quay

2024-05-06 17:09:58 +03:00 · 2024-05-06 17:09:58 +03:00 · e08bf015ee
commit e08bf015ee
parent d8f2433a81
2 changed files with 354 additions and 0 deletions
--- a/site.avail/http-quay.krd.sh.conf
+++ b/site.avail/http-quay.krd.sh.conf
@ -0,0 +1,353 @@
+upstream krdsh_quay_web {
+    server unix:/home/user/quay-run-web/gunicorn_web.sock fail_timeout=0;
+}
+upstream krdsh_quay_registry {
+    server unix:/home/user/quay-run-registry/gunicorn_registry.sock fail_timeout=0;
+}
+upstream krdsh_quay_secscan {
+    server unix:/home/user/quay-run-secscan/gunicorn_secscan.sock fail_timeout=0;
+}
+
+map $http2:$http3
+    $krdsh_quay_http1_bucket
+{
+    default  $request_id;
+
+    ## current instanse is not behind LB/ingress,
+    ## so $proxy_protocol_addr is meaningless
+  # ":"  $proxy_protocol_addr;
+    ":"  $remote_addr;
+}
+
+map $http2
+    $krdsh_quay_http2_bucket
+{
+    default  $connection;
+
+    ""  $request_id;
+}
+
+map $http3
+    $krdsh_quay_http3_bucket
+{
+    default  $quic_connection;
+
+    ""  $request_id;
+}
+
+map $uri
+    $krdsh_quay_namespace
+{
+    default  "";
+
+    # ~*^/v2/([^/]+)(?:/[^/]+)+/blobs/  $1;
+    # ~*^/v2/([^/]+)/[^/]+/tags/       $1;
+    # ~*^/v2/([^/]+)/[^/]+/manifests/  $1;
+    ~*^/v2/([^/]+)(?:/[^/]+)+/(?:blobs|manifests|tags)/  $1;
+}
+
+## use $request_id to remove request limit
+map $krdsh_quay_namespace
+    $krdsh_quay_http1_ns_bucket
+{
+    default  $krdsh_quay_http1_bucket;
+
+  # ~*^(?:k2|krd)$  $request_id;
+}
+map $krdsh_quay_namespace
+    $krdsh_quay_http2_ns_bucket
+{
+    default  $krdsh_quay_http2_bucket;
+
+  # ~*^(?:k2|krd)$  $request_id;
+}
+map $krdsh_quay_namespace
+    $krdsh_quay_http3_ns_bucket
+{
+    default  $krdsh_quay_http3_bucket;
+
+  # ~*^(?:k2|krd)$  $request_id;
+}
+
+map $cookie_patternfly
+    $krdsh_quay_ui
+{
+    volatile;
+
+    default  old;
+    true     new;
+}
+
+limit_req_zone $http_authorization         zone=krdsh_quay_staticauth:10m rate=30r/s;
+
+limit_req_zone $krdsh_quay_http1_bucket    zone=krdsh_quay_http1_light:10m    rate=60r/s;
+limit_req_zone $krdsh_quay_http2_bucket    zone=krdsh_quay_http2_light:10m    rate=600r/s;
+limit_req_zone $krdsh_quay_http3_bucket    zone=krdsh_quay_http3_light:10m    rate=600r/s;
+limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_light:10m rate=60r/s;
+limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_light:10m rate=600r/s;
+limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_light:10m rate=600r/s;
+
+limit_req_zone $krdsh_quay_http1_bucket    zone=krdsh_quay_http1_medium:10m    rate=50r/s;
+limit_req_zone $krdsh_quay_http2_bucket    zone=krdsh_quay_http2_medium:10m    rate=500r/s;
+limit_req_zone $krdsh_quay_http3_bucket    zone=krdsh_quay_http3_medium:10m    rate=500r/s;
+limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_medium:10m rate=50r/s;
+limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_medium:10m rate=500r/s;
+limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_medium:10m rate=500r/s;
+
+limit_req_zone $krdsh_quay_http1_bucket    zone=krdsh_quay_http1_heavy:10m    rate=5r/s;
+limit_req_zone $krdsh_quay_http2_bucket    zone=krdsh_quay_http2_heavy:10m    rate=50r/s;
+limit_req_zone $krdsh_quay_http3_bucket    zone=krdsh_quay_http3_heavy:10m    rate=50r/s;
+limit_req_zone $krdsh_quay_http1_ns_bucket zone=krdsh_quay_http1_ns_heavy:10m rate=5r/s;
+limit_req_zone $krdsh_quay_http2_ns_bucket zone=krdsh_quay_http2_ns_heavy:10m rate=50r/s;
