forked from rpardini/docker-registry-proxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.conf
319 lines (259 loc) · 11.6 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
user nginx;
worker_processes auto;
# error log config comes from external file created by entrypoint, to toggle debug on/off.
include /etc/nginx/error.log.debug.warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
map_hash_bucket_size 128;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Include nginx timeout configs
include /etc/nginx/nginx.timeouts.config.conf;
# Use a debug-oriented logging format.
log_format debugging escape=json
'{'
'"access_time":"$time_local",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status":"$status",'
'"bytes_sent":"$body_bytes_sent",'
'"host":"$host",'
'"proxy_host":"$proxy_host",'
'"upstream":"$upstream_addr"'
'"upstream_status":"$upstream_status",'
'"ssl_protocol":"$ssl_protocol",'
'"connect_host":"$connect_host",'
'"connect_port":"$connect_port",'
'"connect_addr":"$connect_addr",'
'"upstream_http_location":"$upstream_http_location",'
'"upstream_cache_status":"$upstream_cache_status",'
'"http_authorization":"$http_authorization",'
'}';
log_format debug_proxy escape=json
'{'
'"access_time":"$time_local",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status":"$status",'
'"bytes_sent":"$body_bytes_sent",'
'"host":"$host",'
'"proxy_host":"$proxy_host",'
'"upstream":"$upstream_addr"'
'"upstream_status":"$upstream_status",'
'"ssl_protocol":"$ssl_protocol",'
'"connect_host":"$connect_host",'
'"connect_port":"$connect_port",'
'"connect_addr":"$connect_addr",'
'"upstream_http_location":"$upstream_http_location",'
'"upstream_cache_status":"$upstream_cache_status",'
'"http_authorization":"$http_authorization",'
'}';
log_format tweaked escape=json
'{'
'"access_time":"$time_local",'
'"upstream_cache_status":"$upstream_cache_status",'
'"method":"$request_method",'
'"uri":"$uri",'
'"request_type":"$docker_proxy_request_type",'
'"status":"$status",'
'"bytes_sent":"$body_bytes_sent",'
'"upstream_response_time":"$upstream_response_time",'
'"host":"$host",'
'"proxy_host":"$proxy_host",'
'"upstream":"$upstream_addr"'
'}';
gzip off;
# Entrypoint generates the proxy_cache_path here, so it is configurable externally.
include /etc/nginx/conf.d/cache_max_size.conf;
# Just in case you want to rewrite some hosts. Default maps directly.
map $host $targetHost {
hostnames;
include /etc/nginx/docker.targetHost.map;
default $host;
}
# A map to enable authentication to some specific docker registries.
# This is auto-generated by the entrypoint.sh based on environment variables
map $host $dockerAuth {
hostnames;
include /etc/nginx/docker.auth.map;
default "";
}
# @TODO: actually for auth.docker.io, if we want to support multiple authentications, we'll need to decide
# @TODO: based not only on the hostname, but also URI (/token) and query string (?scope)
# @TODO: I wonder if this would help gcr.io and quay.io with authentication also....
map $dockerAuth $finalAuth {
"" "$http_authorization"; # if empty, keep the original passed-in from the docker client.
default "Basic $dockerAuth"; # if not empty, add the Basic preamble to the auth
}
# Map to decide which hosts get directed to the caching portion.
# This is automatically generated from the list of cached registries, plus a few fixed hosts
# By default, we don't intercept, allowing free flow of non-registry traffic
map $connect_host $interceptedHost {
hostnames;
include /etc/nginx/docker.intercept.map;
default "$connect_addr"; # $connect_addr is 'IP address and port of the remote host, e.g. "192.168.1.5:12345". IP address is resolved from host name of CONNECT request line.'
}
# These maps parse the original Host and URI from a /forcecache redirect.
map $request_uri $realHost {
~/forcecacheinsecure/([^:/]+)/originalwas(/.+) $1;
~/forcecachesecure/([^:/]+)/originalwas(/.+) $1;
default "DID_NOT_MATCH_HOST";
}
map $request_uri $realPath {
~/forcecacheinsecure/([^:/]+)/originalwas(/.+) $2;
~/forcecachesecure/([^:/]+)/originalwas(/.+) $2;
default "DID_NOT_MATCH_PATH";
}
# The proxy director layer, listens on 3128
server {
listen 3128;
listen [::]:3128;
server_name proxy_director_;
# dont log the CONNECT proxy.
#access_log /var/log/nginx/access.log debug_proxy;
access_log off;
set $docker_proxy_request_type "unknown-connect";
proxy_connect;
proxy_connect_allow all;
proxy_connect_address $interceptedHost;
proxy_max_temp_file_size 0;
