298 lines
11 KiB
Nginx Configuration File
298 lines
11 KiB
Nginx Configuration File
user nginx;
|
|
worker_processes auto;
|
|
|
|
# error log config comes from external file created by entrypoint, to toggle debug on/off.
|
|
include /etc/nginx/error.log.debug.warn;
|
|
|
|
pid /var/run/nginx.pid;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
map_hash_bucket_size 128;
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
# Use a debug-oriented logging format.
|
|
log_format debugging '$remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent '
|
|
'"HOST: $host" "UPSTREAM: $upstream_addr" '
|
|
'"UPSTREAM-STATUS: $upstream_status" '
|
|
'"SSL-PROTO: $ssl_protocol" '
|
|
'"CONNECT-HOST: $connect_host" "CONNECT-PORT: $connect_port" "CONNECT-ADDR: $connect_addr" '
|
|
'"PROXY-HOST: $proxy_host" "UPSTREAM-REDIRECT: $upstream_http_location" "CACHE-STATUS: $upstream_cache_status" '
|
|
'"AUTH: $http_authorization" ' ;
|
|
|
|
log_format debug_proxy 'CONNECTPROXY: $remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent '
|
|
'"HOST: $host" "UPSTREAM: $upstream_addr" '
|
|
'"UPSTREAM-STATUS: $upstream_status" '
|
|
'"SSL-PROTO: $ssl_protocol" '
|
|
'"CONNECT-HOST: $connect_host" "CONNECT-PORT: $connect_port" "CONNECT-ADDR: $connect_addr" "INTERCEPTED: $interceptedHost" '
|
|
'"PROXY-HOST: $proxy_host" "UPSTREAM-REDIRECT: $upstream_http_location" "CACHE-STATUS: $upstream_cache_status" '
|
|
'"AUTH: $http_authorization" ' ;
|
|
|
|
log_format tweaked '$upstream_cache_status [$time_local] "$uri" '
|
|
'$status $body_bytes_sent '
|
|
'"HOST:$host" '
|
|
'"PROXY-HOST:$proxy_host" "UPSTREAM:$upstream_addr" ';
|
|
|
|
keepalive_timeout 300;
|
|
gzip off;
|
|
|
|
# Entrypoint generates the proxy_cache_path here, so it is configurable externally.
|
|
include /etc/nginx/conf.d/cache_max_size.conf;
|
|
|
|
# Just in case you want to rewrite some hosts. Default maps directly.
|
|
map $host $targetHost {
|
|
hostnames;
|
|
default $host;
|
|
}
|
|
|
|
# A map to enable authentication to some specific docker registries.
|
|
# This is auto-generated by the entrypoint.sh based on environment variables
|
|
map $host $dockerAuth {
|
|
hostnames;
|
|
include /etc/nginx/docker.auth.map;
|
|
default "";
|
|
}
|
|
|
|
# @TODO: actually for auth.docker.io, if we want to support multiple authentications, we'll need to decide
|
|
# @TODO: based not only on the hostname, but also URI (/token) and query string (?scope)
|
|
# @TODO: I wonder if this would help gcr.io and quay.io with authentication also....
|
|
|
|
map $dockerAuth $finalAuth {
|
|
"" "$http_authorization"; # if empty, keep the original passed-in from the docker client.
|
|
default "Basic $dockerAuth"; # if not empty, add the Basic preamble to the auth
|
|
}
|
|
|
|
|
|
# Map to decide which hosts get directed to the caching portion.
|
|
# This is automatically generated from the list of cached registries, plus a few fixed hosts
|
|
# By default, we don't intercept, allowing free flow of non-registry traffic
|
|
map $connect_host $interceptedHost {
|
|
hostnames;
|
|
include /etc/nginx/docker.intercept.map;
|
|
default "$connect_addr"; # $connect_addr is 'IP address and port of the remote host, e.g. "192.168.1.5:12345". IP address is resolved from host name of CONNECT request line.'
