# This config file is a sample section of an NGINX configuration # file to set up an Ingress Router for Nucleus Base Stack. # # If using NGINX as your Ingress Router, this file can be included # in the http{} section of your main NGINX config - after # reviewing and configuring it. # # Mainly, you need to configure correct names - both for this server, # as well as for the "downstream" proxy_pass targets, and SSL # parameters. # # This server's name should match SSL_INGRESS_HOST of your base stack's # configuration. # # Downstream targets for proxy_pass'es should be pointed at the same # IP or host as you have configured in SERVER_IP_OR_HOST variable of # your base stack's .env file # # If using this config file, do not change anything else - slashes or their # existance, headers, and other options. Do not remove endpoints. # # If using some other reverse proxy instead of NGINX, make sure to match # the configuration exactly. # # For more information on SSL in Nucleus, # refer to https://docs.omniverse.nvidia.com/nucleus/ssl # -- # DNS servers so that we can use hostnames in our routes # resolver 1.2.3.4 5.6.7.8; resolver 8.8.8.8; # Default server on 80. This: # # - allows redirects to the proper hostname (for which SSL cert is valid) # # - adds required `/_sys/canon-name` endpoint for WebSockets clients # to query "canonical name" of the server (some WebSockets clients # do not support redirects) via non-secure connection server { listen 80; server_name _; # "Canonical Name" for this server location = /_sys/canon-name { default_type text/plain; add_header Access-Control-Allow-Origin *; # Return server's hostname name as it is on our SSL cert return 200 '20.78.122.74.nip.io'; } # location = /_sys/canonical-name { # default_type text/plain; # add_header Access-Control-Allow-Origin *; # # Return server's hostname name as it is on our SSL cert # return 200 '20.78.122.74.nip.io'; #} location = /omni/discovery { # return 301 https://20.78.122.74.nip.io/omni/discovery/; # proxy_pass http://10.2.0.7:3333; proxy_pass https://20.78.122.74.nip.io/omni/discovery/; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; add_header Access-Control-Allow-Origin * always; add_header Access-Control-Allow-Headers * always; add_header Access-Control-Allow-Methods * always; proxy_set_header "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36"; proxy_set_header Connection "upgrade"; } # Basic redirect for everything that supports redirects location / { return 302 https://20.78.122.74.nip.io$request_uri; } } # This is the actual Ingress Router server { # Disable size limit on request bodies client_max_body_size 0; listen 443 ssl; # Correct server name here. # Note that SSL cert and hostname here should match # SSL_INGRESS_HOST as configured in your base Nucleus stack. server_name 20.78.122.74.nip.io; # Configure your SSL options as required by your security practices ssl_certificate /letsencrypt/live/20.78.122.74.nip.io/fullchain.pem; ssl_certificate_key /letsencrypt/live/20.78.122.74.nip.io/privkey.pem; ssl_dhparam /letsencrypt/dhparam-2048.pem; # ... # "Canonical Name" endpoint - configured the same way as on your # default server. location = /_sys/canon-name { default_type text/plain; add_header Access-Control-Allow-Origin *; # Return server's hostname name as it is on the SSL cert return 200 '20.78.122.74.nip.io'; } location = /_sys/canonical-name { default_type text/plain; add_header Access-Control-Allow-Origin *; # Return server's hostname name as it is on our SSL cert return 200 '20.78.122.74.nip.io'; } # ---------- # Ingress Router configuration and endpoints proxy_buffering off; proxy_request_buffering off; # Routes (endpoints). Each target port name here is the name # of the port as defined in `nucleus-stack.env` of the Base Stack # When configuring, please note that trailing slashes (or their absence) # is crucial - deleting them where they are or # adding them where they weren't will cause problems. # Target host will be your SERVER_IP_OR_HOST as configured in your # base Nucleus stack. # # Targets ports will depend on how they were configured: # values here are the same as defaults as provided in the base # stack, and will work, unless any base stack's ports were tweaked. # # Exception to this is Navigator: here, we target port 8080. # Core API: use API_PORT_2 here. Do NOT use API_PORT. location /omni/api { proxy_pass http://10.2.0.7:3019; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host:3019; } # LFT: use LFT_PORT here location /omni/lft/ { proxy_pass http://10.2.0.7:3030/; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # Discovery Service: use DISCOVERY_PORT here location /omni/discovery { proxy_pass http://10.2.0.7:3333; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; add_header Access-Control-Allow-Origin * always; add_header Access-Control-Allow-Headers * always; add_header Access-Control-Allow-Methods * always; proxy_set_header Connection "upgrade"; } # Auth Service: use AUTH_PORT here location /omni/auth { proxy_pass http://10.2.0.7:3100; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # Auth Service's Login Form: use AUTH_LOGIN_FORM_PORT here location /omni/auth/login { proxy_pass http://10.2.0.7:3180/; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; add_header Access-Control-Allow-Origin *; proxy_set_header Connection "upgrade"; } # Navigator # Default root redirect to Navigator (routed via `/omni/web2`) location = / { return 302 https://20.78.122.74.nip.io/omni/web2; } # Actual Navigator route, use WEB_PORT here # (and we recommend using something other than 80 to avoid default # direct connections to it - here, we use 8080). location /omni/web2/ { proxy_pass http://10.2.0.7:8080/; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; } # Redirect for browser links produced by Apps and Connectors. # Basically, we want to "catch" every URL that contains an # `omniverse://` URL in it and route those to Navigator. # Note: re-writing to `omni/web2` due to browser links not # including `omni/web2` # !!! Note - one slash after omniverse: in the regexp because NGINX # !!! collapses two slashes into one. location ~* "^/omniverse:/(.*)$" { return 302 https://20.78.122.74.nip.io/omni/web2/omniverse://$1; } # Tagging Service: use TAGGING_PORT here location /omni/tagging3 { proxy_pass http://10.2.0.7:3020; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # Search Service: use SEARCH_PORT here location /omni/search3 { proxy_pass http://10.2.0.7:3400; proxy_http_version 1.1; proxy_read_timeout 60s; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }