109bda3a6a
This will allow us to upgrade our cluster to the new SSL certificate, while still serving the older one for older clients
205 lines
4.7 KiB
Nginx Configuration File
205 lines
4.7 KiB
Nginx Configuration File
# vim: ft=nginx
|
|
|
|
keepalive_timeout 5;
|
|
|
|
if ($host = "www.quay.io") {
|
|
return 301 $proper_scheme://quay.io$request_uri;
|
|
}
|
|
|
|
# Disable the ability to be embedded into iframes
|
|
add_header X-Frame-Options DENY;
|
|
|
|
|
|
# Proxy Headers
|
|
proxy_set_header X-Forwarded-For $proper_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $proper_scheme;
|
|
proxy_set_header Host $host;
|
|
proxy_redirect off;
|
|
|
|
proxy_set_header Transfer-Encoding $http_transfer_encoding;
|
|
|
|
location / {
|
|
proxy_pass http://web_app_server;
|
|
}
|
|
|
|
location /realtime {
|
|
proxy_pass http://web_app_server;
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location ~ ^/_storage_proxy/([^/]+)/([^/]+)/([^/]+)/(.+) {
|
|
include resolver.conf;
|
|
|
|
auth_request /_storage_proxy_auth;
|
|
|
|
proxy_pass $2://$3/$4$is_args$args;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header Host $3;
|
|
|
|
add_header Host $3;
|
|
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
|
|
proxy_read_timeout 60s;
|
|
}
|
|
|
|
location = /_storage_proxy_auth {
|
|
proxy_pass http://web_app_server;
|
|
proxy_pass_request_body off;
|
|
proxy_set_header Content-Length "";
|
|
|
|
proxy_set_header X-Original-URI $request_uri;
|
|
|
|
proxy_read_timeout 10;
|
|
}
|
|
|
|
# At the begining and end of a push/pull, (/v1/repositories|/v2/auth/) is hit by the Docker
|
|
# client. By rate-limiting just this endpoint, we can avoid accidentally
|
|
# blocking pulls/pushes for images with many layers.
|
|
location ~ ^/(v1/repositories|v2/auth)/ {
|
|
proxy_buffering off;
|
|
|
|
proxy_request_buffering off;
|
|
|
|
proxy_pass http://registry_app_server;
|
|
proxy_read_timeout 2000;
|
|
proxy_temp_path /tmp 1 2;
|
|
|
|
limit_req zone=repositories burst=10;
|
|
}
|
|
|
|
location ~ ^/v2/_catalog(.*)$ {
|
|
proxy_pass http://registry_app_server;
|
|
proxy_read_timeout 10;
|
|
limit_req zone=catalog burst=5;
|
|
}
|
|
|
|
location /secscan/ {
|
|
proxy_pass http://jwtproxy_secscan;
|
|
}
|
|
|
|
{% if signing_enabled %}
|
|
location ~ ^/v2/(.+)/_trust/tuf/(.*)$ {
|
|
set $upstream_tuf {{ tuf_server }};
|
|
proxy_pass $upstream_tuf$uri;
|
|
proxy_set_header Host "{{ tuf_host }}";
|
|
}
|
|
{% endif %}
|
|
|
|
location ~ ^/cnr {
|
|
proxy_buffering off;
|
|
|
|
proxy_request_buffering off;
|
|
|
|
proxy_pass http://registry_app_server;
|
|
proxy_read_timeout 120;
|
|
proxy_temp_path /tmp 1 2;
|
|
|
|
limit_req zone=repositories burst=10;
|
|
}
|
|
|
|
location ~ ^/api {
|
|
proxy_pass http://web_app_server;
|
|
limit_req zone=api burst=25;
|
|
}
|
|
|
|
location ~ ^/api/suconfig {
|
|
proxy_pass http://web_app_server;
|
|
|
|
# For suconfig, set our read timeout as super large for both DB migrations
|
|
# and awaiting for secrets to be updated.
|
|
proxy_read_timeout 2000;
|
|
}
|
|
|
|
location ~ ^/v2 {
|
|
# If we're being accessed via v1.quay.io, pretend we don't support v2.
|
|
if ($host = "v1.quay.io") {
|
|
return 404;
|
|
}
|
|
|
|
if ($request_method = HEAD ) {
|
|
gzip off;
|
|
}
|
|
|
|
# Setting ANY header clears all inherited proxy_set_header directives
|
|
proxy_set_header X-Forwarded-For $proper_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $proper_scheme;
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_buffering off;
|
|
|
|
proxy_request_buffering off;
|
|
|
|
proxy_read_timeout 2000;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_pass http://registry_app_server;
|
|
proxy_temp_path /tmp 1 2;
|
|
|
|
client_max_body_size {{ maximum_layer_size }};
|
|
|
|
limit_req zone=registry burst=100;
|
|
}
|
|
|
|
location ~ ^/v1 {
|
|
# Setting ANY header clears all inherited proxy_set_header directives
|
|
proxy_set_header X-Forwarded-For $proper_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $proper_scheme;
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_buffering off;
|
|
|
|
proxy_request_buffering off;
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_pass http://registry_app_server;
|
|
proxy_temp_path /tmp 1 2;
|
|
|
|
client_max_body_size {{ maximum_layer_size }};
|
|
|
|
limit_req zone=registry burst=100;
|
|
}
|
|
|
|
location /v1/_ping {
|
|
add_header Content-Type text/plain;
|
|
add_header X-Docker-Registry-Version 0.6.0;
|
|
add_header X-Docker-Registry-Standalone 0;
|
|
return 200 'true';
|
|
}
|
|
|
|
location /c1/ {
|
|
proxy_buffering off;
|
|
|
|
proxy_request_buffering off;
|
|
|
|
proxy_pass http://verbs_app_server;
|
|
proxy_temp_path /tmp 1 2;
|
|
|
|
limit_req zone=verbs burst=10;
|
|
}
|
|
|
|
location /static/ {
|
|
# checks for static file, if not found proxy to app
|
|
alias {{static_dir}}/;
|
|
error_page 404 /404;
|
|
}
|
|
|
|
error_page 502 {{static_dir}}/502.html;
|
|
|
|
location ~ ^/b1/controller(/?)(.*) {
|
|
proxy_pass http://build_manager_controller_server/$2;
|
|
}
|
|
|
|
location ~ ^/b1/socket(/?)(.*) {
|
|
proxy_pass http://build_manager_websocket_server/$2;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_read_timeout 300;
|
|
}
|