mirror of
https://github.com/mainflux/mainflux.git
synced 2025-04-24 13:48:49 +08:00
3e7bac493c
* Initial Commit: Sync Env Veriables With Docker Deployment Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Sync Env Vars With Master Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Remove Altprefix Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Rename HttpPort to HTTPPort Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix envPrefixDB After Rebase Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Remove Server Parse Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Add Provision For TLS on CoAP Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Fix Exit After Defer Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Remove Unused Function Signed-off-by: rodneyosodo <blackd0t@protonmail.com> * Document Undocumentated Env Variables Signed-off-by: rodneyosodo <blackd0t@protonmail.com> --------- Signed-off-by: rodneyosodo <blackd0t@protonmail.com> Co-authored-by: Drasko DRASKOVIC <drasko.draskovic@gmail.com>
155 lines
5.0 KiB
Plaintext
155 lines
5.0 KiB
Plaintext
# Copyright (c) Mainflux
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
# This is the Mainflux NGINX configuration for mututal authentication based on X.509 certifiactes.
|
|
|
|
user nginx;
|
|
worker_processes auto;
|
|
worker_cpu_affinity auto;
|
|
pid /run/nginx.pid;
|
|
load_module /etc/nginx/modules/ngx_stream_js_module.so;
|
|
load_module /etc/nginx/modules/ngx_http_js_module.so;
|
|
include /etc/nginx/modules-enabled/*.conf;
|
|
|
|
events {
|
|
# Explanation: https://serverfault.com/questions/787919/optimal-value-for-nginx-worker-connections
|
|
# We'll keep 10k connections per core (assuming one worker per core)
|
|
worker_connections 10000;
|
|
}
|
|
|
|
http {
|
|
include snippets/http_access_log.conf;
|
|
|
|
js_path "/etc/nginx/njs/";
|
|
js_import authorization from /etc/nginx/authorization.js;
|
|
|
|
js_set $auth_key authorization.setKey;
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
keepalive_timeout 65;
|
|
types_hash_max_size 2048;
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
# Include single-node or multiple-node (cluster) upstream
|
|
include snippets/mqtt-ws-upstream.conf;
|
|
|
|
server {
|
|
listen 80 default_server;
|
|
listen [::]:80 default_server;
|
|
listen 443 ssl http2 default_server;
|
|
listen [::]:443 ssl http2 default_server;
|
|
ssl_verify_client optional;
|
|
include snippets/ssl.conf;
|
|
include snippets/ssl-client.conf;
|
|
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
|
|
add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header Access-Control-Allow-Origin '*';
|
|
add_header Access-Control-Allow-Methods '*';
|
|
add_header Access-Control-Allow-Headers '*';
|
|
|
|
server_name localhost;
|
|
|
|
# Proxy pass to users service
|
|
location ~ ^/(users|groups|password|policies|authorize) {
|
|
include snippets/proxy-headers.conf;
|
|
add_header Access-Control-Expose-Headers Location;
|
|
proxy_pass http://users:${MF_USERS_HTTP_PORT};
|
|
}
|
|
|
|
location ^~ /users/policies {
|
|
include snippets/proxy-headers.conf;
|
|
add_header Access-Control-Expose-Headers Location;
|
|
proxy_pass http://users:${MF_USERS_HTTP_PORT}/policies;
|
|
}
|
|
|
|
# Proxy pass to things service
|
|
location ~ ^/(things|channels|connect|disconnect|identify) {
|
|
include snippets/proxy-headers.conf;
|
|
add_header Access-Control-Expose-Headers Location;
|
|
proxy_pass http://things:${MF_THINGS_HTTP_PORT};
|
|
}
|
|
|
|
location ^~ /things/policies {
|
|
include snippets/proxy-headers.conf;
|
|
add_header Access-Control-Expose-Headers Location;
|
|
proxy_pass http://things:${MF_THINGS_HTTP_PORT}/policies;
|
|
}
|
|
|
|
location /health {
|
|
include snippets/proxy-headers.conf;
|
|
proxy_pass http://things:${MF_THINGS_HTTP_PORT};
|
|
}
|
|
|
|
location /metrics {
|
|
include snippets/proxy-headers.conf;
|
|
proxy_pass http://things:${MF_THINGS_HTTP_PORT};
|
|
}
|
|
|
|
# Proxy pass to mainflux-http-adapter
|
|
location /http/ {
|
|
include snippets/verify-ssl-client.conf;
|
|
include snippets/proxy-headers.conf;
|
|
proxy_set_header Authorization $auth_key;
|
|
|
|
# Trailing `/` is mandatory. Refer to the http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
|
|
# If the proxy_pass directive is specified with a URI, then when a request is passed to the server,
|
|
# the part of a normalized request URI matching the location is replaced by a URI specified in the directive
|
|
proxy_pass http://http-adapter:${MF_HTTP_ADAPTER_PORT}/;
|
|
}
|
|
|
|
# Proxy pass to mainflux-mqtt-adapter over WS
|
|
location /mqtt {
|
|
include snippets/verify-ssl-client.conf;
|
|
include snippets/proxy-headers.conf;
|
|
include snippets/ws-upgrade.conf;
|
|
proxy_pass http://mqtt_ws_cluster;
|
|
}
|
|
|
|
# Proxy pass to mainflux-ws-adapter
|
|
location /ws/ {
|
|
include snippets/verify-ssl-client.conf;
|
|
include snippets/proxy-headers.conf;
|
|
include snippets/ws-upgrade.conf;
|
|
proxy_pass http://ws-adapter:${MF_WS_ADAPTER_HTTP_PORT}/;
|
|
}
|
|
}
|
|
}
|
|
|
|
# MQTT
|
|
stream {
|
|
include snippets/stream_access_log.conf;
|
|
|
|
# Include JS script for mTLS
|
|
js_path "/etc/nginx/njs/";
|
|
|
|
js_import authorization from /etc/nginx/authorization.js;
|
|
|
|
# Include single-node or multiple-node (cluster) upstream
|
|
include snippets/mqtt-upstream.conf;
|
|
ssl_verify_client on;
|
|
include snippets/ssl-client.conf;
|
|
|
|
server {
|
|
listen ${MF_NGINX_MQTT_PORT};
|
|
listen [::]:${MF_NGINX_MQTT_PORT};
|
|
listen ${MF_NGINX_MQTTS_PORT} ssl;
|
|
listen [::]:${MF_NGINX_MQTTS_PORT} ssl;
|
|
|
|
include snippets/ssl.conf;
|
|
js_preread authorization.authenticate;
|
|
|
|
proxy_pass mqtt_cluster;
|
|
}
|
|
}
|
|
|
|
error_log info.log info;
|