opensource/magistrala
1
0
Fork 0
mirror of https://github.com/absmach/magistrala.git synced 2026-06-23 04:10:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
7667eee725e71cd1a1ad8d30a641aead0754bc65
magistrala/docker/nginx/nginx-x509.conf
T
Felix Gateru 7667eee725 SMQ - 2435 - Merge invitations into domains service (#2676) 
Signed-off-by: Felix Gateru <felix.gateru@gmail.com>
2025-02-13 16:24:39 +01:00

172 lines
5.7 KiB
Plaintext
Raw Blame History

# Copyright (c) Abstract Machines
# SPDX-License-Identifier: Apache-2.0
# This is the SuperMQ NGINX configuration for mututal authentication based on X.509 certifiactes.
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
load_module /etc/nginx/modules/ngx_stream_js_module.so;
load_module /etc/nginx/modules/ngx_http_js_module.so;
include /etc/nginx/modules-enabled/*.conf;
events {
# Explanation: https://serverfault.com/questions/787919/optimal-value-for-nginx-worker-connections
# We'll keep 10k connections per core (assuming one worker per core)
worker_connections 10000;
}
http {
include snippets/http_access_log.conf;
js_path "/etc/nginx/njs/";
js_import authorization from /etc/nginx/authorization.js;
js_set $auth_key authorization.setKey;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# Include single-node or multiple-node (cluster) upstream
include snippets/mqtt-ws-upstream.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
set $dynamic_server_name "$SMQ_NGINX_SERVER_NAME";
if ($dynamic_server_name = '') {
set $dynamic_server_name "localhost";
}
server_name $dynamic_server_name;
ssl_verify_client optional;
include snippets/ssl.conf;
include snippets/ssl-client.conf;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Methods '*';
add_header Access-Control-Allow-Headers '*';
# Proxy pass to domains service
location ~ ^/(domains) {
include snippets/proxy-headers.conf;
add_header Access-Control-Expose-Headers Location;
proxy_pass http://domains:${SMQ_DOMAINS_HTTP_PORT};
}
# Proxy pass to users service
location ~ ^/(users|groups|password|authorize|oauth/callback/[^/]+) {
include snippets/proxy-headers.conf;
add_header Access-Control-Expose-Headers Location;
proxy_pass http://users:${SMQ_USERS_HTTP_PORT};
}
# Proxy pass to groups service
location ~ "^/([a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12})/(groups)" {
include snippets/proxy-headers.conf;
add_header Access-Control-Expose-Headers Location;
proxy_pass http://groups:${SMQ_GROUPS_HTTP_PORT};
}
# Proxy pass to clients service
location ~ "^/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})/(clients)" {
include snippets/proxy-headers.conf;
add_header Access-Control-Expose-Headers Location;
proxy_pass http://clients:${SMQ_CLIENTS_HTTP_PORT};
}
# Proxy pass to channels service
location ~ "^/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})/(channels)" {
include snippets/proxy-headers.conf;
add_header Access-Control-Expose-Headers Location;
proxy_pass http://channels:${SMQ_CHANNELS_HTTP_PORT};
}
location /health {
include snippets/proxy-headers.conf;
proxy_pass http://clients:${SMQ_CLIENTS_HTTP_PORT};
}
location /metrics {
include snippets/proxy-headers.conf;
proxy_pass http://clients:${SMQ_CLIENTS_HTTP_PORT};
}
# Proxy pass to supermq-http-adapter
location /http/ {
include snippets/verify-ssl-client.conf;
include snippets/proxy-headers.conf;
proxy_set_header Authorization $auth_key;
# Trailing `/` is mandatory. Refer to the http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
# If the proxy_pass directive is specified with a URI, then when a request is passed to the server,
# the part of a normalized request URI matching the location is replaced by a URI specified in the directive
proxy_pass http://http-adapter:${SMQ_HTTP_ADAPTER_PORT}/;
}
# Proxy pass to supermq-mqtt-adapter over WS
location /mqtt {
include snippets/verify-ssl-client.conf;
include snippets/proxy-headers.conf;
include snippets/ws-upgrade.conf;
proxy_pass http://mqtt_ws_cluster;
}
# Proxy pass to supermq-ws-adapter
location /ws/ {
include snippets/verify-ssl-client.conf;
include snippets/proxy-headers.conf;
include snippets/ws-upgrade.conf;
proxy_pass http://ws-adapter:${SMQ_WS_ADAPTER_HTTP_PORT}/;
}
}
}
# MQTT
stream {
include snippets/stream_access_log.conf;
# Include JS script for mTLS
js_path "/etc/nginx/njs/";
js_import authorization from /etc/nginx/authorization.js;
# Include single-node or multiple-node (cluster) upstream
include snippets/mqtt-upstream.conf;
ssl_verify_client on;
include snippets/ssl-client.conf;
server {
listen ${SMQ_NGINX_MQTT_PORT};
listen [::]:${SMQ_NGINX_MQTT_PORT};
listen ${SMQ_NGINX_MQTTS_PORT} ssl;
listen [::]:${SMQ_NGINX_MQTTS_PORT} ssl;
include snippets/ssl.conf;
js_preread authorization.authenticate;
proxy_pass mqtt_cluster;
}
}
error_log info.log info;
Reference in New Issue View Git Blame Copy Permalink