+limit_req_zone $krdsh_quay_http3_ns_bucket zone=krdsh_quay_http3_ns_heavy:10m rate=50r/s;
+
+server {
+    server_name quay.krd.sh;
+
+    include snip.d/listen-http;
+
+    access_log off;
+    log_not_found off;
+
+    root /var/www/empty;
+
+    include snip.d/https-alt-svc;
+    include snip.d/http-base-security-headers;
+
+    keepalive_timeout 0;
+
+    include snip.d/empty-favicon;
+
+    location / {
+        return 301 https://$host$uri$is_args$args;
+    }
+}
+
+server {
+    server_name quay.krd.sh;
+
+    include snip.d/listen-https;
+    include snip.d/ssl-krd.sh;
+
+    access_log off;
+    log_not_found off;
+
+    root /var/www/empty;
+
+    include snip.d/http-base-security-headers;
+
+    include snip.d/proxy-common-headers;
+    include snip.d/proxy-accept-encoding;
+    include snip.d/proxy-connection-keepalive;
+    include snip.d/proxy-early-data;
+
+    proxy_set_header  Transfer-Encoding  $http_transfer_encoding;
+
+    proxy_redirect  ~*^http://$host(?:|:[0-9]+)/(.*)$  https://$host/$1;
+
+    error_page 502 /home/user/quay-run-static/static/502.html;
+
+    location /static/ {
+        root /home/user/quay-run-static;
+
+        gzip_static    on;
+        brotli_static  on;
+        zstd_static    on;
+
+        error_page  404  /404;
+    }
+
+    location / {
+        root /home/user/quay-run-static/static/patternfly;
+        index index.html;
+
+        if ($krdsh_quay_ui = "old") {
+            proxy_pass http://krdsh_quay_web;
+        }
+        if ($krdsh_quay_ui = "new") {
+            rewrite
+              ^(?:/overview|/organization|/repository|/tag)
+              /index.html
+            break;
+        }
+    }
+
+    location /angular {
+        # Expire cookie and switch to old UI
+        add_header Set-Cookie "patternfly=deleted; path=/; Expires=Thu, Jan 01 1970 00:00:00 UTC";
+        return 302 /$is_args$args;
+    }
+
+    location /react {
+        # Set cookie and witch to new UI
+        add_header Set-Cookie "patternfly=true; path=/; SameSite=Lax; HttpOnly;" always;
+        return 302 /$is_args$args;
+    }
+
+    limit_req_status    429;
+    limit_req_log_level warn;
+
+    # Temporarily force signin for old and new UI to route to web app
+    location /signin {
+        proxy_pass http://krdsh_quay_web/;
+    }
+
+    # Capture traffic that needs to go to web_app, see /web.py
+    location ~* ^(?:/config|/csrf_token|/oauth1|/oauth2|/webhooks|/keys|/.well-known|/customtrigger|/userfiles/) {
+        proxy_pass http://krdsh_quay_web;
+    }
+
+    # Capture old UI paths that aren't present in new UI
+    location ~* ^(?:/user/|/search) {
+        proxy_pass http://krdsh_quay_web;
+    }
+
+    location /push {
+        proxy_pass http://krdsh_quay_web;
+
+        client_max_body_size 5M;
+    }
+
+    location /realtime {
+        proxy_pass http://krdsh_quay_web;
+
+        proxy_buffering off;
+        proxy_request_buffering off;
+    }
+
+    location /secscan/ {
+        proxy_pass http://krdsh_quay_secscan;
+    }
+
+    # location ~ ^/v2/(?:.+)/_trust/tuf/ {
+    #     proxy_pass http://tuf.krd.sh$uri;
+    # }
+
+    location /api/ {
+        proxy_pass http://krdsh_quay_web;
+
+        limit_req zone=krdsh_quay_http1_heavy burst=25 nodelay;
+        limit_req zone=krdsh_quay_http2_heavy burst=100 nodelay;
+        limit_req zone=krdsh_quay_http3_heavy burst=100 nodelay;