|
|
}
|
|
|
|
|
|
# These maps parse the original Host and URI from a /forcecache redirect.
|
|
map $request_uri $realHost {
|
|
~/forcecacheinsecure/([^:/]+)/originalwas(/.+) $1;
|
|
~/forcecachesecure/([^:/]+)/originalwas(/.+) $1;
|
|
default "DID_NOT_MATCH_HOST";
|
|
}
|
|
|
|
map $request_uri $realPath {
|
|
~/forcecacheinsecure/([^:/]+)/originalwas(/.+) $2;
|
|
~/forcecachesecure/([^:/]+)/originalwas(/.+) $2;
|
|
default "DID_NOT_MATCH_PATH";
|
|
}
|
|
|
|
|
|
# The proxy director layer, listens on 3128
|
|
server {
|
|
listen 3128;
|
|
server_name _;
|
|
|
|
# dont log the CONNECT proxy.
|
|
#access_log /var/log/nginx/access.log debug_proxy;
|
|
access_log off;
|
|
|
|
proxy_connect;
|
|
proxy_connect_address $interceptedHost;
|
|
proxy_max_temp_file_size 0;
|
|
|
|
# We need to resolve the real names of our proxied servers.
|
|
#resolver 8.8.8.8 4.2.2.2 ipv6=off; # Avoid ipv6 addresses for now
|
|
include /etc/nginx/resolvers.conf;
|
|
|
|
# forward proxy for non-CONNECT request
|
|
location / {
|
|
add_header "Content-type" "text/plain" always;
|
|
return 200 "docker-registry-proxy: The docker caching proxy is working!";
|
|
}
|
|
|
|
location /ca.crt {
|
|
alias /ca/ca.crt;
|
|
}
|
|
|
|
location /setup/systemd {
|
|
add_header "Content-type" "text/plain" always;
|
|
return 200 '
|
|
set -e
|
|
|
|
if [ ! -d /etc/systemd ]; then
|
|
echo "Not a systemd system"
|
|
exit 1
|
|
fi
|
|
|
|
mkdir -p /etc/systemd/system/docker.service.d
|
|
cat << EOD > /etc/systemd/system/docker.service.d/http-proxy.conf
|
|
[Service]
|
|
Environment="HTTPS_PROXY=$scheme://$http_host/"
|
|
EOD
|
|
|
|
# Get the CA certificate from the proxy and make it a trusted root.
|
|
curl $scheme://$http_host/ca.crt > /usr/share/ca-certificates/docker_registry_proxy.crt
|
|
if fgrep -q "docker_registry_proxy.crt" /etc/ca-certificates.conf ; then
|
|
echo "certificate refreshed"
|
|
else
|
|
echo "docker_registry_proxy.crt" >> /etc/ca-certificates.conf
|
|
fi
|
|
|
|
update-ca-certificates --fresh
|
|
|
|
# Reload systemd
|
|
systemctl daemon-reload
|
|
|
|
# Restart dockerd
|
|
systemctl restart docker.service
|
|
echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
|
|
';
|
|
} # end location /setup/systemd
|
|
} # end server
|
|
|
|
|
|
# The caching layer
|
|
server {
|
|
# Listen on both 80 and 443, for all hostnames.
|
|
# actually could be 443 or 444, depending on debug. this is now generated by the entrypoint.
|
|
listen 80 default_server;
|
|
include /etc/nginx/caching.layer.listen;
|
|
server_name _;
|
|
|
|
# Do some tweaked logging.
|
|
access_log /var/log/nginx/access.log tweaked;
|
|
|
|
# Use the generated certificates, they contain names for all the proxied registries.
|
|
ssl_certificate /certs/fullchain.pem;
|
|
ssl_certificate_key /certs/web.key;
|
|
|
|
# We need to resolve the real names of our proxied servers.
|
|
#resolver 8.8.8.8 4.2.2.2 ipv6=off; # Avoid ipv6 addresses for now
|
|
include /etc/nginx/resolvers.conf;
|
|
|
|
# Docker needs this. Don't ask.
|
|
chunked_transfer_encoding on;
|
|
|
|
# Block POST/PUT/DELETE. Don't use this proxy for pushing.
|
|
if ($request_method = POST) {
|
|
return 405 "POST method is not allowed";
|
|
}
|
|
if ($request_method = PUT) {
|
|
return 405 "PUT method is not allowed";
|
|
}
|
|
if ($request_method = DELETE) {
|
|
return 405 "DELETE method is not allowed";
|
|
}
|
|
|
|
proxy_read_timeout 900;
|
|
|
|
# Use cache locking, with a huge timeout, so that multiple Docker clients asking for the same blob at the same time
|
|
# will wait for the first to finish instead of doing multiple upstream requests.
|
|
proxy_cache_lock on;
|
|
proxy_cache_lock_timeout 880s;
