1. Сконфигурируйте параметры доступа к метрикам платформы умного дома в файле /etc/ansible-iot/latest/templates/iot/web/base_config.j2
sudo nano /etc/ansible-iot/latest/templates/iot/web/base_config.j2
Структура файла /etc/ansible-iot/latest/templates/iot/web/base_config.j2:
# IoT server configuration
# Jinja2 template rendered by Ansible: the expressions and if-blocks below are
# filled from the iot.* inventory variables before nginx ever sees the file.
# Per-client request-rate zones keyed by the client address; only emitted when
# rate limiting is enabled (perip is the stricter one, used for auth endpoints).
{% if iot.web.nginx.rateLimit.enable %}
limit_req_zone $binary_remote_addr zone=perip:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=api_perip:10m rate=60r/m;
{% endif %}
# On-disk cache shared by the file-download locations (proxy_cache STATIC below).
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:60m max_size=256m inactive=24h use_temp_path=off;
# Plain-HTTP server, present only when HTTP->HTTPS redirection is enabled:
# backup/download URLs are proxied directly, everything else is redirected.
{% if iot.web.redirectHttpToHttps %}
server {
listen {{ iot.web.httpPort }};
server_name {{ iot.serverName }};
# use internal dnsmasq for resolving hostnames from /etc/hosts inside docker container
resolver 127.0.0.1 valid=10s;
# NOTE(review): these backup/download paths stay reachable over plain HTTP even
# with the redirect enabled — confirm this exception is intended.
location ~ ^/api/v1/(?:ctl/.+/zway/backup|files/download/.+) {
proxy_pass http://core:{{ iot.core.port.map }}$request_uri;
add_header X-Cache-Status $upstream_cache_status;
proxy_cache STATIC;
# NOTE(review): the cache key has no per-user component and Set-Cookie/Vary are
# ignored; if the upstream authorizes downloads per user, a cached 200 could be
# served to a different client — confirm the upstream's behaviour.
proxy_cache_key "$request_method$host$request_uri";
proxy_ignore_headers Expires Cache-Control Set-Cookie Vary;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_cache_valid 200 24h;
client_max_body_size 20M;
}
# Everything else: permanent redirect to the HTTPS listener.
location / {
{% if iot.web.httpsPort != 443 %}
return 301 https://$host:{{ iot.web.httpsPort }}$request_uri;
{% else %}
return 301 https://$host$request_uri;
{% endif %}
}
}
{% endif %}
# Main server. Listens on HTTPS; also on plain HTTP when no redirect server exists.
server {
{% if not iot.web.redirectHttpToHttps %}
listen {{ iot.web.httpPort }};
{% endif %}
listen {{ iot.web.httpsPort }} ssl;
# TLS certificate/protocol settings live in the included template.
{% include web_ssl_parameters %}
root /usr/share/eltex-sc-web/www/;
index index.html;
server_name {{ iot.serverName }};
# use internal dnsmasq for resolving hostnames from /etc/hosts inside docker container
resolver 127.0.0.1 valid=10s;
# use gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript font/woff2;
# Core (platform) metrics. Denied for everyone until allow rules are added
# in front of deny all; nginx applies the first allow/deny rule that matches.
location /api/v1/actuator/prometheus {
proxy_pass http://core:{{ iot.core.port.map }}$request_uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 20M;
deny all;
}
# Site root redirects to the /ko web UI.
location =/ {
rewrite ^(.+)$ /ko permanent;
}
# Same cached download path as in the HTTP server (same cache-key caveat applies).
location ~* ^/api/v1/files/download/.+ {
proxy_pass http://core:{{ iot.core.port.map }}$request_uri;
add_header X-Cache-Status $upstream_cache_status;
proxy_cache STATIC;
proxy_cache_key "$request_method$host$request_uri";
proxy_ignore_headers Expires Cache-Control Set-Cookie Vary;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_cache_valid 200 24h;
client_max_body_size 20M;
}
# Static single-page apps (/ko, /ng): responses are marked non-cacheable so that
# browsers always fetch the current release.
location /ko/ {
# kill browser cache for all html pages
add_header Last-Modified $date_gmt;
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
expires off;
etag off;
try_files $uri $uri/ /ko/index.html;
}
location ~* (\.html|js/web-version\.js)$ {
# kill browser cache for all html pages
add_header Last-Modified $date_gmt;
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
expires off;
etag off;
try_files $uri =404;
}
# Service-worker and vendor scripts requested at the site root are served from /ko.
location ~ ^/(firebase-messaging-sw|js/firebase-app-compat|js/firebase-messaging-compat|js/ajv.min).js {
try_files /ko/$uri =404;
