
Compare commits


No commits in common. "8280426cea12fa9e72a82de0ce61d64055c6209e" and "35c4aa99dabec7473ad9a640480dde51ef5064ee" have entirely different histories.

15 changed files with 274 additions and 381 deletions


@ -1,28 +1,3 @@
map $remote_addr
$krdsh_remote_type
{
default external;
## 127.0.0.0/8
~^127\..+$ internal;
## 10.0.0.0/8
# ~^10\..+$ internal;
## 172.16.0.0/12
# ~^172\.(?:1[6-9]|2[0-9]|3[01])\..+$ internal;
## 192.168.0.0/16
# ~^192\.168\..+$ internal;
## 192.0.2.0/24
~^192\.0\.2\..+$ internal;
## 198.51.0.0/24
# ~^198\.51\.0\..+$ internal;
## 198.18.0.0/15
# ~^198\.1[89]\..+$ internal;
## 203.0.113.0/24
# ~^203\.0\.113\..+$ internal;
## 240.0.0.0/4
~^2(?:4[0-9]|5[0-5])\..+$ internal;
}
map $scheme:$host map $scheme:$host
$krdsh_need_ssl $krdsh_need_ssl
{ {


@ -6,4 +6,4 @@ function statics(r) {
r.return(307, s); r.return(307, s);
} }
export default { statics }; export default {statics};


@ -1,7 +0,0 @@
function route_ui(r)
{
r.internalRedirect("@" + r.variables.krdsh_quay_ui_njs + "_ui");
}
export default { route_ui };


@ -1,112 +0,0 @@
upstream krdsh_ci {
server 127.0.0.1:8000;
}
upstream krdsh_ci_grpc {
server 127.0.0.1:9000;
}
proxy_cache_path
/var/cache/angie/proxy/krdsh-ci
keys_zone=krdsh_cache_ci:10m
levels=1:2 inactive=1h;
server {
server_name ci.krd.sh;
include snip.d/listen-http;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/https-alt-svc;
include snip.d/http-security-headers;
keepalive_timeout 0;
include snip.d/empty-favicon;
location /
{
return 301 https://$host$uri$is_args$args;
}
}
server {
server_name ci.krd.sh;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/http-security-headers;
include snip.d/proxy-common-headers;
include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-keepalive;
include snip.d/proxy-early-data;
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
location /
{
proxy_pass http://krdsh_ci;
## quirks
client_max_body_size 512M;
proxy_buffering off;
}
location @precache
{
proxy_pass http://krdsh_ci;
proxy_cache krdsh_cache_ci;
proxy_cache_key $uri;
expires 2h;
proxy_cache_valid 200 4h;
proxy_cache_valid 10s;
proxy_ignore_client_abort on;
proxy_ignore_headers Cache-Control Expires;
proxy_hide_header Cache-Control;
proxy_hide_header Expires;
## quirks
proxy_method GET;
proxy_temp_file_write_size 4m;
}
location /assets/
{
try_files /.non-existent-uri @precache;
}
}
server {
server_name ci.krd.sh;
include snip.d/listen-grpcs;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/http-security-headers;
include snip.d/grpc-accept-encoding;
location /
{
grpc_pass grpc://krdsh_ci_grpc;
}
}


@ -12,8 +12,7 @@ server {
include snip.d/empty-favicon; include snip.d/empty-favicon;
location / location / {
{
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
include snip.d/https-alt-svc; include snip.d/https-alt-svc;
@ -25,8 +24,8 @@ server {
location ~*/(?:InRelease|Release|Packages|Sources)$ location ~*/(?:InRelease|Release|Packages|Sources)$
~*/[^/]+/.*[^/]+\.(?:asc|dsc)$ ~*/[^/]+/.*[^/]+\.(?:asc|dsc)$
{ {
try_files $uri $uri/ =404;
default_type text/plain; default_type text/plain;
try_files $uri $uri/ =404;
} }
## /*/dists/*/Release.gpg ## /*/dists/*/Release.gpg
@ -39,8 +38,9 @@ server {
## various tarball file name extensions (sic!) ## various tarball file name extensions (sic!)
~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$ ~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$
{ {
gzip off;
brotli off;
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
include snip.d/disable-comp;
} }
} }
@ -58,8 +58,7 @@ server {
include snip.d/empty-favicon; include snip.d/empty-favicon;
location / location / {
{
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
include snip.d/https-alt-svc; include snip.d/https-alt-svc;
@ -69,23 +68,24 @@ server {
location ~*/(?:InRelease|Release|Packages|Sources)$ location ~*/(?:InRelease|Release|Packages|Sources)$
~*\.(?:asc|build|buildinfo|changes|dsc|list|log|sources)$ ~*\.(?:asc|build|buildinfo|changes|dsc|list|log|sources)$
{ {
try_files $uri $uri/ =404;
default_type text/plain; default_type text/plain;
try_files $uri $uri/ =404;
} }
location ~*\.(?:bz2|deb|gz|tar|udeb|xz|Z|zip|zstd?)$ location ~*\.(?:bz2|deb|gz|tar|udeb|xz|Z|zip|zstd?)$
## various tarball file name extensions (sic!) ## various tarball file name extensions (sic!)
~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$ ~*\.t(?:[agx]z|bz2?|[bz]2|bJ|zo|lz(?:|ma?)|zstd?|a?Z)$
{ {
gzip off;
brotli off;
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
include snip.d/disable-comp;
} }
## "meta" usually doesn't contain sensitive data ## "meta" usually doesn't contain sensitive data
# include snip.d/deny-dotfiles; # include snip.d/deny-dotfiles;
location ~*^/[^/]+/\.meta/ location ~*^/[^/]+/\.meta/
{ {
try_files $uri $uri/ =404;
default_type text/plain; default_type text/plain;
try_files $uri $uri/ =404;
} }
} }
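Review bot: The inline `gzip off; brotli off;` that replaces `include snip.d/disable-comp;` in both archive locations leaves out `zstd off;`. A three-line file holding `gzip off; brotli off; zstd off;` is deleted at the end of this comparison, presumably that snippet. Whether on-the-fly zstd compression is enabled at a higher level is not visible here, although `zstd_static on;` in the Quay config suggests the module is loaded; if it is, package and tarball responses would be recompressed for clients that accept zstd. I would add `zstd off;` next to the other two lines, or keep a shared snippet so the three stay together. The same two-line replacement is made in the `apt_` location of the Nexus config.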


@ -1,14 +1,25 @@
upstream krdsh_git { upstream krdsh_git {
server 127.0.0.1:3000; server 127.0.0.1:3000;
} }
upstream krdsh_ci {
server 127.0.0.1:8000;
}
upstream krdsh_ci_grpc {
server 127.0.0.1:9000;
}
proxy_cache_path proxy_cache_path
/var/cache/angie/proxy/krdsh-git /var/cache/angie/proxy/krdsh-git
keys_zone=krdsh_cache_git:10m keys_zone=krdsh_cache_git:10m
levels=1:2 inactive=1h; levels=1:2 inactive=1h;
proxy_cache_path
/var/cache/angie/proxy/krdsh-ci
keys_zone=krdsh_cache_ci:10m
levels=1:2 inactive=1h;
server { server {
server_name git.krd.sh; server_name git.krd.sh ci.krd.sh;
include snip.d/listen-http; include snip.d/listen-http;
@ -24,8 +35,7 @@ server {
include snip.d/empty-favicon; include snip.d/empty-favicon;
location / location / {
{
return 301 https://$host$uri$is_args$args; return 301 https://$host$uri$is_args$args;
} }
} }
@ -48,40 +58,111 @@ server {
include snip.d/proxy-connection-keepalive; include snip.d/proxy-connection-keepalive;
include snip.d/proxy-early-data; include snip.d/proxy-early-data;
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1; proxy_redirect ~*^http://(ci|git)\.krd\.sh(?:|:[0-9]+)/(.*)$ https://$1.krd.sh/$2;
location / location / {
{
proxy_pass http://krdsh_git; proxy_pass http://krdsh_git;
## quirks ## quirks
client_max_body_size 512M; client_max_body_size 512M;
chunked_transfer_encoding off;
} }
location @precache location @precache {
{
proxy_pass http://krdsh_git; proxy_pass http://krdsh_git;
proxy_cache krdsh_cache_git; proxy_cache krdsh_cache_git;
proxy_cache_key $uri; proxy_cache_key $uri;
proxy_cache_valid 200 1h;
expires 2h; proxy_cache_valid 30s;
proxy_cache_valid 200 4h;
proxy_cache_valid 10s;
proxy_ignore_client_abort on; proxy_ignore_client_abort on;
proxy_ignore_headers Cache-Control Expires; proxy_ignore_headers Cache-Control;
proxy_hide_header Cache-Control; proxy_hide_header Cache-Control;
proxy_hide_header Expires; expires 2h;
## quirks ## quirks
chunked_transfer_encoding off;
proxy_method GET; proxy_method GET;
proxy_buffering on;
proxy_temp_file_write_size 4m; proxy_temp_file_write_size 4m;
} }
location /assets/ location /assets/ {
{
try_files /.non-existent-uri @precache; try_files /.non-existent-uri @precache;
# proxy_pass http://krdsh_git;
}
}
server {
server_name ci.krd.sh;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/http-security-headers;
include snip.d/proxy-common-headers;
include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-keepalive;
include snip.d/proxy-early-data;
proxy_redirect ~*^http://(ci|git)\.krd\.sh(?:|:[0-9]+)/(.*)$ https://$1.krd.sh/$2;
location / {
proxy_pass http://krdsh_ci;
## quirks
chunked_transfer_encoding off;
client_max_body_size 16M;
proxy_buffering off;
}
location @precache {
proxy_pass http://krdsh_ci;
proxy_cache krdsh_cache_ci;
proxy_cache_key $uri;
proxy_cache_valid 200 1h;
proxy_cache_valid 30s;
proxy_ignore_client_abort on;
proxy_ignore_headers Cache-Control;
proxy_hide_header Cache-Control;
expires 2h;
## quirks
chunked_transfer_encoding off;
proxy_method GET;
proxy_buffering on;
proxy_temp_file_write_size 4m;
}
location /assets/ {
try_files /.non-existent-uri @precache;
# proxy_pass http://krdsh_ci;
}
}
server {
server_name ci.krd.sh;
include snip.d/listen-grpcs;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/http-security-headers;
include snip.d/grpc-accept-encoding;
location / {
grpc_pass grpc://krdsh_ci_grpc;
} }
} }
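Review bot: The plain-HTTP server that now answers for both `git.krd.sh` and `ci.krd.sh` still builds its redirect from `$uri` in `return 301 https://$host$uri$is_args$args;`. `$uri` is the decoded, normalised path, so percent-encoded control characters in the request path reach the `Location` header in decoded form, whereas `$request_uri` keeps the client's original encoding and already carries the query string. I would write `return 301 https://$host$request_uri;`, as the package-repository config in this comparison already does. The same line sits in the HTTP redirect servers of the Nexus and Quay configs.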


@ -26,8 +26,7 @@ server {
include snip.d/empty-favicon; include snip.d/empty-favicon;
location / location / {
{
return 301 https://$host$uri$is_args$args; return 301 https://$host$uri$is_args$args;
} }
@ -35,11 +34,11 @@ server {
location ~*^/repository/apt_[^/]+/(?:dists|pool)/ location ~*^/repository/apt_[^/]+/(?:dists|pool)/
{ {
gzip off;
brotli off;
proxy_pass http://krdsh_nexus; proxy_pass http://krdsh_nexus;
proxy_method GET; proxy_method GET;
include snip.d/disable-comp;
} }
## allow proxy repositories only for non-public usage ## allow proxy repositories only for non-public usage
@ -52,9 +51,53 @@ server {
deny all; deny all;
proxy_pass http://krdsh_nexus; proxy_pass http://krdsh_nexus;
proxy_method GET; proxy_method GET;
} }
## quirks
chunked_transfer_encoding off;
}
server {
server_name nexus-asis.krd.sh;
include snip.d/listen-https;
include snip.d/ssl-krd.sh;
access_log off;
log_not_found off;
root /var/www/empty;
include snip.d/http-security-headers;
include snip.d/proxy-common-headers;
include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-keepalive;
include snip.d/proxy-early-data;
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
location / {
proxy_pass http://krdsh_nexus;
## quirks
client_max_body_size 1024M;
}
## allow proxy repositories only for non-public usage
location ~*^/repository/proxy_[^/]+/
{
allow 127.0.0.0/8;
allow 192.0.2.0/24;
allow 240.0.0.0/4;
deny all;
proxy_pass http://krdsh_nexus;
}
## quirks
chunked_transfer_encoding off;
} }
server { server {
@ -77,12 +120,10 @@ server {
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1; proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://$host/$1;
location / location / {
{
proxy_pass http://krdsh_nexus; proxy_pass http://krdsh_nexus;
## quirks ## quirks
client_max_body_size 10G; client_max_body_size 1024M;
} }
## allow proxy repositories only for non-public usage ## allow proxy repositories only for non-public usage
@ -99,10 +140,12 @@ server {
js_import njs/nexus.js; js_import njs/nexus.js;
location /static/ location /static/ {
{
js_content nexus.statics; js_content nexus.statics;
} }
## quirks
chunked_transfer_encoding off;
} }
server { server {
@ -143,9 +186,8 @@ server {
include snip.d/proxy-connection-close; include snip.d/proxy-connection-close;
include snip.d/proxy-early-data; include snip.d/proxy-early-data;
proxy_ignore_headers Cache-Control Expires; proxy_ignore_headers Cache-Control;
proxy_hide_header Cache-Control; proxy_hide_header Cache-Control;
proxy_hide_header Expires;
proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://nexus.krd.sh/$1; proxy_redirect ~*^http://$host(?:|:[0-9]+)/(.*)$ https://nexus.krd.sh/$1;
@ -161,16 +203,18 @@ server {
proxy_pass http://krdsh_nexus; proxy_pass http://krdsh_nexus;
proxy_cache krdsh_cache_nexus; proxy_cache krdsh_cache_nexus;
proxy_cache_key $uri$is_args$args;
proxy_cache_key $uri; proxy_cache_valid 200 1h;
proxy_cache_valid 30s;
expires 2h;
proxy_cache_valid 200 4h;
proxy_cache_valid 10s;
proxy_ignore_client_abort on; proxy_ignore_client_abort on;
expires 2h;
## quirks ## quirks
proxy_method GET; proxy_method GET;
proxy_buffering on;
proxy_temp_file_write_size 4m; proxy_temp_file_write_size 4m;
} }
## quirks
chunked_transfer_encoding off;
} }
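Review bot: In the new `nexus-asis.krd.sh` server the address list (`allow 127.0.0.0/8; allow 192.0.2.0/24; allow 240.0.0.0/4; deny all;`) applies only to URIs matching `^/repository/proxy_[^/]+/`; every other path falls through to `location /` and reaches `krdsh_nexus` with no address check. Whether the upstream serves proxy-repository content under any other path cannot be told from this page, so it is worth confirming and recording next to the block, e.g. `## proxy_* content is only reachable under /repository/proxy_*/ (verified against upstream routes)`. This copy also omits the `proxy_method GET;` that the sibling restricted location carries; if that is deliberate for this host, a one-line comment should say so.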


@ -14,8 +14,7 @@ server {
root /var/www/empty; root /var/www/empty;
location / location / {
{
try_files /.non-existent-uri @redirect; try_files /.non-existent-uri @redirect;
} }
@ -43,33 +42,29 @@ server {
include snip.d/proxy-accept-encoding; include snip.d/proxy-accept-encoding;
include snip.d/proxy-connection-close; include snip.d/proxy-connection-close;
location @redirect location @redirect {
{
return 301 https://nodejs.org$request_uri; return 301 https://nodejs.org$request_uri;
} }
location @download location @download {
{
proxy_pass https://nodejs.org$uri$is_args$args; proxy_pass https://nodejs.org$uri$is_args$args;
proxy_redirect https://nodejs.org $scheme://$server_name; proxy_redirect https://nodejs.org $scheme://$server_name;
proxy_cache nodejs_org; proxy_cache nodejs_org;
proxy_cache_key $uri$is_args$args;
proxy_cache_key $uri;
expires 30m;
proxy_cache_valid 200 1h; proxy_cache_valid 200 1h;
proxy_cache_valid 30s; proxy_cache_valid 30s;
proxy_ignore_client_abort on; proxy_ignore_client_abort on;
proxy_ignore_headers Cache-Control Expires; proxy_ignore_headers Cache-Control;
proxy_hide_header Cache-Control; proxy_hide_header Cache-Control;
proxy_hide_header Expires; expires 30m;
## quirks ## quirks
chunked_transfer_encoding off; chunked_transfer_encoding off;
proxy_method GET; proxy_method GET;
proxy_buffering on;
proxy_temp_file_write_size 4m; proxy_temp_file_write_size 4m;
} }
} }
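Review bot: `location @download` fetches from `https://nodejs.org` and keeps 200 responses in the `nodejs_org` cache for an hour, but nothing visible in this hunk turns on upstream certificate verification, and `proxy_ssl_verify` is off by default. The enclosing server block starts outside the hunk and the `snip.d` includes are not shown, so this may already be set there. If it is not, add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /path/to/ca-bundle.pem;` (placeholder path) and `proxy_ssl_server_name on;`, so that a response from an unauthenticated upstream cannot be cached and re-served as a Node.js download.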


@ -8,11 +8,6 @@ upstream krdsh_quay_secscan {
server unix:/home/user/quay-run/gunicorn_secscan.sock fail_timeout=0; server unix:/home/user/quay-run/gunicorn_secscan.sock fail_timeout=0;
} }
proxy_cache_path
/var/cache/angie/proxy/krdsh-quay
keys_zone=krdsh_cache_quay:10m
levels=1:2;
map $http2:$http3 map $http2:$http3
$krdsh_quay_http1_bucket $krdsh_quay_http1_bucket
{ {
@ -21,7 +16,6 @@ map $http2:$http3
## current instanse is not behind LB/ingress, ## current instanse is not behind LB/ingress,
## so $proxy_protocol_addr is meaningless ## so $proxy_protocol_addr is meaningless
# ":" $proxy_protocol_addr; # ":" $proxy_protocol_addr;
":" $remote_addr; ":" $remote_addr;
} }
@ -46,62 +40,41 @@ map $uri
{ {
default ""; default "";
## ~*^/v2/([^/]+)(?:/[^/]+)+/blobs/ $1;
## ~*^/v2/([^/]+)/[^/]+/tags/ $1;
## ~*^/v2/([^/]+)/[^/]+/manifests/ $1;
~*^/v2/([^/]+)/.+/(?:blobs|manifests|tags)/ $1; ~*^/v2/([^/]+)/.+/(?:blobs|manifests|tags)/ $1;
} }
## use $request_id to remove (tight) request limit ## use $request_id to remove (tight) request limit
map $krdsh_quay_namespace:$krdsh_remote_type map $krdsh_quay_namespace
$krdsh_quay_http1_ns_bucket $krdsh_quay_http1_ns_bucket
{ {
default $krdsh_quay_http1_bucket; default $krdsh_quay_http1_bucket;
~*^(?:k2|krd): $request_id; ~*^(?:k2|krd)$ $request_id;
## remove limits for internal usage
~^[^:]+:internal$ $request_id;
} }
map $krdsh_quay_namespace:$krdsh_remote_type map $krdsh_quay_namespace
$krdsh_quay_http2_ns_bucket $krdsh_quay_http2_ns_bucket
{ {
default $krdsh_quay_http2_bucket; default $krdsh_quay_http2_bucket;
~*^(?:k2|krd): $request_id; ~*^(?:k2|krd)$ $request_id;
## remove limits for internal usage
~^[^:]+:internal$ $request_id;
} }
map $krdsh_quay_namespace:$krdsh_remote_type map $krdsh_quay_namespace
$krdsh_quay_http3_ns_bucket $krdsh_quay_http3_ns_bucket
{ {
default $krdsh_quay_http3_bucket; default $krdsh_quay_http3_bucket;
~*^(?:k2|krd): $request_id; ~*^(?:k2|krd)$ $request_id;
## remove limits for internal usage
~^[^:]+:internal$ $request_id;
} }
map $cookie_patternfly map $cookie_patternfly
$krdsh_quay_ui $krdsh_quay_ui
{ {
volatile;
default old; default old;
true new; true new;
} }
map $request_method:$uri
$krdsh_quay_nocache
{
default 1;
## cache requests:
## - ^/api/v1/repository/.+/tag/$
## - ^/api/v1/repository/.+/manifest/.+$
~*^(?:GET|HEAD):/api/v1/repository/(?:krd|k2|library|docker_io|quay_io|gcr_io|ghcr_io|registry_k8s_io)/.+/(?:tag/|manifest/.+)$ "";
}
limit_req_zone $http_authorization zone=krdsh_quay_staticauth:10m rate=30r/s; limit_req_zone $http_authorization zone=krdsh_quay_staticauth:10m rate=30r/s;
limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_light:10m rate=60r/s; limit_req_zone $krdsh_quay_http1_bucket zone=krdsh_quay_http1_light:10m rate=60r/s;
@ -142,8 +115,7 @@ server {
include snip.d/empty-favicon; include snip.d/empty-favicon;
location / location / {
{
return 301 https://$host$uri$is_args$args; return 301 https://$host$uri$is_args$args;
} }
} }
@ -172,13 +144,7 @@ server {
error_page 502 /home/user/quay-run-static/static/502.html; error_page 502 /home/user/quay-run-static/static/502.html;
limit_req_status 429; location /static/ {
limit_req_log_level warn;
js_import njs/quay.js;
location /static/
{
root /home/user/quay-run-static; root /home/user/quay-run-static;
expires 1d; expires 1d;
@ -190,12 +156,7 @@ server {
error_page 404 /404; error_page 404 /404;
} }
location @old_ui location / {
{
proxy_pass http://krdsh_quay_web;
}
location @new_ui
{
root /home/user/quay-run-static/static/patternfly; root /home/user/quay-run-static/static/patternfly;
index index.html; index index.html;
@ -203,123 +164,86 @@ server {
brotli_static on; brotli_static on;
zstd_static on; zstd_static on;
rewrite if ($krdsh_quay_ui = "old") {
^/(?:overview|organization|repository|tag) proxy_pass http://krdsh_quay_web;
/index.html }
break; if ($krdsh_quay_ui = "new") {
} rewrite
location / ^/(?:overview|organization|repository|tag)
{ /index.html
js_content quay.route_ui; break;
}
js_var $krdsh_quay_ui_njs "$krdsh_quay_ui";
} }
location /angular location /angular {
{
# Expire cookie and switch to old UI # Expire cookie and switch to old UI
add_header Set-Cookie "patternfly=deleted; path=/; Expires=Thu, Jan 01 1970 00:00:00 UTC"; add_header Set-Cookie "patternfly=deleted; path=/; Expires=Thu, Jan 01 1970 00:00:00 UTC";
return 302 /$is_args$args; return 302 /$is_args$args;
} }
location /react location /react {
{
# Set cookie and witch to new UI # Set cookie and witch to new UI
add_header Set-Cookie "patternfly=true; path=/; SameSite=Lax; HttpOnly;" always; add_header Set-Cookie "patternfly=true; path=/; SameSite=Lax; HttpOnly;" always;
return 302 /$is_args$args; return 302 /$is_args$args;
} }
limit_req_status 429;
limit_req_log_level warn;
# Temporarily force signin for old and new UI to route to web app # Temporarily force signin for old and new UI to route to web app
location /signin location /signin {
{
proxy_pass http://krdsh_quay_web/; proxy_pass http://krdsh_quay_web/;
} }
# Capture traffic that needs to go to web_app, see /web.py # Capture traffic that needs to go to web_app, see /web.py
location ~* ^/(?:config|csrf_token|oauth1|oauth2|webhooks|keys|.well-known|customtrigger|userfiles/) location ~* ^/(?:config|csrf_token|oauth1|oauth2|webhooks|keys|.well-known|customtrigger|userfiles/) {
{
proxy_pass http://krdsh_quay_web; proxy_pass http://krdsh_quay_web;
} }
# Capture old UI paths that aren't present in new UI # Capture old UI paths that aren't present in new UI
location ~* ^/(?:user/|search) location ~* ^/(?:user/|search) {
{
proxy_pass http://krdsh_quay_web; proxy_pass http://krdsh_quay_web;
} }
location /push location /push {
{
proxy_pass http://krdsh_quay_web; proxy_pass http://krdsh_quay_web;
client_max_body_size 5M; client_max_body_size 5M;
} }
location /realtime location /realtime {
{
proxy_pass http://krdsh_quay_web; proxy_pass http://krdsh_quay_web;
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
} }
location /secscan/ location /secscan/ {
{
proxy_pass http://krdsh_quay_secscan; proxy_pass http://krdsh_quay_secscan;
} }
# location ~ ^/v2/.+/_trust/tuf/ { # location ~ ^/v2/.+/_trust/tuf/ {
# proxy_pass https://tuf.krd.sh$uri; # proxy_pass https://tuf.krd.sh$uri;
#
# include snip.d/proxy-common-headers; # include snip.d/proxy-common-headers;
# include snip.d/proxy-accept-encoding; # include snip.d/proxy-accept-encoding;
# include snip.d/proxy-connection-close; # include snip.d/proxy-connection-close;
# include snip.d/proxy-early-data; # include snip.d/proxy-early-data;
#
# proxy_set_header Host $host; # proxy_set_header Host tuf.krd.sh;
# } # }
location ~* ^/api/v1/repository(?:/.+/tag/|/.+/manifest/.+)$ location /api/ {
{
limit_req zone=krdsh_quay_http1_medium burst=50 nodelay;
limit_req zone=krdsh_quay_http2_medium burst=100 nodelay;
limit_req zone=krdsh_quay_http3_medium burst=100 nodelay;
proxy_pass http://krdsh_quay_web; proxy_pass http://krdsh_quay_web;
keepalive_timeout 0;
proxy_cache krdsh_cache_quay;
proxy_cache_key $uri$is_args$args;
proxy_cache_bypass $http_pragma $http_authorization $krdsh_quay_nocache;
proxy_no_cache $http_pragma $http_authorization $krdsh_quay_nocache;
expires 30s;
proxy_cache_valid 200 1m;
proxy_cache_valid 10s;
proxy_ignore_client_abort on;
proxy_ignore_headers Cache-Control Expires Set-Cookie Vary;
proxy_hide_header Cache-Control;
proxy_hide_header Expires;
proxy_hide_header Set-Cookie;
proxy_hide_header Vary;
## quirks
proxy_temp_file_write_size 4m;
}
location /api/
{
limit_req zone=krdsh_quay_http1_heavy burst=25 nodelay; limit_req zone=krdsh_quay_http1_heavy burst=25 nodelay;
limit_req zone=krdsh_quay_http2_heavy burst=100 nodelay; limit_req zone=krdsh_quay_http2_heavy burst=100 nodelay;
limit_req zone=krdsh_quay_http3_heavy burst=100 nodelay; limit_req zone=krdsh_quay_http3_heavy burst=100 nodelay;
proxy_pass http://krdsh_quay_web;
keepalive_timeout 0; keepalive_timeout 0;
} }
location /api/suconfig location /api/suconfig {
{
proxy_pass http://krdsh_quay_web; proxy_pass http://krdsh_quay_web;
proxy_read_timeout 2000; proxy_read_timeout 2000;
@ -327,36 +251,33 @@ server {
## Docker Registry V2 ## Docker Registry V2
location = /v2/auth location = /v2/auth {
{
limit_req zone=krdsh_quay_staticauth burst=10 nodelay;
proxy_pass http://krdsh_quay_registry; proxy_pass http://krdsh_quay_registry;
limit_req zone=krdsh_quay_staticauth burst=10 nodelay;
keepalive_timeout 0; keepalive_timeout 0;
} }
location ~* ^/v2/_catalog location ~* ^/v2/_catalog {
{ proxy_pass http://krdsh_quay_registry;
proxy_read_timeout 10;
keepalive_timeout 0;
limit_req zone=krdsh_quay_http1_heavy burst=1 nodelay; limit_req zone=krdsh_quay_http1_heavy burst=1 nodelay;
limit_req zone=krdsh_quay_http2_heavy burst=5 nodelay; limit_req zone=krdsh_quay_http2_heavy burst=5 nodelay;
limit_req zone=krdsh_quay_http3_heavy burst=5 nodelay; limit_req zone=krdsh_quay_http3_heavy burst=5 nodelay;
proxy_pass http://krdsh_quay_registry;
keepalive_timeout 0;
proxy_read_timeout 10;
} }
location ~* ^/v2/.+/blobs/ location ~* ^/v2/.+/blobs/ {
{
limit_req zone=krdsh_quay_http1_ns_medium burst=50 nodelay;
limit_req zone=krdsh_quay_http2_ns_medium burst=100 nodelay;
limit_req zone=krdsh_quay_http3_ns_medium burst=100 nodelay;
proxy_pass http://krdsh_quay_registry; proxy_pass http://krdsh_quay_registry;
keepalive_timeout 0; # if ($request_method = HEAD) {
# gzip off;
# brotli off;
# zstd off;
# }
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
@ -364,76 +285,76 @@ server {
proxy_read_timeout 2000; proxy_read_timeout 2000;
proxy_send_timeout 2000; proxy_send_timeout 2000;
client_max_body_size 10G; client_max_body_size 10240M;
http2_chunk_size 32k; http2_chunk_size 32k;
include snip.d/disable-comp; limit_req zone=krdsh_quay_http1_ns_medium burst=50 nodelay;
limit_req zone=krdsh_quay_http2_ns_medium burst=100 nodelay;
limit_req zone=krdsh_quay_http3_ns_medium burst=100 nodelay;
keepalive_timeout 0;
} }
location ~* ^/v2/.+/tags/ location ~* ^/v2/.+/tags/ {
{ proxy_pass http://krdsh_quay_registry;
limit_req zone=krdsh_quay_http1_ns_heavy burst=2 nodelay; limit_req zone=krdsh_quay_http1_ns_heavy burst=2 nodelay;
limit_req zone=krdsh_quay_http2_ns_heavy burst=2 nodelay; limit_req zone=krdsh_quay_http2_ns_heavy burst=2 nodelay;
limit_req zone=krdsh_quay_http3_ns_heavy burst=2 nodelay; limit_req zone=krdsh_quay_http3_ns_heavy burst=2 nodelay;
proxy_pass http://krdsh_quay_registry;
keepalive_timeout 0; keepalive_timeout 0;
} }
location ~* ^/v2/.+/manifests/ location ~* ^/v2/.+/manifests/ {
{ proxy_pass http://krdsh_quay_registry;
limit_req zone=krdsh_quay_http1_ns_medium burst=10 nodelay; limit_req zone=krdsh_quay_http1_ns_medium burst=10 nodelay;
limit_req zone=krdsh_quay_http2_ns_medium burst=50 nodelay; limit_req zone=krdsh_quay_http2_ns_medium burst=50 nodelay;
limit_req zone=krdsh_quay_http3_ns_medium burst=50 nodelay; limit_req zone=krdsh_quay_http3_ns_medium burst=50 nodelay;
proxy_pass http://krdsh_quay_registry;
keepalive_timeout 0; keepalive_timeout 0;
} }
location /v2/ location /v2/ {
{ proxy_pass http://krdsh_quay_registry;
# if ($request_method = HEAD) {
# gzip off;
# brotli off;
# zstd off;
# }
limit_req zone=krdsh_quay_http1_light burst=20 nodelay; limit_req zone=krdsh_quay_http1_light burst=20 nodelay;
limit_req zone=krdsh_quay_http2_light burst=80 nodelay; limit_req zone=krdsh_quay_http2_light burst=80 nodelay;
limit_req zone=krdsh_quay_http3_light burst=80 nodelay; limit_req zone=krdsh_quay_http3_light burst=80 nodelay;
proxy_pass http://krdsh_quay_registry;
keepalive_timeout 0; keepalive_timeout 0;
} }
## Docker Registry V1 ## Docker Registry V1
## KrD: seems to be legacy ## KrD: seems to be legacy
location /v1/ location /v1/ {
{ proxy_pass http://krdsh_quay_registry;
return 444;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 10240M;
limit_req zone=krdsh_quay_http1_heavy burst=5 nodelay;
limit_req zone=krdsh_quay_http2_heavy burst=25 nodelay;
limit_req zone=krdsh_quay_http3_heavy burst=25 nodelay;
keepalive_timeout 0;
} }
# location /v1/ location = /v1/_ping {
# { default_type text/plain;
# limit_req zone=krdsh_quay_http1_heavy burst=5 nodelay;
# limit_req zone=krdsh_quay_http2_heavy burst=25 nodelay;
# limit_req zone=krdsh_quay_http3_heavy burst=25 nodelay;
# proxy_pass http://krdsh_quay_registry; add_header X-Docker-Registry-Version 0.6.0;
add_header X-Docker-Registry-Standalone 0;
# proxy_buffering off; return 200 "true";
# proxy_request_buffering off; }
# client_max_body_size 10G;
# keepalive_timeout 0;
# }
# location = /v1/_ping
# {
# default_type text/plain;
# add_header X-Docker-Registry-Version 0.6.0;
# add_header X-Docker-Registry-Standalone 0;
# return 200 "true";
# }
} }
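Review bot: On the new side `location /v1/` carries `proxy_pass http://krdsh_quay_registry;` with unbuffered requests and `client_max_body_size 10240M;`, and `location = /v1/_ping` is active again, while the comment above still reads `## KrD: seems to be legacy`. The page does not show which side the lone `return 444;` belongs to. If it is kept, it runs before the proxy directives and makes them dead configuration; if it is dropped, a legacy registry API that was closed becomes reachable with very large uploads. I would keep the location closed with only `return 444;` unless a known client still needs V1, and otherwise state the reason in a comment next to the block.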


@ -1 +0,0 @@
../site.avail/http-ci.krd.sh.conf


@ -1,3 +0,0 @@
gzip off;
brotli off;
zstd off;