
Commit af65390

author
ricardop
committed
tweaks for caching; ignore caching headers from upstreams; key cache only by host/path (no params)
1 parent 325dd23 commit af65390


1 file changed

+35
-4
lines changed


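--- a/nginx.conf
+++ b/nginx.conf
@@ -35,6 +35,14 @@ http {
 default $host;
 }
 
+# A map to enable authentication to some specific docker hosts.
+# To use this, mount a volume in docker.
+
+map $host $dockerAuth {
+include /etc/nginx/docker.auth.*.map;
+default "";
+}
+
 # These maps parse the original Host and URI from a /forcecache redirect.
 map $request_uri $realHost {
 ~/forcecacheinsecure/([^:/]+)/originalwas(/.+) $1;
@@ -74,22 +82,35 @@ http {
 if ($request_method = DELETE) {
 return 405;
 }
-
+
 proxy_read_timeout 900;
 
 # Use cache locking, with a huge timeout, so that multiple Docker clients asking for the same blob at the same time
 # will wait for the first to finish instead of doing multiple upstream requests.
 proxy_cache_lock on;
 proxy_cache_lock_timeout 120s;
-proxy_cache_valid 200 301 302 60d; # Cache all 200, 301, and 302 for 60 days.
+
+# Cache all 200, 301, 302, and 307 (emitted by private registries) for 60 days.
+proxy_cache_valid 200 301 302 307 60d;
+
+# Some extra settings to maximize cache hits and efficiency
 proxy_force_ranges on;
 proxy_ignore_client_abort on;
 proxy_cache_revalidate on;
 
+# Hide/ignore headers from caching. S3 especially likes to send Expires headers in the past in some situations.
+proxy_hide_header Set-Cookie;
+proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
+
+# Block API v1. We dont know how to handle these.
+# Docker-client should start with v2 and fallback to v1 if something fails, for example, if authentication failed to a protected v2 resource.
+location /v1 {
+return 405;
+}
+
 # don't cache mutable entity /v2/<name>/manifests/<reference> (unless the reference is a digest)
 location ~ ^/v2/[^\/]+/manifests/(?![A-Fa-f0-9_+.-]+:) {
 proxy_pass https://$targetHost;
-add_header X-Eh-Aqui $targetHost;
 }
 
 # don't cache mutable entity /v2/<name>/tags/list
@@ -122,6 +143,11 @@ http {
 location /forcecachesecure {
 proxy_pass https://$realHost$realPath;
 proxy_cache cache;
+
+# Change the cache key, so that we can cache signed S3 requests and such. Only host and path are considered.
+proxy_cache_key $proxy_host$uri;
+
+# Some debugging headers. Not important
 add_header X-Docker-Caching-Proxy-Real-Proto https;
 add_header X-Docker-Caching-Proxy-Real-Host $realHost;
 add_header X-Docker-Caching-Proxy-Real-Path $realPath;
@@ -132,9 +158,14 @@ http {
 location /forcecacheinsecure {
 proxy_pass http://$realHost$realPath;
 proxy_cache cache;
+
+# Change the cache key, so that we can cache signed S3 requests and such. Only host and path are considered.
+proxy_cache_key $proxy_host$uri;
+
+# Some debugging headers. Not important
 add_header X-Docker-Caching-Proxy-Real-Proto http;
 add_header X-Docker-Caching-Proxy-Real-Host $realHost;
 add_header X-Docker-Caching-Proxy-Real-Path $realPath;
 }
 }
-}
+}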
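Review bot: The new `proxy_cache_key $proxy_host$uri;` in `/forcecachesecure` (and the identical line in `/forcecacheinsecure`) drops the query string that carries the upstream signature, while `proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;` and the 60d `proxy_cache_valid` discard any `Cache-Control: private` or `no-store` the upstream sends. The effect is that an object fetched once with a valid signed URL is afterwards served from cache, for up to 60 days, to every client that can reach the proxy, with no upstream authorization check. With the new `$dockerAuth` map this presumably extends to blobs from authenticated private registries, although the use of that map is outside these hunks. If that trade-off is intended it should be stated next to the key, e.g. `# NOTE: cached objects are served without re-checking upstream authorization; expose this proxy only to clients trusted to read everything it caches.`, and the query-less key would be safer if limited to content-addressed (digest) paths so that responses which legitimately vary by parameter cannot collide.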
