public/docker-registry-proxy
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

add mitmproxy/nginx-debug inspection capabilities

Browse Source 
- avoid some caching for non-blob urls
This commit is contained in:
Ricardo Pardini
2018-11-04 11:23:52 +01:00
parent 1486d6920e
commit 8ff06e3dec
4 changed files with 107 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
nginx.conf
View File

@@ -1,7 +1,9 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
# error log config comes from external file created by entrypoint, to toggle debug on/off.
include /etc/nginx/error.log.debug.warn;
pid /var/run/nginx.pid;
events {
@@ -13,28 +15,28 @@ http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Use a debug-oriented logging format.
# Use a debug-oriented logging format.
log_format debugging '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent '
'"HOST: $host" "UPSTREAM: $upstream_addr" '
'"UPSTREAM-STATUS: $upstream_status" '
'"SSL-PROTO: $ssl_protocol" '
'"CONNECT-HOST: $connect_host" "CONNECT-PORT: $connect_port" "CONNECT-ADDR: $connect_addr" '
'"CONNECT-HOST: $connect_host" "CONNECT-PORT: $connect_port" "CONNECT-ADDR: $connect_addr" "INTERCEPTED: $interceptedHost" '
'"PROXY-HOST: $proxy_host" "UPSTREAM-REDIRECT: $upstream_http_location" "CACHE-STATUS: $upstream_cache_status" '
'"AUTH: $http_authorization" ' ;
log_format tweaked '$upstream_cache_status [$time_local] "$uri" '
'$status $body_bytes_sent '
'"HOST:$host" '
'"PROXY-HOST:$proxy_host" "UPSTREAM:$upstream_addr" ';
keepalive_timeout 300;
gzip off;
# The cache directory. This can get huge. Better to use a Docker volume pointing here!
# Set to 32gb which should be enough
proxy_cache_path /docker_mirror_cache levels=1:2 max_size=32g inactive=60d keys_zone=cache:10m use_temp_path=off;
# Just in case you want to rewrite some hosts. Default maps directly.
map $host $targetHost {
hostnames;
@@ -48,7 +50,7 @@ http {
include /etc/nginx/docker.auth.map;
default "";
}
# Map to decide which hosts get directed to the caching portion.
# This is automatically generated from the list of cached registries, plus a few fixed hosts
# By default, we don't intercept, allowing free flow of non-registry traffic
@@ -57,13 +59,13 @@ http {
include /etc/nginx/docker.intercept.map;
default "$connect_host:443";
}
map $dockerAuth $finalAuth {
map $dockerAuth $finalAuth {
"" "$http_authorization"; # if empty, keep the original passed-in from the client
default "Basic $dockerAuth"; # if not empty, add the Basic preamble to the auth
}
# These maps parse the original Host and URI from a /forcecache redirect.
map $request_uri $realHost {
~/forcecacheinsecure/([^:/]+)/originalwas(/.+) $1;
@@ -76,20 +78,20 @@ http {
~/forcecachesecure/([^:/]+)/originalwas(/.+) $2;
default "DID_NOT_MATCH_PATH";
}
# The proxy director layer, listens on 3128
server {
listen 3128;
server_name _;
# dont log the CONNECT proxy.
access_log off;
proxy_connect;
proxy_connect_address $interceptedHost;
proxy_max_temp_file_size 0;
# We need to resolve the real names of our proxied servers.
resolver 8.8.8.8 4.2.2.2 ipv6=off; # Avoid ipv6 addresses for now
@@ -97,22 +99,23 @@ http {
location / {
return 403 "The docker caching proxy is working!";
}
location /ca.crt {
alias /ca/ca.crt;
alias /ca/ca.crt;
}
# @TODO: add a dynamic root path that generates instructions for usage on docker clients
}
# The caching layer
server {
# Listen on both 80 and 443, for all hostnames.
# actually could be 443 or 444, depending on debug. this is now generated by the entrypoint.
listen 80 default_server;
listen 443 ssl default_server;
include /etc/nginx/caching.layer.listen;
server_name _;
# Do some tweaked logging.
access_log /var/log/nginx/access.log tweaked;
