
@toddysm
Created May 11, 2021 01:47
Azure IoT Edge API Proxy Configuration
# nginx template for the Azure IoT Edge API proxy. The if_tag / endif_tag marker
# lines and the dollar-brace placeholders are not nginx syntax; presumably a
# preprocessor resolves them before nginx loads this file (TODO confirm against
# the module's startup code). Marker lines must stay byte-for-byte intact.
events { }
http {
# Buffering for proxied responses: 32 buffers of 160k per connection, plus a
# 160k buffer for the first part of the response (the headers).
proxy_buffers 32 160k;
proxy_buffer_size 160k;
# Allow up to 3600 seconds between two reads from an upstream.
proxy_read_timeout 3600;
# Both logs are written to stdout.
# NOTE(review): the default access-log format records the full request line, so
# anything carried in a query string ends up in the log; confirm no credentials
# travel that way.
error_log /dev/stdout info;
access_log /dev/stdout;
# The value later sent upstream as Authorization: the client's own header when
# one is present, otherwise the SAS_TOKEN placeholder value.
# NOTE(review): a request with no Authorization header is therefore forwarded
# to edgeHub carrying the proxy's own token. Confirm that edgeHub authorizes
# such requests on the forwarded client certificate and not on the token alone.
map $http_authorization $auth {
default $http_authorization;
"" "${SAS_TOKEN}";
}
server {
# Single TLS listener; every route below is reached through it.
listen ${NGINX_DEFAULT_PORT} ssl default_server;
chunked_transfer_encoding on;
ssl_certificate server.crt;
ssl_certificate_key private_key_server.pem;
ssl_client_certificate trustedCA.crt;
ssl_verify_depth 7;
# optional_no_ca: a client certificate is requested but not required, and nginx
# does not require it to chain to a trusted CA. Nothing in this file checks the
# verification result, so validation of the certificate is left to whichever
# backend receives it (see the x-ms-edge-clientcert header below).
ssl_verify_client optional_no_ca;
# Server-level rewrites run before a location is chosen. "last" ends this
# rewrite pass, so a request gets at most one of the prefixes below.
# Any request carrying an x-ms-version header is routed to /storage when a blob
# upload address is configured, otherwise to /parent.
#if_tag ${BLOB_UPLOAD_ROUTE_ADDRESS}
if ($http_x_ms_version)
{
rewrite ^(.*)$ /storage$1 last;
}
#endif_tag ${BLOB_UPLOAD_ROUTE_ADDRESS}
#if_tag !${BLOB_UPLOAD_ROUTE_ADDRESS}
if ($http_x_ms_version)
{
rewrite ^(.*)$ /parent$1 last;
}
#endif_tag ${BLOB_UPLOAD_ROUTE_ADDRESS}
# Container-registry requests go to /registry when a registry address is
# configured, otherwise to /parent.
# NOTE(review): the pattern ^/v2*. reads as "/v", zero or more "2", then any one
# character, so it also matches paths such as /version. It was probably meant to
# be ^/v2/ - TODO confirm before tightening.
# NOTE(review): since one of the two variants is always emitted, URIs matching
# this pattern appear to be rewritten before the "location /v2" block further
# down can be selected - confirm how the preprocessor combines these sections.
#if_tag ${DOCKER_REQUEST_ROUTE_ADDRESS}
if ($uri ~ ^/v2*.)
{
rewrite ^(.*)$ /registry$1 last;
}
#endif_tag ${DOCKER_REQUEST_ROUTE_ADDRESS}
#if_tag !${DOCKER_REQUEST_ROUTE_ADDRESS}
if ($uri ~ ^/v2*.)