}
# Runtime front-end configuration generated per request. The API/WebSocket base
# URLs are built from the request scheme and the Host header, so the client is
# pointed back at whatever host it used to reach this server.
# NOTE(review): $http_host is taken from the client request and echoed into the
# response body; confirm that requests with an unexpected Host are not served
# by this server block (e.g. a separate default server exists).
location /ko/js/conf.js {
set $apiAddress $scheme://$http_host;
set $apiAddressJs "localStorage.setItem('apiAddress', '$apiAddress/api/v1');";
set $wsAddressJs "localStorage.setItem('wsAddress', '$apiAddress/api/v1/stomp');";
default_type application/javascript;
return 200 "$apiAddressJs\n$wsAddressJs";
}
# Same idea for the /ng app, as JSON; also publishes the WebRTC STUN server list.
location /ng/assets/config.json {
set $apiAddress $scheme://$http_host;
set $api "\"api\": \"$apiAddress/api/v1\"";
set $ws "\"ws\": \"$apiAddress/api/v1/stomp\"";
set $apiEvi "\"api_evi\": \"$apiAddress/evi/vsaas/api/v2\"";
set $stunUrls "\"stunUrls\":[ \"{{ iot.core.video.webrtc.stun.urls | join('\\\", \\\"') }}\" ]";
default_type application/json;
return 200 "{ $api, $ws, $apiEvi, $stunUrls }";
}
location /ng/ {
# kill browser cache for all html pages
add_header Last-Modified $date_gmt;
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
if_modified_since off;
expires off;
etag off;
try_files $uri /ng/index.html;
}
# Authentication/account endpoints go to the authorization server over HTTPS and
# use the stricter perip limit (30r/m, burst 20) when rate limiting is on.
location ~ ^/api/v1/(?:login|images|oauth2|captcha|emailChange|users/logins|user/deleteyourself|profiles|security/roles|password|registration) {
{% if iot.web.nginx.rateLimit.enable %}
limit_req zone=perip burst=20 nodelay;
{% endif %}
proxy_buffering off;
proxy_pass https://authorization-server:{{ iot.authorization.port.ssl.map }}$request_uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 15M;
}
# Integration endpoint proxied to core over its TLS port, unbuffered.
location /api/v1/sber {
proxy_buffering off;
proxy_pass https://core:{{ iot.core.port.ssl.map }}$request_uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 15M;
}
# link websockets to ws-proxy
# Either the bundled wsproxy container or an external host, chosen at render time.
location /api/v1/stomp {
{% if not iot.wsproxy.external.enable %}
proxy_pass http://wsproxy:8075$request_uri;
{% else %}
proxy_pass http://{{ iot.wsproxy.external.host }}:{{ iot.wsproxy.external.port }}$request_uri;
{% endif %}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
location /api/v1/event_ws {
{% if not iot.wsproxy.external.enable %}
proxy_pass http://wsproxy:8075$request_uri;
{% else %}
proxy_pass http://{{ iot.wsproxy.external.host }}:{{ iot.wsproxy.external.port }}$request_uri;
{% endif %}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
# Video (evi) admin proxy, only rendered when both the URL and API key are set.
{% if iot.core.video.evi.url != '' and iot.core.video.evi.apiKey != '' %}
#--------------------- Proxy auth for evi admin --------------------------------
# Every /evi/* request is first checked by the /auth subrequest; only then is it
# forwarded upstream with the server-side API key attached (the key is added
# here, the client never has to present it).
# NOTE(review): $suffix is the raw remainder of the client path — confirm the
# upstream tolerates whatever the regex lets through.
location ~ ^/evi/(?<suffix>.*) {
auth_request /auth;
proxy_pass {{ iot.core.video.evi.url }}/$suffix?$args;
proxy_set_header X-Vsaas-Api-Key {{ iot.core.video.evi.apiKey }};
}
# auth_request target: asks the authorization server to verify the caller has
# the admin role. 'internal' blocks direct client requests to /auth.
# CORS preflight (OPTIONS) is answered 200 without verification, so OPTIONS to
# /evi/* passes the auth check by design.
location = /auth {
if ($request_method = OPTIONS) {
return 200;
}
internal;
proxy_pass https://authorization-server:{{ iot.authorization.port.ssl.map }}/api/v1/authorization/verify?roleId=admin;
proxy_http_version 1.1;
