nginx.conf
setup NGINX and PingIntelligence sideband
integration. Following is a summary of steps to configure NGINX for PingIntelligence:- Create
modules
directory inside NGINX - Download PingIntelligence modules
- Copy PingIntelligence modules in the
modules
directory - Edit
nginx.conf
for PingIntelligence
Create modules
directory and download PingIntelligence
modules
- Create a
modules
directory in NGINX:# mkdir /usr/local/nginx/modules
- Download the NGINX - PingIntelligence modules from the download site
- Untar the downloaded file.
The three PingIntelligence modules are:tar -xvzf ubuntu_modules_1.14.2.tgz modules/ modules/nginx-oss-list.txt modules/ngx_ase_integration_module.so modules/ngx_http_ase_integration_response_module.so modules/ngx_http_ase_integration_request_module.so
-
ngx_ase_integration_module.so
-
ngx_http_ase_integration_request_module.so
-
ngx_http_ase_integration_response_module.so
-
- Copy the three PingIntelligence modules for Ubuntu to the
modules
directory of NGINX.# cp ngx_ase_integration_module.so /usr/local/nginx/modules # cp ngx_http_ase_integration_request_module.so /usr/local/nginx/modules # cp ngx_http_ase_integration_response_module.so /usr/local/nginx/modules
Configure nginx.conf:
Complete the following steps to configure nginx.conf
for
PingIntelligence. Make sure that the PingIntelligence module and other
configurations are added at the correct place in nginx.conf
as
shown in the sample file at the end of the section.
- Load PingIntelligence modules: Edit the
nginx.conf
file to load the PingIntelligence modules. Following is a snippet ofnginx.conf
file showing the loaded PingIntelligence modules:worker_processes 1; error_log /usr/local/nginx/logs/error.log debug; worker_rlimit_core 500M; working_directory /usr/local/nginx; pid /usr/local/nginx/pid/nginx.pid; load_module modules/ngx_ase_integration_module.so; load_module modules/ngx_http_ase_integration_request_module.so; load_module modules/ngx_http_ase_integration_response_module.so; events { worker_connections 1024; } http { keepalive_timeout 65; upstream pi.ase { server IP:PORT max_fails=1 max_conns=1024 fail_timeout=10; server IP:PORT max_fails=1 max_conns=1024 fail_timeout=10 backup; keepalive 32; } truncated nginx.conf
IP:PORT
is the IP address of primary and secondary ASE. - Add primary and secondary ASE hosts in
nginx.conf
in the upstream section. Following is a snippet ofnginx.conf
file with an ASE primary and secondary host configuration:http { keepalive_timeout 65; upstream pi.ase { server 192.168.11.12:443 max_fails=3 max_conns=1024 fail_timeout=10; server 192.168.11.13:443 max_fails=3 max_conns=1024 fail_timeout=10 backup; keepalive 32; }
- Configure SSL certificate:
Configure a SSL certificate location and ASE sideband authentication token in
nginx.conf
. ASE certificate was extracted from ASE in Prerequisites. Copy the certificate to /usr/local/nginx/ssl/test.ase.pi on the NGINX machine and configure the certificate path innginx.conf
file.The sideband authentication token was created as part of the Prerequisites in the PingIntelligence section. Following is a snippet the showing certificate location and sideband authentication token:
#Certificiate location of ASE set $certificate /usr/local/nginx/ssl/test.ase.pi; #ASE Token for sideband authentication set $ase_token <YOUR ASE SIDEBAND TOKEN>;
Note: You can also use your own SSL certificate by providing the path to the certificate inset $certificate
. Make sure that ASE has the updated certificate. - Configure ASE request and response: Configure ASE request and
response API endpoints in
nginx.conf
. Following snippet ofnginx.conf
