## Set a variable to help us decide if we need to add the ## 'Docker-Distribution-Api-Version' header. ## The registry always sets this header. ## In the case of nginx performing auth, the header is unset ## since nginx is auth-ing before proxying. map ${DOLLAR}upstream_http_docker_distribution_api_version ${DOLLAR}docker_distribution_api_version { '' 'registry/2.0'; } server { # resolver 127.0.0.11 valid=30s; ## internal docker dns #listen [::]:3011 default ipv6only=on; ## listen for ipv6 listen 80; client_header_timeout 120s; client_body_timeout 120s; client_max_body_size 200m; # save logs here server_name ${SERVER_NAME}; location / { return 301 https://${DOLLAR}host${DOLLAR}request_uri; } } server { # resolver 127.0.0.11 valid=30s; ## internal docker dns #listen [::]:3011 default ipv6only=on; ## listen for ipv6 # listen 444 listen 5000 ssl; # this should allow large docs client_header_timeout 120s; client_body_timeout 120s; client_max_body_size 200m; ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; # save logs here #access_log /var/log/nginx/access.log compression; server_name ${SERVER_NAME}; location / { proxy_pass ${DRONE_PROXY_PASS}; } } server { # resolver 127.0.0.11 valid=30s; ## internal docker dns #listen [::]:3011 default ipv6only=on; ## listen for ipv6 # listen 444 listen 5001 ssl; # this should allow large docs client_header_timeout 120s; client_body_timeout 120s; client_max_body_size 0; ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; # save logs here #access_log /var/log/nginx/access.log compression; # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) chunked_transfer_encoding on; server_name ${SERVER_NAME}; location /v2/ { # Do not allow connections from docker 1.5 and earlier # docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents if (${DOLLAR}http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) { return 404; } add_header 'Docker-Distribution-Api-Version' ${DOLLAR}docker_distribution_api_version always; proxy_set_header Host ${DOLLAR}http_host; proxy_set_header X-Real-IP ${DOLLAR}remote_addr; proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; proxy_buffering off; proxy_pass ${REGISTRY_PROXY_PASS}; } } server { # resolver 127.0.0.11 valid=30s; ## internal docker dns #listen [::]:3011 default ipv6only=on; ## listen for ipv6 # listen 444 listen 443 ssl; # this should allow large docs client_header_timeout 120s; client_body_timeout 120s; client_max_body_size 0; ssl_certificate /etc/letsencrypt/live/${SERVER_NAME}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${SERVER_NAME}/privkey.pem; # save logs here #access_log /var/log/nginx/access.log compression; # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486) chunked_transfer_encoding on; server_name ${SERVER_NAME}; # root /www/data; location ${GIT_LOCATION} { proxy_pass ${PROXY_PASS}; } location ${BLOG_LOCATION} { proxy_set_header Host ${DOLLAR}http_host; proxy_set_header X-Real-IP ${DOLLAR}remote_addr; proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; proxy_buffering off; proxy_pass ${BLOG_PROXY_PASS}; } location ${PORTAINER_LOCATION} { proxy_set_header Host ${DOLLAR}http_host; proxy_set_header X-Real-IP ${DOLLAR}remote_addr; proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; proxy_buffering off; proxy_pass ${PORTAINER_PROXY_PASS}; } location ${CHAT_LOCATION}sockjs { set ${DOLLAR}upstream ${CHAT_PROXY_PASS}/chat/sockjs; proxy_pass ${DOLLAR}upstream; proxy_http_version 1.1; proxy_set_header Upgrade ${DOLLAR}http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host ${DOLLAR}host; proxy_set_header X-Real-IP ${DOLLAR}remote_addr; proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; proxy_set_header X-Forward-Proto http; proxy_set_header X-Nginx-Proxy true; proxy_redirect off; } location ${CHAT_LOCATION}sockjs/ { set ${DOLLAR}upstream ${CHAT_PROXY_PASS}/chat/sockjs; proxy_pass ${DOLLAR}upstream; proxy_http_version 1.1; proxy_set_header Upgrade ${DOLLAR}http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host ${DOLLAR}host; proxy_set_header X-Real-IP ${DOLLAR}remote_addr; proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; proxy_set_header X-Forward-Proto http; proxy_set_header X-Nginx-Proxy true; proxy_redirect off; } location ${CHAT_LOCATION} { set ${DOLLAR}upstream ${CHAT_PROXY_PASS}; proxy_pass ${DOLLAR}upstream; proxy_http_version 1.1; proxy_set_header Upgrade ${DOLLAR}http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host ${DOLLAR}http_host; proxy_set_header X-Real-IP ${DOLLAR}remote_addr; proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; proxy_set_header X-Forward-Proto http; proxy_set_header X-Nginx-Proxy true; proxy_redirect off; } location ${REMOTE_LOCATION}websocket-tunnel { proxy_pass ${REMOTE_PROXY_PASS}websocket-tunnel; proxy_http_version 1.1; proxy_set_header Upgrade ${DOLLAR}http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host ${DOLLAR}host; proxy_set_header X-Real-IP ${DOLLAR}remote_addr; proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; proxy_set_header X-Forward-Proto http; proxy_set_header X-Nginx-Proxy true; proxy_redirect off; } location ${REMOTE_LOCATION}websocket-tunnel/ { proxy_pass ${REMOTE_PROXY_PASS}websocket-tunnel/; proxy_http_version 1.1; proxy_set_header Upgrade ${DOLLAR}http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host ${DOLLAR}host; proxy_set_header X-Real-IP ${DOLLAR}remote_addr; proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; proxy_set_header X-Forward-Proto http; proxy_set_header X-Nginx-Proxy true; proxy_redirect off; } location ${REMOTE_LOCATION} { proxy_pass ${REMOTE_PROXY_PASS}; } }