# We need to resolve the real names of our proxied servers.
#resolver 8.8.8.8 4.2.2.2 ipv6=off; # Avoid ipv6 addresses for now
include /etc/nginx/resolvers.conf;
# forward proxy for non-CONNECT request
location / {
add_header "Content-type" "text/plain" always;
return 200 "docker-registry-proxy: The docker caching proxy is working!";
}
location /ca.crt {
alias /ca/ca.crt;
}
location /setup/systemd {
add_header "Content-type" "text/plain" always;
return 200 '
set -e
if [ ! -d /etc/systemd ]; then
echo "Not a systemd system"
exit 1
fi
mkdir -p /etc/systemd/system/docker.service.d
cat << EOD > /etc/systemd/system/docker.service.d/http-proxy.conf
[Service]
Environment="HTTPS_PROXY=$scheme://$http_host/"
EOD
# Get the CA certificate from the proxy and make it a trusted root.
curl $scheme://$http_host/ca.crt > /usr/share/ca-certificates/docker_registry_proxy.crt
if fgrep -q "docker_registry_proxy.crt" /etc/ca-certificates.conf ; then
echo "certificate refreshed"
else
echo "docker_registry_proxy.crt" >> /etc/ca-certificates.conf
fi
update-ca-certificates --fresh
# Reload systemd
systemctl daemon-reload
# Restart dockerd
systemctl restart docker.service
echo "Docker configured with HTTPS_PROXY=$scheme://$http_host/"
';
} # end location /setup/systemd
} # end server
# The caching layer
server {
# Listen on both 80 and 443, for all hostnames.
# actually could be 443 or 444, depending on debug. this is now generated by the entrypoint.
listen 80 default_server;
include /etc/nginx/caching.layer.listen;
server_name proxy_caching_;
# Do some tweaked logging.
access_log /var/log/nginx/access.log tweaked;
set $docker_proxy_request_type "unknown";
# Send upstream status as header
add_header X-Docker-Registry-Proxy-Cache-Upstream-Status "$upstream_cache_status";
# Use the generated certificates, they contain names for all the proxied registries.
ssl_certificate /certs/fullchain.pem;
ssl_certificate_key /certs/web.key;
# We need to resolve the real names of our proxied servers.
#resolver 8.8.8.8 4.2.2.2 ipv6=off; # Avoid ipv6 addresses for now
include /etc/nginx/resolvers.conf;
# Docker needs this. Don't ask.
chunked_transfer_encoding on;
# configuration of the different allowed methods
include "/etc/nginx/conf.d/allowed.methods.conf";
proxy_read_timeout 900;
# Request buffering
include /etc/nginx/proxy.request.buffering.conf;
# Use cache locking, with a huge timeout, so that multiple Docker clients asking for the same blob at the same time
# will wait for the first to finish instead of doing multiple upstream requests.
proxy_cache_lock on;
proxy_cache_lock_timeout 880s;
# Cache all 200, 206 for 60 days.
proxy_cache_valid 200 206 60d;
# Some extra settings to maximize cache hits and efficiency
proxy_force_ranges on;
proxy_ignore_client_abort on;
proxy_cache_revalidate on;
# Hide/ignore headers from caching. S3 especially likes to send Expires headers in the past in some situations.
proxy_hide_header Set-Cookie;
proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
# Add the authentication info, if the map matched the target domain.
proxy_set_header Authorization $finalAuth;
# Use SNI during the TLS handshake with the upstream.
proxy_ssl_server_name on;
# This comes from a include file generated by the entrypoint.
include /etc/nginx/docker.verify.ssl.conf;
# Block API v1. We dont know how to handle these.
# Docker-client should start with v2 and fallback to v1 if something fails, for example, if authentication failed to a protected v2 resource.
location /v1 {
return 405 "docker-registry-proxy: docker is trying to use v1 API. Either the image does not exist upstream, or you need to configure docker-registry-proxy to authenticate against $host";
}
# For blob requests by digest, do cache, and treat redirects.
location ~ ^/v2/(.*)/blobs/sha256:(.*) {
set $docker_proxy_request_type "blob-by-digest";
include "/etc/nginx/nginx.manifest.common.conf";
}
# For manifest requests by digest, do cache, and treat redirects.
# These are some of the requests that DockerHub will throttle.
location ~ ^/v2/(.*)/manifests/sha256:(.*) {
set $docker_proxy_request_type "manifest-by-digest";
include "/etc/nginx/nginx.manifest.common.conf";
}
# Config for manifest URL caching is generated by the entrypoint based on ENVs.
# Go check it out, entrypoint.sh
include "/etc/nginx/nginx.manifest.caching.config.conf";
# Cache blobs requests that are not by digest
# Since these are mutable, we invalidate them immediately and keep them only in case the backend is down
location ~ ^/v2/(.*)/blobs/ {
set $docker_proxy_request_type "blob-mutable";
proxy_cache_valid 0s;
include "/etc/nginx/nginx.manifest.stale.conf";
}
location @handle_redirects {
#store the current state of the world so we can reuse it in a minute
# We need to capture these values now, because as soon as we invoke
# the proxy_* directives, these will disappear
set $original_uri $uri;
set $orig_loc $upstream_http_location;
# during this process, nginx will preserve the headers intended for the original destination.
# in most cases thats okay, but for some (eg: google storage), passing an Authorization
# header can cause problems. Also, that would leak the credentials for the registry
# into the storage system (unrelated).
proxy_set_header Authorization "";
# nginx goes to fetch the value from the upstream Location header
proxy_pass $orig_loc;
proxy_cache cache;
# But we store the result with the cache key of the original request URI
# so that future clients don't need to follow the redirect too
proxy_cache_key $original_uri;
}
# by default, dont cache anything.
location / {
proxy_pass https://$targetHost;
proxy_cache off;
}
}
}