+
+        keepalive_timeout 0;
+    }
+
+    location /api/suconfig {
+        proxy_pass http://krdsh_quay_web;
+
+        proxy_read_timeout 2000;
+    }
+
+    ## Docker Registry V2
+
+    location ~ ^/v2 {
+        proxy_pass http://krdsh_quay_registry;
+
+        # if ($request_method = HEAD) {
+        #     gzip   off;
+        #     brotli off;
+        #     zstd   off;
+        # }
+
+        limit_req zone=krdsh_quay_http1_light burst=20 nodelay;
+        limit_req zone=krdsh_quay_http2_light burst=80 nodelay;
+        limit_req zone=krdsh_quay_http3_light burst=80 nodelay;
+
+        keepalive_timeout 0;
+    }
+
+    location = /v2/auth {
+        proxy_pass http://krdsh_quay_registry;
+
+        limit_req zone=krdsh_quay_staticauth burst=2 nodelay;
+
+        keepalive_timeout 0;
+    }
+
+    location ~ ^/v2/_catalog(?:.*)$ {
+        proxy_pass http://krdsh_quay_registry;
+
+        proxy_read_timeout 10;
+        keepalive_timeout 0;
+
+        limit_req zone=krdsh_quay_http1_heavy burst=1 nodelay;
+        limit_req zone=krdsh_quay_http2_heavy burst=5 nodelay;
+        limit_req zone=krdsh_quay_http3_heavy burst=5 nodelay;
+    }
+
+    location ~ ^/v2/(?:[^/]+)(?:/[^/]+)+/blobs/ {
+        proxy_pass http://krdsh_quay_registry;
+
+        # if ($request_method = HEAD) {
+        #     gzip   off;
+        #     brotli off;
+        #     zstd   off;
+        # }
+
+        proxy_buffering off;
+        proxy_request_buffering off;
+
+        proxy_read_timeout  2000;
+        proxy_send_timeout  2000;
+
+        client_max_body_size 20g;
+        http2_chunk_size 32k;
+
+        limit_req zone=krdsh_quay_http1_ns_medium burst=50 nodelay;
+        limit_req zone=krdsh_quay_http2_ns_medium burst=100 nodelay;
+        limit_req zone=krdsh_quay_http3_ns_medium burst=100 nodelay;
+
+        keepalive_timeout 0;
+    }
+
+    location ~ ^/v2/(?:[^/]+)/[^/]+/tags/ {
+        proxy_pass http://krdsh_quay_registry;
+
+        limit_req zone=krdsh_quay_http1_ns_heavy burst=2 nodelay;
+        limit_req zone=krdsh_quay_http2_ns_heavy burst=2 nodelay;
+        limit_req zone=krdsh_quay_http3_ns_heavy burst=2 nodelay;
+
+        keepalive_timeout 0;
+    }
+
+    location ~ ^/v2/(?:[^/]+)/[^/]+/manifests/ {
+        proxy_pass http://krdsh_quay_registry;
+
+        limit_req zone=krdsh_quay_http1_ns_medium burst=10 nodelay;
+        limit_req zone=krdsh_quay_http2_ns_medium burst=50 nodelay;
+        limit_req zone=krdsh_quay_http3_ns_medium burst=50 nodelay;
+
+        keepalive_timeout 0;
+    }
+
+    ## Docker Registry V1
+    ## KrD: seems to be legacy
+
+    location /v1/ {
+        proxy_pass http://krdsh_quay_registry;
+
+        proxy_buffering off;
+        proxy_request_buffering off;
+
+        client_max_body_size 20g;
+
+        limit_req zone=krdsh_quay_http1_heavy burst=5 nodelay;
+        limit_req zone=krdsh_quay_http2_heavy burst=25 nodelay;
+        limit_req zone=krdsh_quay_http3_heavy burst=25 nodelay;
+
+        keepalive_timeout 0;
+    }
+
+    location = /v1/_ping {
+        default_type text/plain;
+
+        add_header  X-Docker-Registry-Version     0.6.0;
+        add_header  X-Docker-Registry-Standalone  0;
+
+        return 200 "true";
+    }
+
+    ## quirks
+    chunked_transfer_encoding off;
+}
--- a/site.d/http-180-quay.krd.sh.conf
+++ b/site.d/http-180-quay.krd.sh.conf
@ -0,0 +1 @@
+../site.avail/http-quay.krd.sh.conf