d3b2b29726
Using a URI (a path component in the mirror address) has not been allowed for many years [0]; however, this was not enforced until docker 17.10 [1].
Sadly, we need to set up 2 different vhost ports for this: old 1.13.1 clients will not work properly if they are combined with new ones. Keep the original logic working on 8081 and move 17.10+ clients to 8082.
[0] https://github.com/docker/docker-ce/blob/17.06/components/engine/registry/config.go#L339
[1] 1cc36398f9
Change-Id: I837f562331603a7c00f9ba8554b6aa2975169eeb
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
# ************************************
# Managed by Puppet
# ************************************

# Listener layout (see the matching <VirtualHost> sections below):
#   @port : static mirror tree served from @docroot, with PEP 503 / wheel
#           path rewrites.
#   8080  : caching reverse proxy for package repositories.
#   8081  : docker registry proxy, mounted under /registry-1.docker/ for
#           docker-ce clients older than 17.10 that accept a path in the
#           mirror URL.
#   8082  : docker registry proxy mounted at "/" for docker-ce >= 17.10,
#           which rejects a path component in the mirror URL.
# NOTE(review): NameVirtualHost is obsolete on httpd 2.4 and only produces
# a startup warning there; harmless, but it could be wrapped in
# <IfVersion < 2.4> like the 2.4-only directives further down.
NameVirtualHost <%= @vhost_name %>:<%= @port %>

# Dedicated port for proxy caching, as not to affect afs mirrors.
Listen 8080
NameVirtualHost <%= @vhost_name %>:8080

# Docker registry proxy, legacy path-based mirror URL (docker-ce < 17.10).
Listen 8081
NameVirtualHost <%= @vhost_name %>:8081

# Docker registry proxy, registry mounted at "/" (docker-ce >= 17.10).
Listen 8082
NameVirtualHost <%= @vhost_name %>:8082
<VirtualHost <%= @vhost_name %>:<%= @port %>>
  ServerName <%= @srvname %>
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%>
<%= " ServerAlias #{name}\n" %>
<% end %>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}" -%>
<% end %>
  # Static mirror tree.  Options come from the Puppet @options parameter;
  # .htaccess files are never consulted (AllowOverride None).
  DocumentRoot <%= @docroot %>
  <Directory <%= @docroot %>>
    Options <%= @options %>
    AllowOverride None
    # httpd 2.2 style "allow everyone"; the 2.4 equivalent is added under
    # IfVersion so the same template works on both versions.
    Order allow,deny
    allow from all
    Satisfy any
    <IfVersion >= 2.4>
      Require all granted
    </IfVersion>
  </Directory>

  RewriteEngine On

  # Pypi's bandersnatch URL's are:
  # /pypi/simple/index.html
  # /pypi/simple/a/a/(index.html)?
  # /pypi/simple/a/a/a-etc.whl
  # /pypi/simple/a/abcd/(index.html)?
  # /pypi/simple/a/abcd/abcd-etc.whl
  #
  # Bandersnatch shards projects by first letter.  Map the flat
  # /pypi/simple/<name>/... form onto /pypi/simple/<first-letter>/<name>/...
  # when that sharded directory exists on disk.  In the rule below
  # $1 = first character of the name, $2 = rest of the name, $3 = the
  # remainder of the path (optional).
  RewriteCond %{REQUEST_URI} ^/pypi/simple/([^/])([^/]*)
  RewriteCond %{DOCUMENT_ROOT}/pypi/simple/$1/$1$2 -d
  RewriteRule ^/pypi/simple/([^/])([^/]*)(/.*)?$ /pypi/simple/$1/$1$2$3 [L]

  # Wheel URL's are:
  # /wheel/{distro}-{distro-version}/a/a/a-etc.whl
  # /wheel/{distro}-{distro-version}/a/abcd/abcd-etc.whl
  # /wheel/{distro}-{distro-version}/a/abcde/abcde-etc.whl
  #
  # Same first-letter sharding as above, one path level deeper:
  # $1 = distro directory, $2 = first character, $3 = rest of the name,
  # $4 = remainder of the path.
  RewriteCond %{REQUEST_URI} ^/wheel/([^/]+)/([^/])([^/]*)
  RewriteCond %{DOCUMENT_ROOT}/wheel/$1/$2/$2$3 -d
  RewriteRule ^/wheel/([^/]+)/([^/])([^/]*)(/.*)?$ /wheel/$1/$2/$2$3$4 [L]

  # TODO(jhesketh): Remove this after bandersnatch implements pep503
  # https://bitbucket.org/pypa/bandersnatch/pull-requests/20/fully-implement-pep-503-normalization/diff
  #
  # Until then the on-disk names are not PEP 503 normalised, so undo the
  # client-side normalisation ("-" for "." / "_") for names we know about,
  # then retry the first-letter mapping.

  # Special cases for openstack.nose_plugin & backports.*
  RewriteRule ^(.*)/openstack-nose-plugin(.*)$ $1/openstack.nose_plugin$2
  RewriteRule ^(.*)/backports-(.*)$ $1/backports.$2

  RewriteCond %{REQUEST_URI} ^/pypi/simple/([^/])([^/]*)
  RewriteCond %{DOCUMENT_ROOT}/pypi/simple/$1/$1$2 -d
  RewriteRule ^/pypi/simple/([^/])([^/]*)(/.*)?$ /pypi/simple/$1/$1$2$3 [L]

  # Try again but replacing -'s with .'s
  #
  # Only when nothing exists at the current path (neither file nor
  # directory): the greedy (.*) swaps the LAST "-" for "." and [N] restarts
  # the rule set from the top.  Each pass removes one dash, so the restart
  # loop is bounded by the number of dashes in the URL.
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-f
  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-d
  RewriteRule (.*)-(.*) $1.$2 [N]

  RewriteCond %{REQUEST_URI} ^/pypi/simple/([^/])([^/]*)
  RewriteCond %{DOCUMENT_ROOT}/pypi/simple/$1/$1$2 -d
  RewriteRule ^/pypi/simple/([^/])([^/]*)(/.*)?$ /pypi/simple/$1/$1$2$3 [L]

  ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_error.log
  LogLevel warn
  CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_access.log combined
  # Do not advertise the server version in generated pages.
  ServerSignature Off
</VirtualHost>
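<VirtualHost <%= @vhost_name %>:8080>
  ServerName <%= @srvname %>:8080
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%>
<%= " ServerAlias #{name}:8080\n" %>
<% end %>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}:8080" -%>
<% end %>

  # This vhost has no DocumentRoot of its own: deny every filesystem path so
  # that only the proxied prefixes below are reachable (which also rules out
  # any directory listing).
  <Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
  </Directory>

  ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8080_error.log
  LogLevel warn
  CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8080_access.log combined
  ServerSignature Off

  # Caching reverse proxy for things that don't make sense in AFS
  #
  # General cache rules
  CacheRoot "/var/cache/apache2/proxy"
  CacheDirLevels 5
  CacheDirLength 2
  # SSL support: lets the https:// ProxyPass targets below work.
  # NOTE(review): httpd's SSLProxyVerify defaults to "none", so the upstream
  # certificate chain is not validated by this proxy; a spoofed upstream
  # could populate the cache.  "SSLProxyVerify require" together with
  # SSLProxyCACertificateFile/Path would close that; left unchanged here
  # because the CA bundle path is distribution specific.
  SSLProxyEngine on
  # Prevent thundering herds.
  CacheLock on
  # NOTE(review): this is httpd's default lock location, but it lives in the
  # world-writable /tmp; a private directory under /var/cache/apache2 would
  # be harder for other local users to interfere with.
  CacheLockPath "/tmp/mod_cache-lock"
  CacheLockMaxAge 5
  # 5GiB
  CacheMaxFileSize 5368709120
  # Keep stale entries so they can be revalidated instead of refetched.
  CacheStoreExpired On

  # Added Aug 2017 in an attempt to avoid occasional 502 errors (around
  # 0.05% of requests) of the type:
  #
  # End of file found: ... AH01102: error reading status line from remote server ...
  #
  # Per [1]:
  #
  # This avoids the "proxy: error reading status line from remote
  # server" error message caused by the race condition that the backend
  # server closed the pooled connection after the connection check by the
  # proxy and before data sent by the proxy reached the backend.
  #
  # [1] https://httpd.apache.org/docs/2.4/mod/mod_proxy_http.html
  SetEnv proxy-initial-not-pooled 1

  # Per site caching reverse proxy rules
  # Only cache specific backends, rely on afs cache otherwise.
  #
  # Common ProxyPass options: ttl=120 drops idle pooled backend connections
  # after 120s; retry=0 does not park a failed backend in the error state;
  # keepalive=On sends TCP keepalives on pooled connections; disablereuse=On
  # closes the backend connection after every request (used for the hosts
  # that answer with redirects).  Trailing slashes must agree on both sides
  # of a ProxyPass, otherwise the forwarded path gains a doubled "/".

  # buildlogs.centos.org (302 redirects to buildlogs.cdn.centos.org)
  CacheEnable disk "/buildlogs.centos"
  ProxyPass "/buildlogs.centos/" "https://buildlogs.centos.org/" ttl=120 disablereuse=On retry=0
  ProxyPassReverse "/buildlogs.centos/" "https://buildlogs.centos.org/"

  # buildlogs.cdn.centos.org
  CacheEnable disk "/buildlogs.cdn.centos"
  ProxyPass "/buildlogs.cdn.centos/" "https://buildlogs.cdn.centos.org/" ttl=120 disablereuse=On retry=0
  ProxyPassReverse "/buildlogs.cdn.centos/" "https://buildlogs.cdn.centos.org/"

  # rdo
  CacheEnable disk "/rdo"
  ProxyPass "/rdo/" "https://trunk.rdoproject.org/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/rdo/" "https://trunk.rdoproject.org/"

  # tarballs
  CacheEnable disk "/tarballs"
  ProxyPass "/tarballs/" "https://tarballs.openstack.org/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/tarballs/" "https://tarballs.openstack.org/"

  # pypi
  # NOTE(review): plain http:// upstream; the two mirror hops are only as
  # trustworthy as the network between them.
  CacheEnable disk "/pypi"
  ProxyPass "/pypi/" "http://mirror.dfw.rax.openstack.org/pypi/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/pypi/" "http://mirror.dfw.rax.openstack.org/pypi/"

  # images.linuxcontainers.org
  CacheEnable disk "/images.linuxcontainers"
  ProxyPass "/images.linuxcontainers/" "http://us.images.linuxcontainers.org/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/images.linuxcontainers/" "http://us.images.linuxcontainers.org/"

  # registry.npmjs.org
  CacheEnable disk "/registry.npmjs"
  ProxyPass "/registry.npmjs/" "https://registry.npmjs.org/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/registry.npmjs/" "https://registry.npmjs.org/"

  # api.rubygems.org
  CacheEnable disk "/api.rubygems"
  ProxyPass "/api.rubygems/" "https://api.rubygems.org/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/api.rubygems/" "https://api.rubygems.org/"

  # rubygems.org
  CacheEnable disk "/rubygems"
  ProxyPass "/rubygems/" "https://rubygems.org/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/rubygems/" "https://rubygems.org/"

  # opendaylight
  CacheEnable disk "/opendaylight"
  ProxyPass "/opendaylight/" "https://nexus.opendaylight.org/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/opendaylight/" "https://nexus.opendaylight.org/"

  # elastico
  CacheEnable disk "/elastic"
  ProxyPass "/elastic/" "https://packages.elastic.co/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/elastic/" "https://packages.elastic.co/"

  # grafana
  # Path side now carries the trailing slash like every other entry (and
  # like its ProxyPassReverse); without it /grafana/x was forwarded as
  # .../grafana//x.
  CacheEnable disk "/grafana"
  ProxyPass "/grafana/" "https://packagecloud.io/grafana/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/grafana/" "https://packagecloud.io/grafana/"

  # OracleLinux
  # (closing quote was missing on the CacheEnable path)
  CacheEnable disk "/oraclelinux"
  ProxyPass "/oraclelinux/" "http://yum.oracle.com/repo/OracleLinux/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/oraclelinux/" "http://yum.oracle.com/repo/OracleLinux/"
</VirtualHost>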
<VirtualHost <%= @vhost_name %>:8081>
  ServerName <%= @srvname %>:8081
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%>
<%= " ServerAlias #{name}:8081\n" %>
<% end %>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}:8081" -%>
<% end %>

  # Docker registry proxy for docker-ce clients older than 17.10, which
  # still accept a mirror URL with a path component (/registry-1.docker/).
  # Newer clients use the 8082 vhost, where the registry is mounted at "/".
  #
  # No DocumentRoot here: deny every filesystem path so only the proxied
  # prefixes below are reachable (which also rules out directory listings).
  <Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
  </Directory>

  ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8081_error.log
  LogLevel warn
  CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8081_access.log combined
  ServerSignature Off

  # Caching reverse proxy for things that don't make sense in AFS
  #
  # General cache rules
  CacheRoot "/var/cache/apache2/proxy"
  CacheDirLevels 5
  CacheDirLength 2
  # SSL support: lets the https:// ProxyPass targets below work.
  # NOTE(review): httpd's SSLProxyVerify defaults to "none", so the upstream
  # certificate chain is not validated by this proxy; image manifests and
  # blobs are digest-checked by the docker client, but "SSLProxyVerify
  # require" plus SSLProxyCACertificateFile/Path would still be the safer
  # setting.  Left unchanged pending a distribution-independent CA path.
  SSLProxyEngine on
  # Prevent thundering herds.
  CacheLock on
  # NOTE(review): httpd's default lock location, but it is inside the
  # world-writable /tmp; a private path under /var/cache/apache2 would be
  # harder for other local users to interfere with.
  CacheLockPath "/tmp/mod_cache-lock"
  CacheLockMaxAge 5
  # 5GiB
  CacheMaxFileSize 5368709120
  # The cache key ignores the query string: blob URLs are content-addressed
  # (sha256 digest in the path), so per-request query parameters should not
  # create distinct cache entries.  (This directive does not touch Expires
  # headers, despite the wording of the original comment.)
  # NOTE(review): any query-dependent registry endpoint (e.g. a paginated
  # tag list) is collapsed onto one entry as well -- confirm upstream marks
  # those responses uncacheable.
  CacheIgnoreQueryString On
  # Keep stale entries so they can be revalidated instead of refetched.
  CacheStoreExpired On

  # registry-1.docker.io
  # ttl=120: drop idle pooled connections after 120s; keepalive=On: TCP
  # keepalives on pooled connections; retry=0: do not park a failed backend
  # in the error state.
  # NOTE(review): the 8080 vhost also sets "SetEnv proxy-initial-not-pooled 1"
  # to dodge pooled-connection 502s; not replicated here -- confirm whether
  # the registry upstream shows the same AH01102 errors.
  CacheEnable disk "/registry-1.docker"
  ProxyPass "/registry-1.docker/" "https://registry-1.docker.io/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/registry-1.docker/" "https://registry-1.docker.io/"

  # dseasb33srnrn.cloudfront.net
  # Blob downloads the registry redirects to; ProxyPassReverse rewrites
  # those Location headers back under /cloudfront/ so the client stays on
  # this proxy.
  CacheEnable disk "/cloudfront"
  ProxyPass "/cloudfront/" "https://dseasb33srnrn.cloudfront.net/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/cloudfront/" "https://dseasb33srnrn.cloudfront.net/"

</VirtualHost>
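<VirtualHost <%= @vhost_name %>:8082>
  ServerName <%= @srvname %>:8082
<% if @serveraliases.is_a? Array -%>
<% @serveraliases.each do |name| -%>
<%= " ServerAlias #{name}:8082\n" %>
<% end %>
<% elsif @serveraliases != nil -%>
<%= " ServerAlias #{@serveraliases}:8082" -%>
<% end %>

  # Docker registry proxy for docker-ce >= 17.10, which rejects a path
  # component in the mirror URL; the registry is therefore mounted at "/".
  # Older clients keep using the 8081 vhost (/registry-1.docker/).
  #
  # No DocumentRoot here: deny every filesystem path so only the proxied
  # prefixes below are reachable (which also rules out directory listings).
  <Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
  </Directory>

  ErrorLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8082_error.log
  LogLevel warn
  CustomLog /var/log/<%= scope.lookupvar("httpd::params::apache_name") %>/<%= @name %>_8082_access.log combined
  ServerSignature Off

  # Caching reverse proxy for things that don't make sense in AFS
  #
  # General cache rules
  CacheRoot "/var/cache/apache2/proxy"
  CacheDirLevels 5
  CacheDirLength 2
  # SSL support: lets the https:// ProxyPass targets below work.
  # NOTE(review): httpd's SSLProxyVerify defaults to "none", so the upstream
  # certificate chain is not validated by this proxy; image manifests and
  # blobs are digest-checked by the docker client, but "SSLProxyVerify
  # require" plus SSLProxyCACertificateFile/Path would still be the safer
  # setting.  Left unchanged pending a distribution-independent CA path.
  SSLProxyEngine on
  # Prevent thundering herds.
  CacheLock on
  # NOTE(review): httpd's default lock location, but it is inside the
  # world-writable /tmp; a private path under /var/cache/apache2 would be
  # harder for other local users to interfere with.
  CacheLockPath "/tmp/mod_cache-lock"
  CacheLockMaxAge 5
  # 5GiB
  CacheMaxFileSize 5368709120
  # The cache key ignores the query string: blob URLs are content-addressed
  # (sha256 digest in the path), so per-request query parameters should not
  # create distinct cache entries.  (This directive does not touch Expires
  # headers.)
  # NOTE(review): with the whole registry namespace behind "/", any
  # query-dependent endpoint (e.g. a paginated tag list) is collapsed onto
  # one entry as well -- confirm upstream marks those responses uncacheable.
  CacheIgnoreQueryString On
  # Keep stale entries so they can be revalidated instead of refetched.
  CacheStoreExpired On

  # Common ProxyPass options: ttl=120 drops idle pooled connections after
  # 120s; keepalive=On sends TCP keepalives on pooled connections; retry=0
  # does not park a failed backend in the error state.
  # NOTE(review): the 8080 vhost also sets "SetEnv proxy-initial-not-pooled 1"
  # to dodge pooled-connection 502s; not replicated here -- confirm whether
  # the registry upstream shows the same AH01102 errors.

  # dseasb33srnrn.cloudfront.net
  # mod_proxy checks ProxyPass rules in configuration order and the first
  # match wins, so this more specific mapping MUST precede the "/"
  # catch-all below; listed after it, /cloudfront/... requests would be
  # forwarded to the registry instead.  ProxyPassReverse rewrites the
  # registry's redirect Location headers back under /cloudfront/ so the
  # client stays on this proxy.
  CacheEnable disk "/cloudfront"
  ProxyPass "/cloudfront/" "https://dseasb33srnrn.cloudfront.net/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/cloudfront/" "https://dseasb33srnrn.cloudfront.net/"

  # registry-1.docker.io
  # NOTE(SamYaple): Docker has historically not allowed to have anything in
  # the URI, but it wasn't enforced until they started validating the config
  # in docker-ce 17.10. Prior to that, it was working fine.
  CacheEnable disk "/"
  ProxyPass "/" "https://registry-1.docker.io/" ttl=120 keepalive=On retry=0
  ProxyPassReverse "/" "https://registry-1.docker.io/"

</VirtualHost>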