mirror of
https://github.com/goharbor/harbor.git
synced 2024-11-30 06:03:45 +01:00
0d44e4f535
Modify nginx configuration to use 308 instead of 301 on the http to https redirect. Fix problems with some clients on POST requests that are transformed to GET on 301 redirect (per HTTP 1.1 standard). See [RFC7538](https://tools.ietf.org/html/rfc7538). Signed-off-by: Stéphane Albert <sheeprine@oh.its.fake.nullplace.com>
# Process-level settings: one worker process per detected CPU core.
worker_processes auto;

events {
  # Upper bound on simultaneous connections held by each worker process.
  worker_connections 1024;
  # Use the Linux epoll connection-processing method.
  use epoll;
  # A worker accepts all pending connections at once rather than one at a time.
  multi_accept on;
}
# TLS-terminating reverse proxy: HTTPS on 443 is forwarded over plain HTTP to the
# "core" and "portal" upstreams; port 80 only redirects to HTTPS.
#
# NOTE(review): "$$" is not nginx variable syntax and $ssl_cert / $ssl_cert_key are
# not nginx built-ins, so this file looks like a template in which "$$" is an escaped
# "$" and the $ssl_* names are substituted at render time. Confirm against the
# renderer before editing any variable.
http {
  tcp_nodelay on;
  # Extension point: every *.upstream.conf in this directory is loaded into the http
  # context, so write access to /etc/nginx/conf.d is equivalent to control of the proxy.
  include /etc/nginx/conf.d/*.upstream.conf;

  # this is necessary for us to be able to disable request buffering in all cases
  proxy_http_version 1.1;

  # Backends are addressed by name and reached over unencrypted HTTP (see the
  # proxy_pass http://... lines below); TLS ends at this proxy.
  upstream core {
    server core:8080;
  }

  upstream portal {
    server portal:80;
  }

  # Access-log line: client address, request line, status, bytes sent, referer,
  # user agent, request time, upstream response time, pipelining marker.
  # NOTE(review): the format carries no timestamp and no $remote_user; presumably the
  # collector reading stdout adds the time. Confirm, since incident timelines depend on it.
  log_format timed_combined '$$remote_addr - '
                            '"$$request" $$status $$body_bytes_sent '
                            '"$$http_referer" "$$http_user_agent" '
                            '$$request_time $$upstream_response_time $$pipe';

  access_log /dev/stdout timed_combined;

  # Extension point for additional server blocks; same write-access caveat as the
  # *.upstream.conf include above.
  include /etc/nginx/conf.d/*.server.conf;

  server {
    listen 443 ssl;
    # server_name harbordomain.com;
    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;
    # SSL
    # Certificate and private-key paths are filled in when the template is rendered.
    ssl_certificate $ssl_cert;
    ssl_certificate_key $ssl_cert_key;

    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # NOTE(review): TLSv1.1 is deprecated (RFC 8996). Consider offering TLSv1.2 only,
    # plus TLSv1.3 where the nginx/OpenSSL build supports it, after checking that no
    # client still depends on 1.1.
    ssl_protocols TLSv1.1 TLSv1.2;
    # '!aNULL' excludes unauthenticated suites.
    # NOTE(review): the RSA+AESGCM / RSA+AES terms appear to admit static-RSA key
    # exchange (no forward secrecy), and the non-GCM AES terms admit CBC-mode suites.
    # Check the expanded list with `openssl ciphers -v` before relying on it.
    ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
    # The server's cipher order wins over the client's.
    ssl_prefer_server_ciphers on;
    # TLS session cache named "SSL", 10 MB, shared between worker processes.
    ssl_session_cache shared:SSL:10m;
    # NOTE(review): nothing in this block sends Strict-Transport-Security, so browsers
    # rely on the port-80 redirect alone to reach HTTPS.

    # disable any limits to avoid HTTP 413 for large image uploads
    # 0 switches off nginx's request-body size check entirely, so any upload limit
    # has to be enforced by the upstream.
    client_max_body_size 0;

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    # Everything not matched by a longer prefix below goes to the portal upstream.
    location / {
      proxy_pass http://portal/;
      # $http_host is the Host header exactly as the client sent it; the /c/, /api/ and
      # /chartrepo/ locations use $host (nginx's normalised name, without the port).
      proxy_set_header Host $$http_host;
      proxy_set_header X-Real-IP $$remote_addr;
      # $proxy_add_x_forwarded_for appends the peer address to whatever X-Forwarded-For
      # the client sent: only the last entry (and X-Real-IP) is set by this proxy, and
      # earlier entries are client-supplied. Applies to every location in this server.
      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $$scheme;

      # Add Secure flag when serving HTTPS
      # Rewrites the path attribute of upstream Set-Cookie headers so that "; secure" is
      # appended. It is set only in this location, so cookies issued through the core
      # locations below are not rewritten.
      # NOTE(review): confirm which upstream issues the session cookie.
      proxy_cookie_path / "/; secure";

      # Stream responses and request bodies straight through instead of buffering them.
      proxy_buffering off;
      proxy_request_buffering off;
    }

    # /c/ is forwarded to the core upstream.
    location /c/ {
      proxy_pass http://core/c/;
      proxy_set_header Host $$host;
      proxy_set_header X-Real-IP $$remote_addr;
      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $$scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    # /api/ is forwarded to the core upstream.
    location /api/ {
      proxy_pass http://core/api/;
      proxy_set_header Host $$host;
      proxy_set_header X-Real-IP $$remote_addr;
      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $$scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    # /chartrepo/ is forwarded to the core upstream.
    location /chartrepo/ {
      proxy_pass http://core/chartrepo/;
      proxy_set_header Host $$host;
      proxy_set_header X-Real-IP $$remote_addr;
      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $$scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    # Requests under /v1/ are answered with 404 here and never reach an upstream.
    location /v1/ {
      return 404;
    }

    # /v2/ is forwarded to the core upstream with the client's Host header unchanged.
    location /v2/ {
      proxy_pass http://core/v2/;
      proxy_set_header Host $$http_host;
      proxy_set_header X-Real-IP $$remote_addr;
      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $$scheme;
      proxy_buffering off;
      proxy_request_buffering off;
    }

    # /service/ is forwarded to the core upstream, except for the longer prefix below.
    location /service/ {
      proxy_pass http://core/service/;
      proxy_set_header Host $$http_host;
      proxy_set_header X-Real-IP $$remote_addr;
      proxy_set_header X-Forwarded-For $$proxy_add_x_forwarded_for;

      # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
      proxy_set_header X-Forwarded-Proto $$scheme;

      proxy_buffering off;
      proxy_request_buffering off;
    }

    # nginx picks the longest matching prefix, so this overrides /service/ for any
    # URI starting with /service/notifications and answers 404 at the proxy.
    # NOTE(review): presumably an internal-only endpoint that must not be reachable
    # from outside. Confirm that internal callers bypass this proxy.
    location /service/notifications {
      return 404;
    }
  }
  # Plain-HTTP listener: it serves no content and only redirects to HTTPS.
  server {
    listen 80;
    #server_name harbordomain.com;
    # 308 (RFC 7538) makes the client repeat the request with the same method and
    # body; with 301 some clients turn a POST into a GET.
    # With server_name commented out, $host can come from the client's Host header,
    # so the redirect target reflects whatever name the client sent.
    # The original request, including any body or credentials, has already crossed
    # the network in cleartext before the redirect is issued.
    return 308 https://$$host$$request_uri;
  }
}