# Let nginx choose the number of worker processes automatically.
worker_processes auto;

# No connection-processing tuning: the events block is intentionally empty,
# so nginx's built-in defaults apply.
events {
}
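# MQTT proxy: TLS-terminating TCP (stream) listener in front of the broker.
# This block is active as written; comment it out if the proxy is not needed.
# Port 1883 is the conventional plaintext MQTT port, so clients must be
# explicitly configured to speak TLS when connecting to it.
stream {
    upstream ia-mqtt-broker {
        server ia-mqtt-broker:1883;
    }

    server {
        listen 1883 ssl;

        ssl_certificate     /opt/nginx/certs/cert.pem;
        ssl_certificate_key /opt/nginx/certs/key.pem;

        # Pin the protocol set instead of relying on the nginx version's
        # default, which on older releases still includes TLSv1/TLSv1.1.
        # TLSv1.2 is kept because MQTT client capabilities are not visible
        # from this file; tighten to TLSv1.3 to match the HTTPS listener
        # once all clients are confirmed to support it.
        ssl_protocols TLSv1.2 TLSv1.3;

        # No proxy_ssl is configured, so TLS ends here and the hop from
        # nginx to the broker is plain TCP. Keep that hop on a trusted
        # (container-internal) network.
        proxy_pass ia-mqtt-broker;
    }
}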
http {
# Grafana accessible at root path via HTTPS 443 mapped to the local container port
# TimeSeries Microservice REST API available at /ts-api/
# Host mapping is defined in the Docker Compose file
server {
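listen 15443 ssl;
server_name localhost;
# Request bodies of up to 500 MB are accepted on every location of this server.
client_max_body_size 500M;
# Nginx SSL cert paths
ssl_certificate /opt/nginx/certs/cert.pem;
ssl_certificate_key /opt/nginx/certs/key.pem;
# SSL security settings: TLS 1.3 only, shared 10 MB session cache,
# session tickets disabled.
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Security headers. "always" makes nginx attach them to error responses
# (4xx/5xx) as well, not only to successful ones.
# nginx inherits these add_header lines only into locations that declare
# no add_header of their own; a location that adds headers must repeat them.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options SAMEORIGIN always;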
# TimeSeries Microservice REST API.
# NOTE(review): the prefix has no trailing slash, so it also matches any URI
# that merely begins with "/ts-api"; confirm that is intended, or tighten it
# to "/ts-api/".
location /ts-api {
    # Strip the /ts-api/ prefix before the request is handed to the upstream.
    rewrite ^/ts-api/(.*)$ /$1 break;

    proxy_pass http://ia-time-series-analytics-microservice:5000/;
    proxy_http_version 1.1;
    proxy_buffering off;

    # Forward protocol-upgrade headers to the upstream.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Pass the original host, client address and scheme to the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
# DL Streamer Pipeline Server: /dsps-api/<path> is proxied to /<path> on the
# upstream (the trailing "/" on proxy_pass replaces the matched prefix).
location /dsps-api/ {
    proxy_pass http://dlstreamer-pipeline-server:8080/;
    proxy_buffering off;

    # Pass the original host, client address and scheme to the upstream.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
}
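# ------------------------------------------------
# WHIP / WHEP exact routes
#
# NOTE(review): as written this location is never selected. The prefix
# location "location ^~ /samplestream/" in this server block is the longest
# prefix match for these URIs, and the ^~ modifier tells nginx to skip regex
# locations. Before making this block reachable, confirm whether the upstream
# already emits CORS headers: browsers reject a response that carries
# duplicate Access-Control-Allow-Origin values.
# ------------------------------------------------
location ~ ^/samplestream/(whip|whep)(/.*)?$ {
    # ${MEDIAMTX_SERVER} and ${WHIP_SERVER_PORT} are presumably template
    # placeholders filled in before nginx loads this file - confirm.
    # Because proxy_pass contains a variable ($request_uri), nginx resolves
    # the upstream host at request time; that requires a literal IP address,
    # an upstream{} name or a resolver directive, and no resolver is set in
    # this server block.
    proxy_pass http://${MEDIAMTX_SERVER}:${WHIP_SERVER_PORT}$request_uri;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Long timeouts and no buffering in either direction.
    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;
    send_timeout 300s;
    proxy_buffering off;
    proxy_request_buffering off;

    # Security headers, repeated from the server level: declaring any
    # add_header in a location stops nginx from inheriting the server-level
    # add_header lines, so without these the CORS headers below would
    # silently drop HSTS, nosniff and the framing restriction.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;

    # CORS
    # NOTE(review): a wildcard origin combined with an allowed Authorization
    # header lets pages from any web origin call these endpoints. Restrict
    # Access-Control-Allow-Origin to the known front-end origin(s) unless
    # open cross-origin access is a requirement.
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods "GET, DELETE, POST, PATCH, OPTIONS";
    add_header Access-Control-Allow-Headers "Content-Type, Authorization";

    # Answer CORS preflight requests locally instead of proxying them.
    if ($request_method = OPTIONS) {
        return 204;
    }
}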
# ------------------------------------------------
# All /samplestream/ traffic -> MediaMTX
#
# NOTE(review): the ^~ modifier makes nginx skip regex locations whenever
# this prefix is the longest match, so whip/whep URIs under /samplestream/
# are handled here too, and the WHIP/WHEP regex location in this server
# block does not override it. Drop ^~ only after reviewing that block's
# CORS settings.
# ------------------------------------------------
location ^~ /samplestream/ {
    # proxy_pass has no URI part, so the request path is forwarded unchanged.
    proxy_pass http://${MEDIAMTX_SERVER}:${WHIP_SERVER_PORT};
    proxy_http_version 1.1;

    # Long timeouts and no buffering in either direction.
    proxy_buffering off;
    proxy_request_buffering off;
    send_timeout 300s;
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
    proxy_connect_timeout 300s;

    # Forward protocol-upgrade headers to the upstream.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Pass the original host, client address and scheme to the upstream.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
# Catch-all: everything not matched by a more specific location goes to Grafana.
location / {
    # Requests that arrive under /grafana/ have that prefix stripped first.
    rewrite ^/grafana/(.*)$ /$1 break;

    proxy_pass http://ia-grafana:3000/;
    proxy_buffering off;

    # Pass the original host, client address and scheme to the upstream.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
}
}
}