# Copyright (c) Abstract Machines
# SPDX-License-Identifier: Apache-2.0
# This is the Magistrala NGINX configuration for mutual authentication based on X.509 certificates.
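user nginx;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 65535;
pid /run/nginx.pid;
load_module /etc/nginx/modules/ngx_stream_js_module.so;
load_module /etc/nginx/modules/ngx_http_js_module.so;
include /etc/nginx/modules-enabled/*.conf;

events {
  # Explanation: https://serverfault.com/questions/787919/optimal-value-for-nginx-worker-connections
  # We'll keep 10k connections per core (assuming one worker per core)
  worker_connections 10000;
}

http {
  include snippets/http_access_log.conf;

  js_path "/etc/nginx/njs/";
  js_import authorization from /etc/nginx/authorization.js;

  # $auth_key is produced by authorization.js (not part of this file); it is
  # forwarded upstream as the Authorization header in the /http/ location.
  js_set $auth_key authorization.setKey;

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 65;
  types_hash_max_size 2048;
  client_max_body_size 5M;
  # Do not advertise the nginx version in the Server header or on error pages.
  server_tokens off;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  # Docker's embedded DNS. A short TTL matters because the proxy_pass targets
  # below are variables, which makes nginx re-resolve them at runtime instead
  # of pinning an IP at startup.
  resolver 127.0.0.11 ipv6=off valid=10s;
  resolver_timeout 5s;

  # Include single-node or multiple-node (cluster) upstream
  include snippets/mqtt-ws-upstream.conf;
  include snippets/fluxmq-http-upstream.conf;

  server {
    # NOTE(review): port 80 serves the whole API in plaintext, not only the
    # ACME challenge, so credential-bearing endpoints (/users, /password, ...)
    # are reachable over HTTP. HSTS only helps browsers that already saw an
    # HTTPS response. For production deployments redirect http -> https for
    # everything except /.well-known/acme-challenge/. Left unchanged here
    # because the "local dev" mode (see the ui-proxy.conf comment below)
    # appears to rely on plain HTTP - confirm before tightening.
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    http2 on;

    set $dynamic_server_name "$MG_NGINX_SERVER_NAME";
    if ($dynamic_server_name = '') {
      set $dynamic_server_name "localhost";
    }
    # NOTE(review): server_name does not expand nginx variables. Routing does
    # not depend on it because this is default_server on every listen above.
    server_name $dynamic_server_name;

    set $auth_upstream "auth:${MG_AUTH_HTTP_PORT}";
    set $domains_upstream "domains:${MG_DOMAINS_HTTP_PORT}";
    set $users_upstream "users:${MG_USERS_HTTP_PORT}";
    set $groups_upstream "groups:${MG_GROUPS_HTTP_PORT}";
    set $clients_upstream "clients:${MG_CLIENTS_HTTP_PORT}";
    set $channels_upstream "channels:${MG_CHANNELS_HTTP_PORT}";
    set $rules_upstream "re:${MG_RE_HTTP_PORT}";
    set $alarms_upstream "alarms:${MG_ALARMS_HTTP_PORT}";
    set $reports_upstream "reports:${MG_REPORTS_HTTP_PORT}";

    # A client certificate is requested but not required on this server; the
    # locations that need mTLS (/http/, /mqtt) enforce it through
    # snippets/verify-ssl-client.conf.
    ssl_verify_client optional;
    include snippets/ssl.conf;
    include snippets/ssl-client.conf;

    # Security headers. "always" also emits them on 4xx/5xx responses.
    # nginx does NOT merge add_header across levels: a location that sets any
    # add_header of its own inherits none of the server-level ones. Every API
    # location below sets Access-Control-Expose-Headers, so each of them
    # repeats these three headers explicitly. Any add_header inside an
    # included snippet has the same effect - keep the snippets free of it or
    # repeat the set there.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # Wildcard CORS is only acceptable because credentials are not allowed
    # (there is no Access-Control-Allow-Credentials). Never add that header
    # without replacing '*' by an explicit origin list. Also note that '*' in
    # Access-Control-Allow-Headers does not cover Authorization; a cross-origin
    # browser client that sends it needs it listed explicitly.
    # These CORS headers are deliberately NOT repeated in the API locations:
    # they do not reach them today either (see add_header note above) and an
    # upstream that sets its own Access-Control-Allow-Origin would otherwise
    # produce a duplicate header, which browsers reject. Confirm which side
    # owns CORS for the API before changing this.
    add_header Access-Control-Allow-Origin '*';
    add_header Access-Control-Allow-Methods '*';
    add_header Access-Control-Allow-Headers '*';

    location ^~ /.well-known/acme-challenge/ {
      root /var/www/certbot;
      default_type text/plain;
      try_files $uri =404;
    }

    # Proxy pass to auth service
    location ~ ^/(pats) {
      include snippets/proxy-headers.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header Access-Control-Expose-Headers Location;
      proxy_pass http://$auth_upstream;
    }

    # Proxy pass to domains service
    location ~ ^/(domains|invitations) {
      include snippets/proxy-headers.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header Access-Control-Expose-Headers Location;
      proxy_pass http://$domains_upstream;
    }

    # Proxy pass to users service
    location ~ ^/(users|password|verify-email|authorize|oauth/callback/[^/]+) {
      include snippets/proxy-headers.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header Access-Control-Expose-Headers Location;
      proxy_pass http://$users_upstream;
    }

    # Proxy pass to groups service
    location ~ "^/([a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12})/(groups)" {
      include snippets/proxy-headers.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header Access-Control-Expose-Headers Location;
      proxy_pass http://$groups_upstream;
    }

    # Proxy pass to clients service
    location ~ "^/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})/(clients)" {
      include snippets/proxy-headers.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header Access-Control-Expose-Headers Location;
      proxy_pass http://$clients_upstream;
    }

    # Proxy pass to channels service
    location ~ "^/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})/(channels)" {
      include snippets/proxy-headers.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header Access-Control-Expose-Headers Location;
      proxy_pass http://$channels_upstream;
    }

    # Proxy pass to rule engine service
    location ~ "^/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})/(rules)" {
      include snippets/proxy-headers.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header Access-Control-Expose-Headers Location;
      proxy_pass http://$rules_upstream;
    }

    # Proxy pass to alarms service
    location ~ "^/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})/(alarms)" {
      include snippets/proxy-headers.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header Access-Control-Expose-Headers Location;
      proxy_pass http://$alarms_upstream;
    }

    # Proxy pass to reports service
    location ~ "^/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})/(reports)" {
      include snippets/proxy-headers.conf;
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
      add_header X-Frame-Options DENY always;
      add_header X-Content-Type-Options nosniff always;
      add_header Access-Control-Expose-Headers Location;
      proxy_pass http://$reports_upstream;
    }

    # NOTE(review): /health and /metrics are unauthenticated on the public
    # listener and both go to the clients service only. If /metrics serves
    # scrape data (presumably Prometheus), restrict it with allow/deny or move
    # it to an internal-only listener rather than exposing it to the internet.
    location /health {
      include snippets/proxy-headers.conf;
      proxy_pass http://$clients_upstream;
    }

    location /metrics {
      include snippets/proxy-headers.conf;
      proxy_pass http://$clients_upstream;
    }

    # Proxy pass to FluxMQ HTTP API
    location /http/ {
      include snippets/verify-ssl-client.conf;
      include snippets/proxy-headers.conf;
      # The client-supplied Authorization header is replaced by the value
      # derived in authorization.js, so the upstream never sees it directly.
      proxy_set_header Authorization $auth_key;
      proxy_pass http://fluxmq_http_cluster/;
    }

    # Proxy pass to FluxMQ MQTT over WebSocket
    location /mqtt {
      include snippets/verify-ssl-client.conf;
      include snippets/proxy-headers.conf;
      include snippets/ws-upgrade.conf;
      proxy_pass http://mqtt_ws_cluster;
    }

    # UI proxy – populated by docker/setup-tls.sh; empty = no catch-all (local dev)
    include snippets/ui-proxy.conf;
  }
}

# MQTT
stream {
  include snippets/stream_access_log.conf;

  # Include JS script for mTLS
  js_path "/etc/nginx/njs/";
  js_import authorization from /etc/nginx/authorization.js;

  # Include single-node or multiple-node (cluster) upstream
  include snippets/mqtt-upstream.conf;
  include snippets/fluxmq-amqp-upstream.conf;
  # A client certificate is mandatory on the ssl listeners below. The
  # plaintext MQTT listener is not covered by this and relies on js_preread
  # alone.
  ssl_verify_client on;
  include snippets/ssl-client.conf;

  server {
    listen ${MG_NGINX_MQTT_PORT};
    listen [::]:${MG_NGINX_MQTT_PORT};
    listen ${MG_NGINX_MQTTS_PORT} ssl;
    listen [::]:${MG_NGINX_MQTTS_PORT} ssl;

    include snippets/ssl.conf;
    # Runs before any bytes are proxied; presumably inspects the MQTT CONNECT
    # (logic lives in authorization.js, not visible here).
    js_preread authorization.authenticate;

    proxy_pass mqtt_cluster;
  }

  # FluxMQ AMQP 0.9.1 (event store)
  # NOTE(review): plain TCP with no TLS and no js_preread - access control is
  # left entirely to the broker. Bind this to an internal interface or
  # firewall the port if the event store is not meant to be internet-facing.
  server {
    listen ${MG_NGINX_AMQP_PORT};
    listen [::]:${MG_NGINX_AMQP_PORT};

    proxy_pass fluxmq_amqp_cluster;
  }
}

error_log info.log info;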