From 35c4aa99dabec7473ad9a640480dde51ef5064ee Mon Sep 17 00:00:00 2001
From: Konstantin Demin
Date: Tue, 7 May 2024 17:19:47 +0300
Subject: [PATCH] quay: rework
---
 site.avail/http-quay.krd.sh.conf | 221 ++++++++++++++++---------------
 1 file changed, 114 insertions(+), 107 deletions(-)
diff --git a/site.avail/http-quay.krd.sh.conf b/site.avail/http-quay.krd.sh.conf
index b3ab68e..c380e57 100644
--- a/site.avail/http-quay.krd.sh.conf
+++ b/site.avail/http-quay.krd.sh.conf
@@ -1,11 +1,11 @@
 upstream krdsh_quay_web {
- server unix:/home/user/quay-run-web/gunicorn_web.sock fail_timeout=0;
+ server unix:/home/user/quay-run/gunicorn_web.sock fail_timeout=0;
 }
 upstream krdsh_quay_registry {
- server unix:/home/user/quay-run-registry/gunicorn_registry.sock fail_timeout=0;
+ server unix:/home/user/quay-run/gunicorn_registry.sock fail_timeout=0;
 }
 upstream krdsh_quay_secscan {
- server unix:/home/user/quay-run-secscan/gunicorn_secscan.sock fail_timeout=0;
+ server unix:/home/user/quay-run/gunicorn_secscan.sock fail_timeout=0;
 }
 map $http2:$http3
@@ -40,33 +40,30 @@ map $uri {
 default "";
- # ~*^/v2/([^/]+)(?:/[^/]+)+/blobs/ $1;
- # ~*^/v2/([^/]+)/[^/]+/tags/ $1;
- # ~*^/v2/([^/]+)/[^/]+/manifests/ $1;
- ~*^/v2/([^/]+)(?:/[^/]+)+/(?:blobs|manifests|tags)/ $1;
+ ~*^/v2/([^/]+)/.+/(?:blobs|manifests|tags)/ $1;
 }
-## use $request_id to remove request limit
+## use $request_id to remove (tight) request limit
 map $krdsh_quay_namespace $krdsh_quay_http1_ns_bucket {
 default $krdsh_quay_http1_bucket;
- # ~*^(?:k2|krd)$ $request_id;
+ ~*^(?:k2|krd)$ $request_id;
 }
 map $krdsh_quay_namespace $krdsh_quay_http2_ns_bucket {
 default $krdsh_quay_http2_bucket;
- # ~*^(?:k2|krd)$ $request_id;
+ ~*^(?:k2|krd)$ $request_id;
 }
 map $krdsh_quay_namespace $krdsh_quay_http3_ns_bucket {
 default $krdsh_quay_http3_bucket;
- # ~*^(?:k2|krd)$ $request_id;
+ ~*^(?:k2|krd)$ $request_id;
 }
 map $cookie_patternfly
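Review bot: The uncommented `~*^(?:k2|krd)$ $request_id;` rows switch the `*_ns_bucket` limiters off for those namespaces, and `$krdsh_quay_namespace` is derived purely from `$uri` by the `map $uri` regex in this same hunk, so the exemption is decided by a client-chosen path segment rather than by who the requester is: a request for any repository under `/v2/krd/…` (in any letter case, since the map uses `~*`) passes the limiter and is only refused later by the registry's own authorization. Keeping a client-keyed limiter as a floor in the blobs/manifests/tags locations, or binding the exemption to something the client cannot pick, would close that gap. Note also that a `$request_id`-keyed zone stores a fresh entry for every request, so the 10m `*_ns_*` zones churn far faster than under their default key. `$krdsh_quay_http1_bucket` and the other defaults are defined outside this hunk, so whether they are address-keyed is inferred, not visible.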
@@ -78,28 +75,28 @@ map $cookie_patternfly
 true new;
 }
-limit_req_zone $http_authorization zone=krdsh_quay_staticauth:10m rate=30r/s;
+limit_req_zone $http_authorization zone=krdsh_quay_staticauth:10m rate=30r/s;
-limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_light:10m rate=60r/s;
-limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_light:10m rate=600r/s;
-limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_light:10m rate=600r/s;
-limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_light:10m rate=60r/s;
-limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_light:10m rate=600r/s;
-limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_light:10m rate=600r/s;
+limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_light:10m rate=60r/s;
+limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_light:10m rate=600r/s;
+limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_light:10m rate=600r/s;
+limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_light:10m rate=60r/s;
+limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_light:10m rate=600r/s;
+limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_light:10m rate=600r/s;
-limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_medium:10m rate=50r/s;
-limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_medium:10m rate=500r/s;
-limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_medium:10m rate=500r/s;
-limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_medium:10m rate=50r/s;
-limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_medium:10m rate=500r/s;
-limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_medium:10m rate=500r/s;
+limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_medium:10m rate=50r/s;
+limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_medium:10m rate=500r/s;
+limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_medium:10m rate=500r/s;
+limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_medium:10m rate=50r/s;
+limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_medium:10m rate=500r/s;
+limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_medium:10m rate=500r/s;
-limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_heavy:10m rate=5r/s;
-limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_heavy:10m rate=50r/s;
-limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_heavy:10m rate=50r/s;
-limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_heavy:10m rate=5r/s;
-limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_heavy:10m rate=50r/s;
-limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_heavy:10m rate=50r/s;
+limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_heavy:10m rate=5r/s;
+limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_heavy:10m rate=50r/s;
+limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_heavy:10m rate=50r/s;
+limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_heavy:10m rate=5r/s;
+limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_heavy:10m rate=50r/s;
+limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_heavy:10m rate=50r/s;
 server {
 server_name quay.krd.sh;
@@ -135,21 +132,23 @@ server {
 root /var/www/empty;
 include snip.d/http-base-security-headers;
- include snip.d/proxy-common-headers;
 include snip.d/proxy-accept-encoding;
- include snip.d/proxy-connection-keepalive;
+ include snip.d/proxy-connection-close;
 include snip.d/proxy-early-data;
+ proxy_set_header Host $host;
 proxy_set_header Transfer-Encoding $http_transfer_encoding;
- proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
+ proxy_redirect ~*^https?://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
 error_page 502 /home/user/quay-run-static/static/502.html;
 location /static/ {
 root /home/user/quay-run-static;
+ expires 1d;
+ gzip_static on;
 brotli_static on;
 zstd_static on;
@@ -161,12 +160,16 @@ server {
 root /home/user/quay-run-static/static/patternfly;
 index index.html;
+ gzip_static on;
+ brotli_static on;
+ zstd_static on;
+
 if ($krdsh_quay_ui = "old") {
 proxy_pass http://krdsh_quay_web;
 }
 if ($krdsh_quay_ui = "new") {
 rewrite
- ^(?:/overview|/organization|/repository|/tag)
+ ^/(?:overview|organization|repository|tag)
 /index.html break;
 }
@@ -193,12 +196,12 @@ server {
 }
 # Capture traffic that needs to go to web_app, see /web.py
- location ~* ^(?:/config|/csrf_token|/oauth1|/oauth2|/webhooks|/keys|/.well-known|/customtrigger|/userfiles/) {
+ location ~* ^/(?:config|csrf_token|oauth1|oauth2|webhooks|keys|.well-known|customtrigger|userfiles/) {
 proxy_pass http://krdsh_quay_web;
 }
 # Capture old UI paths that aren't present in new UI
- location ~* ^(?:/user/|/search) {
+ location ~* ^/(?:user/|search) {
 proxy_pass http://krdsh_quay_web;
 }
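Review bot: `proxy_set_header Transfer-Encoding $http_transfer_encoding;` (context here, and after this hunk the only body-framing header set by hand) overrides nginx's default of emitting Transfer-Encoding only when it chunks the body itself, so a request whose body nginx has already buffered and framed with Content-Length can still reach gunicorn carrying the client's `Transfer-Encoding: chunked`; proxy and upstream may then disagree on where the body ends, which is the classic precondition for request desynchronisation. If the line is carried over from Quay's reference nginx config, scoping it to the unbuffered blob-upload location (and repeating `proxy_set_header Host $host;` there, since a location's own `proxy_set_header` disables inheritance) keeps the behaviour only where it is needed. Separately, the regex form of `proxy_redirect` compiles the pattern as a plain regular expression, so `$host` in `~*^https?://$host(?:|:[0-9]+)/(.*)$` is read as an end-of-string anchor followed by the literal `host` rather than the request host, and as far as I can tell the rewrite never fires; the variable-aware prefix form `proxy_redirect http://$host/ https://$host/;` covers the scheme case. Dropping `snip.d/proxy-common-headers` also means that, unless its headers are set elsewhere, the upstream no longer receives the client address or scheme, which affects Quay's own logging and URL generation. The enclosing server block starts and ends outside the hunk.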
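Review bot: In the rewritten web_app `location ~*` regex, `.well-known` leaves the dot unescaped so it matches any single character, and the alternatives carry no trailing boundary, so paths such as `/configure` or `/keystone` also route to `krdsh_quay_web`; the old line had the same unescaped dot, but since the commit rewrites the expression it is the right moment to fix it. Suggested: `location ~* ^/(?:config|csrf_token|oauth1|oauth2|webhooks|keys|\.well-known|customtrigger|userfiles/) {`. The same looseness applies to `^/(?:user/|search)` just below, where `/searchable` also matches; if these are meant as whole path segments, anchor each alternative that does not already end in a slash with `(?:/|$)`.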
@@ -219,8 +222,15 @@ server {
 proxy_pass http://krdsh_quay_secscan;
 }
- # location ~ ^/v2/(?:.+)/_trust/tuf/ {
- # proxy_pass http://tuf.krd.sh$uri;
+ # location ~ ^/v2/.+/_trust/tuf/ {
+ # proxy_pass https://tuf.krd.sh$uri;
+ #
+ # include snip.d/proxy-common-headers;
+ # include snip.d/proxy-accept-encoding;
+ # include snip.d/proxy-connection-close;
+ # include snip.d/proxy-early-data;
+ #
+ # proxy_set_header Host tuf.krd.sh;
 # }
 location /api/ {
@@ -241,7 +251,71 @@ server {
 ## Docker Registry V2
- location ~ ^/v2 {
+ location = /v2/auth {
+ proxy_pass http://krdsh_quay_registry;
+
+ limit_req zone=krdsh_quay_staticauth burst=10 nodelay;
+
+ keepalive_timeout 0;
+ }
+
+ location ~* ^/v2/_catalog {
+ proxy_pass http://krdsh_quay_registry;
+
+ proxy_read_timeout 10;
+ keepalive_timeout 0;
+
+ limit_req zone=krdsh_quay_http1_heavy burst=1 nodelay;
+ limit_req zone=krdsh_quay_http2_heavy burst=5 nodelay;
+ limit_req zone=krdsh_quay_http3_heavy burst=5 nodelay;
+ }
+
+ location ~* ^/v2/.+/blobs/ {
+ proxy_pass http://krdsh_quay_registry;
+
+ # if ($request_method = HEAD) {
+ # gzip off;
+ # brotli off;
+ # zstd off;
+ # }
+
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ proxy_read_timeout 2000;
+ proxy_send_timeout 2000;
+
+ client_max_body_size 10240M;
+ http2_chunk_size 32k;
+
+ limit_req zone=krdsh_quay_http1_ns_medium burst=50 nodelay;
+ limit_req zone=krdsh_quay_http2_ns_medium burst=100 nodelay;
+ limit_req zone=krdsh_quay_http3_ns_medium burst=100 nodelay;
+
+ keepalive_timeout 0;
+ }
+
+ location ~* ^/v2/.+/tags/ {
+ proxy_pass http://krdsh_quay_registry;
+
+ limit_req zone=krdsh_quay_http1_ns_heavy burst=2 nodelay;
+ limit_req zone=krdsh_quay_http2_ns_heavy burst=2 nodelay;
+ limit_req zone=krdsh_quay_http3_ns_heavy burst=2 nodelay;
+
+ keepalive_timeout 0;
+ }
+
+ location ~* ^/v2/.+/manifests/ {
+ proxy_pass http://krdsh_quay_registry;
+
+ limit_req zone=krdsh_quay_http1_ns_medium burst=10 nodelay;
+ limit_req zone=krdsh_quay_http2_ns_medium burst=50 nodelay;
+ limit_req zone=krdsh_quay_http3_ns_medium burst=50 nodelay;
+
+ keepalive_timeout 0;
+ }
+
+ location /v2/ {
 proxy_pass http://krdsh_quay_registry;
 # if ($request_method = HEAD) {
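Review bot: `location = /v2/auth` raises the burst to 10, but its only limiter, `krdsh_quay_staticauth`, is keyed by `$http_authorization` (the zone is defined in the limit_req_zone hunk above), so the token endpoint is throttled per distinct credential rather than per client: a request without an Authorization header has an empty key, which nginx does not account at all, and every different header value gets its own 30r/s budget, which is no obstacle to credential-stuffing against the login endpoint. A client-keyed floor next to it, for example the three `limit_req zone=krdsh_quay_http1_heavy burst=5 nodelay;` / `..._http2_heavy burst=25 ...` / `..._http3_heavy ...` lines the V1 block uses, would bound that traffic per client (assuming the `*_bucket` keys are address-based; they are defined outside this patch). Also, `location /v2/` no longer matches a bare `/v2` as the old `~ ^/v2` did, so a version probe without the trailing slash now falls through to whatever location matches next. The `location /v2/` block continues outside the hunk.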
@@ -257,70 +331,6 @@ server {
 keepalive_timeout 0;
 }
- location = /v2/auth {
- proxy_pass http://krdsh_quay_registry;
-
- limit_req zone=krdsh_quay_staticauth burst=2 nodelay;
-
- keepalive_timeout 0;
- }
-
- location ~ ^/v2/_catalog(?:.*)$ {
- proxy_pass http://krdsh_quay_registry;
-
- proxy_read_timeout 10;
- keepalive_timeout 0;
-
- limit_req zone=krdsh_quay_http1_heavy burst=1 nodelay;
- limit_req zone=krdsh_quay_http2_heavy burst=5 nodelay;
- limit_req zone=krdsh_quay_http3_heavy burst=5 nodelay;
- }
-
- location ~ ^/v2/(?:[^/]+)(?:/[^/]+)+/blobs/ {
- proxy_pass http://krdsh_quay_registry;
-
- # if ($request_method = HEAD) {
- # gzip off;
- # brotli off;
- # zstd off;
- # }
-
- proxy_buffering off;
- proxy_request_buffering off;
-
- proxy_read_timeout 2000;
- proxy_send_timeout 2000;
-
- client_max_body_size 20g;
- http2_chunk_size 32k;
-
- limit_req zone=krdsh_quay_http1_ns_medium burst=50 nodelay;
- limit_req zone=krdsh_quay_http2_ns_medium burst=100 nodelay;
- limit_req zone=krdsh_quay_http3_ns_medium burst=100 nodelay;
-
- keepalive_timeout 0;
- }
-
- location ~ ^/v2/(?:[^/]+)/[^/]+/tags/ {
- proxy_pass http://krdsh_quay_registry;
-
- limit_req zone=krdsh_quay_http1_ns_heavy burst=2 nodelay;
- limit_req zone=krdsh_quay_http2_ns_heavy burst=2 nodelay;
- limit_req zone=krdsh_quay_http3_ns_heavy burst=2 nodelay;
-
- keepalive_timeout 0;
- }
-
- location ~ ^/v2/(?:[^/]+)/[^/]+/manifests/ {
- proxy_pass http://krdsh_quay_registry;
-
- limit_req zone=krdsh_quay_http1_ns_medium burst=10 nodelay;
- limit_req zone=krdsh_quay_http2_ns_medium burst=50 nodelay;
- limit_req zone=krdsh_quay_http3_ns_medium burst=50 nodelay;
-
- keepalive_timeout 0;
- }
-
 ## Docker Registry V1
 ## KrD: seems to be legacy
@@ -330,7 +340,7 @@ server {
 proxy_buffering off;
 proxy_request_buffering off;
- client_max_body_size 20g;
+ client_max_body_size 10240M;
 limit_req zone=krdsh_quay_http1_heavy burst=5 nodelay;
 limit_req zone=krdsh_quay_http2_heavy burst=25 nodelay;
@@ -347,7 +357,4 @@ server {
 return 200 "true";
 }
-
- ## quirks
- chunked_transfer_encoding off;
 }