Commit graph

40 commits

Author SHA1 Message Date
Sida Chen
62ea45b8c5
Merge pull request #3320 from thomasmckay/1279-nginx-conf
1279 - prohibit all DES nginx ciphers
2019-03-14 12:01:51 -04:00
Sida Chen
2819c264cd
Merge pull request #3393 from KeyboardNerd/wtf
Remove wtf
2019-03-01 18:33:53 -05:00
Sida Chen
20f93a6805 Remove wtf 2019-03-01 15:32:39 -05:00
Tom McKay
6be6f2181c 1279 - prohibit all DES nginx ciphers 2019-02-15 10:50:47 -05:00
Tom McKay
a4700d75c1 1290 - fix reverted nginx vts removal 2019-02-14 09:40:34 -05:00
Tom McKay
b38c31464f 1290 - remove nginx vts 2019-02-04 13:19:48 -05:00
Joseph Schorr
a1caefcabe
Merge pull request #3331 from thomasmckay/1286-nginx-names
1286 - increase nginx server name length
2019-01-15 15:30:35 -05:00
Kenny Lee Sin Cheong
bae3a47ee2
v1 registry flags for nginx server blocks (#3307) 2019-01-15 15:22:59 -05:00
Tom McKay
628bf07979 1286 - increase nginx server name length 2019-01-15 12:39:05 -05:00
Joseph Schorr
d71201ac50 Forgot that we use proxy protocol for production, so we need a new block for v1.quay.io 2018-09-06 13:59:21 -04:00
Joseph Schorr
2439cc6327 Remove v1-staging from server_name 2018-09-06 13:50:19 -04:00
Joseph Schorr
109bda3a6a Add nginx configuration to serve our older SSL certificate from v1.quay.io and v1-staging.quay.io
This will allow us to upgrade our cluster to the new SSL certificate, while still serving the older one for older clients
2018-09-05 13:05:47 -04:00
Brad Ison
662daf1351
Add config for nginx vhost-traffic-status module 2018-07-25 12:57:13 -04:00
Joseph Schorr
2f297ab4fe Increase the rate limit on the API 2018-07-18 15:44:20 -04:00
Joseph Schorr
91e7b4264e Increase burst rate on API rate limit to allow security scan info to be loaded 2018-07-18 15:23:58 -04:00
Joseph Schorr
33a8099f35 Temporarily double the request limit. We'll start ratcheting it down over time. 2018-06-20 14:31:51 -04:00
Joseph Schorr
1d94e4d605 Audit out endpoints and ensure everything has a defined rate limit (even if quite large)
For registry operations, these were the numbers found at the time the PR was written:

download_blob 108 per second across fleet
v2_auth 180 per second across fleet
catalog 1 per second across fleet
fetch_manifest 205 per second across fleet
list_all_tags 150 per second across fleet

With an average fleet size of 25. As a result, we went with a registry limit of 10r/s (10 * 25 = 250 requests) to bound even the most prolific puller.

Fixes https://jira.coreos.com/browse/QUAY-976
2018-06-20 13:36:24 -04:00
Joseph Schorr
ef167ab7e3 Rate limit the catalog endpoint by auth token and IP address 2018-06-05 18:24:31 -04:00
Jimmy Zelinskie
e542de7e65 nginx: temporarily disable catalog for production 2018-06-05 16:06:10 -04:00
Joseph Schorr
e20295f573 Fix Kubernetes config provider for recent changes in Kub API
Kubernetes secret volumes are now mounted as read-only, so we have to write the files *only* via the Kub API

Fixes https://jira.coreos.com/browse/QUAY-911
2018-04-22 17:22:28 +03:00
Joseph Schorr
9f996a8745 Change worker processes to be auto set based on CPU count
Fixes https://jira.coreos.com/browse/QS-109
2018-01-10 11:10:57 -05:00
Jimmy Zelinskie
e36bf25a5e nginx: rate limit 1r/s
This reduces our rate limiting down to 1 request per second.
2017-12-13 13:15:32 -05:00
Joseph Schorr
bd67eaf856 Make SSL more resilient and cached 2017-09-05 18:02:07 -04:00
Alec Merdler
fb7df1e568 fixed 502 route in Nginx config 2017-07-27 14:45:18 -04:00
Antoine Legrand
cdb3722c17 Use $QUAYPATH and $QUAYDIR in conf and init files 2017-07-05 16:23:54 +02:00
Joseph Schorr
bf51ec20e8 Disable gzip on HEAD requests in v2 endpoints
nginx's gzip module will ignore the content-length header on the HEAD request and try to gzip the body.... but there is no body, so it simply writes no header at all.

Code to turn this off was based off of https://trac.nginx.org/nginx/ticket/261
2017-05-03 18:27:45 -04:00
Jimmy Zelinskie
f6a785c1b5 conf/nginx: add cnr path 2017-03-23 13:06:22 -04:00
Joseph Schorr
dd35677712 Add configurable maximum layer size in nginx 2017-03-21 13:14:11 -04:00
Evan Cordell
41033ae05d fix typo 2017-02-23 19:03:26 -05:00
Evan Cordell
ecd441269b Pass host to apostille (required for k8s ingress) 2017-02-23 18:29:02 -05:00
Evan Cordell
16ec19d356 Add dnsmasq so nginx will allow an upstream service to not block startup 2017-02-23 14:38:16 -05:00
Evan Cordell
9affe193db Add support for tuf metadata endpoints 2017-02-23 14:38:16 -05:00
Jake Moshenko
51ba68d135 Configure nginx to gzip our svg and js files. 2016-11-29 09:30:52 -05:00
Joseph Schorr
2726405ea5 Enable full debuggable logs on non-proxy protocol nginx config
Fixes #2037
2016-11-28 16:29:35 -05:00
Joseph Schorr
5109f4a04e Change read timeout on WAMP to 5 min 2016-11-01 16:07:17 -04:00
Joseph Schorr
460137779f Switch proxy resolver to use the local resolv.conf values 2016-09-29 11:13:41 +02:00
Joseph Schorr
dd2e086a20 Add feature flag to force all direct download URLs to be proxied
Fixes #1667
2016-09-29 11:13:41 +02:00
Joseph Schorr
d34650976a Set the proxy_read_timeout for the builder web socket to be much higher
We rarely send data from the build manager to the builder, so this should make sure nginx doesn't accidentally kill the connection

Fixes #1782
2016-09-27 12:37:26 +02:00
Jimmy Zelinskie
46e11894d7 nginx: fix paths to stack 2016-08-13 13:53:04 -04:00
Jimmy Zelinskie
6a681bb748 move nginx 2016-08-10 16:14:54 -04:00