
quay: rework

This commit is contained in:
Konstantin Demin 2024-05-07 17:19:47 +03:00
parent e08bf015ee
commit 35c4aa99da
Signed by: krd
GPG Key ID: 1F33CB0BA4731BC6


@ -1,11 +1,11 @@
upstream krdsh_quay_web { upstream krdsh_quay_web {
server unix:/home/user/quay-run-web/gunicorn_web.sock fail_timeout=0; server unix:/home/user/quay-run/gunicorn_web.sock fail_timeout=0;
} }
upstream krdsh_quay_registry { upstream krdsh_quay_registry {
server unix:/home/user/quay-run-registry/gunicorn_registry.sock fail_timeout=0; server unix:/home/user/quay-run/gunicorn_registry.sock fail_timeout=0;
} }
upstream krdsh_quay_secscan { upstream krdsh_quay_secscan {
server unix:/home/user/quay-run-secscan/gunicorn_secscan.sock fail_timeout=0; server unix:/home/user/quay-run/gunicorn_secscan.sock fail_timeout=0;
} }
map $http2:$http3 map $http2:$http3
@ -40,33 +40,30 @@ map $uri
{ {
default ""; default "";
# ~*^/v2/([^/]+)(?:/[^/]+)+/blobs/ $1; ~*^/v2/([^/]+)/.+/(?:blobs|manifests|tags)/ $1;
# ~*^/v2/([^/]+)/[^/]+/tags/ $1;
# ~*^/v2/([^/]+)/[^/]+/manifests/ $1;
~*^/v2/([^/]+)(?:/[^/]+)+/(?:blobs|manifests|tags)/ $1;
} }
## use $request_id to remove request limit ## use $request_id to remove (tight) request limit
map $krdsh_quay_namespace map $krdsh_quay_namespace
$krdsh_quay_http1_ns_bucket $krdsh_quay_http1_ns_bucket
{ {
default $krdsh_quay_http1_bucket; default $krdsh_quay_http1_bucket;
# ~*^(?:k2|krd)$ $request_id; ~*^(?:k2|krd)$ $request_id;
} }
map $krdsh_quay_namespace map $krdsh_quay_namespace
$krdsh_quay_http2_ns_bucket $krdsh_quay_http2_ns_bucket
{ {
default $krdsh_quay_http2_bucket; default $krdsh_quay_http2_bucket;
# ~*^(?:k2|krd)$ $request_id; ~*^(?:k2|krd)$ $request_id;
} }
map $krdsh_quay_namespace map $krdsh_quay_namespace
$krdsh_quay_http3_ns_bucket $krdsh_quay_http3_ns_bucket
{ {
default $krdsh_quay_http3_bucket; default $krdsh_quay_http3_bucket;
# ~*^(?:k2|krd)$ $request_id; ~*^(?:k2|krd)$ $request_id;
} }
map $cookie_patternfly map $cookie_patternfly
@ -78,28 +75,28 @@ map $cookie_patternfly
true new; true new;
} }
limit_req_zone $http_authorization zone=krdsh_quay_staticauth:10m rate=30r/s; limit_req_zone $http_authorization zone=krdsh_quay_staticauth:10m rate=30r/s;
limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_light:10m rate=60r/s; limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_light:10m rate=60r/s;
limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_light:10m rate=600r/s; limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_light:10m rate=600r/s;
limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_light:10m rate=600r/s; limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_light:10m rate=600r/s;
limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_light:10m rate=60r/s; limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_light:10m rate=60r/s;
limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_light:10m rate=600r/s; limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_light:10m rate=600r/s;
limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_light:10m rate=600r/s; limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_light:10m rate=600r/s;
limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_medium:10m rate=50r/s; limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_medium:10m rate=50r/s;
limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_medium:10m rate=500r/s; limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_medium:10m rate=500r/s;
limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_medium:10m rate=500r/s; limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_medium:10m rate=500r/s;
limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_medium:10m rate=50r/s; limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_medium:10m rate=50r/s;
limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_medium:10m rate=500r/s; limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_medium:10m rate=500r/s;
limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_medium:10m rate=500r/s; limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_medium:10m rate=500r/s;
limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_heavy:10m rate=5r/s; limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_heavy:10m rate=5r/s;
limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_heavy:10m rate=50r/s; limit_req_zone $krdsh_quay_http2_bucket zone=krdsh_quay_http2_heavy:10m rate=50r/s;
limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_heavy:10m rate=50r/s; limit_req_zone $krdsh_quay_http3_bucket zone=krdsh_quay_http3_heavy:10m rate=50r/s;
limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_heavy:10m rate=5r/s; limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_heavy:10m rate=5r/s;
limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_heavy:10m rate=50r/s; limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_heavy:10m rate=50r/s;
limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_heavy:10m rate=50r/s; limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_heavy:10m rate=50r/s;
server { server {
server_name quay.krd.sh; server_name quay.krd.sh;
@ -135,21 +132,23 @@ server {
root /var/www/empty; root /var/www/empty;
include snip.d/http-base-security-headers; include snip.d/http-base-security-headers;
include snip.d/proxy-common-headers; include snip.d/proxy-common-headers;
include snip.d/proxy-accept-encoding; include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-keepalive; include snip.d/proxy-connection-close;
include snip.d/proxy-early-data; include snip.d/proxy-early-data;
proxy_set_header Host $host;
proxy_set_header Transfer-Encoding $http_transfer_encoding; proxy_set_header Transfer-Encoding $http_transfer_encoding;
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1; proxy_redirect ~*^https?://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
error_page 502 /home/user/quay-run-static/static/502.html; error_page 502 /home/user/quay-run-static/static/502.html;
location /static/ { location /static/ {
root /home/user/quay-run-static; root /home/user/quay-run-static;
expires 1d;
gzip_static on; gzip_static on;
brotli_static on; brotli_static on;
zstd_static on; zstd_static on;
@ -161,12 +160,16 @@ server {
root /home/user/quay-run-static/static/patternfly; root /home/user/quay-run-static/static/patternfly;
index index.html; index index.html;
gzip_static on;
brotli_static on;
zstd_static on;
if ($krdsh_quay_ui = "old") { if ($krdsh_quay_ui = "old") {
proxy_pass http://krdsh_quay_web; proxy_pass http://krdsh_quay_web;
} }
if ($krdsh_quay_ui = "new") { if ($krdsh_quay_ui = "new") {
rewrite rewrite
^(?:/overview|/organization|/repository|/tag) ^/(?:overview|organization|repository|tag)
/index.html /index.html
break; break;
} }
@ -193,12 +196,12 @@ server {
} }
# Capture traffic that needs to go to web_app, see /web.py # Capture traffic that needs to go to web_app, see /web.py
location ~* ^(?:/config|/csrf_token|/oauth1|/oauth2|/webhooks|/keys|/.well-known|/customtrigger|/userfiles/) { location ~* ^/(?:config|csrf_token|oauth1|oauth2|webhooks|keys|.well-known|customtrigger|userfiles/) {
proxy_pass http://krdsh_quay_web; proxy_pass http://krdsh_quay_web;
} }
# Capture old UI paths that aren't present in new UI # Capture old UI paths that aren't present in new UI
location ~* ^(?:/user/|/search) { location ~* ^/(?:user/|search) {
proxy_pass http://krdsh_quay_web; proxy_pass http://krdsh_quay_web;
} }
@ -219,8 +222,15 @@ server {
proxy_pass http://krdsh_quay_secscan; proxy_pass http://krdsh_quay_secscan;
} }
# location ~ ^/v2/(?:.+)/_trust/tuf/ { # location ~ ^/v2/.+/_trust/tuf/ {
# proxy_pass http://tuf.krd.sh$uri; # proxy_pass https://tuf.krd.sh$uri;
#
# include snip.d/proxy-common-headers;
# include snip.d/proxy-accept-encoding;
# include snip.d/proxy-connection-close;
# include snip.d/proxy-early-data;
#
# proxy_set_header Host tuf.krd.sh;
# } # }
location /api/ { location /api/ {
@ -241,7 +251,71 @@ server {
## Docker Registry V2 ## Docker Registry V2
location ~ ^/v2 { location = /v2/auth {
proxy_pass http://krdsh_quay_registry;
limit_req zone=krdsh_quay_staticauth burst=10 nodelay;
keepalive_timeout 0;
}
location ~* ^/v2/_catalog {
proxy_pass http://krdsh_quay_registry;
proxy_read_timeout 10;
keepalive_timeout 0;
limit_req zone=krdsh_quay_http1_heavy burst=1 nodelay;
limit_req zone=krdsh_quay_http2_heavy burst=5 nodelay;
limit_req zone=krdsh_quay_http3_heavy burst=5 nodelay;
}
location ~* ^/v2/.+/blobs/ {
proxy_pass http://krdsh_quay_registry;
# if ($request_method = HEAD) {
# gzip off;
# brotli off;
# zstd off;
# }
proxy_buffering off;
proxy_request_buffering off;
proxy_read_timeout 2000;
proxy_send_timeout 2000;
client_max_body_size 10240M;
http2_chunk_size 32k;
limit_req zone=krdsh_quay_http1_ns_medium burst=50 nodelay;
limit_req zone=krdsh_quay_http2_ns_medium burst=100 nodelay;
limit_req zone=krdsh_quay_http3_ns_medium burst=100 nodelay;
keepalive_timeout 0;
}
location ~* ^/v2/.+/tags/ {
proxy_pass http://krdsh_quay_registry;
limit_req zone=krdsh_quay_http1_ns_heavy burst=2 nodelay;
limit_req zone=krdsh_quay_http2_ns_heavy burst=2 nodelay;
limit_req zone=krdsh_quay_http3_ns_heavy burst=2 nodelay;
keepalive_timeout 0;
}
location ~* ^/v2/.+/manifests/ {
proxy_pass http://krdsh_quay_registry;
limit_req zone=krdsh_quay_http1_ns_medium burst=10 nodelay;
limit_req zone=krdsh_quay_http2_ns_medium burst=50 nodelay;
limit_req zone=krdsh_quay_http3_ns_medium burst=50 nodelay;
keepalive_timeout 0;
}
location /v2/ {
proxy_pass http://krdsh_quay_registry; proxy_pass http://krdsh_quay_registry;
# if ($request_method = HEAD) { # if ($request_method = HEAD) {
@ -257,70 +331,6 @@ server {
keepalive_timeout 0; keepalive_timeout 0;
} }
location = /v2/auth {
proxy_pass http://krdsh_quay_registry;
limit_req zone=krdsh_quay_staticauth burst=2 nodelay;
keepalive_timeout 0;
}
location ~ ^/v2/_catalog(?:.*)$ {
proxy_pass http://krdsh_quay_registry;
proxy_read_timeout 10;
keepalive_timeout 0;
limit_req zone=krdsh_quay_http1_heavy burst=1 nodelay;
limit_req zone=krdsh_quay_http2_heavy burst=5 nodelay;
limit_req zone=krdsh_quay_http3_heavy burst=5 nodelay;
}
location ~ ^/v2/(?:[^/]+)(?:/[^/]+)+/blobs/ {
proxy_pass http://krdsh_quay_registry;
# if ($request_method = HEAD) {
# gzip off;
# brotli off;
# zstd off;
# }
proxy_buffering off;
proxy_request_buffering off;
proxy_read_timeout 2000;
proxy_send_timeout 2000;
client_max_body_size 20g;
http2_chunk_size 32k;
limit_req zone=krdsh_quay_http1_ns_medium burst=50 nodelay;
limit_req zone=krdsh_quay_http2_ns_medium burst=100 nodelay;
limit_req zone=krdsh_quay_http3_ns_medium burst=100 nodelay;
keepalive_timeout 0;
}
location ~ ^/v2/(?:[^/]+)/[^/]+/tags/ {
proxy_pass http://krdsh_quay_registry;
limit_req zone=krdsh_quay_http1_ns_heavy burst=2 nodelay;
limit_req zone=krdsh_quay_http2_ns_heavy burst=2 nodelay;
limit_req zone=krdsh_quay_http3_ns_heavy burst=2 nodelay;
keepalive_timeout 0;
}
location ~ ^/v2/(?:[^/]+)/[^/]+/manifests/ {
proxy_pass http://krdsh_quay_registry;
limit_req zone=krdsh_quay_http1_ns_medium burst=10 nodelay;
limit_req zone=krdsh_quay_http2_ns_medium burst=50 nodelay;
limit_req zone=krdsh_quay_http3_ns_medium burst=50 nodelay;
keepalive_timeout 0;
}
## Docker Registry V1 ## Docker Registry V1
## KrD: seems to be legacy ## KrD: seems to be legacy
@ -330,7 +340,7 @@ server {
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
client_max_body_size 20g; client_max_body_size 10240M;
limit_req zone=krdsh_quay_http1_heavy burst=5 nodelay; limit_req zone=krdsh_quay_http1_heavy burst=5 nodelay;
limit_req zone=krdsh_quay_http2_heavy burst=25 nodelay; limit_req zone=krdsh_quay_http2_heavy burst=25 nodelay;
@ -347,7 +357,4 @@ server {
return 200 "true"; return 200 "true";
} }
## quirks
chunked_transfer_encoding off;
} }
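Review bot: In the new `location ~* ^/v2/.+/blobs/`, `.../tags/` and `.../manifests/` blocks of the `@ -241,7 +251,71 @@` hunk the only `limit_req` directives use the `*_ns_*` zones, and those zones are keyed by the `$krdsh_quay_http*_ns_bucket` maps from the `@ -40,33 +40,30 @@` hunk which, if the uncommented `~*^(?:k2|krd)$ $request_id;` lines are the new side, yield a unique key per request for the k2/krd namespaces. Because the namespace is taken from `$uri`, which any unauthenticated client chooses, requests naming those namespaces are exempt from all request limiting in these locations, not just the tight per-namespace limit the comment describes. Keep a client-independent limiter in each of them, e.g. `limit_req zone=krdsh_quay_http1_medium burst=10 nodelay;` plus the http2/http3 equivalents, or derive the exemption from something the client cannot pick. Relatedly, `location = /v2/auth` is limited only by `krdsh_quay_staticauth`, keyed on `$http_authorization`: nginx does not account requests whose key is empty and every distinct header value is its own bucket, so the token endpoint is not bounded per client; adding a `$binary_remote_addr`-keyed zone there would close that gap.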