# Body is not needed for verification; only the request headers are forwarded.
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
#-------------------------------------------------------------------------------
{% endif %}
# firmware files for rule upload
# TODO delete after http://red.eltex.loc/issues/352170
# Larger upload limit than the generic /api location (256M vs 20M).
location /api/v1/firmware/rule/upload {
proxy_pass http://core:{{ iot.core.port.map }}$request_uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 256M;
}
# firmware files for direct upload
location /api/v1/files/upload {
proxy_pass http://core:{{ iot.core.port.map }}$request_uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 40M;
}
# Catch-all for the rest of the API. nginx picks the longest matching prefix and
# then still checks regex locations, so the regex blocks above win for their paths.
location /api {
{% if iot.web.nginx.rateLimit.enable %}
limit_req zone=api_perip burst=100 nodelay;
{% endif %}
proxy_pass http://core:{{ iot.core.port.map }}$request_uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 20M;
}
# Legacy STOMP endpoint handled by core directly (no wsproxy).
location /stomp {
proxy_pass http://core:{{ iot.core.port.map }}$request_uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
# Mobile app-link manifests (iOS / Android), served as JSON from the web root.
location /.well-known/apple-app-site-association {
add_header Content-Type application/json;
default_type application/json;
try_files $uri /.well-known/apple-app-site-association.json;
}
location /.well-known/assetlinks.json {
add_header Content-Type application/json;
default_type application/json;
try_files $uri /.well-known/assetlinks.json;
}
# nginx stub status: reachable only from 172.16.0.0/12 (private range;
# presumably the docker networks — confirm against the deployment).
location /nginx_status {
stub_status on;
access_log off;
allow 172.16.0.0/12;
deny all;
}
# Authorization-server metrics. Denied for everyone until allow rules are added
# in front of deny all (first matching allow/deny rule wins).
location /authorization-server/actuator/prometheus {
proxy_pass https://authorization-server:{{ iot.authorization.port.ssl.map }}/api/v1/actuator/prometheus;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 20M;
deny all;
}
# Broker metrics (bundled or external broker, chosen at render time).
# Denied for everyone until allow rules are added in front of deny all.
location /broker/actuator/prometheus {
proxy_pass http://{{ iot.broker.external.host if iot.broker.external.enable else 'broker' }}:{{ iot.broker.internal.port.map }}/actuator/prometheus;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 20M;
deny all;
}
}
# Optional deployment-specific server blocks; silently skipped if the template is absent.
{% include web_additional_server_blocks ignore missing %}
В данный файл требуется внести IP-адреса, с которых будет разрешено собирать метрики платформы умного дома:
- В location /authorization-server/actuator/prometheus добавьте строки `allow <IP-адрес или CIDR>;` — по одной на каждый IP-адрес или подсеть, с которых требуется разрешить сбор метрик сервера авторизации. Строки allow должны располагаться перед `deny all;`: nginx применяет первое совпавшее правило allow/deny, и всё, что не перечислено в allow, остаётся запрещённым.
# Example: authorization-server metrics opened to two networks.
location /authorization-server/actuator/prometheus {
proxy_pass https://authorization-server:{{ iot.authorization.port.ssl.map }}/api/v1/actuator/prometheus;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 20M;
# allow rules go before deny all; the first matching rule wins.
allow 172.16.0.0/12;
# example scraper subnet — replace with the monitoring host's address or network.
allow 10.10.50.0/24;
deny all;
}
- В location /broker/actuator/prometheus добавьте строки `allow <IP-адрес или CIDR>;` — по одной на каждый IP-адрес или подсеть, с которых требуется разрешить сбор метрик брокера. Строки allow располагаются перед `deny all;`.
# Example: broker metrics opened to two networks.
location /broker/actuator/prometheus {
proxy_pass http://{{ iot.broker.external.host if iot.broker.external.enable else 'broker' }}:{{ iot.broker.internal.port.map }}/actuator/prometheus;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 20M;
# allow rules go before deny all; the first matching rule wins.
allow 172.16.0.0/12;
# example scraper subnet — replace with the monitoring host's address or network.
allow 10.10.50.0/24;
deny all;
}
- В location /api/v1/actuator/prometheus добавьте строки `allow <IP-адрес или CIDR>;` — по одной на каждый IP-адрес или подсеть, с которых требуется разрешить сбор метрик основного сервиса платформы (core). Строки allow располагаются перед `deny all;`.
# Example: core metrics opened to two networks.
location /api/v1/actuator/prometheus {
proxy_pass http://core:{{ iot.core.port.map }}$request_uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 20M;
# allow rules go before deny all; the first matching rule wins.
allow 172.16.0.0/12;
# example scraper subnet — replace with the monitoring host's address or network.
allow 10.10.50.0/24;
deny all;
}