exclude manifest requests from nginx registry cache

Split /v2/ location into two: regex match for blobs (cached 24h, immutable
content-addressed by SHA256) and prefix match for everything else including
manifests (proxy_cache off, mutable tags). Also remove disabled registries
(quay, k8s, kyverno) whose containers/configs don't exist on the VM.
Viktor Barzin 2026-03-14 22:43:20 +00:00
parent 0d01b3d1f3
commit 7e72a10848


@ -33,21 +33,6 @@ http {
keepalive 32;
}
upstream quay {
server registry-quay:5000;
keepalive 32;
}
upstream k8s {
server registry-k8s:5000;
keepalive 32;
}
upstream kyverno {
server registry-kyverno:5000;
keepalive 32;
}
upstream private {
server registry-private:5000;
keepalive 32;
@ -63,7 +48,8 @@ http {
proxy_request_buffering off;
proxy_buffering on;
location /v2/ {
# Blobs are content-addressed (sha256) — immutable, safe to cache aggressively
location ~ /v2/.*/blobs/ {
proxy_pass http://dockerhub;
proxy_http_version 1.1;
proxy_set_header Host $host;
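Review bot: The new blob location `location ~ /v2/.*/blobs/` is an unanchored regex, so it matches more than digest-addressed blob requests. A manifest or tag request for a repository whose name contains a `blobs` path segment (for example `/v2/org/blobs/app/manifests/latest`) would land in the cached block, and so would `/v2/<name>/blobs/uploads/…`. Anchoring it to the digest form, `location ~ ^/v2/.+/blobs/sha256:[a-f0-9]+$ {`, leaves everything else to the uncached `/v2/` prefix block; the ghcr server has the same line. The cache directives of this location lie outside the hunk, so it is worth confirming there that a cached blob from a private repository cannot be served to a client the upstream would have refused.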
@ -81,6 +67,19 @@ http {
proxy_send_timeout 900;
}
# Manifests are mutable (tags can change) — no cache, pass through to registry
location /v2/ {
proxy_pass http://dockerhub;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Connection "";
proxy_cache off;
proxy_read_timeout 900;
proxy_send_timeout 900;
}
location / {
return 200 'ok';
add_header Content-Type text/plain;
@ -97,7 +96,8 @@ http {
proxy_request_buffering off;
proxy_buffering on;
location /v2/ {
# Blobs are content-addressed (sha256) — immutable, safe to cache aggressively
location ~ /v2/.*/blobs/ {
proxy_pass http://ghcr;
proxy_http_version 1.1;
proxy_set_header Host $host;
@ -115,103 +115,14 @@ http {
proxy_send_timeout 900;
}
location / {
return 200 'ok';
add_header Content-Type text/plain;
}
}
# --- Quay (port 5020) ---
server {
listen 5020;
server_name _;
client_max_body_size 0;
proxy_request_buffering off;
proxy_buffering on;
# Manifests are mutable (tags can change) — no cache, pass through to registry
location /v2/ {
proxy_pass http://quay;
proxy_pass http://ghcr;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Connection "";
proxy_cache registry;
proxy_cache_lock on;
proxy_cache_lock_timeout 15m;
proxy_cache_lock_age 15m;
proxy_cache_use_stale updating;
proxy_cache_valid 200 206 24h;
proxy_cache_methods GET;
proxy_read_timeout 900;
proxy_send_timeout 900;
}
location / {
return 200 'ok';
add_header Content-Type text/plain;
}
}
# --- registry.k8s.io (port 5030) ---
server {
listen 5030;
server_name _;
client_max_body_size 0;
proxy_request_buffering off;
proxy_buffering on;
location /v2/ {
proxy_pass http://k8s;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Connection "";
proxy_cache registry;
proxy_cache_lock on;
proxy_cache_lock_timeout 15m;
proxy_cache_lock_age 15m;
proxy_cache_use_stale updating;
proxy_cache_valid 200 206 24h;
proxy_cache_methods GET;
proxy_read_timeout 900;
proxy_send_timeout 900;
}
location / {
return 200 'ok';
add_header Content-Type text/plain;
}
}
# --- reg.kyverno.io (port 5040) ---
server {
listen 5040;
server_name _;
client_max_body_size 0;
proxy_request_buffering off;
proxy_buffering on;
location /v2/ {
proxy_pass http://kyverno;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header Connection "";
proxy_cache registry;
proxy_cache_lock on;
proxy_cache_lock_timeout 15m;
proxy_cache_lock_age 15m;
proxy_cache_use_stale updating;
proxy_cache_valid 200 206 24h;
proxy_cache_methods GET;
proxy_cache off;
proxy_read_timeout 900;
proxy_send_timeout 900;