mirror of
https://github.com/mainflux/mainflux.git
synced 2025-04-27 13:48:49 +08:00
42dd813521
* MF-1308 - Use IETF Health Check standard Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Add nginx health endpoint Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Rm github.com/nelkinda dependency Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Check error Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Replace Version by Health in the CLI and SDK Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Fix typo Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Use new build flag go:build Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Revert wrong renaming Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * sdk health test Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Add /health endpoint to openapi doc Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Use const for description message Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Add version and build time during build Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Time format Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Add version and commit using git and build args Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Add comments Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Add tests Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Add missing api properties Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Fix api Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Use ./schemas/HealthInfo.yml as Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Fix example Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Use content type application/health+json Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Set Makefile variables only if empty Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Fix typo Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com>
153 lines
4.9 KiB
Plaintext
153 lines
4.9 KiB
Plaintext
# Copyright (c) Mainflux
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
# This is the Mainflux NGINX configuration for mututal authentication based on X.509 certifiactes.
|
|
|
|
user nginx;
|
|
worker_processes auto;
|
|
worker_cpu_affinity auto;
|
|
pid /run/nginx.pid;
|
|
load_module /etc/nginx/modules/ngx_stream_js_module.so;
|
|
load_module /etc/nginx/modules/ngx_http_js_module.so;
|
|
include /etc/nginx/modules-enabled/*.conf;
|
|
|
|
events {
|
|
# Explanation: https://serverfault.com/questions/787919/optimal-value-for-nginx-worker-connections
|
|
# We'll keep 10k connections per core (assuming one worker per core)
|
|
worker_connections 10000;
|
|
}
|
|
|
|
http {
|
|
include snippets/http_access_log.conf;
|
|
|
|
js_include authorization.js;
|
|
js_set $auth_key setKey;
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
keepalive_timeout 65;
|
|
types_hash_max_size 2048;
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
# Include single-node or multiple-node (cluster) upstream
|
|
include snippets/mqtt-ws-upstream.conf;
|
|
|
|
server {
|
|
listen 80 default_server;
|
|
listen [::]:80 default_server;
|
|
listen 443 ssl http2 default_server;
|
|
listen [::]:443 ssl http2 default_server;
|
|
ssl_verify_client optional;
|
|
include snippets/ssl.conf;
|
|
include snippets/ssl-client.conf;
|
|
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
|
|
add_header X-Frame-Options DENY;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header Access-Control-Allow-Origin '*';
|
|
add_header Access-Control-Allow-Methods '*';
|
|
add_header Access-Control-Allow-Headers '*';
|
|
|
|
server_name localhost;
|
|
|
|
# Proxy pass to users service
|
|
location ~ ^/(users|tokens|password) {
|
|
include snippets/proxy-headers.conf;
|
|
proxy_pass http://users:${MF_USERS_HTTP_PORT};
|
|
}
|
|
|
|
|
|
|
|
# Proxy pass to things service
|
|
location ~ ^/(things|channels|connect|disconnect) {
|
|
include snippets/proxy-headers.conf;
|
|
add_header Access-Control-Expose-Headers Location;
|
|
proxy_pass http://things:${MF_THINGS_HTTP_PORT};
|
|
}
|
|
|
|
location ~ ^/(identify){
|
|
include snippets/proxy-headers.conf;
|
|
add_header Access-Control-Expose-Headers Location;
|
|
proxy_pass http://things:${MF_THINGS_AUTH_HTTP_PORT};
|
|
}
|
|
|
|
# Proxy pass for groups to things service
|
|
location ^~ /groups/things/ {
|
|
include snippets/proxy-headers.conf;
|
|
add_header Access-Control-Expose-Headers Location;
|
|
proxy_pass http://things:${MF_THINGS_HTTP_PORT}/groups/;
|
|
}
|
|
|
|
# Proxy pass for groups to users service
|
|
location ^~ /groups/users/ {
|
|
include snippets/proxy-headers.conf;
|
|
add_header Access-Control-Expose-Headers Location;
|
|
proxy_pass http://users:${MF_USERS_HTTP_PORT}/groups/;
|
|
}
|
|
|
|
location ~ ^/(groups|members|keys) {
|
|
include snippets/proxy-headers.conf;
|
|
add_header Access-Control-Expose-Headers Location;
|
|
proxy_pass http://auth:${MF_AUTH_HTTP_PORT};
|
|
}
|
|
|
|
location /health {
|
|
include snippets/proxy-headers.conf;
|
|
proxy_pass http://things:${MF_THINGS_HTTP_PORT};
|
|
}
|
|
|
|
# Proxy pass to mainflux-http-adapter
|
|
location /http/ {
|
|
include snippets/verify-ssl-client.conf;
|
|
include snippets/proxy-headers.conf;
|
|
proxy_set_header Authorization $auth_key;
|
|
|
|
# Trailing `/` is mandatory. Refer to the http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
|
|
# If the proxy_pass directive is specified with a URI, then when a request is passed to the server,
|
|
# the part of a normalized request URI matching the location is replaced by a URI specified in the directive
|
|
proxy_pass http://http-adapter:${MF_HTTP_ADAPTER_PORT}/;
|
|
}
|
|
|
|
# Proxy pass to mainflux-mqtt-adapter over WS
|
|
location /mqtt {
|
|
include snippets/verify-ssl-client.conf;
|
|
include snippets/proxy-headers.conf;
|
|
include snippets/ws-upgrade.conf;
|
|
proxy_pass http://mqtt_ws_cluster;
|
|
}
|
|
}
|
|
}
|
|
|
|
# MQTT
|
|
stream {
|
|
include snippets/stream_access_log.conf;
|
|
|
|
# Include JS script for mTLS
|
|
js_include authorization.js;
|
|
|
|
# Include single-node or multiple-node (cluster) upstream
|
|
include snippets/mqtt-upstream.conf;
|
|
ssl_verify_client on;
|
|
include snippets/ssl-client.conf;
|
|
|
|
server {
|
|
listen ${MF_NGINX_MQTT_PORT};
|
|
listen [::]:${MF_NGINX_MQTT_PORT};
|
|
listen ${MF_NGINX_MQTTS_PORT} ssl;
|
|
listen [::]:${MF_NGINX_MQTTS_PORT} ssl;
|
|
|
|
include snippets/ssl.conf;
|
|
js_preread authenticate;
|
|
|
|
proxy_pass mqtt_cluster;
|
|
}
|
|
}
|
|
|
|
error_log info.log info;
|