-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
202 lines (169 loc) · 6.91 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
# Based on: https://github.com/SUSE/Portus/blob/master/examples/compose/nginx/nginx.conf
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
charset UTF-8;
# Some basic config.
server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# On timeouts.
keepalive_timeout 65;
client_header_timeout 240;
client_body_timeout 240;
fastcgi_read_timeout 249;
reset_timedout_connection on;
## Set a variable to help us decide if we need to add the
## 'Docker-Distribution-Api-Version' header.
## The registry always sets this header.
## In the case of nginx performing auth, the header will be unset
## since nginx is auth-ing before proxying.
map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
'' 'registry/2.0';
}
upstream portus {
least_conn;
server portus:3000 max_fails=3 fail_timeout=15s;
}
upstream registry {
least_conn;
server registry:5000 max_fails=3 fail_timeout=15s;
}
server {
listen 443 ssl http2;
server_name docker.bioinfo.no;
root /srv/Portus/public;
##
# SSL
ssl on;
# Certificates
ssl_certificate /run/secrets/cert.crt;
ssl_certificate_key /run/secrets/privkey.key;
# Enable session resumption to improve https performance
#
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:150m;
ssl_session_timeout 150m;
# Enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# Disable SSLv3 (enabled by default since nginx 0.8.19)
# since it's less secure than TLS
# http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Ciphers chosen for forward secrecy and compatibility.
#
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
##
# Docker-specific stuff.
proxy_set_header Host $http_host; # required for Docker client sake
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
# disable any limits to avoid HTTP 413 for large image uploads
client_max_body_size 0;
# required to avoid HTTP 411: see Issue #1486
# (https://github.com/docker/docker/issues/1486)
chunked_transfer_encoding on;
##
# Custom headers.
# Adding HSTS[1] (HTTP Strict Transport Security) to avoid SSL stripping[2].
#
# [1] https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# [2] https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# Don't allow the browser to render the page inside a frame or iframe
# and avoid Clickjacking. More in the following link:
#
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options DENY;
# Disable content-type sniffing on some browsers.
add_header X-Content-Type-Options nosniff;
# This header enables the Cross-site scripting (XSS) filter built into
# most recent web browsers. It's usually enabled by default anyway, so the
# role of this header is to re-enable the filter for this particular
# website if it was disabled by the user.
add_header X-XSS-Protection "1; mode=block";
# Add header for IE in compatibility mode.
add_header X-UA-Compatible "IE=edge";
# Redirect (most) requests to /v2/* to the Docker Registry
location /v2/ {
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
## If $docker_distribution_api_version is empty, the header will not be added.
## See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_pass https://registry;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 9000;
proxy_connect_timeout 9000;
proxy_send_timeout 9000;
client_max_body_size 0;
proxy_buffering on;
}
# Portus needs to handle /v2/token for authentication
location = /v2/token {
proxy_pass https://portus;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 9000;
proxy_connect_timeout 9000;
proxy_send_timeout 9000;
client_max_body_size 0;
proxy_buffering on;
}
# Portus needs to handle /v2/webhooks/events for notifications
location = /v2/webhooks/events {
proxy_pass https://portus;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 9000;
proxy_connect_timeout 9000;
proxy_send_timeout 9000;
client_max_body_size 0;
proxy_buffering on;
}
# Assets are mapped inside of /srv/Portus/public from a shared volume.
location ~ ^/(assets)/ {
access_log off;
gzip_static on;
expires max;
add_header Cache-Control public;
add_header Last-Modified "";
add_header ETag "";
break;
}
# Portus handles everything else for the UI
location / {
try_files $uri/index.html $uri.html $uri @portus;
}
location @portus {
proxy_pass https://portus;
proxy_set_header Host $http_host; # required for docker client's sake
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 9000;
proxy_connect_timeout 9000;
proxy_send_timeout 9000;
client_max_body_size 0;
proxy_buffering on;
}
}
}