# Copyright (c) Mainflux
# SPDX-License-Identifier: Apache-2.0
# This is the Mainflux NGINX configuration for mutual authentication based on X.509 certificates.
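user nginx;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;

# njs is needed in both the http and the stream context (see the js_import lines below).
load_module /etc/nginx/modules/ngx_stream_js_module.so;
load_module /etc/nginx/modules/ngx_http_js_module.so;
include /etc/nginx/modules-enabled/*.conf;

events {
    # Explanation: https://serverfault.com/questions/787919/optimal-value-for-nginx-worker-connections
    # We'll keep 10k connections per core (assuming one worker per core)
    worker_connections 10000;
}

http {
    include snippets/http_access_log.conf;

    # njs script shared with the stream block. $auth_key is evaluated lazily and is only
    # consumed by the /http/ location, where it replaces the incoming Authorization header.
    # NOTE(review): presumably setKey derives the value from the verified client certificate;
    # confirm against authorization.js.
    js_path "/etc/nginx/njs/";
    js_import authorization from /etc/nginx/authorization.js;
    js_set $auth_key authorization.setKey;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # TLS floor for the HTTP listeners.
    # NOTE(review): these two directives are http-scoped only; the stream block below relies on
    # snippets/ssl.conf for its TLS settings. Confirm that snippet also sets ssl_protocols,
    # otherwise the MQTTS listeners fall back to the nginx defaults.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Include single-node or multiple-node (cluster) upstream
    include snippets/mqtt-ws-upstream.conf;

    server {
        # NOTE(review): port 80 serves the same locations in plaintext rather than redirecting to
        # 443; the HSTS header below only protects clients that have already completed one HTTPS
        # request.
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        # A client certificate is requested but not required at server level. Only the locations
        # that include snippets/verify-ssl-client.conf (/http/, /mqtt, /ws/) enforce mTLS; the
        # REST locations below are reachable without a certificate.
        ssl_verify_client optional;
        include snippets/ssl.conf;
        include snippets/ssl-client.conf;

        # Server-level response headers.
        # NOTE(review): nginx inherits add_header from the enclosing level only when the current
        # level defines no add_header of its own. The four locations below that add
        # Access-Control-Expose-Headers therefore emit NONE of these headers (HSTS, X-Frame-Options,
        # nosniff, CORS) on their responses. Repeat them in those locations, or move the set into a
        # snippet that every location includes.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header Access-Control-Allow-Origin '*';
        add_header Access-Control-Allow-Methods '*';
        add_header Access-Control-Allow-Headers '*';

        server_name localhost;

        # Proxy pass to users service
        location ~ ^/(users|groups|password|policies|authorize) {
            include snippets/proxy-headers.conf;
            # This add_header suppresses inheritance of the server-level headers (see note above).
            add_header Access-Control-Expose-Headers Location;
            proxy_pass http://users:${MF_USERS_HTTP_PORT};
        }

        # `^~` makes this prefix match take precedence over the regex location above, so
        # /users/policies is forwarded to the users service as /policies.
        location ^~ /users/policies {
            include snippets/proxy-headers.conf;
            add_header Access-Control-Expose-Headers Location;
            proxy_pass http://users:${MF_USERS_HTTP_PORT}/policies;
        }

        # Proxy pass to things service
        location ~ ^/(things|channels|connect|disconnect|identify) {
            include snippets/proxy-headers.conf;
            add_header Access-Control-Expose-Headers Location;
            proxy_pass http://things:${MF_THINGS_HTTP_PORT};
        }

        # Same precedence trick as /users/policies: rewritten to /policies on the things service.
        location ^~ /things/policies {
            include snippets/proxy-headers.conf;
            add_header Access-Control-Expose-Headers Location;
            proxy_pass http://things:${MF_THINGS_HTTP_PORT}/policies;
        }

        # No add_header here, so /health and /metrics do inherit the server-level headers.
        location /health {
            include snippets/proxy-headers.conf;
            proxy_pass http://things:${MF_THINGS_HTTP_PORT};
        }

        location /metrics {
            include snippets/proxy-headers.conf;
            proxy_pass http://things:${MF_THINGS_HTTP_PORT};
        }

        # Proxy pass to mainflux-http-adapter
        location /http/ {
            # mTLS is enforced for this path; the client-supplied Authorization header is then
            # overwritten with $auth_key, so the upstream never sees the original header value.
            include snippets/verify-ssl-client.conf;
            include snippets/proxy-headers.conf;
            proxy_set_header Authorization $auth_key;

            # Trailing `/` is mandatory. Refer to the http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
            # If the proxy_pass directive is specified with a URI, then when a request is passed to the server,
            # the part of a normalized request URI matching the location is replaced by a URI specified in the directive
            proxy_pass http://http-adapter:${MF_HTTP_ADAPTER_PORT}/;
        }

        # Proxy pass to mainflux-mqtt-adapter over WS
        location /mqtt {
            include snippets/verify-ssl-client.conf;
            include snippets/proxy-headers.conf;
            include snippets/ws-upgrade.conf;
            proxy_pass http://mqtt_ws_cluster;
        }

        # Proxy pass to mainflux-ws-adapter
        location /ws/ {
            include snippets/verify-ssl-client.conf;
            include snippets/proxy-headers.conf;
            include snippets/ws-upgrade.conf;
            proxy_pass http://ws-adapter:${MF_WS_ADAPTER_HTTP_PORT}/;
        }
    }
}

# MQTT
stream {
    include snippets/stream_access_log.conf;

    # Include JS script for mTLS
    js_path "/etc/nginx/njs/";
    js_import authorization from /etc/nginx/authorization.js;

    # Include single-node or multiple-node (cluster) upstream
    include snippets/mqtt-upstream.conf;

    # Unlike the HTTP server, the client certificate is mandatory here. This only governs the
    # `ssl` listeners below; the plaintext MQTT port has no TLS and relies on js_preread alone.
    ssl_verify_client on;
    include snippets/ssl-client.conf;

    server {
        listen ${MF_NGINX_MQTT_PORT};
        listen [::]:${MF_NGINX_MQTT_PORT};
        listen ${MF_NGINX_MQTTS_PORT} ssl;
        listen [::]:${MF_NGINX_MQTTS_PORT} ssl;

        include snippets/ssl.conf;
        # Inspects the initial MQTT bytes before the connection is handed to the upstream.
        js_preread authorization.authenticate;

        proxy_pass mqtt_cluster;
    }
}

# Relative path: resolved against the nginx prefix directory.
error_log info.log info;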