aSauerwein/gist:424ac58e13c7aadd619b3c75461e555f Secret

## gistfile1.txt
worker_processes auto;
pid /tmp/nginx.pid;

events {
  worker_connections 3096;
  use epoll;
  multi_accept on;
}

http {
  client_body_temp_path /tmp/client_body_temp;
  proxy_temp_path /tmp/proxy_temp;
  fastcgi_temp_path /tmp/fastcgi_temp;
  uwsgi_temp_path /tmp/uwsgi_temp;
  scgi_temp_path /tmp/scgi_temp;
  tcp_nodelay on;

  # this is necessary for us to be able to disable request buffering in all cases
  proxy_http_version 1.1;

  # Map for proxy cache
  map $host $harbor_project {
    default 0;
    ~^docker-mirror.k8s.ntslab.loc$ docker.io;
    ~^(?<project>.+).docker-mirror.k8ts.ntslab.loc$ $project;
  }
  map $request_uri $new_uri {
    ~^/v2/(.+)$ /v2/$harbor_project/$1;
  }
  map $args $new_args {
    ~^(?<prefix2>.*scope=repository%3A)(?<suffix2>.*)$     ${prefix2}${harbor_project}%2F$suffix2;
  }
  map $upstream_http_www_authenticate $new_header {
    ~^(?<prefix1>.*https://).*(?<suffix1>/service/token.*)$     $prefix1$host$suffix1;
  }

  upstream core {
    server "harbor-core:80";
  }

  upstream portal {
    server "harbor-portal:80";
  }
  upstream notary-server {
    server harbor-notary-server:4443;
  }

  log_format timed_combined '[$time_local]:$remote_addr - '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '$request_time $upstream_response_time $pipe';

  access_log /dev/stdout timed_combined;

  map $http_x_forwarded_proto $x_forwarded_proto {
    default $http_x_forwarded_proto;
    ""      $scheme;
  }
  server {
    listen 4443 ssl;
    listen [::]:4443 ssl;
    server_tokens off;
    # ssl
    ssl_certificate /etc/nginx/cert/tls.crt;
    ssl_certificate_key /etc/nginx/cert/tls.key;

    # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html
    ssl_protocols tlsv1.1 tlsv1.2;
    ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:ssl:10m;

    # disable any limits to avoid http 413 for large image uploads
    client_max_body_size 0;

    # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    location /v2/ {
      proxy_pass http://notary-server/v2/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

      proxy_buffering off;
      proxy_request_buffering off;
    }
  }

  server {
    listen 8443 ssl;
    listen [::]:8443 ssl;
#    server_name harbordomain.com;
    # Rewrite for proxy cache
    if ($harbor_project != 0) {
      rewrite ^/v2/(.+)$ $new_uri;
      set $args $new_args;
    }

    server_tokens off;
    # SSL
    ssl_certificate /etc/nginx/cert/tls.crt;
    ssl_certificate_key /etc/nginx/cert/tls.key;

    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;

    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    # Add extra headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header Content-Security-Policy "frame-ancestors 'none'";

    location / {
      proxy_pass http://portal/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

      proxy_cookie_path / "/; HttpOnly; Secure";

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /api/ {
      proxy_pass http://core/api/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

      proxy_cookie_path / "/; Secure";

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /chartrepo/ {
      proxy_pass http://core/chartrepo/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

      proxy_cookie_path / "/; Secure";

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /c/ {
      proxy_pass http://core/c/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

      proxy_cookie_path / "/; Secure";

      proxy_buffering off;
      proxy_request_buffering off;
    }

    location /v1/ {
      return 404;
    }

    location /v2/ {
      proxy_pass http://core/v2/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
      proxy_buffering off;
      proxy_request_buffering off;
      # Modify headers for proxy cache
      proxy_hide_header Www-Authenticate;
      add_header Www-Authenticate $new_header always;
    }

    location /service/ {
      proxy_pass http://core/service/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

      proxy_cookie_path / "/; Secure";

      proxy_buffering off;
      proxy_request_buffering off;
    }

  location /service/notifications {
      return 404;
    }
  }
    server {
      listen 8080;
      listen [::]:8080;
      #server_name harbordomain.com;
      return 301 https://$host$request_uri;
  }
}
	worker_processes auto;
	pid /tmp/nginx.pid;

	events {
	worker_connections 3096;
	use epoll;
	multi_accept on;
	}

	http {
	client_body_temp_path /tmp/client_body_temp;
	proxy_temp_path /tmp/proxy_temp;
	fastcgi_temp_path /tmp/fastcgi_temp;
	uwsgi_temp_path /tmp/uwsgi_temp;
	scgi_temp_path /tmp/scgi_temp;
	tcp_nodelay on;

