tweaks for caching; ignore caching headers from upstreams; key cache only by host/path (no params)

ricardop · ricardop · commit af65390a7f3e · 2018-06-27T15:18:25.000+02:00
diff --git a/nginx.conf b/nginx.conf
@@ -35,6 +35,14 @@ http {
         default $host;
     }
 
+    # A map to enable authentication to some specific docker hosts.
+    # To use this, mount a volume in docker.
+    
+    map $host $dockerAuth {
+        include /etc/nginx/docker.auth.*.map;
+        default "";
+    }
+    
     # These maps parse the original Host and URI from a /forcecache redirect.
     map $request_uri $realHost {
         ~/forcecacheinsecure/([^:/]+)/originalwas(/.+) $1;
@@ -74,22 +82,35 @@ http {
         if ($request_method = DELETE) {
             return 405;
         }
-
+        
         proxy_read_timeout 900;
         
         # Use cache locking, with a huge timeout, so that multiple Docker clients asking for the same blob at the same time 
         # will wait for the first to finish instead of doing multiple upstream requests.
         proxy_cache_lock on;
         proxy_cache_lock_timeout 120s;
-        proxy_cache_valid 200 301 302 60d; # Cache all 200, 301, and 302 for 60 days.
+
+        # Cache all 200, 301, 302, and 307 (emitted by private registries) for 60 days.
+        proxy_cache_valid 200 301 302 307 60d; 
+        
+        # Some extra settings to maximize cache hits and efficiency
         proxy_force_ranges on;
         proxy_ignore_client_abort on;
         proxy_cache_revalidate on;
 
+        # Hide/ignore headers from caching. S3 especially likes to send Expires headers in the past in some situations.
+        proxy_hide_header      Set-Cookie;
+        proxy_ignore_headers    X-Accel-Expires Expires Cache-Control Set-Cookie;
+        
+        # Block API v1. We dont know how to handle these.
+        # Docker-client should start with v2 and fallback to v1 if something fails, for example, if authentication failed to a protected v2 resource.
+        location /v1 {
+            return 405;
+        }
+
         # don't cache mutable entity /v2/<name>/manifests/<reference> (unless the reference is a digest)
         location ~ ^/v2/[^\/]+/manifests/(?![A-Fa-f0-9_+.-]+:) {
             proxy_pass https://$targetHost;
-            add_header X-Eh-Aqui $targetHost;
         }
 
         # don't cache mutable entity /v2/<name>/tags/list
@@ -122,6 +143,11 @@ http {
         location /forcecachesecure {
             proxy_pass https://$realHost$realPath;
             proxy_cache cache;
+            
+            # Change the cache key, so that we can cache signed S3 requests and such. Only host and path are considered.
+            proxy_cache_key $proxy_host$uri;
+
+            # Some debugging headers. Not important
             add_header X-Docker-Caching-Proxy-Real-Proto https;
             add_header X-Docker-Caching-Proxy-Real-Host $realHost;
             add_header X-Docker-Caching-Proxy-Real-Path $realPath;
@@ -132,9 +158,14 @@ http {
         location /forcecacheinsecure {
             proxy_pass http://$realHost$realPath;
             proxy_cache cache;
+            
+            # Change the cache key, so that we can cache signed S3 requests and such. Only host and path are considered.
+            proxy_cache_key $proxy_host$uri;
+
+            # Some debugging headers. Not important
             add_header X-Docker-Caching-Proxy-Real-Proto http;
             add_header X-Docker-Caching-Proxy-Real-Host $realHost;
             add_header X-Docker-Caching-Proxy-Real-Path $realPath;
         }
     }
-}
+}
