# vim: ft=nginx server_name _; keepalive_timeout 5; if ($host = "www.quay.io") { return 301 $proper_scheme://quay.io$request_uri; } # Disable the ability to be embedded into iframes add_header X-Frame-Options DENY; # Proxy Headers proxy_set_header X-Forwarded-For $proper_forwarded_for; proxy_set_header X-Forwarded-Proto $proper_scheme; proxy_set_header Host $host; proxy_redirect off; proxy_set_header Transfer-Encoding $http_transfer_encoding; location / { proxy_pass http://web_app_server; } location /realtime { proxy_pass http://web_app_server; proxy_buffering off; proxy_request_buffering off; } location ~ ^/_storage_proxy/([^/]+)/([^/]+)/([^/]+)/(.+) { include resolver.conf; auth_request /_storage_proxy_auth; proxy_pass $2://$3/$4$is_args$args; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $3; add_header Host $3; proxy_buffering off; proxy_request_buffering off; proxy_read_timeout 60s; } location = /_storage_proxy_auth { proxy_pass http://web_app_server; proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header X-Original-URI $request_uri; proxy_read_timeout 10; } # At the begining and end of a push/pull, (/v1/repositories|/v2/auth/) is hit by the Docker # client. By rate-limiting just this endpoint, we can avoid accidentally # blocking pulls/pushes for images with many layers. location ~ ^/(v1/repositories|v2/auth)/ { proxy_buffering off; proxy_request_buffering off; proxy_pass http://registry_app_server; proxy_read_timeout 2000; proxy_temp_path /tmp 1 2; limit_req zone=repositories burst=10; } location ~ ^/v2/_catalog(.*)$ { proxy_pass http://registry_app_server; proxy_read_timeout 10; limit_req zone=catalog burst=5; } location /secscan/ { proxy_pass http://jwtproxy_secscan; } {% if signing_enabled %} location ~ ^/v2/(.+)/_trust/tuf/(.*)$ { set $upstream_tuf {{ tuf_server }}; proxy_pass $upstream_tuf$uri; proxy_set_header Host "{{ tuf_host }}"; } {% endif %} location ~ ^/cnr { proxy_buffering off; proxy_request_buffering off; proxy_pass http://registry_app_server; proxy_read_timeout 120; proxy_temp_path /tmp 1 2; limit_req zone=repositories burst=10; } location ~ ^/api { proxy_pass http://web_app_server; limit_req zone=api burst=25; } location ~ ^/api/suconfig { proxy_pass http://web_app_server; # For suconfig, set our read timeout as super large for both DB migrations # and awaiting for secrets to be updated. proxy_read_timeout 2000; } location ~ ^/v2 { # If we're being accessed via v1.quay.io, pretend we don't support v2. if ($host = "v1.quay.io") { return 404; } if ($request_method = HEAD ) { gzip off; } # Setting ANY header clears all inherited proxy_set_header directives proxy_set_header X-Forwarded-For $proper_forwarded_for; proxy_set_header X-Forwarded-Proto $proper_scheme; proxy_set_header Host $host; proxy_buffering off; proxy_request_buffering off; proxy_read_timeout 2000; proxy_http_version 1.1; proxy_pass http://registry_app_server; proxy_temp_path /tmp 1 2; client_max_body_size {{ maximum_layer_size }}; limit_req zone=registry burst=100; } location ~ ^/v1 { # Setting ANY header clears all inherited proxy_set_header directives proxy_set_header X-Forwarded-For $proper_forwarded_for; proxy_set_header X-Forwarded-Proto $proper_scheme; proxy_set_header Host $host; proxy_buffering off; proxy_request_buffering off; proxy_http_version 1.1; proxy_pass http://registry_app_server; proxy_temp_path /tmp 1 2; client_max_body_size {{ maximum_layer_size }}; limit_req zone=registry burst=100; } location /v1/_ping { add_header Content-Type text/plain; add_header X-Docker-Registry-Version 0.6.0; add_header X-Docker-Registry-Standalone 0; return 200 'true'; } location /c1/ { proxy_buffering off; proxy_request_buffering off; proxy_pass http://verbs_app_server; proxy_temp_path /tmp 1 2; limit_req zone=verbs burst=10; } location /static/ { # checks for static file, if not found proxy to app alias {{static_dir}}/; error_page 404 /404; } error_page 502 {{static_dir}}/502.html; location ~ ^/b1/controller(/?)(.*) { proxy_pass http://build_manager_controller_server/$2; } location ~ ^/b1/socket(/?)(.*) { proxy_pass http://build_manager_websocket_server/$2; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_read_timeout 300; }