
Nginx configuration for IEDK

NOTICE

Starting with IEDK version 1.23, Nginx is no longer installed as a prerequisite.


Overview

Prior to version 1.23, the Industrial Edge Device Kit (IEDK) required the installation of Nginx to manage and host its services. This legacy Nginx configuration facilitated certain functionalities, such as API hosting and certificate management. While this configuration process is no longer required with the current versions of IEDK, understanding these settings can be valuable for historical reference or ongoing support scenarios.

If you expose the IEDK through a reverse proxy and choose Nginx for that role, you can follow this documentation.

Installation and Configuration Process (Deprecated)

Certificate Management

  • During the installation of Industrial Edge Packages, self-signed certificates were generated. These certificates resided at:
      • /etc/pki/tls/certs/c2g-nginx-rp.crt
      • /etc/pki/tls/private/c2g-nginx-rp.key

These were initially configured to be used on port 443, with subsequent replacement by IEM-provided certificates during device onboarding.

Nginx Configuration Files

To support IED APIs and various other components, the IEDK setup resulted in the creation of the following configuration files on the host system:

| File | Description |
| --- | --- |
| /etc/nginx/nginx.conf | The main Nginx configuration file. |
| /etc/nginx/conf.d/default.conf | Configured the default Nginx virtual host, listening on port 80 on localhost, which the software update process relied on. It referenced /etc/nginx/conf.d/auth/edge-auth.conf for specific locations. |
| /etc/nginx/conf.d/edge.conf | Configured the exposure of the IED APIs running in the edge-iot-core container on port 443 on localhost. This file used /etc/nginx/conf.d/edge.conf.locations for its location definitions and consumed the self-signed certificates. |
| /etc/nginx/conf.d/redirect80.conf | Redirected HTTP traffic to HTTPS, provided port 80 was opened in the firewall. |
| /etc/nginx/conf.d/iems.url | Previously used for redirection to IEM; now deprecated and slated for removal. |
| /var/opt/www/html/device/* | Contained the custom error pages for Nginx. |

Explanation of edge.conf file

Rate Limiting

limit_req_zone $binary_remote_addr zone=pixlimit:32m rate=10000r/s;
  • limit_req_zone: Defines a shared memory zone named pixlimit with a size of 32MB to store the state of rate limiting.
  • $binary_remote_addr: Uses the binary representation of the client’s IP address as the key.
  • rate=10000r/s: Limits the request rate to 10,000 requests per second.

Conditional Logging

map $request $loggable {
    ~*/a.service/api/v1/auth/token 0;
    default 1;
}
  • map: Creates a variable $loggable from the $request variable, which holds the full request line (method, URI including any query string, and protocol), not only the URI path.
  • ~*/a.service/api/v1/auth/token 0: If the request line matches this case-insensitive regular expression (the ~* prefix), $loggable is set to 0 (do not log). The pattern is not anchored, and the . in a.service matches any single character.
  • default 1: For all other requests, $loggable is set to 1 (log).
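To check which request lines the map above actually keeps out of the access log, here is an added Python emulation of nginx's map lookup; it is example code written for this page, not part of the IEDK configuration. The map semantics it reproduces (plain keys first, compared case-insensitively; then ~ and ~* regex keys in written order, searched rather than anchored) are assumptions stated in the comments, and the sample request lines are constructed.

```python
import re

# Added emulation of the "map $request $loggable" block above; the entry and
# the default value are copied from that block.
LOGGABLE_MAP = [("~*/a.service/api/v1/auth/token", "0")]
LOGGABLE_DEFAULT = "1"


def nginx_map_lookup(source, entries, default):
    """Resolve a map value for one source string.

    Assumed nginx map semantics: plain string keys are tried first and compared
    case-insensitively; then keys starting with "~" (case-sensitive regex) or
    "~*" (case-insensitive regex) are tried in the order written.  Regexes are
    searched, not anchored, so a match anywhere in the source string counts.
    """
    plain = {k.lower(): v for k, v in entries if not k.startswith("~")}
    if source.lower() in plain:
        return plain[source.lower()]
    for key, result in entries:
        if key.startswith("~*"):
            if re.search(key[2:], source, re.IGNORECASE):
                return result
        elif key.startswith("~"):
            if re.search(key[1:], source):
                return result
    return default


def is_loggable(request_line):
    """True when the access_log if=$loggable condition would write an entry."""
    return nginx_map_lookup(request_line, LOGGABLE_MAP, LOGGABLE_DEFAULT) == "1"


def unlogged_requests(request_lines):
    """Return the request lines that the condition keeps out of syslog."""
    return [line for line in request_lines if not is_loggable(line)]


# Constructed request lines: $request is the whole request line (method, URI
# with any query string, protocol), not only the URI path.
SAMPLE_REQUESTS = [
    "POST /a.service/api/v1/auth/token HTTP/1.1",
    "POST /A.SERVICE/API/V1/AUTH/TOKEN HTTP/1.1",
    "GET /a.service/api/v1/devices HTTP/1.1",
    "GET /help?ref=/a.service/api/v1/auth/token HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(("log   " if is_loggable(line) else "silent"), line)
```

The last sample shows the consequence of the unanchored match: any request line that contains the pattern anywhere, including inside a query string, is dropped from the access log, which is worth knowing when you audit log coverage.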

Server Block

server {
    server_name localhost;
    server_tokens off;
    listen 443 ssl http2 reuseport;
    #ssl on;
    ssl_certificate /etc/pki/tls/certs/c2g-nginx-rp.crt;
    ssl_certificate_key /etc/pki/tls/private/c2g-nginx-rp.key;

    client_max_body_size 0;
    client_body_temp_path /tmp/;
    proxy_temp_path /tmp/;

    proxy_read_timeout 6000s;
    client_body_timeout 6000s;
    proxy_connect_timeout 6000s;
    proxy_send_timeout 6000s;
    client_header_timeout 6000s;

    proxy_busy_buffers_size 512k;
    proxy_buffer_size 512k;
    proxy_buffers 4 512k;
    proxy_buffering on;
    proxy_max_temp_file_size 0;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    #ssl_stapling on;
    #ssl_stapling_verify on;

    access_log syslog:server=unix:/dev/log combined if=$loggable;

    limit_req zone=pixlimit burst=100 nodelay;
    limit_req_status 429;

    include /etc/nginx/conf.d/edge.conf.locations;
}

General Settings

  • server_name localhost: Sets the server name to localhost.
  • server_tokens off: Disables the server tokens in the response headers.
  • listen 443 ssl http2 reuseport: Listens on port 443 with SSL and HTTP/2 enabled, and allows multiple worker processes to bind to the same port.

SSL Configuration

  • ssl_certificate: Specifies the path to the SSL certificate.
  • ssl_certificate_key: Specifies the path to the SSL certificate key.
  • ssl_protocols TLSv1.2 TLSv1.3: Allows only TLSv1.2 and TLSv1.3; older protocol versions are refused.
  • ssl_prefer_server_ciphers on: Prefers the server's cipher order over the client's when negotiating.
  • ssl_ciphers: Specifies the list of ciphers to use. With OpenSSL this list governs TLSv1.2 and earlier; TLSv1.3 cipher suites are configured separately.
  • ssl_ecdh_curve secp384r1: Sets the elliptic curve for ECDH.
  • ssl_session_timeout 10m: Sets the SSL session timeout to 10 minutes.
  • ssl_session_cache shared:SSL:10m: Configures a 10 MB shared cache for SSL sessions.
  • ssl_session_tickets off: Disables SSL session tickets.

Client and Proxy Settings

  • client_max_body_size 0: Disables the limit on the size of the client request body.
  • client_body_temp_path /tmp/: Sets the directory for storing temporary files for client request bodies.
  • proxy_temp_path /tmp/: Sets the directory for storing temporary files for proxy responses.
  • proxy_read_timeout 6000s: Sets the timeout for reading a response from the proxied server.
  • client_body_timeout 6000s: Sets the timeout for reading the client request body.
  • proxy_connect_timeout 6000s: Sets the timeout for establishing a connection with the proxied server.
  • proxy_send_timeout 6000s: Sets the timeout for sending a request to the proxied server.
  • client_header_timeout 6000s: Sets the timeout for reading the client request header.
  • proxy_busy_buffers_size 512k: Limits the total size of buffers that can be busy sending a response to the client while that response has not yet been read completely from the proxied server.
  • proxy_buffer_size 512k: Sets the size of the buffer used for the first part of the proxied response, which normally holds the response headers.
  • proxy_buffers 4 512k: Sets the number and size of the buffers used to read a response from the proxied server for a single connection.
  • proxy_buffering on: Enables buffering of responses from the proxied server.
  • proxy_max_temp_file_size 0: Disables buffering of proxied responses to temporary files; a response that does not fit in the buffers is passed to the client synchronously.

Logging

  • access_log syslog:server=unix:/dev/log combined if=$loggable: Writes access log entries in the combined format to the local syslog socket /dev/log; the if= condition suppresses the entry when $loggable is 0 (or empty).

Rate Limiting

  • limit_req zone=pixlimit burst=100 nodelay: Applies the pixlimit zone to this server with a burst allowance of 100 requests; nodelay means requests within the burst are served immediately instead of being queued to the configured rate, and requests beyond it are rejected.
  • limit_req_status 429: Returns a 429 status code when the rate limit is exceeded.
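To see how rate=10000r/s, burst=100 and nodelay combine for one client, here is an added Python model of nginx's limit_req accounting (example code for this page, not nginx's or the IEDK's own). The arithmetic it follows (excess kept in thousandths of a request, drained at the zone rate, rejected when it would exceed burst) is an assumption stated in the docstring, and the client addresses and timestamps are constructed.

```python
class NginxLimitReq:
    """Added model of nginx limit_req for the settings used on this page:
    rate=10000r/s, burst=100 nodelay, limit_req_status 429.

    Assumed arithmetic (after ngx_http_limit_req_module): per key, nginx keeps
    an "excess" counter in thousandths of a request that drains at the zone
    rate; each request adds 1000 and is rejected when the result would exceed
    burst * 1000.  The first request for a key creates the entry with excess 0
    and is always admitted.
    """

    def __init__(self, rate_per_sec, burst, nodelay=True, status=429):
        self.rate = rate_per_sec * 1000   # thousandths of a request per second
        self.burst = burst * 1000
        self.nodelay = nodelay
        self.status = status
        self.state = {}                   # $binary_remote_addr -> (last_ms, excess)

    def check(self, key, now_ms):
        """Return (result, delay_ms); result is 'pass' or the reject status code."""
        if key not in self.state:
            self.state[key] = (now_ms, 0)
            return "pass", 0
        last_ms, excess = self.state[key]
        elapsed = max(0, now_ms - last_ms)
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return self.status, 0         # rejected; nginx leaves the entry untouched
        self.state[key] = (now_ms, excess)
        if self.nodelay or excess == 0:
            return "pass", 0
        # Without nodelay the request is held until the excess has drained.
        return "pass", excess * 1000 // self.rate


def admitted_in_same_millisecond(rate_per_sec, burst, n, key="10.0.0.1"):
    """Count how many of n requests arriving in one millisecond are served."""
    limiter = NginxLimitReq(rate_per_sec, burst)
    return sum(1 for _ in range(n) if limiter.check(key, 0)[0] == "pass")


def simulate(requests, rate_per_sec=10000, burst=100):
    """Run constructed (client_ip, timestamp_ms) pairs through one zone and
    return each request's result, e.g. ['pass', ..., 429]."""
    limiter = NginxLimitReq(rate_per_sec, burst)
    return [limiter.check(ip, ts)[0] for ip, ts in requests]


if __name__ == "__main__":
    print(admitted_in_same_millisecond(10000, 100, 150))  # 101: first request plus the burst
```

With the page's values, a client that fires 150 requests in the same millisecond gets 101 served and the rest answered with 429, and one millisecond later the zone has drained room for another 10 requests.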

Include Locations

  • include /etc/nginx/conf.d/edge.conf.locations: Includes the location definitions kept in /etc/nginx/conf.d/edge.conf.locations into this server block.