	# this is necessary for us to be able to disable request buffering in all cases
	proxy_http_version 1.1;

	# Map for proxy cache
	map $host $harbor_project {
	default 0;
	~^docker-mirror.k8s.ntslab.loc$ docker.io;
	~^(?<project>.+).docker-mirror.k8ts.ntslab.loc$ $project;
	}
	map $request_uri $new_uri {
	~^/v2/(.+)$ /v2/$harbor_project/$1;
	}
	map $args $new_args {
	~^(?<prefix2>.scope=repository%3A)(?<suffix2>.)$ ${prefix2}${harbor_project}%2F$suffix2;
	}
	map $upstream_http_www_authenticate $new_header {
	~^(?<prefix1>.https://).(?<suffix1>/service/token.*)$ $prefix1$host$suffix1;
	}

	upstream core {
	server "harbor-core:80";
	}

	upstream portal {
	server "harbor-portal:80";
	}
	upstream notary-server {
	server harbor-notary-server:4443;
	}

	log_format timed_combined '[$time_local]:$remote_addr - '
	'"$request" $status $body_bytes_sent '
	'"$http_referer" "$http_user_agent" '
	'$request_time $upstream_response_time $pipe';

	access_log /dev/stdout timed_combined;

	map $http_x_forwarded_proto $x_forwarded_proto {
	default $http_x_forwarded_proto;
	"" $scheme;
	}
	server {
	listen 4443 ssl;
	listen [::]:4443 ssl;
	server_tokens off;
	# ssl
	ssl_certificate /etc/nginx/cert/tls.crt;
	ssl_certificate_key /etc/nginx/cert/tls.key;

	# recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html
	ssl_protocols tlsv1.1 tlsv1.2;
	ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:ssl:10m;

	# disable any limits to avoid http 413 for large image uploads
	client_max_body_size 0;

	# required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
	chunked_transfer_encoding on;

	location /v2/ {
	proxy_pass http://notary-server/v2/;
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

	proxy_buffering off;
	proxy_request_buffering off;
	}
	}

	server {
	listen 8443 ssl;
	listen [::]:8443 ssl;
	# server_name harbordomain.com;
	# Rewrite for proxy cache
	if ($harbor_project != 0) {
	rewrite ^/v2/(.+)$ $new_uri;
	set $args $new_args;
	}

	server_tokens off;
	# SSL
	ssl_certificate /etc/nginx/cert/tls.crt;
	ssl_certificate_key /etc/nginx/cert/tls.key;

	# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;

	# disable any limits to avoid HTTP 413 for large image uploads
	client_max_body_size 0;

	# required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
	chunked_transfer_encoding on;

	# Add extra headers
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
	add_header X-Frame-Options DENY;
	add_header Content-Security-Policy "frame-ancestors 'none'";

	location / {
	proxy_pass http://portal/;
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

	proxy_cookie_path / "/; HttpOnly; Secure";

	proxy_buffering off;
	proxy_request_buffering off;
	}

	location /api/ {
	proxy_pass http://core/api/;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

	proxy_cookie_path / "/; Secure";

	proxy_buffering off;
	proxy_request_buffering off;
	}

	location /chartrepo/ {
	proxy_pass http://core/chartrepo/;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

	proxy_cookie_path / "/; Secure";

	proxy_buffering off;
	proxy_request_buffering off;
	}

	location /c/ {
	proxy_pass http://core/c/;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

	proxy_cookie_path / "/; Secure";

	proxy_buffering off;
	proxy_request_buffering off;
	}

	location /v1/ {
	return 404;
	}

	location /v2/ {
	proxy_pass http://core/v2/;
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $x_forwarded_proto;
	proxy_buffering off;
	proxy_request_buffering off;
	# Modify headers for proxy cache
	proxy_hide_header Www-Authenticate;
	add_header Www-Authenticate $new_header always;
	}

	location /service/ {
	proxy_pass http://core/service/;
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $x_forwarded_proto;

	proxy_cookie_path / "/; Secure";

	proxy_buffering off;
	proxy_request_buffering off;
	}

	location /service/notifications {
	return 404;
	}
	}
	server {
	listen 8080;
	listen [::]:8080;
	#server_name harbordomain.com;
	return 301 https://$host$request_uri;
	}
	}