# Django application backend (targeted by the @django, /api/v1/ and /auth
# locations below). The loopback address means the backend is expected to
# listen on localhost only, i.e. it is reached through this proxy.
# fail_timeout=0 is the usual gunicorn-style setting (never take the backend
# out of rotation after a failed attempt); with a single server in the group
# nginx ignores max_fails/fail_timeout anyway.
upstream django
{
	server 127.0.0.1:8000  fail_timeout=0;
}
# Async (aio) backend, targeted by the /aio/, job events and registry
# manifest locations below. Loopback address: expected to listen on
# localhost only. fail_timeout=0 as for the django upstream (single-server
# group, so the failure-tracking parameters are ignored by nginx anyway).
upstream aio
{
	server 127.0.0.1:8001  fail_timeout=0;
}

server
{
  listen		8080;

  # Request bodies up to 1G are accepted (large uploads to the registry and
  # datastore, presumably). With client_body_in_file_only every body is spooled
  # to a temporary file, which "clean" removes once the request is processed;
  # so disk space rather than RAM is what bounds concurrent uploads, and the
  # 32K buffer only matters for the initial read.
  client_max_body_size 1G;
  client_body_in_file_only clean;
  client_body_buffer_size 32K;

  # ----
  # locations are listed in their application/priority order

  location /api/
  { # The CORS config allows any origin. These endpoints MUST NOT use
    # authentication by cookie: the browser would attach a cookie automatically
    # to requests coming from any page, whereas an Authorization header must be
    # set explicitly by the caller.
    if ($request_method = 'OPTIONS')
    {
      add_header 'Access-Control-Allow-Origin' '*';
      add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

      add_header 'Access-Control-Max-Age' 1728000;
      add_header 'Content-Type' 'text/plain; charset=utf-8';
      add_header 'Content-Length' 0;

      # Custom headers and headers various browsers *should* be OK with but aren't
      add_header 'Access-Control-Allow-Headers' 'Content-Type,Authorization';

      return 204;
    }

    location /api/v1/
    { # it's not illegal access, go through django
      add_header Access-Control-Allow-Origin "*";

      proxy_pass http://django;
      proxy_redirect off; # work without it, maybe it's bad to remove it

      # header set to distinguish between requests going directly from nginx and
      # requests going through aio
      #
      # This is a security feature. Django trusts this value (like the
      # X-Forwarded-* headers), do not remove it !
      proxy_set_header	X-Origin	"nginx";
    }

    location /api/v1/datastore/
    { # it's not illegal access, access to static file
      autoindex on;
      auth_request     /auth;
      auth_request_set $auth_status $upstream_status;
      alias /vol/rw/datastore/;


      # This is a security measure (DO NOT REMOVE)
      #
      # By default nginx follows symbolic links, which would be a major
      # vulnerability because jobs could create symbolic links to any file
      # inside django container (like the secret key for signing tokens)
      #
      disable_symlinks on;
    }

    # Job event endpoint (numeric job id), served by aio rather than django,
    # with response buffering disabled so data is relayed as aio produces it.
    # Presumably a long-lived event stream; if so, note that nginx's default
    # proxy_read_timeout (60s) closes the connection when aio stays silent
    # for that long.
    #
    # NOTE(review): nothing here sets or strips the X-Origin request header, so
    # a client-supplied value reaches aio unchanged. Django trusts X-Origin (see
    # the /api/v1/ location); if aio relays request headers to django, confirm
    # it overwrites X-Origin rather than forwarding it.
    location ~ ^/api/v1/jobs/\d+/events$ {
    	proxy_pass http://aio;
	proxy_redirect  off;
	proxy_buffering	off;
    }