{
rewrite ^(.*)$ /parent$1 last;
}
#endif_tag ${DOCKER_REQUEST_ROUTE_ADDRESS}
# Targets of the rewrites above. Each strips its prefix (captured as $1) and
# proxies the remainder, with the original query string, to the upstream.
# proxy_pass takes a variable here, so the upstream name is resolved per request
# through the resolver at 127.0.0.11 (Docker's embedded DNS).
# NOTE(review): none of /registry, /storage or /parent is marked "internal", so
# a client can request these prefixes directly instead of arriving through the
# rewrites. Confirm that is intended.
# NOTE(review): the registry, storage and connected-ACR upstreams are reached
# over plain http; this relies on that traffic never leaving the local
# container network.
#if_tag ${DOCKER_REQUEST_ROUTE_ADDRESS}
location ~^/registry/(.*) {
proxy_http_version 1.1;
resolver 127.0.0.11;
set $upstream_endpoint http://${DOCKER_REQUEST_ROUTE_ADDRESS}/$1$is_args$args;
proxy_pass $upstream_endpoint;
}
#endif_tag ${DOCKER_REQUEST_ROUTE_ADDRESS}
#if_tag ${BLOB_UPLOAD_ROUTE_ADDRESS}
location ~^/storage/(.*){
resolver 127.0.0.11;
proxy_http_version 1.1;
set $upstream_endpoint http://${BLOB_UPLOAD_ROUTE_ADDRESS}/$1$is_args$args;
proxy_pass $upstream_endpoint;
}
#endif_tag ${BLOB_UPLOAD_ROUTE_ADDRESS}
# Connected-registry routes: prefix locations that pass the URI through
# unchanged and tell the upstream the original host and scheme.
#if_tag ${CONNECTED_ACR_ROUTE_ADDRESS}
location /v2 {
resolver 127.0.0.11;
proxy_http_version 1.1;
proxy_pass http://${CONNECTED_ACR_ROUTE_ADDRESS};
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /acr {
resolver 127.0.0.11;
proxy_http_version 1.1;
proxy_pass http://${CONNECTED_ACR_ROUTE_ADDRESS};
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
}
#endif_tag ${CONNECTED_ACR_ROUTE_ADDRESS}
# Forwarding to the parent device over TLS. This is the only upstream whose
# certificate is verified: it must chain to trustedCA.crt (depth 7) and match
# the configured proxy name, which is also sent as SNI.
#if_tag ${IOTEDGE_PARENTHOSTNAME}
location ~^/parent/(.*) {
proxy_http_version 1.1;
resolver 127.0.0.11;
# Left disabled: as written, the proxy presents no client certificate of its
# own to the parent.
#proxy_ssl_certificate identity.crt;
#proxy_ssl_certificate_key private_key_identity.pem;
proxy_ssl_server_name on;
proxy_ssl_name ${IOTEDGE_PARENTAPIPROXYNAME};
proxy_ssl_trusted_certificate trustedCA.crt;
proxy_ssl_verify_depth 7;
proxy_ssl_verify on;
proxy_pass https://${IOTEDGE_PARENTHOSTNAME}:${NGINX_DEFAULT_PORT}/$1$is_args$args;
}
#endif_tag ${IOTEDGE_PARENTHOSTNAME}
# Device and twin REST calls, proxied to edgeHub over https.
# NOTE(review): the alternation is not grouped, so this matches URIs that start
# with /devices OR that contain "twins/" anywhere in the path. It was probably
# meant to be ^/(devices|twins)/ - TODO confirm before tightening.
location ~^/devices|twins/ {
resolver 127.0.0.11;
proxy_http_version 1.1;
# edgeHub's server certificate is not validated on this hop.
proxy_ssl_verify off;
# Hand the client's certificate (URL-encoded PEM) to edgeHub. Setting the header
# here replaces any x-ms-edge-clientcert value the client sent itself; when no
# certificate was presented the value is empty and nginx omits the header.
proxy_set_header x-ms-edge-clientcert $ssl_client_escaped_cert;
# Client's Authorization header, or the fallback token from the map above.
proxy_set_header Authorization $auth;
set $upstream_endpoint https://edgeHub;
proxy_pass $upstream_endpoint;
}
# WebSocket endpoint, proxied to edgeHub with the same certificate and
# Authorization forwarding as the location above, plus the Upgrade/Connection
# headers needed for the protocol switch.
# NOTE(review): the "." before iothub is unescaped and matches any character.
location ~^/.iothub/websocket {
resolver 127.0.0.11;
# edgeHub's server certificate is not validated on this hop either.
proxy_ssl_verify off;
proxy_set_header x-ms-edge-clientcert $ssl_client_escaped_cert;
proxy_set_header Authorization $auth;
set $upstream_endpoint https://edgeHub;
proxy_pass $upstream_endpoint;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
}
}
}