## Gunicorn backends for Quay: the web UI/API app, the registry (v1/v2 API) and
## the security-scanner proxy. All three are local unix sockets, so transport is
## plaintext and the only access control is the socket's filesystem permissions.
## NOTE(review): the socket directory should be reachable only by the nginx
## worker user and the gunicorn user — confirm on the host, it is not visible here.
upstream krdsh_quay_web {
    # fail_timeout=0: do not hold the backend as "unavailable" after a failed
    # attempt (gunicorn's recommended setting for a single-socket upstream)
    server unix:/home/user/quay-run/gunicorn_web.sock fail_timeout=0;
}

upstream krdsh_quay_registry {
    # see krdsh_quay_web for the fail_timeout=0 rationale
    server unix:/home/user/quay-run/gunicorn_registry.sock fail_timeout=0;
}

upstream krdsh_quay_secscan {
    # see krdsh_quay_web for the fail_timeout=0 rationale
    server unix:/home/user/quay-run/gunicorn_secscan.sock fail_timeout=0;
}
## Rate-limit key selection by transport.
##
## HTTP/1.x requests are keyed per client address in the *_http1_* zones.
## HTTP/2 and HTTP/3 requests are keyed per connection in the *_http2_* /
## *_http3_* zones (two maps below); in every zone that is NOT for their own
## transport they get a unique $request_id key so they are not double-counted.
##
## NOTE(review): a fresh $request_id is never shared between two requests, so
## wherever a map yields "$request_id" that zone effectively applies no limit.
## Per-connection keying for h2/h3 also means a client that opens N connections
## gets N times the budget — nothing in this file caps h2/h3 traffic per address.
map $http2:$http3 $krdsh_quay_http1_bucket {
    default $request_id;

    ## current instance is not behind LB/ingress,
    ## so $proxy_protocol_addr is meaningless
    # ":" $proxy_protocol_addr;
    ## neither $http2 nor $http3 is set -> plain HTTP/1.x: limit per client address
    ":" $remote_addr;
}

## HTTP/2: one bucket per TCP connection (all multiplexed streams share it);
## a request that is not h2 has an empty $http2 and gets a unique key instead.
map $http2 $krdsh_quay_http2_bucket {
    default $connection;

    "" $request_id;
}

## HTTP/3: one bucket per QUIC connection; non-h3 requests get a unique key.
map $http3 $krdsh_quay_http3_bucket {
    default $quic_connection;

    "" $request_id;
}
## First path segment ("namespace") of registry blob/manifest/tag requests,
## i.e. /v2/<ns>/<repo...>/{blobs,manifests,tags}/... -> <ns>; empty otherwise.
map $uri $krdsh_quay_namespace {
    default "";

    ~*^/v2/([^/]+)/.+/(?:blobs|manifests|tags)/ $1;
}

## use $request_id to remove (tight) request limit for the "k2" and "krd"
## namespaces: a per-request key is never shared, so those requests fall
## outside the limit in every *_ns_* zone.
##
## NOTE(review): the exemption is decided from the request path alone, before
## the registry has authenticated anything, so any client — including one that
## only ever receives 401s — can opt out of the blob/manifest/tag limits simply
## by prefixing its requests with /v2/k2/ or /v2/krd/. That is fine only if
## those namespaces are meant to be publicly unthrottled; otherwise key the
## exemption on something the client cannot choose.
map $krdsh_quay_namespace $krdsh_quay_http1_ns_bucket {
    default $krdsh_quay_http1_bucket;

    ~*^(?:k2|krd)$ $request_id;
}

map $krdsh_quay_namespace $krdsh_quay_http2_ns_bucket {
    default $krdsh_quay_http2_bucket;

    ~*^(?:k2|krd)$ $request_id;
}

map $krdsh_quay_namespace $krdsh_quay_http3_ns_bucket {
    default $krdsh_quay_http3_bucket;

    ~*^(?:k2|krd)$ $request_id;
}
## Frontend selection from the client-controlled "patternfly" cookie:
## "true" -> new (React) UI, anything else (including no cookie) -> old
## (Angular) UI. The value only decides what "location /" serves below;
## it is not used for anything else in this file.
map $cookie_patternfly $krdsh_quay_ui {
    # do not cache the result within a request (it is re-read after the
    # /react and /angular redirects change the cookie)
    volatile;

    default old;

    true new;
}
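## Rate-limit zones (10 MiB of shared memory each). The registry and API
## locations below apply all three transport zones of a tier; because of the
## bucket maps above a request is really counted only in the zone for its own
## transport (the other two see a unique $request_id key), so the rates here
## are the effective budget: per client address for HTTP/1.x, per connection
## for HTTP/2 and HTTP/3.

## /v2/auth throttle, keyed on the raw Authorization header.
## NOTE(review): this is one bucket per *credential*, not per client. A client
## that changes the header on every request (password spraying, token guessing)
## never shares a bucket, and a request with no Authorization header has an
## empty key, which nginx does not account at all — so it only slows replay of
## a single credential. The raw header (Basic user:password, bearer tokens) is
## also what gets stored in shared memory as the key. Keep it for the replay
## case, but pair it with the per-address zone that follows.
limit_req_zone $http_authorization zone=krdsh_quay_staticauth:10m rate=30r/s;
## Per-client-address budget for /v2/auth; apply it in that location with
## `limit_req zone=krdsh_quay_auth_addr burst=20 nodelay;`. 10r/s is a starting
## value — raise it if many CI runners share one NAT address.
limit_req_zone $binary_remote_addr zone=krdsh_quay_auth_addr:10m rate=10r/s;

## "light" tier: cheap registry calls (used by the /v2/ catch-all)
limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_light:10m rate=60r/s;
limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_light:10m rate=600r/s;
limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_light:10m rate=600r/s;
## *_ns_* variants use the namespace-aware key (k2/krd namespaces exempt);
## the light ones are defined but not applied anywhere in this file
limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_light:10m rate=60r/s;
limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_light:10m rate=600r/s;
limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_light:10m rate=600r/s;

## "medium" tier: blob and manifest traffic (only the *_ns_* variants are applied)
limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_medium:10m rate=50r/s;
limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_medium:10m rate=500r/s;
limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_medium:10m rate=500r/s;
limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_medium:10m rate=50r/s;
limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_medium:10m rate=500r/s;
limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_medium:10m rate=500r/s;

## "heavy" tier: /api/, /v2/_catalog, /v1/ (plain) and tag listing (*_ns_*)
limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_heavy:10m rate=5r/s;
limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_heavy:10m rate=50r/s;
limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_heavy:10m rate=50r/s;
limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_heavy:10m rate=5r/s;
limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_heavy:10m rate=50r/s;
limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_heavy:10m rate=50r/s;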
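## Plain-HTTP listener: serves nothing except a redirect to HTTPS.
server {
    server_name quay.krd.sh;

    include snip.d/listen-http;

    access_log off;
    log_not_found off;

    # nothing is ever served from disk on this listener
    root /var/www/empty;

    include snip.d/https-alt-svc;
    include snip.d/http-base-security-headers;

    # one request per connection; the client is being sent to HTTPS anyway
    keepalive_timeout 0;

    include snip.d/empty-favicon;

    location / {
        # Redirect with $request_uri (the raw, still percent-encoded request
        # target) rather than $uri$is_args$args: $uri is the normalized, decoded
        # path, so re-emitting it in Location rewrites the request (e.g. "%2F"
        # becomes "/") and can break escaped path components a registry client
        # built deliberately. $host is the client-sent Host header; that is
        # acceptable only because this server answers for its explicit
        # server_name — if snip.d/listen-http made it default_server, use
        # $server_name here to avoid reflecting arbitrary Host values.
        return 301 https://$host$request_uri;
    }
}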
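## HTTPS front for Quay. Anything not matched by a more specific location is
## the UI: either the old Angular app proxied to gunicorn or the static React
## bundle, chosen by $krdsh_quay_ui (the "patternfly" cookie).
server {
    server_name quay.krd.sh;

    include snip.d/listen-https;
    include snip.d/ssl-krd.sh;

    access_log off;
    log_not_found off;

    # server-level root is an empty directory; every location that serves
    # files sets its own root explicitly
    root /var/www/empty;

    # NOTE(review): add_header directives are inherited by a location only if
    # that location defines none of its own, so the headers from this snippet
    # are silently dropped in /angular, /react and /v1/_ping below. Each of
    # those re-includes the snippet for that reason (this assumes the snippet
    # holds only directives valid in location context — check with nginx -t).
    include snip.d/http-base-security-headers;
    include snip.d/proxy-common-headers;
    include snip.d/proxy-accept-encoding;
    include snip.d/proxy-connection-close;
    include snip.d/proxy-early-data;

    proxy_set_header Host $host;
    # Inherited from the upstream Quay config. nginx normally frames the upstream
    # request body itself (Content-Length, or its own chunked encoding when the
    # body is streamed) instead of passing the client's Transfer-Encoding; this
    # line overrides that and forwards the client value verbatim. In any
    # location that buffers the request body (everything here except the
    # blob / v1 upload paths and /realtime, which set proxy_request_buffering
    # off), a client-sent "Transfer-Encoding: chunked" can therefore reach
    # gunicorn next to an nginx-computed Content-Length over a de-chunked body
    # — the CL/TE ambiguity that request-smuggling attacks rely on. Whether the
    # body is streamed at all also depends on proxy_http_version, which is set
    # (or not) in the snippets above, not visible here.
    # NOTE(review): confirm the gunicorn version in use rejects requests that
    # carry both headers, or scope this directive to the unbuffered upload
    # locations only.
    proxy_set_header Transfer-Encoding $http_transfer_encoding;

    # rewrite backend-issued absolute redirects (any scheme/port) to canonical https
    proxy_redirect ~*^https?://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;

    # error_page takes a URI, not a filesystem path. The previous value was the
    # absolute path of 502.html, which nginx treated as a URI under "location /"
    # and handed to the very backend that just failed, so the page never
    # appeared. "/static/502.html" resolves through "location /static/" to
    # /home/user/quay-run-static/static/502.html.
    error_page 502 /static/502.html;

    location /static/ {
        root /home/user/quay-run-static;

        expires 1d;

        gzip_static on;
        brotli_static on;
        zstd_static on;

        # unknown static asset: hand off to "/404", which "location /" handles
        error_page 404 /404;
    }

    # UI entry point; which frontend answers is decided by $krdsh_quay_ui.
    location / {
        root /home/user/quay-run-static/static/patternfly;
        index index.html;

        gzip_static on;
        brotli_static on;
        zstd_static on;

        # old (Angular) UI is rendered by the web app itself
        if ($krdsh_quay_ui = "old") {
            proxy_pass http://krdsh_quay_web;
        }
        # new (React) UI is a static single-page bundle: client-side routes
        # map onto index.html, everything else is looked up in the bundle root
        # (and 404s if absent; it is never proxied)
        if ($krdsh_quay_ui = "new") {
            rewrite ^/(?:overview|organization|repository|tag) /index.html break;
        }
    }

    location /angular {
        # Expire cookie and switch to old UI.
        # re-included: a local add_header suppresses the server-level headers
        include snip.d/http-base-security-headers;
        add_header Set-Cookie "patternfly=deleted; path=/; Secure; Expires=Thu, Jan 01 1970 00:00:00 UTC";
        return 302 /$is_args$args;
    }

    location /react {
        # Set cookie and switch to new UI. Only a UI preference, but the site
        # is HTTPS-only, so mark it Secure as well as HttpOnly/SameSite.
        # re-included: a local add_header suppresses the server-level headers
        include snip.d/http-base-security-headers;
        add_header Set-Cookie "patternfly=true; path=/; SameSite=Lax; Secure; HttpOnly;" always;
        return 302 /$is_args$args;
    }

    # rate-limited requests get 429 (not the default 503) and are logged at warn
    limit_req_status 429;
    limit_req_log_level warn;

    # Temporarily force signin for old and new UI to route to web app
    location /signin {
        # trailing slash on proxy_pass: the "/signin" prefix becomes "/" upstream
        proxy_pass http://krdsh_quay_web/;
    }

    # Capture traffic that needs to go to web_app, see /web.py
    # (".well-known" is escaped: an unescaped dot matched any character)
    location ~* ^/(?:config|csrf_token|oauth1|oauth2|webhooks|keys|\.well-known|customtrigger|userfiles/) {
        proxy_pass http://krdsh_quay_web;
    }

    # Capture old UI paths that aren't present in new UI
    location ~* ^/(?:user/|search) {
        proxy_pass http://krdsh_quay_web;
    }

    location /push {
        proxy_pass http://krdsh_quay_web;

        client_max_body_size 5M;
    }

    # long-lived responses: never buffer in either direction
    location /realtime {
        proxy_pass http://krdsh_quay_web;

        proxy_buffering off;
        proxy_request_buffering off;
    }

    location /secscan/ {
        proxy_pass http://krdsh_quay_secscan;
    }

    # location ~ ^/v2/.+/_trust/tuf/ {
    #     proxy_pass https://tuf.krd.sh$uri;
    #
    #     include snip.d/proxy-common-headers;
    #     include snip.d/proxy-accept-encoding;
    #     include snip.d/proxy-connection-close;
    #     include snip.d/proxy-early-data;
    #
    #     proxy_set_header Host tuf.krd.sh;
    # }

    location /api/ {
        proxy_pass http://krdsh_quay_web;

        limit_req zone=krdsh_quay_http1_heavy burst=25 nodelay;
        limit_req zone=krdsh_quay_http2_heavy burst=100 nodelay;
        limit_req zone=krdsh_quay_http3_heavy burst=100 nodelay;

        keepalive_timeout 0;
    }

    # longest prefix wins, so the superuser-config endpoint does NOT get the
    # /api/ rate limits above — it only gets the long read timeout
    location /api/suconfig {
        proxy_pass http://krdsh_quay_web;

        proxy_read_timeout 2000;
    }

    ## Docker Registry V2

    # token endpoint: clients present Basic credentials or a bearer token
    location = /v2/auth {
        proxy_pass http://krdsh_quay_registry;

        # NOTE(review): this zone is keyed on the Authorization header value,
        # so it only throttles replays of one credential. A client that varies
        # the credential (password spraying) or sends none at all gets a fresh
        # or empty key every time and is never limited here. Add a
        # $binary_remote_addr-keyed zone in the http context and apply it in
        # this location alongside this one.
        limit_req zone=krdsh_quay_staticauth burst=10 nodelay;

        keepalive_timeout 0;
    }

    # repository listing: expensive on the backend, so short timeout and
    # the tightest burst
    location ~* ^/v2/_catalog {
        proxy_pass http://krdsh_quay_registry;

        proxy_read_timeout 10;
        keepalive_timeout 0;

        limit_req zone=krdsh_quay_http1_heavy burst=1 nodelay;
        limit_req zone=krdsh_quay_http2_heavy burst=5 nodelay;
        limit_req zone=krdsh_quay_http3_heavy burst=5 nodelay;
    }

    # layer download/upload: streamed unbuffered, up to 10 GiB per request
    location ~* ^/v2/.+/blobs/ {
        proxy_pass http://krdsh_quay_registry;

        # if ($request_method = HEAD) {
        #     gzip off;
        #     brotli off;
        #     zstd off;
        # }

        proxy_buffering off;
        proxy_request_buffering off;

        proxy_read_timeout 2000;
        proxy_send_timeout 2000;

        client_max_body_size 10240M;
        http2_chunk_size 32k;

        # *_ns_* zones: the k2/krd namespaces are exempt (see the namespace maps)
        limit_req zone=krdsh_quay_http1_ns_medium burst=50 nodelay;
        limit_req zone=krdsh_quay_http2_ns_medium burst=100 nodelay;
        limit_req zone=krdsh_quay_http3_ns_medium burst=100 nodelay;

        keepalive_timeout 0;
    }

    # tag listing: heavy tier, namespace-aware
    location ~* ^/v2/.+/tags/ {
        proxy_pass http://krdsh_quay_registry;

        limit_req zone=krdsh_quay_http1_ns_heavy burst=2 nodelay;
        limit_req zone=krdsh_quay_http2_ns_heavy burst=2 nodelay;
        limit_req zone=krdsh_quay_http3_ns_heavy burst=2 nodelay;

        keepalive_timeout 0;
    }

    # manifest get/put: medium tier, namespace-aware
    location ~* ^/v2/.+/manifests/ {
        proxy_pass http://krdsh_quay_registry;

        limit_req zone=krdsh_quay_http1_ns_medium burst=10 nodelay;
        limit_req zone=krdsh_quay_http2_ns_medium burst=50 nodelay;
        limit_req zone=krdsh_quay_http3_ns_medium burst=50 nodelay;

        keepalive_timeout 0;
    }

    # everything else under /v2/ (version check, upload session bookkeeping, ...)
    location /v2/ {
        proxy_pass http://krdsh_quay_registry;

        # if ($request_method = HEAD) {
        #     gzip off;
        #     brotli off;
        #     zstd off;
        # }

        limit_req zone=krdsh_quay_http1_light burst=20 nodelay;
        limit_req zone=krdsh_quay_http2_light burst=80 nodelay;
        limit_req zone=krdsh_quay_http3_light burst=80 nodelay;

        keepalive_timeout 0;
    }

    ## Docker Registry V1
    ## KrD: seems to be legacy

    location /v1/ {
        proxy_pass http://krdsh_quay_registry;

        proxy_buffering off;
        proxy_request_buffering off;

        client_max_body_size 10240M;

        limit_req zone=krdsh_quay_http1_heavy burst=5 nodelay;
        limit_req zone=krdsh_quay_http2_heavy burst=25 nodelay;
        limit_req zone=krdsh_quay_http3_heavy burst=25 nodelay;

        keepalive_timeout 0;
    }

    # static v1 ping answer; the registry backend is never asked
    location = /v1/_ping {
        default_type text/plain;

        # re-included: the local add_header lines would otherwise drop the
        # server-level security headers
        include snip.d/http-base-security-headers;
        add_header X-Docker-Registry-Version 0.6.0;
        add_header X-Docker-Registry-Standalone 0;

        return 200 "true";
    }
}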