# For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; ssl_engine pkcs11; # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events {{ worker_connections 1024; }} http {{ log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 4096; include /etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; server {{ listen 80; listen [::]:80; server_name {PUBLIC_DOMAIN}; # "Canonical Name" for this server location = /_sys/canon-name {{ default_type text/plain; add_header Access-Control-Allow-Origin *; # Return server's hostname name as it is on our SSL cert return 200 '{PUBLIC_DOMAIN}'; }} # Basic redirect for everything that supports redirects location / {{ return 301 https://{PUBLIC_DOMAIN}$request_uri; }} }} # Settings for a TLS enabled server. # server {{ # Disable size limit on request bodies client_max_body_size 0; listen 443 ssl; listen [::]:443 ssl; server_name {PUBLIC_DOMAIN}; ssl_protocols TLSv1.2; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_prefer_server_ciphers on; # Set this to the stanza path configured in /etc/nitro_enclaves/acm.yaml include "/etc/pki/nginx/nginx-acm.conf"; # "Canonical Name" endpoint - configured the same way as on your # default server. location = /_sys/canon-name {{ default_type text/plain; add_header Access-Control-Allow-Origin *; # Return server's hostname name as it is on the SSL cert return 200 '{PUBLIC_DOMAIN}'; }} # ---------- # Ingress Router configuration and endpoints proxy_buffering off; proxy_request_buffering off; # Routes (endpoints). Each target port name here is the name # of the port as defined in `nucleus-stack.env` of the Base Stack # When configuring, please note that trailing slashes (or their absence) # is crucial - deleting them where they are or # adding them where they weren't will cause problems. # Target host will be your SERVER_IP_OR_HOST as configured in your # base Nucleus stack. # # Targets ports will depend on how they were configured: # values here are the same as defaults as provided in the base # stack, and will work, unless any base stack's ports were tweaked. # # Exception to this is Navigator: here, we target port 8080. # Core API: use API_PORT_2 here. Do NOT use API_PORT. location /omni/api {{ proxy_pass http://{NUCLEUS_SERVER_DOMAIN}:3019; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host:3019; }} # LFT: use LFT_PORT here location /omni/lft/ {{ proxy_pass http://{NUCLEUS_SERVER_DOMAIN}:3030/; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; }} # Discovery Service: use DISCOVERY_PORT here location /omni/discovery {{ proxy_pass http://{NUCLEUS_SERVER_DOMAIN}:3333; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; }} # Auth Service: use AUTH_PORT here location /omni/auth {{ proxy_pass http://{NUCLEUS_SERVER_DOMAIN}:3100; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; }} # Auth Service's Login Form: use AUTH_LOGIN_FORM_PORT here location /omni/auth/login {{ proxy_pass http://{NUCLEUS_SERVER_DOMAIN}:3180/; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; add_header Access-Control-Allow-Origin *; proxy_set_header Connection "upgrade"; }} # Navigator # Default root redirect to Navigator (routed via `/omni/web2`) location = / {{ return 301 https://{PUBLIC_DOMAIN}/omni/web2; }} # Actual Navigator route, use WEB_PORT here # (and we recommend using something other than 80 to avoid default # direct connections to it - here, we use 8080). location /omni/web2/ {{ proxy_pass http://{NUCLEUS_SERVER_DOMAIN}:8080/; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; }} # Redirect for browser links produced by Apps and Connectors. # Basically, we want to "catch" every URL that contains an # `omniverse://` URL in it and route those to Navigator. # Note: re-writing to `omni/web2` due to browser links not # including `omni/web2` # !!! Note - one slash after omniverse: in the regexp because NGINX # !!! collapses two slashes into one. location ~* "^/omniverse:/(.*)$" {{ return 301 https://{PUBLIC_DOMAIN}/omni/web2/omniverse://$1; }} # Tagging Service: use TAGGING_PORT here location /omni/tagging2 {{ proxy_pass http://{NUCLEUS_SERVER_DOMAIN}:3020; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; }} # Search Service: use SEARCH_PORT here location /omni/search2 {{ proxy_pass http://{NUCLEUS_SERVER_DOMAIN}:3400; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; }} }} }}