|
|
|
|
# Cache all 200, 206 for 60 days.
|
|
proxy_cache_valid 200 206 60d;
|
|
|
|
# Some extra settings to maximize cache hits and efficiency
|
|
proxy_force_ranges on;
|
|
proxy_ignore_client_abort on;
|
|
proxy_cache_revalidate on;
|
|
|
|
# Hide/ignore headers from caching. S3 especially likes to send Expires headers in the past in some situations.
|
|
proxy_hide_header Set-Cookie;
|
|
proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
|
|
|
|
# Add the authentication info, if the map matched the target domain.
|
|
proxy_set_header Authorization $finalAuth;
|
|
|
|
# Use SNI during the TLS handshake with the upstream.
|
|
proxy_ssl_server_name on;
|
|
|
|
# This comes from a include file generated by the entrypoint.
|
|
include /etc/nginx/docker.verify.ssl.conf;
|
|
|
|
# Block API v1. We dont know how to handle these.
|
|
# Docker-client should start with v2 and fallback to v1 if something fails, for example, if authentication failed to a protected v2 resource.
|
|
location /v1 {
|
|
return 405 "docker-registry-proxy: docker is trying to use v1 API. Either the image does not exist upstream, or you need to configure docker-registry-proxy to authenticate against $host";
|
|
}
|
|
|
|
# For blob requests by digest, do cache, and treat redirects.
|
|
location ~ ^/v2/(.*)/blobs/sha256:(.*) {
|
|
proxy_pass https://$targetHost;
|
|
proxy_cache cache;
|
|
proxy_cache_key $uri;
|
|
proxy_intercept_errors on;
|
|
error_page 301 302 307 = @handle_redirects;
|
|
}
|
|
|
|
# For manifest requests by digest, do cache, and treat redirects.
|
|
location ~ ^/v2/(.*)/manifests/sha256:(.*) {
|
|
proxy_pass https://$targetHost;
|
|
proxy_cache cache;
|
|
proxy_cache_key $uri;
|
|
proxy_intercept_errors on;
|
|
error_page 301 302 307 = @handle_redirects;
|
|
}
|
|
|
|
# Cache manifest requests that are not by digest (e.g. tags)
|
|
# Since these are mutable, we invalidate them immediately and keep them only in case the backend is down
|
|
location ~ ^/v2/(.*)/manifests/ {
|
|
proxy_pass https://$targetHost;
|
|
proxy_cache cache;
|
|
proxy_cache_key $uri;
|
|
proxy_intercept_errors on;
|
|
proxy_cache_use_stale error timeout http_500 http_502 http_504 http_403;
|
|
proxy_cache_valid 1s;
|
|
error_page 301 302 307 = @handle_redirects;
|
|
}
|
|
|
|
# Cache blobs requests that are not by digest
|
|
# Since these are mutable, we invalidate them immediately and keep them only in case the backend is down
|
|
location ~ ^/v2/(.*)/blobs/ {
|
|
proxy_pass https://$targetHost;
|
|
proxy_cache cache;
|
|
proxy_cache_key $uri;
|
|
proxy_intercept_errors on;
|
|
proxy_cache_use_stale error timeout http_500 http_502 http_504 http_403;
|
|
proxy_cache_valid 1s;
|
|
error_page 301 302 307 = @handle_redirects;
|
|
}
|
|
|
|
location @handle_redirects {
|
|
#store the current state of the world so we can reuse it in a minute
|
|
# We need to capture these values now, because as soon as we invoke
|
|
# the proxy_* directives, these will disappear
|
|
set $original_uri $uri;
|
|
set $orig_loc $upstream_http_location;
|
|
|
|
# during this process, nginx will preserve the headers intended for the original destination.
|
|
# in most cases thats okay, but for some (eg: google storage), passing an Authorization
|
|
# header can cause problems. Also, that would leak the credentials for the registry
|
|
# into the storage system (unrelated).
|
|
proxy_set_header Authorization "";
|
|
|
|
# nginx goes to fetch the value from the upstream Location header
|
|
proxy_pass $orig_loc;
|
|
proxy_cache cache;
|
|
# But we store the result with the cache key of the original request URI
|
|
# so that future clients don't need to follow the redirect too
|
|
proxy_cache_key $original_uri;
|
|
}
|
|
|
|
# by default, dont cache anything.
|
|
location / {
|
|
proxy_pass https://$targetHost;
|
|
proxy_cache off;
|
|
add_header X-Docker-Caching-Proxy-Debug-Cache "no:default";
|
|
}
|
|
}
|
|
}
|