  } #location /api/


  # Target of the auth_request subrequests issued by the datastore locations.
  # Django's auth view answers with a status code: 2xx lets the original
  # request proceed, 401/403 is returned to the client. `internal` makes this
  # location unreachable by clients directly; X-Original-URI carries the path
  # of the request being authorized, presumably so the view can decide per
  # resource.
  #
  # NOTE(review): unlike the /api/v1/ and @django locations, this subrequest
  # does not set X-Origin — confirm the auth view does not depend on it.
  location = /auth
  { # call the auth view in django
    # = grants that only known users can go through
    internal;
    proxy_pass              http://django/auth;
    proxy_redirect off;
    proxy_set_header        X-Original-URI $request_uri;
  }


  # Async endpoints, proxied to aio with response buffering disabled (the
  # /aio/ prefix is preserved in the upstream URI).
  #
  # NOTE(review): request headers pass through to aio unmodified here, including
  # a client-supplied X-Origin. Django trusts X-Origin (see /api/v1/), so if aio
  # relays request headers to django confirm it overwrites that header.
  location /aio/
  { # allgo async endpoints
	proxy_pass	http://aio/aio/;
	proxy_redirect  off;
	proxy_buffering	off;
  }


  location @django
  { # simple access to the web site
    proxy_redirect off;
    proxy_pass http://django;

    # header set to distinguish between requests going directly from nginx and
    # requests going through aio
    #
    # This is a security feature. Django trusts this value (like the
    # X-Forwarded-* headers), do not remove it !
    proxy_set_header	X-Origin	"nginx";
  }



  # registry endpoints
  # - forwarded to the registry
  # - except manifest push/pull -> forwarded through the django server (to
  # 	guarantee that the db is transactionally updated)
  location /v2/
  {
	proxy_pass	{ALLGO_REGISTRY_PRIVATE_URL}/v2/;
	proxy_redirect  off;
	proxy_buffering	off;
	proxy_ssl_verify		on;
	proxy_ssl_trusted_certificate	/vol/ro/certs/registry.crt;

	# Manifest push/pull. The comment at the top of /v2/ says these go
	# "through the django server", but proxy_pass targets the aio upstream —
	# NOTE(review): confirm which is intended (aio may be the relay to django).
	# limit_except GET PUT: allowing GET also allows HEAD, so GET/HEAD/PUT pass
	# and every other method (notably DELETE) is answered with 403.
	location ~ ^/v2/.*/manifests/[^/]*$ {
		proxy_pass	http://aio;

		# for the moment we do not allow deleting images
		limit_except GET PUT { deny all; }
	}
	# Blob existence checks / downloads go straight to the registry. Only HEAD
	# is permitted (the existence check a push performs); GET, i.e. pulling a
	# blob, and DELETE get 403. Upload paths (/v2/<name>/blobs/uploads/...)
	# contain a further slash, so they do not match [^/]*$ and fall through to
	# the enclosing /v2/ location instead.
	#
	# NOTE(review): nginx rejects a proxy_pass with a URI part inside a regex
	# location, so this only loads if ALLGO_REGISTRY_PRIVATE_URL expands to
	# scheme://host[:port] with no path (the enclosing /v2/ location appends
	# /v2/ itself, which suggests that is the case — confirm).
	location ~ ^/v2/.*/blobs/[^/]*$ {
		proxy_pass	{ALLGO_REGISTRY_PRIVATE_URL};

		# for the moment we only allow pushing images
		limit_except HEAD { deny all; }
	}
  }


  location /datastore/
  { # access to static files
    autoindex on;
    auth_request     /auth;
    auth_request_set $auth_status $upstream_status;
    alias /vol/rw/datastore/;

    # This is a security measure (DO NOT REMOVE)
    #
    # By default nginx follows symbolic links, which would be a major
    # vulnerability because jobs could create symbolic links to any file
    # inside django container (like the secret key for signing tokens)
    #
    disable_symlinks on;
  }

  location /
  { # allgo endpoints
    # - static files served directly by nginx
    # - other requests forwarded to the django server
	sendfile on;
	send_timeout 300s;

	keepalive_timeout 5;
	root /var/www/html;
	try_files $uri/index.html $uri.html $uri @django;
  }
} #server