feat(nginx): cache by blob sha instead of uri

[ChandonPierre]

From upstream PR: rpardini#107

If images sourced from separate registries share the same layer, do not cache them twice

Tested with ghcr.io/goauthentik/server:2023.10.6 registry.gitlab.com/coreweave/utility-images/authentik:66c08674 from the below dockerfile

Almost all layers were cache HITs when pulling the second image, versus MISS in the previous implementation

# Use the base image from ghcr.io/goauthentik/server with tag 2023.10.6
FROM ghcr.io/goauthentik/server:2023.10.6

# Download the LDAP models.py file and add it to /authentik/sources/ldap/models.py
ADD https://raw.githubusercontent.com/goauthentik/authentik/c0b7d32b365520425e24d8a22940525d5327b205/authentik/sources/ldap/models.py /authentik/sources/ldap/models.py

USER root

RUN chmod 644 /authentik/sources/ldap/models.py

USER 1000

[robbat2]

how does this prevent a cache collision between HEAD/GET/OPTIONS on the same URLs? Esp when the conditionals for ALLOW_PUSH etc are false, so proxy_cache_methods is not set.

I think $request_method should have been included in the cache_key, so that HEAD is also cached, distinctly from GET requests.

If you've tested that case, sure, let's ship it, otherwise please verify that first.
As a plus, it will also mean that HEAD is cached and doesn't hit ratelimits

[ChandonPierre]

how does this prevent a cache collision between HEAD/GET/OPTIONS on the same URLs? Esp when the conditionals for ALLOW_PUSH etc are false, so proxy_cache_methods is not set.

I think $request_method should have been included in the cache_key, so that HEAD is also cached, distinctly from GET requests.

If you've tested that case, sure, let's ship it, otherwise please verify that first. As a plus, it will also mean that HEAD is cached and doesn't hit ratelimits

Good catch; that's likely the reason for rpardini#89

I'll pull in something similar and add to this PR