Skip to content

[Metro AI Suite] IBVS: Add reverse proxy for IBVS docker deployment #764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rohitkatakol merged 26 commits into from
Oct 24, 2025
Merged

[Metro AI Suite] IBVS: Add reverse proxy for IBVS docker deployment #764

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
85d4c4e
Reverse proxy changes for ibvs
rohitkatakol Sep 30, 2025
8960339
Create ibvs app with static web pages
rohitkatakol Oct 1, 2025
e4af35a
Fix rtsp stream
rohitkatakol Oct 1, 2025
7fda14d
Helm changes for reverse proxy
rohitkatakol Oct 5, 2025
218254a
Fix proxy requests for milvus ui
rohitkatakol Oct 6, 2025
4d34cd6
Fix swagger documentaion for featurematching
rohitkatakol Oct 6, 2025
bf1fdec
RTSP stream enable with reverse proxy
rohitkatakol Oct 7, 2025
9ce133c
Undo helm changes
rohitkatakol Oct 7, 2025
8d427f9
Merge branch 'main' into feature/rkatakol/ibvs_reverse_proxy
rohitkatakol Oct 7, 2025
adcb029
Minor changes
rohitkatakol Oct 7, 2025
e57b306
Document changes
rohitkatakol Oct 7, 2025
faa512a
Merge branch 'main' into feature/rkatakol/ibvs_reverse_proxy
rohitkatakol Oct 7, 2025
6768bfa
Merge branch 'main' into feature/rkatakol/ibvs_reverse_proxy
rohitkatakol Oct 8, 2025
b221402
Cleaning up compose.yml file
rohitkatakol Oct 8, 2025
a51eb00
Remove dockerfile for nginx
rohitkatakol Oct 8, 2025
83f1944
Merge branch 'main' into feature/rkatakol/ibvs_reverse_proxy
rohitkatakol Oct 14, 2025
6f61ef8
Changes to certificate generation script
rohitkatakol Oct 14, 2025
e1b58d7
Merge branch 'main' into feature/rkatakol/ibvs_reverse_proxy
rohitkatakol Oct 16, 2025
76b9211
Added reverse proxy for helm chart
rohitkatakol Oct 17, 2025
06a30a0
Merge branch 'main' into feature/rkatakol/ibvs_reverse_proxy
rohitkatakol Oct 22, 2025
43f1b34
Minor changes
rohitkatakol Oct 22, 2025
f2071f0
Document changes for helm
rohitkatakol Oct 22, 2025
65f051c
Document changes for nginx architecture
rohitkatakol Oct 23, 2025
f357a3e
Document changes for nginx architecture
rohitkatakol Oct 23, 2025
7de2cc7
Merge branch 'main' into feature/rkatakol/ibvs_reverse_proxy
rohitkatakol Oct 23, 2025
0e06bb7
Merge branch 'main' into feature/rkatakol/ibvs_reverse_proxy
rohitkatakol Oct 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions metro-ai-suite/image-based-video-search/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# Image-Based Video Search Sample Application
# Image-Based Video Search (IBVS) Sample Application
<!--REQUIRED: Add a short description without including the name of the RI/Application/microservice in the description. Ensure it's at least 50 characters (excluding spaces) and doesn't exceed 150 characters (excluding spaces). This will enable the content to be properly displayed in the catalog's card layout.-->
Performs near real-time analysis and image-based search to detect and retrieve objects of interest in large video datasets.

Expand All @@ -12,7 +12,7 @@ You can use this foundation to build solutions for diverse use cases, including
## How it Works
The application workflow has three stages: inputs, processing, and outputs.

![Diagram illustrating the components and interactions within the Image-Based Video Search system, including inputs, processing, and outputs.](docs/user-guide/_images/architecture_simplified.png)
![Diagram illustrating the components and interactions within the Image-Based Video Search system, including inputs, processing, and outputs.](docs/user-guide/_images/architecture.png)

### Inputs

Expand All @@ -23,6 +23,7 @@ The application includes a demonstration video for testing. The video loops cont

### Processing

- **Nginx reverse proxy server**: All interactions with user happens via Nginx server. It protects IBVS app by handling SSL/TLS encryption, filtering and validating requests and making the app directly inaccessible from external access.
- **Video analysis with Deep Learning Streamer Pipeline Server and MediaMTX**: Select **Analyze Stream** to start the DL Streamer Pipeline Server pipeline. The Pipeline Server processes video through **MediaMTX**, which simulates remote video cameras and publishes live streams. The Pipeline Server extracts frames and detects objects in each frame, publishing predictions through **MQTT**.
- **Feature extraction with Feature Matching**: DL Streamer Pipeline Server sends metadata and images through MQTT to the Feature Matching microservice. Feature Matching generates feature vectors. If predictions exceed the threshold, the system stores vector embeddings in MilvusDB and saves frames in the Docker file system.
- **Storage and retrieval in MilvusDB**: MilvusDB stores feature vectors. You can review them in MilvusUI.
Expand Down
276 changes: 276 additions & 0 deletions metro-ai-suite/image-based-video-search/chart/templates/nginx/configmap.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,276 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-conf
namespace: {{ .Values.namespace }}
data:
nginx.conf: |
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

stream {
upstream rtsp_upstream {
server ibvs-mediamtx:8554; # RTSP server inside Docker network
}

server {
listen 8554; # Nginx listens for RTSP on 8554
proxy_pass rtsp_upstream;
}
}

http {
# Upstream blocks
upstream ibvs_app {
server ibvs-app:3000;
}
upstream milvus_ui {
server ibvs-milvusui:3000;
}
upstream feature_matching {
server ibvs-featurematching:8000;
}
upstream dlstreamer {
server ibvs-dlstreamer-pipeline-server:8080;
}
upstream milvus_db {
server ibvs-milvusdb:19530;
}
upstream milvus_db_http {
server ibvs-milvusdb:9091;
}

