diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml index c25779a..5da493c 100644 --- a/.github/workflows/external_trigger.yml +++ b/.github/workflows/external_trigger.yml @@ -23,7 +23,7 @@ jobs: echo "> [!NOTE]" >> $GITHUB_STEP_SUMMARY echo "> External trigger running off of main branch. To disable this trigger, add \`socket-proxy_main\` into the Github organizational variable \`SKIP_EXTERNAL_TRIGGER\`." >> $GITHUB_STEP_SUMMARY printf "\n## Retrieving external version\n\n" >> $GITHUB_STEP_SUMMARY - EXT_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ + EXT_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ && awk '/^P:'"nginx"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') echo "Type is \`alpine_repo\`" >> $GITHUB_STEP_SUMMARY if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then 
@@ -44,16 +44,18 @@ jobs: token=$(curl -sX GET \ "https://ghcr.io/token?scope=repository%3Alinuxserver%2Fsocket-proxy%3Apull" \ | jq -r '.token') - multidigest=$(curl -s \ - --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ - --header "Authorization: Bearer ${token}" \ - "https://ghcr.io/v2/${image}/manifests/${tag}" \ - | jq -r 'first(.manifests[].digest)') - digest=$(curl -s \ - --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ - --header "Authorization: Bearer ${token}" \ - "https://ghcr.io/v2/${image}/manifests/${multidigest}" \ - | jq -r '.config.digest') + multidigest=$(curl -s \ + --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ + --header "Accept: application/vnd.oci.image.index.v1+json" \ + --header "Authorization: Bearer ${token}" \ + "https://ghcr.io/v2/${image}/manifests/${tag}") + multidigest=$(jq -r ".manifests[] | select(.platform.architecture == \"amd64\").digest?" <<< "${multidigest}") + digest=$(curl -s \ + --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ + --header "Accept: application/vnd.oci.image.manifest.v1+json" \ + --header "Authorization: Bearer ${token}" \ + "https://ghcr.io/v2/${image}/manifests/${multidigest}" \ + | jq -r '.config.digest') image_info=$(curl -sL \ --header "Authorization: Bearer ${token}" \ "https://ghcr.io/v2/${image}/blobs/${digest}") 
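Review bot: The new `jq` filter for `multidigest` can return nothing or several lines, and the following `curl` interpolates that value straight into the `/manifests/${multidigest}` URL. The trailing `?` only guards `.digest`, so a response without a `.manifests` array (an error body, since `curl -s` runs without `-f`, or a single-platform manifest) still makes `jq` fail, and the old `first(...)` that kept the result to one digest is gone. I would keep the architecture filter but restore the single-value guarantee, `multidigest=$(jq -r 'first(.manifests[]? | select(.platform.architecture == "amd64") | .digest)' <<< "${multidigest}")`, and stop the step when the result is empty. The enclosing `run:` script starts and ends outside this hunk, so any later empty-value check is not visible here.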
@@ -77,7 +79,7 @@ jobs: if [ "${EXT_RELEASE}" == "${IMAGE_VERSION}" ]; then echo "Version \`${EXT_RELEASE}\` already pushed, exiting" >> $GITHUB_STEP_SUMMARY exit 0 - elif [[ $(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.20/main/aarch64/APKINDEX.tar.gz" | tar -xz -C /tmp && awk '/^P:'"nginx"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') != "${EXT_RELEASE}" ]]; then + elif [[ $(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.21/main/aarch64/APKINDEX.tar.gz" | tar -xz -C /tmp && awk '/^P:'"nginx"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') != "${EXT_RELEASE}" ]]; then echo "New version \`${EXT_RELEASE}\` found; but not all arch repos updated yet; exiting" >> $GITHUB_STEP_SUMMARY FAILURE_REASON="New version ${EXT_RELEASE} for socket-proxy tag latest is detected, however not all arch repos are updated yet. Will try again later." curl -X POST -H "Content-Type: application/json" --data '{"avatar_url": "https://cdn.discordapp.com/avatars/354986384542662657/df91181b3f1cf0ef1592fbe18e0962d7.png","embeds": [{"color": 9802903, diff --git a/Dockerfile b/Dockerfile index d269e6f..8e8a19c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM docker.io/alpine:3.20 +FROM docker.io/alpine:3.21 # set version label ARG BUILD_DATE @@ -18,7 +18,7 @@ RUN \ curl \ envsubst && \ if [ -z ${NGINX_VERSION+x} ]; then \ - NGINX_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ + NGINX_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ && awk '/^P:nginx$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \ fi && \ apk add --no-cache \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index d269e6f..8e8a19c 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM docker.io/alpine:3.20 +FROM docker.io/alpine:3.21 # set version label ARG BUILD_DATE 
@@ -18,7 +18,7 @@ RUN \ curl \ envsubst && \ if [ -z ${NGINX_VERSION+x} ]; then \ - NGINX_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.20/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ + NGINX_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.21/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ && awk '/^P:nginx$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \ fi && \ apk add --no-cache \ diff --git a/Jenkinsfile b/Jenkinsfile index 93cb2e3..1ba83e8 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -27,8 +27,7 @@ pipeline { DEV_DOCKERHUB_IMAGE = 'lsiodev/socket-proxy' PR_DOCKERHUB_IMAGE = 'lspipepr/socket-proxy' DIST_IMAGE = 'alpine' - DIST_TAG = '3.20' - DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.20/main/' + DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.21/main/' DIST_REPO_PACKAGES = 'nginx' MULTIARCH='true' CI='true' @@ -516,7 +515,7 @@ pipeline { --label \"org.opencontainers.image.title=Socket-proxy\" \ --label \"org.opencontainers.image.description=socket-proxy image by linuxserver.io\" \ --no-cache --pull -t ${IMAGE}:${META_TAG} --platform=linux/amd64 \ - --provenance=false --sbom=false --builder=container --load \ + --provenance=true --sbom=true --builder=container --load \ --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." sh '''#! /bin/bash set -e @@ -580,7 +579,7 @@ pipeline { --label \"org.opencontainers.image.title=Socket-proxy\" \ --label \"org.opencontainers.image.description=socket-proxy image by linuxserver.io\" \ --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} --platform=linux/amd64 \ - --provenance=false --sbom=false --builder=container --load \ + --provenance=true --sbom=true --builder=container --load \ --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." sh '''#! /bin/bash set -e 
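Review bot: Turning on `--provenance=true --sbom=true` while the build still ends in `--load` only helps if the local image store on the build node can hold attestation manifests. With the classic Docker store the docker exporter cannot keep an image index, so the build either fails or the attestations never reach the registry. Nothing in this hunk shows which store the builders use or how the image is pushed afterwards, so this is worth confirming before anyone relies on the SBOM. I would add a comment above the build step, `// --provenance/--sbom combined with --load need the containerd image store on the build node`, and check the pushed tag for attestation manifests once in CI. The same flag change appears in the amd64 hunk at -580 and the arm64 hunk at -637; the `sh` string continues outside each hunk.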
@@ -637,7 +636,7 @@ pipeline { --label \"org.opencontainers.image.title=Socket-proxy\" \ --label \"org.opencontainers.image.description=socket-proxy image by linuxserver.io\" \ --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} --platform=linux/arm64 \ - --provenance=false --sbom=false --builder=container --load \ + --provenance=true --sbom=true --builder=container --load \ --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." sh '''#! /bin/bash set -e diff --git a/README.md b/README.md index 4a6901e..efbcffb 100644 --- a/README.md +++ b/README.md @@ -69,6 +69,9 @@ This image can be run with a read-only container filesystem. For details please To help you get started creating a container from this image you can either use docker compose or the docker cli. +>[!NOTE] +>Unless a parameter is flaged as 'optional', it is *mandatory* and a value must be provided. + ### docker compose (recommended, [click here for more info](https://docs.linuxserver.io/general/docker-compose)) ```yaml @@ -193,27 +196,27 @@ Containers are configured using parameters passed at runtime (such as those abov * Shell access whilst the container is running: - ```bash - docker exec -it socket-proxy /bin/sh - ``` +```bash +docker exec -it socket-proxy /bin/sh +``` * To monitor the logs of the container in realtime: - ```bash - docker logs -f socket-proxy - ``` +```bash +docker logs -f socket-proxy +``` * Container version number: - ```bash - docker inspect -f '{{ index .Config.Labels "build_version" }}' socket-proxy - ``` +```bash +docker inspect -f '{{ index .Config.Labels "build_version" }}' socket-proxy +``` * Image version number: - ```bash - docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/socket-proxy:latest - ``` +```bash +docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/socket-proxy:latest +``` ## Updating Info 
@@ -224,66 +227,67 @@ Below are the instructions for updating containers: ### Via Docker Compose * Update images: - * All images: + * All images: - ```bash - docker compose pull - ``` + ```bash + docker compose pull + ``` - * Single image: + * Single image: - ```bash - docker compose pull socket-proxy - ``` + ```bash + docker compose pull socket-proxy + ``` * Update containers: - * All containers: + * All containers: - ```bash - docker compose up -d - ``` + ```bash + docker compose up -d + ``` - * Single container: + * Single container: - ```bash - docker compose up -d socket-proxy - ``` + ```bash + docker compose up -d socket-proxy + ``` * You can also remove the old dangling images: - ```bash - docker image prune - ``` +```bash +docker image prune +``` ### Via Docker Run * Update the image: - ```bash - docker pull lscr.io/linuxserver/socket-proxy:latest - ``` +```bash +docker pull lscr.io/linuxserver/socket-proxy:latest +``` * Stop the running container: - ```bash - docker stop socket-proxy - ``` +```bash +docker stop socket-proxy +``` * Delete the container: - ```bash - docker rm socket-proxy - ``` +```bash +docker rm socket-proxy +``` * You can also remove the old dangling images: - ```bash - docker image prune - ``` +```bash +docker image prune +``` ### Image Update Notifications - Diun (Docker Image Update Notifier) -**tip**: We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported. +>[!TIP] +>We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported. ## Building locally 
@@ -308,6 +312,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **05.12.24:** - Rebase to Alpine 3.21. * **26.08.24:** - Change `ALLOW_START`, `ALLOW_STOP`, and `ALLOW_RESTARTS` to work even with `POST=0`. * **24.05.24:** - Rebase to Alpine 3.20. * **15.04.24:** - Allow disabling IPv6 support for legacy devices. diff --git a/jenkins-vars.yml b/jenkins-vars.yml index c36055a..994a3cd 100644 --- a/jenkins-vars.yml +++ b/jenkins-vars.yml @@ -6,6 +6,8 @@ external_type: alpine_repo release_type: stable release_tag: latest ls_branch: main +image_sbom: true +image_provenance: true repo_vars: - BUILD_VERSION_ARG = 'NGINX_VERSION' - LS_USER = 'linuxserver' @@ -15,8 +17,7 @@ repo_vars: - DEV_DOCKERHUB_IMAGE = 'lsiodev/socket-proxy' - PR_DOCKERHUB_IMAGE = 'lspipepr/socket-proxy' - DIST_IMAGE = 'alpine' - - DIST_TAG = '3.20' - - DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.20/main/' + - DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.21/main/' - DIST_REPO_PACKAGES = 'nginx' - MULTIARCH='true' - CI='true' diff --git a/readme-vars.yml b/readme-vars.yml index ca5c769..69c45ad 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -73,6 +73,9 @@ full_custom_readme: | To help you get started creating a container from this image you can either use docker compose or the docker cli. + >[!NOTE] + >Unless a parameter is flaged as 'optional', it is *mandatory* and a value must be provided. + ### docker compose (recommended, [click here for more info](https://docs.linuxserver.io/general/docker-compose)) ```yaml 
@@ -197,27 +200,27 @@ full_custom_readme: | * Shell access whilst the container is running: - ```bash - docker exec -it socket-proxy /bin/sh - ``` + ```bash + docker exec -it socket-proxy /bin/sh + ``` * To monitor the logs of the container in realtime: - ```bash - docker logs -f socket-proxy - ``` + ```bash + docker logs -f socket-proxy + ``` * Container version number: - ```bash - docker inspect -f '{{ index .Config.Labels "build_version" }}' socket-proxy - ``` + ```bash + docker inspect -f '{{ index .Config.Labels "build_version" }}' socket-proxy + ``` * Image version number: - ```bash - docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/socket-proxy:latest - ``` + ```bash + docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/socket-proxy:latest + ``` ## Updating Info 
@@ -228,66 +231,67 @@ full_custom_readme: | ### Via Docker Compose * Update images: - * All images: + * All images: - ```bash - docker compose pull - ``` + ```bash + docker compose pull + ``` - * Single image: + * Single image: - ```bash - docker compose pull socket-proxy - ``` + ```bash + docker compose pull socket-proxy + ``` * Update containers: - * All containers: + * All containers: - ```bash - docker compose up -d - ``` + ```bash + docker compose up -d + ``` - * Single container: + * Single container: - ```bash - docker compose up -d socket-proxy - ``` + ```bash + docker compose up -d socket-proxy + ``` * You can also remove the old dangling images: - ```bash - docker image prune - ``` + ```bash + docker image prune + ``` ### Via Docker Run * Update the image: - ```bash - docker pull lscr.io/linuxserver/socket-proxy:latest - ``` + ```bash + docker pull lscr.io/linuxserver/socket-proxy:latest + ``` * Stop the running container: - ```bash - docker stop socket-proxy - ``` + ```bash + docker stop socket-proxy + ``` * Delete the container: - ```bash - docker rm socket-proxy - ``` + ```bash + docker rm socket-proxy + ``` * You can also remove the old dangling images: - ```bash - docker image prune - ``` + ```bash + docker image prune + ``` ### Image Update Notifications - Diun (Docker Image Update Notifier) - **tip**: We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported. + >[!TIP] + >We recommend [Diun](https://crazymax.dev/diun/) for update notifications. Other tools that automatically update containers unattended are not recommended or supported. ## Building locally 
@@ -312,6 +316,7 @@ full_custom_readme: | ## Versions + * **05.12.24:** - Rebase to Alpine 3.21. * **26.08.24:** - Change `ALLOW_START`, `ALLOW_STOP`, and `ALLOW_RESTARTS` to work even with `POST=0`. * **24.05.24:** - Rebase to Alpine 3.20. * **15.04.24:** - Allow disabling IPv6 support for legacy devices. diff --git a/root/docker-entrypoint.sh b/root/docker-entrypoint.sh index d289448..7ce9ce4 100755 --- a/root/docker-entrypoint.sh +++ b/root/docker-entrypoint.sh @@ -10,6 +10,8 @@ else envsubst "$(printf '${%s} ' $(bash -c "compgen -A variable"))" < /templates/default_nopost.template > /run/default.conf fi +mkdir /run/nginx-tmp + echo ' ─────────────────────────────────────── diff --git a/root/etc/nginx/nginx.conf b/root/etc/nginx/nginx.conf index cbe9573..70fa50a 100644 --- a/root/etc/nginx/nginx.conf +++ b/root/etc/nginx/nginx.conf @@ -36,11 +36,11 @@ http { # error code 413. Set to 0 to disable. Default is '1m'. client_max_body_size 0; - client_body_temp_path /run/nginx-tmp; - proxy_temp_path /run/nginx-tmp; - fastcgi_temp_path /run/nginx-tmp; - uwsgi_temp_path /run/nginx-tmp; - scgi_temp_path /run/nginx-tmp; + client_body_temp_path /run/nginx-tmp/nginx 1 2; + proxy_temp_path /run/nginx-tmp/nginx-proxy; + fastcgi_temp_path /run/nginx-tmp/nginx-fastcgi; + uwsgi_temp_path /run/nginx-tmp/nginx-uwsgi; + scgi_temp_path /run/nginx-tmp/nginx-scgi; # Sendfile copies data between one FD and other from within the kernel, # which is more efficient than read() + write(). Default is off. diff --git a/root/templates/default_nopost.template b/root/templates/default_nopost.template index eda3582..4f5d44b 100644 --- a/root/templates/default_nopost.template +++ b/root/templates/default_nopost.template 
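Review bot: `mkdir /run/nginx-tmp` returns an error when the directory already exists, which happens on a container restart whenever `/run` is part of the container's writable layer rather than a fresh tmpfs. Whether that aborts the entrypoint depends on shell options set above this hunk, but at minimum it prints an error on every restart. `mkdir -p /run/nginx-tmp` is idempotent and keeps the nginx.conf temp paths working in both cases.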
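Review bot: The five temp paths now depend on a parent directory that nginx does not create itself, and nothing in nginx.conf says where it comes from. A comment above the block would record that, for example `# /run/nginx-tmp is created by docker-entrypoint.sh; nginx creates the per-module directories below it at startup.` With `client_max_body_size 0` just above, request bodies of any size can spill into `/run/nginx-tmp/nginx`, so when `/run` is a tmpfs its size limit is the only bound on that buffering. The `http` block starts and ends outside this hunk.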
@@ -33,9 +33,9 @@ server { include /etc/nginx/proxy.conf; - location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) {if ($path_restarts = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start {if ($path_start = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/stop {if ($path_stop = 0){return 403;}proxy_pass http://unix:$dockersocket;} + location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/(stop|restart|kill) {if ($path_restarts = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/auth {limit_except GET HEAD {deny all;}if ($path_auth = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/build {limit_except GET HEAD {deny all;}if ($path_build = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/commit {limit_except GET HEAD {deny all;}if ($path_commit = 0){return 403;}proxy_pass http://unix:$dockersocket;} diff --git a/root/templates/default_nopost_ipv4.template b/root/templates/default_nopost_ipv4.template index 51a114c..923a427 100644 --- a/root/templates/default_nopost_ipv4.template +++ b/root/templates/default_nopost_ipv4.template 
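Review bot: After the reorder the `stop` alternative in `(stop|restart|kill)` can never match, because regex locations are tried in file order and the unanchored `/stop` location above it always wins. That makes `$path_stop` the only switch for stop requests, which looks intended, but a deployment that enabled restarts without enabling stop would now get 403 on stop (assuming `$path_stop` defaults to 0), and the Versions entry in this commit does not mention it. I would drop the dead alternative and anchor the three patterns so that order no longer decides the outcome, e.g. `location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/(restart|kill)$ {...}` with `/start$` and `/stop$` on the two lines above. The same lines change in default_nopost_ipv4.template, default_post.template and default_post_ipv4.template.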
@@ -32,9 +32,9 @@ server { include /etc/nginx/proxy.conf; - location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) {if ($path_restarts = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start {if ($path_start = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/stop {if ($path_stop = 0){return 403;}proxy_pass http://unix:$dockersocket;} + location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/(stop|restart|kill) {if ($path_restarts = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/auth {limit_except GET HEAD {deny all;}if ($path_auth = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/build {limit_except GET HEAD {deny all;}if ($path_build = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/commit {limit_except GET HEAD {deny all;}if ($path_commit = 0){return 403;}proxy_pass http://unix:$dockersocket;} diff --git a/root/templates/default_post.template b/root/templates/default_post.template index 7319642..1cb545a 100644 --- a/root/templates/default_post.template +++ b/root/templates/default_post.template 
@@ -33,9 +33,9 @@ server { include /etc/nginx/proxy.conf; - location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) {if ($path_restarts = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start {if ($path_start = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/stop {if ($path_stop = 0){return 403;}proxy_pass http://unix:$dockersocket;} + location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/(stop|restart|kill) {if ($path_restarts = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/auth {if ($path_auth = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/build {if ($path_build = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/commit {if ($path_commit = 0){return 403;}proxy_pass http://unix:$dockersocket;} diff --git a/root/templates/default_post_ipv4.template b/root/templates/default_post_ipv4.template index 94bf9da..d44ed84 100644 --- a/root/templates/default_post_ipv4.template +++ b/root/templates/default_post_ipv4.template 
@@ -32,9 +32,9 @@ server { include /etc/nginx/proxy.conf; - location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/((stop)|(restart)|(kill)) {if ($path_restarts = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/start {if ($path_start = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/stop {if ($path_stop = 0){return 403;}proxy_pass http://unix:$dockersocket;} + location ~* ^(/v[\d\.]+)?/containers/[a-zA-Z0-9_.-]+/(stop|restart|kill) {if ($path_restarts = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/auth {if ($path_auth = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/build {if ($path_build = 0){return 403;}proxy_pass http://unix:$dockersocket;} location ~* ^(/v[\d\.]+)?/commit {if ($path_commit = 0){return 403;}proxy_pass http://unix:$dockersocket;}