Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Portus/examples/compose/nginx/nginx.conf
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
198 lines (164 sloc)
6.84 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This file is largely based on the one written by @Djelibeybi in: | |
| # https://github.com/Djelibeybi/Portus-On-OracleLinux7/ | |
| # List of known problems with this file: | |
| # | |
| # NOTE: this file uses only one certificate for the different services. This is | |
| # not the best way to go (see #1906). | |
| # BUG: proxy_ssl_verify is off (NGinx default). This means that certificate | |
| # validation is off on proxied traffic, which is bad (see #1907). | |
| events { | |
| worker_connections 1024; | |
| } | |
| http { | |
| include mime.types; | |
| default_type application/octet-stream; | |
| charset UTF-8; | |
| # Some basic config. | |
| server_tokens off; | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| # On timeouts. | |
| keepalive_timeout 65; | |
| client_header_timeout 240; | |
| client_body_timeout 240; | |
| fastcgi_read_timeout 249; | |
| reset_timedout_connection on; | |
| ## Set a variable to help us decide if we need to add the | |
| ## 'Docker-Distribution-Api-Version' header. | |
| ## The registry always sets this header. | |
| ## In the case of nginx performing auth, the header will be unset | |
| ## since nginx is auth-ing before proxying. | |
| map $upstream_http_docker_distribution_api_version $docker_distribution_api_version { | |
| '' 'registry/2.0'; | |
| } | |
| upstream portus { | |
| least_conn; | |
| server portus:3000 max_fails=3 fail_timeout=15s; | |
| } | |
| upstream registry { | |
| least_conn; | |
| server registry:5000 max_fails=3 fail_timeout=15s; | |
| } | |
| server { | |
| listen 443 ssl http2; | |
| server_name 172.17.0.1; | |
| root /srv/Portus/public; | |
| ## | |
| # SSL | |
| ssl on; | |
| # Certificates | |
| ssl_certificate /secrets/portus.crt; | |
| ssl_certificate_key /secrets/portus.key; | |
| # Enable session resumption to improve https performance | |
| # | |
| # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_timeout 10m; | |
| # Enables server-side protection from BEAST attacks | |
| # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html | |
| ssl_prefer_server_ciphers on; | |
| # Disable SSLv3 (enabled by default since nginx 0.8.19) | |
| # since it's less secure than TLS | |
| # http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| # Ciphers chosen for forward secrecy and compatibility. | |
| # | |
| # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html | |
| ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | |
| ## | |
| # Docker-specific stuff. | |
| proxy_set_header Host $http_host; # required for Docker client sake | |
| proxy_set_header X-Forwarded-Host $http_host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Scheme $scheme; | |
| # disable any limits to avoid HTTP 413 for large image uploads | |
| client_max_body_size 0; | |
| # required to avoid HTTP 411: see Issue #1486 | |
| # (https://github.com/docker/docker/issues/1486) | |
| chunked_transfer_encoding on; | |
| ## | |
| # Custom headers. | |
| # Adding HSTS[1] (HTTP Strict Transport Security) to avoid SSL stripping[2]. | |
| # | |
| # [1] https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security | |
| # [2] https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping | |
| add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; | |
| # Don't allow the browser to render the page inside a frame or iframe | |
| # and avoid Clickjacking. More in the following link: | |
| # | |
| # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options | |
| add_header X-Frame-Options DENY; | |
| # Disable content-type sniffing on some browsers. | |
| add_header X-Content-Type-Options nosniff; | |
| # This header enables the Cross-site scripting (XSS) filter built into | |
| # most recent web browsers. It's usually enabled by default anyway, so the | |
| # role of this header is to re-enable the filter for this particular | |
| # website if it was disabled by the user. | |
| add_header X-XSS-Protection "1; mode=block"; | |
| # Add header for IE in compatibility mode. | |
| add_header X-UA-Compatible "IE=edge"; | |
| # Redirect (most) requests to /v2/* to the Docker Registry | |
| location /v2/ { | |
| # Do not allow connections from docker 1.5 and earlier | |
| # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents | |
| if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { | |
| return 404; | |
| } | |
| ## If $docker_distribution_api_version is empty, the header will not be added. | |
| ## See the map directive above where this variable is defined. | |
| add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always; | |
| proxy_pass https://registry; | |
| proxy_set_header Host $http_host; # required for docker client's sake | |
| proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_read_timeout 900; | |
| proxy_buffering on; | |
| } | |
| # Portus needs to handle /v2/token for authentication | |
| location = /v2/token { | |
| proxy_pass https://portus; | |
| proxy_set_header Host $http_host; # required for docker client's sake | |
| proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_read_timeout 900; | |
| proxy_buffering on; | |
| } | |
| # Portus needs to handle /v2/webhooks/events for notifications | |
| location = /v2/webhooks/events { | |
| proxy_pass https://portus; | |
| proxy_set_header Host $http_host; # required for docker client's sake | |
| proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_read_timeout 900; | |
| proxy_buffering on; | |
| } | |
| # Assets are mapped inside of /srv/Portus/public from a shared volume. | |
| location ~ ^/(assets)/ { | |
| access_log off; | |
| gzip_static on; | |
| expires max; | |
| add_header Cache-Control public; | |
| add_header Last-Modified ""; | |
| add_header ETag ""; | |
| break; | |
| } | |
| # Portus handles everything else for the UI | |
| location / { | |
| try_files $uri/index.html $uri.html $uri @portus; | |
| } | |
| location @portus { | |
| proxy_pass https://portus; | |
| proxy_set_header Host $http_host; # required for docker client's sake | |
| proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_read_timeout 900; | |
| proxy_buffering on; | |
| } | |
| } | |
| } |