# Redirect all HTTP -> HTTPS
server {
listen 80;
return 301 https://$host$request_uri;
}

# HTTPS server block
server {
listen 443 ssl;
server_name localhost;
client_max_body_size 500M;

# SSL configuration
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;

# SSL security settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";

# Milvus App (Vue SPA)
location / {
proxy_pass http://ibvs_app/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Serve static assets directly
location /assets/ {
proxy_pass http://ibvs_app/assets/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Milvus UI
location /ibvs-milvus-ui/ {
proxy_pass http://milvus_ui/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

# Milvus UI api requests
location /api/ {
proxy_pass http://milvus_ui/api/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Milvus UI socket.IO requests
location /socket.io/ {
proxy_pass http://milvus_ui/socket.io/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Feature Matching
location /ibvs-feature-matching/ {
proxy_pass http://feature_matching/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Feature Matching search requests
location /search/ {
proxy_pass http://feature_matching/search/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Get static images for search results
location /static/ {
proxy_pass http://feature_matching/static/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Feature Matching clear requests
location /clear/ {
proxy_pass http://feature_matching/clear/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Featurematching healthz requests
location /healthz {
proxy_pass http://feature_matching;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Feature Matching Swagger docs requests
location /docs {
proxy_pass http://feature_matching;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Feature Matching swagger docs openapi.json requests
location /openapi.json {
proxy_pass http://feature_matching/openapi.json;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# DLStreamer Pipeline Server
location /ibvs-dlstreamer/ {
proxy_pass http://dlstreamer/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

# # DLStreamer Pipeline Server pipelines requests
location /pipelines/ {
proxy_pass http://dlstreamer/pipelines/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Milvus DB API
location /ibvs-milvus-db/ {
proxy_pass http://milvus_db;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

# Milvus DB HTTP
location /ibvs-milvus-db-http/ {
proxy_pass http://milvus_db_http/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

# Stream video
location /stream/ {
proxy_pass http://ibvs-mediamtx:8888/stream/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

# Health check
location /nginx_healthz {
return 200 "ok\n";
add_header Content-Type text/plain;
}
}
}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: generate-certs-script
data:
generate_certs.sh: |
#!/bin/sh
set -e
SSL_DIR="/etc/nginx/ssl"
mkdir -p "$SSL_DIR"

if ! command -v openssl >/dev/null 2>&1; then
echo "Installing openssl..."
apk add --no-cache openssl
fi

if [ ! -f "$SSL_DIR/server.crt" ] || [ ! -f "$SSL_DIR/server.key" ]; then
echo "🔐 Generating self-signed SSL certificate..."
openssl req -x509 -nodes -days 365 \
-newkey rsa:2048 \
-keyout "$SSL_DIR/server.key" \
-out "$SSL_DIR/server.crt" \
-subj "/C=US/ST=CA/L=San Francisco/O=Intel/OU=Edge AI/CN=localhost"
fi
54 changes: 54 additions & 0 deletions metro-ai-suite/image-based-video-search/chart/templates/nginx/deployment.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: '{{ include "image_based_video_search.fullname" . }}-nginx-reverse-proxy'
labels:
{{- include "image_based_video_search.labels" . | nindent 4 }}
katenary.v3/component: nginx-reverse-proxy
spec:
replicas: 1
selector:
matchLabels:
{{- include "image_based_video_search.selectorLabels" . | nindent 6 }}
katenary.v3/component: nginx-reverse-proxy
template:
metadata:
labels:
{{- include "image_based_video_search.selectorLabels" . | nindent 8 }}
katenary.v3/component: nginx-reverse-proxy
spec:
initContainers:
- name: generate-certs
image: alpine/openssl:3.5.4
command:
- /bin/sh
- -c
- /scripts/generate_certs.sh
volumeMounts:
- name: generate-certs-script
mountPath: /scripts
- name: nginx-ssl
mountPath: /etc/nginx/ssl
containers:
- name: nginx-reverse-proxy
image: nginx:1.27-alpine
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
volumeMounts:
- name: nginx-conf
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
- name: nginx-ssl
mountPath: /etc/nginx/ssl
volumes:
- name: nginx-conf
configMap:
name: nginx-conf
- name: nginx-ssl
emptyDir: {}
- name: generate-certs-script
configMap:
name: generate-certs-script
defaultMode: 0755
27 changes: 27 additions & 0 deletions metro-ai-suite/image-based-video-search/chart/templates/nginx/service.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
apiVersion: v1
kind: Service
metadata:
name: '{{ include "image_based_video_search.fullname" . }}-nginx-reverse-proxy'
labels:
{{- include "image_based_video_search.labels" . | nindent 4 }}
katenary.v3/component: nginx-reverse-proxy
spec:
type: NodePort
ports:
- name: nginx-reverse-proxy-80
port: 80
protocol: TCP
targetPort: 80
nodePort: 30080
- name: nginx-reverse-proxy-443
port: 443
protocol: TCP
targetPort: 443
nodePort: 30443
- name: nginx-reverse-proxy-8554
port: 8554
targetPort: 8554
nodePort: 30554 # external port for 8554
selector:
{{- include "image_based_video_search.selectorLabels" . | nindent 4 }}
katenary.v3/component: nginx-reverse-proxy
Loading