9a38f nginx: recompile with SSL module, move directives 2015-06-16 12:30:25 -04:00
Joseph Schorr
191f84fd0b Add support for custom robots.txt in conf/stack
Fixes #115
2015-06-11 12:33:21 -04:00
Jimmy Zelinskie
f7c81e2a34 binarydeps: tengine 2.1.0 -> nginx 1.8.0
nginx stable now has unbuffered uploading support, thus we are no longer
required to use tengine.
2015-06-08 15:35:56 -04:00
Jimmy Zelinskie
581d2fa4fc nginx: move ssl config out of server-base 2015-05-22 16:25:28 -04:00
Jimmy Zelinskie
4323eb58da nginx: SSL config into server-base.conf 2015-05-22 13:54:43 -04:00
Jimmy Zelinskie
f9f933feff nginx: update cipher suite, HSTS, X-Frame-Options 2015-05-22 13:35:49 -04:00
Jimmy Zelinskie
60763d69b1 nginx: support OCSP Stapling 2015-05-20 16:32:12 -04:00
Jimmy Zelinskie
4689c00fad nginx: drop SSLv3, support TLS 1.1 & 1.2 2015-05-20 16:31:32 -04:00
Jimmy Zelinskie
c44846103e nginx: enable Strict Transport Security 2015-05-20 16:31:00 -04:00
Joseph Schorr
3f1e8f3c27 Add a RepositoryActionCount table so we can use it (instead of LogEntry) when scoring repo search results 2015-04-13 13:31:07 -04:00
Jake Moshenko
24cf27bd12 Route all of the logging through syslog-ng. Add the ability to specify extra syslog-ng config. Simplify the Dockerfile. 2015-03-26 09:22:47 -04:00
Jimmy Zelinskie
b4b06ec8c8 nginx: add comment explaining repo rate limiting 2015-02-25 12:32:48 -05:00
Jimmy Zelinskie
2a826f52d4 nginx: rename api rate limit bucket to verbs 2015-02-25 12:32:30 -05:00
Jimmy Zelinskie
ebff374408 nginx: tweak rate limiting; remove webapp limiting 2015-02-25 12:22:41 -05:00
Jimmy Zelinskie
ef61145b2c Merge branch 'master' of github.com:coreos-inc/quay 2015-02-23 20:54:15 -05:00
Jimmy Zelinskie
7554c47a30 nginx: burst=5 for API calls
This means that requests are delayed until the client reaches the burst
rate and then they will receive the 429.
2015-02-23 20:53:21 -05:00
Jake Moshenko
a0833b7978 Fix the worker timeout for synchronous verbs workers. 2015-02-23 16:02:22 -05:00
Jake Moshenko
291c1c810b Merge remote-tracking branch 'origin/hotfix'
Conflicts:
	conf/proxy-server-base.conf
2015-02-19 17:37:44 -05:00
Jimmy Zelinskie
4a2b25200a nginx: make rate limiting awesome 2015-02-19 16:24:05 -05:00
Jimmy Zelinskie
01811ee793 nginx: add missing semicolon 2015-02-19 13:31:49 -05:00
Jimmy Zelinskie
11c5632121 nginx: remove blacklisted IP 2015-02-19 12:46:03 -05:00
Jimmy Zelinskie
b7159293c1 nginx: create unauth/auth ratelimiting
This also removes nodelay on rate limiting and temporarily blacklists an
IP address.
2015-02-19 12:32:06 -05:00
Jake Moshenko
04b06547b8 Remove all of the timeouts since they were not doing the right thing anyway. 2015-02-18 17:04:25 -05:00
Joseph Schorr
f107b50a46 Merge branch 'master' into ackbar 2015-02-12 12:04:45 -05:00
Joseph Schorr
42db221576 Disable proxy server buffer changes 2015-02-11 16:25:09 -05:00
Jake Moshenko
0f3d87466e Unify the logging infrastructure and turn the prod logging level to INFO in preparation for picking up a new cloud logger. 2015-02-11 14:15:18 -05:00
Jimmy Zelinskie
3abb5bf0a3 nginx: set proxy_buffer_size to 6MB
Because tags are included in our sessions, pushes containing many tags
will make our headers larger than the buffer nginx uses to send to the
client and then nginx is unable to validate the headers.
2015-02-10 15:48:27 -05:00
Joseph Schorr
9dfe523615 Merge master changes 2015-02-05 13:11:16 -05:00
Jake Moshenko
11562a74de Remove the old builder infrastructure. 2015-01-29 11:03:23 -05:00
Jimmy Zelinskie
24365fb960 nginx: rate-limiting for /c1/ 2015-01-26 15:42:56 -05:00
Jimmy Zelinskie
f99025f123 nginx: adjust proxy protocol rate limiting values 2015-01-26 15:03:27 -05:00
Joseph Schorr
30b895b795 Merge branch 'grunt-js-folder' of https://github.com/coreos-inc/quay into ackbar 2015-01-23 17:26:14 -05:00
Jimmy Zelinskie
b5f7777fd7 nginx: create proxy-server-base.conf w/ rate limit 2015-01-23 16:50:16 -05:00
Jimmy Zelinskie
64bea5387b nginx: rate limiting only on proxy protocol 2015-01-23 16:04:06 -05:00
Jimmy Zelinskie
a185b53db4 nginx: set real IP from any address 2015-01-23 15:13:24 -05:00
Jimmy Zelinskie
b19b256b52 Proxy Protocol on port 8443 2015-01-22 16:10:02 -05:00
Jimmy Zelinskie
a715d97660 health check endpoint without proxy protocol 2015-01-22 12:58:48 -05:00
Jimmy Zelinskie
73557f20b9 add missing semicolon 2015-01-22 12:16:04 -05:00
Jimmy Zelinskie
365290d3c4 Add and include proxy-protocol.conf 2015-01-21 17:11:23 -05:00
Jimmy Zelinskie
e93d0b83ec reset nginx config to master 2015-01-21 17:00:43 -05:00
Jimmy Zelinskie
0f8aad9ef1 Break out a new server{} config for port 444>
This also restores docker proxy stuff with recursive enabled
2015-01-21 15:59:29 -05:00
Jimmy Zelinskie
b7d6d42317 comment out docker reverse proxy stuff 2015-01-21 15:05:35 -05:00