@@ -136,17 +139,17 @@ http {
if ($request_method = DELETE) {
return 405 "DELETE method is not allowed";
}
proxy_read_timeout 900;
# Use cache locking, with a huge timeout, so that multiple Docker clients asking for the same blob at the same time
# Use cache locking, with a huge timeout, so that multiple Docker clients asking for the same blob at the same time
# will wait for the first to finish instead of doing multiple upstream requests.
proxy_cache_lock on;
proxy_cache_lock_timeout 120s;
# Cache all 200, 301, 302, and 307 (emitted by private registries) for 60 days.
proxy_cache_valid 200 301 302 307 60d;
proxy_cache_valid 200 301 302 307 60d;
# Some extra settings to maximize cache hits and efficiency
proxy_force_ranges on;
proxy_ignore_client_abort on;
@@ -155,13 +158,13 @@ http {
# Hide/ignore headers from caching. S3 especially likes to send Expires headers in the past in some situations.
proxy_hide_header Set-Cookie;
proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
# Add the authentication info, if the map matched the target domain.
proxy_set_header Authorization $finalAuth;
# This comes from a include file generated by the entrypoint.
include /etc/nginx/docker.verify.ssl.conf;
# Some debugging info
# add_header X-Docker-Caching-Proxy-Real-Host $realHost;
# add_header X-Docker-Caching-Proxy-Real-Path $realPath;
@@ -176,23 +179,35 @@ http {
# don't cache mutable entity /v2/<name>/manifests/<reference> (unless the reference is a digest)
location ~ ^/v2/[^\/]+/manifests/(?![A-Fa-f0-9_+.-]+:) {
proxy_pass https://$targetHost;
add_header X-Docker-Caching-Proxy-Debug-Cache "no:manifests";
}
# don't cache mutable entity /v2/<name>/tags/list
location ~ ^/v2/[^\/]+/tags/list {
proxy_pass https://$targetHost;
proxy_cache off;
add_header X-Docker-Caching-Proxy-Debug-Cache "no:tagslist";
}
# don't cache mutable entity /v2/_catalog
location ~ ^/v2/_catalog$ {
proxy_pass https://$targetHost;
proxy_cache off;
add_header X-Docker-Caching-Proxy-Debug-Cache "no:catalog";
}
# force cache of the first hit which is always /v2/ - even for 401 unauthorized.
# dont cache the first hit which is always /v2/
location = /v2/ {
proxy_pass https://$targetHost;
proxy_cache cache;
proxy_cache_valid 200 301 302 307 401 60d;
proxy_cache off;
add_header X-Docker-Caching-Proxy-Debug-Cache "no:rootv2";
}
# dont cache /token (done against auth servers)
location = /token {
proxy_pass https://$targetHost;
proxy_cache off;
add_header X-Docker-Caching-Proxy-Debug-Cache "no:token";
}
# cache everything else
@@ -208,6 +223,8 @@ http {
# We to it twice, one for http and another for https.
proxy_redirect ~^https://([^:/]+)(/.+)$ https://docker.caching.proxy.internal/forcecachesecure/$1/originalwas$2;
proxy_redirect ~^http://([^:/]+)(/.+)$ http://docker.caching.proxy.internal/forcecacheinsecure/$1/originalwas$2;
add_header X-Docker-Caching-Proxy-Debug-Cache "yes:everythingelse";
}
# handling for the redirect case explained above, with https.
@@ -215,9 +232,12 @@ http {
location /forcecachesecure {
proxy_pass https://$realHost$realPath;
proxy_cache cache;
# Change the cache key, so that we can cache signed S3 requests and such. Only host and path are considered.
proxy_cache_key $proxy_host$uri;
add_header X-Docker-Caching-Proxy-Debug-Cache "yes:forcecachesecure";
}
# handling for the redirect case explained above, with http.
@@ -225,9 +245,11 @@ http {
location /forcecacheinsecure {
proxy_pass http://$realHost$realPath;
proxy_cache cache;
# Change the cache key, so that we can cache signed S3 requests and such. Only host and path are considered.
proxy_cache_key $proxy_host$uri;
add_header X-Docker-Caching-Proxy-Debug-Cache "yes:forcecacheinsecure";
}
}
}