Configuring the NGINX proxy server for Customizer Lite HA
The configuration of NGINX is slightly different for load balancing multiple Customizer Lite services when using multiple Docker nodes than for the single instance.
Procedure
- Edit the NGINX_INSTALL_DIR/conf/nginx.conf .
-
Insert an upstream {} definition for each of the
mw-proxy,appregistry-serviceandappregistry-clientapplications and identify the host names and ports of the multiple Docker instances for each service. Add nested locations for the http server for /appreg and /appregistry URIs referencing their corresponding upstream applications in both the http server (port 80) and https server (port 443) sections. Add a nested location for themw-proxyupstream application in the https server (port 443) section.worker_processes 1; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; upstream appregistry-client_nodes { server docker_host_1.com:7000; server docker_host_2.com:7000; } upstream appregistry-service_nodes { server docker_host_1.com:3002; server docker_host_2.com:3002; } upstream mw-proxy_nodes { server docker_host_1.com:3001; server docker_host_2.com:3001; } server { listen 80; server_name localhost; location / { root html; index index.html index.htm; location ~ ^(/appregistry/) { proxy_pass http://appregistry-service_nodes; } location ~* “^/appreg\/?(?<baseuri>.*)” { rewrite "(?i)/appreg/(.*)" /$1 break; rewrite "(?i)/appreg$" / break; proxy_pass http://appregistry-client_nodes; } # redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } } proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffers 32 4k; server { listen 443 ssl; server_name 127.0.0.1; ssl_certificate Path_to_NGINX-self-signed/nginx-selfsigned.crt; ssl_certificate_key Path_to_NGINX-self-signed/nginx-selfsigned.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { location ~ ^(/appregistry/) { proxy_pass http://appregistry-service_nodes; } location ~* "^/appreg\/?(?<baseuri>.*)" { rewrite "(?i)/appreg/(.*)" /$1 break; rewrite "(?i)/appreg$" / break; proxy_pass http://appregistry-client_nodes; } #Points to the master with mw-proxy. proxy_pass http://mw-proxy_nodes; } } } -
To only route required Customizer URLs to
mw-proxyand filter out all other requests directly to IHS, create additional nested location(s) in thenginx.configfile in the https server section as follows referencing the upstream application name:location / { location ~ ^(/appregistry/) { proxy_pass http://appregistry-service_nodes; } location ~* "^/appreg\/?(?<baseuri>.*)" { rewrite "(?i)/appreg/(.*)" /$1 break; rewrite "(?i)/appreg$" / break; proxy_pass http://appregistry-client_nodes; } location ~ ^/(files/app|files/customizer|communities/service/html/|forums/html|search/web/) { proxy_passhttp://mw_proxy_nodes; } location ~ ^/(homepage/web/|social|mycontacts) { proxy_pass http://mw_proxy_nodes; } proxy_pass https://IHS_SERVER; } -
(Linux® only) Disable the firewall between the Kubernetes masters and the NGINX server. If the
NGINX server runs on Linux®, ensure that the firewall is not enabled between the Kubernetes masters
and the NGINX server. Disable the firewall by running the following command on the NGINX server:
sudo setsebool -P httpd_can_network_connect true -
Modify the service configuration to support starting the NGINX server using systemctl:
-
Edit the
/etc/nginx/nginx.conffile and add the following statements:
The value shown here is an example; you might need to use a different value for your environment.events { worker_connections 16384; } -
Start the NGINX server with the following command:
sudo systemctl start nginx