Sida Chen
62ea45b8c5
Merge pull request #3320 from thomasmckay/1279-nginx-conf
...
1279 - prohibit all DES nginx ciphers
2019-03-14 12:01:51 -04:00
Sida Chen
2819c264cd
Merge pull request #3393 from KeyboardNerd/wtf
...
Remove wtf
2019-03-01 18:33:53 -05:00
Sida Chen
20f93a6805
Remove wtf
2019-03-01 15:32:39 -05:00
Tom McKay
6be6f2181c
1279 - prohibit all DES nginx ciphers
2019-02-15 10:50:47 -05:00
Tom McKay
a4700d75c1
1290 - fix reverted nginx vts removal
2019-02-14 09:40:34 -05:00
Tom McKay
b38c31464f
1290 - remove nginx vts
2019-02-04 13:19:48 -05:00
Joseph Schorr
a1caefcabe
Merge pull request #3331 from thomasmckay/1286-nginx-names
...
1286 - increase nginx server name length
2019-01-15 15:30:35 -05:00
Kenny Lee Sin Cheong
bae3a47ee2
v1 registry flags for nginx server blocks (#3307)
2019-01-15 15:22:59 -05:00
Tom McKay
628bf07979
1286 - increase nginx server name length
2019-01-15 12:39:05 -05:00
Joseph Schorr
d71201ac50
Forgot that we use proxy protocol for production, so we need a new block for v1.quay.io
2018-09-06 13:59:21 -04:00
Joseph Schorr
2439cc6327
Remove v1-staging from server_name
2018-09-06 13:50:19 -04:00
Joseph Schorr
109bda3a6a
Add nginx configuration to serve our older SSL certificate from v1.quay.io and v1-staging.quay.io
...
This will allow us to upgrade our cluster to the new SSL certificate, while still serving the older one for older clients
2018-09-05 13:05:47 -04:00
Brad Ison
662daf1351
Add config for nginx vhost-traffic-status module
2018-07-25 12:57:13 -04:00
Joseph Schorr
2f297ab4fe
Increase the rate limit on the API
2018-07-18 15:44:20 -04:00
Joseph Schorr
91e7b4264e
Increase burst rate on API rate limit to allow security scan info to be loaded
2018-07-18 15:23:58 -04:00
Joseph Schorr
33a8099f35
Temporarily double the request limit. We'll start ratcheting it down over time.
2018-06-20 14:31:51 -04:00
Joseph Schorr
1d94e4d605
Audit out endpoints and ensure everything has a defined rate limit (even if quite large)
...
For registry operations, these were the numbers found at the time the PR was written:
download_blob 108 per second across fleet
v2_auth 180 per second across fleet
catalog 1 per second across fleet
fetch_manifest 205 per second across fleet
list_all_tags 150 per second across fleet
With an average fleet size of 25. As a result, we went with a registry limit of 10r/s (10 * 25 = 250 requests) to bound even the most prolific puller.
Fixes https://jira.coreos.com/browse/QUAY-976
2018-06-20 13:36:24 -04:00
Joseph Schorr
ef167ab7e3
Rate limit the catalog endpoint by auth token and IP address
2018-06-05 18:24:31 -04:00
Jimmy Zelinskie
e542de7e65
nginx: temporarily disable catalog for production
2018-06-05 16:06:10 -04:00
Joseph Schorr
e20295f573
Fix Kubernetes config provider for recent changes in Kub API
...
Kubernetes secret volumes are now mounted as read-only, so we have to write the files *only* via the Kub API
Fixes https://jira.coreos.com/browse/QUAY-911
2018-04-22 17:22:28 +03:00
Joseph Schorr
9f996a8745
Change worker processes to be auto set based on CPU count
...
Fixes https://jira.coreos.com/browse/QS-109
2018-01-10 11:10:57 -05:00
Jimmy Zelinskie
e36bf25a5e
nginx: rate limit 1r/s
...
This reduces our rate limiting down to 1 request per second.
2017-12-13 13:15:32 -05:00
Joseph Schorr
bd67eaf856
Make SSL more resilient and cached
2017-09-05 18:02:07 -04:00
Alec Merdler
fb7df1e568
fixed 502 route in Nginx config
2017-07-27 14:45:18 -04:00
Antoine Legrand
cdb3722c17
Use $QUAYPATH and $QUAYDIR in conf and init files
2017-07-05 16:23:54 +02:00
Joseph Schorr
bf51ec20e8
Disable gzip on HEAD requests in v2 endpoints
...
nginx's gzip module will ignore the content-length header on the HEAD request and try to gzip the body.... but there is no body, so it simply writes no header at all.
Code to turn this off was based off of https://trac.nginx.org/nginx/ticket/261
2017-05-03 18:27:45 -04:00
Jimmy Zelinskie
f6a785c1b5
conf/nginx: add cnr path
2017-03-23 13:06:22 -04:00
Joseph Schorr
dd35677712
Add configurable maximum layer size in nginx
2017-03-21 13:14:11 -04:00
Evan Cordell
41033ae05d
fix typo
2017-02-23 19:03:26 -05:00
Evan Cordell
ecd441269b
Pass host to apostille (required for k8s ingress)
2017-02-23 18:29:02 -05:00
Evan Cordell
16ec19d356
Add dnsmasq so nginx will allow an upstream service to not block startup
2017-02-23 14:38:16 -05:00
Evan Cordell
9affe193db
Add support for tuf metadata endpoints
2017-02-23 14:38:16 -05:00
Jake Moshenko
51ba68d135
Configure nginx to gzip our svg and js files.
2016-11-29 09:30:52 -05:00
Joseph Schorr
2726405ea5
Enable full debuggable logs on non-proxy protocol nginx config
...
Fixes #2037
2016-11-28 16:29:35 -05:00
Joseph Schorr
5109f4a04e
Change read timeout on WAMP to 5 min
2016-11-01 16:07:17 -04:00
Joseph Schorr
460137779f
Switch proxy resolver to use the local resolv.conf values
2016-09-29 11:13:41 +02:00
Joseph Schorr
dd2e086a20
Add feature flag to force all direct download URLs to be proxied
...
Fixes #1667
2016-09-29 11:13:41 +02:00
Joseph Schorr
d34650976a
Set the proxy_read_timeout for the builder web socket to be much higher
...
We rarely send data from the build manager to the builder, so this should make sure nginx doesn't accidentally kill the connection
Fixes #1782
2016-09-27 12:37:26 +02:00
Jimmy Zelinskie
46e11894d7
nginx: fix paths to stack
2016-08-13 13:53:04 -04:00
Jimmy Zelinskie
6a681bb748
move nginx
2016-08-10 16:14:54 -04:00