shows ASE request and response:#ASE Request Proxy Configuration location = /ase/request { internal; ase_integration https://pi.ase; ase_integration_method "POST"; ase_integration_http_version 1.1; ase_integration_ase_token $ase_token; ase_integration_correlation_id $correlationid; ase_integration_host pi.ase; ase_integration_ssl_trusted_certificate /usr/local/nginx/ssl/test.ase.pi; ase_integration_ssl_verify off; ase_integration_ssl_verify_depth 1; ase_integration_ssl_server_name on; ase_integration_ssl_name test.ase.pi; ase_integration_next_upstream error timeout non_idempotent; #ASE Response Proxy Configuration location = /ase/response { internal; ase_integration https://pi.ase; ase_integration_method "POST"; ase_integration_http_version 1.1; ase_integration_ase_token $ase_token; ase_integration_correlation_id $correlationid; ase_integration_host pi.ase; ase_integration_ssl_trusted_certificate /usr/local/nginx/ssl/test.ase.pi; ase_integration_ssl_verify off; ase_integration_ssl_verify_depth 1; ase_integration_ssl_server_name on; ase_integration_ssl_name test.ase.pi; ase_integration_next_upstream error timeout non_idempotent;
Note:ase_integration_ssl_verify
is optional for non-SSL ASE connection. - Apply PingIntelligence policy: Apply PingIntelligence modules for
APIs by configuring
location
innginx.conf
.ase_integration_request
should be the first and aase_integration_response
should be the last.location /shop { ase_integration_request; proxy_pass http://localhost:8000/; ase_integration_response; }
If you have more than more than one API, configure a
location
for each API as shown above. - Verify: Verify that
nginx.conf
is syntactically correct by running the following command:# sudo /usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
- Restart: Restart NGINX by entering the following
command:
# sudo /usr/local/nginx/sbin/nginx -s stop # sudo /usr/local/nginx/sbin/nginx
- Run the following command to verify if
--with-compat
and--with-http_ssl_module
is in the list of flags under configured arguments.# sudo /usr/local/nginx/sbin/nginx -V nginx version: nginx/1.14.2 built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11) built with OpenSSL 1.0.2g 1 Mar 2016 TLS SNI support enabled configure arguments: --with-compat --with-http_ssl_module
- Verify that NGINX has restarted by entering the following
command:
# netstat -tulpn | grep 4443
nginx.conf
for reference:
worker_processes 1;
error_log /usr/local/nginx/logs/error.log debug;
worker_rlimit_core 500M;
working_directory /usr/local/nginx;
pid /usr/local/nginx/pid/nginx.pid;
load_module modules/ngx_ase_integration_module.so;
load_module modules/ngx_http_ase_integration_request_module.so;
load_module modules/ngx_http_ase_integration_response_module.so;
events {
worker_connections 1024;
}
http {
keepalive_timeout 65;
upstream pi.ase {
server IP:PORT max_fails=1 max_conns=100 fail_timeout=10;
server IP:PORT max_fails=1 max_conns=100 fail_timeout=10 backup;
keepalive 32;
}
server {
# remove "ssl" from the below line for a non-SSL frontend
listen 4443 ssl bind;
server_name localhost;
# Comment out the next 5-lines for a non-SSL frontend
ssl_certificate /usr/local/nginx/ssl/cert.pem;
ssl_certificate_key /usr/local/nginx/ssl/key.pem;
ssl_password_file /usr/local/nginx/ssl/password_file;
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
#root /usr/share/nginx/html;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
resolver 8.8.8.8 ipv6=off;
#The following location configuration is to configure your application. A corresponding API JSON should be present in ASE.
location / {
ase_integration_request;
proxy_pass http://localhost:8080/;
ase_integration_response;
}
#The following configuration is a Ping Intelligence configuration and do not edit
set $correlationid $pid-$request_id-$server_addr-$remote_addr-$remote_port-$request_length-$connection;
# ASE token must be configured
# ASE certificate must be copied under /usr/local/nginx/ssl/ and update the set $certificate to the # certificate file path
#Certificate location of ASE
set $certificate /usr/local/nginx/ssl/test.ase.pi;
#ASE Token for sideband authentication
set $ase_token <YOUR ASE SIDEBAND TOKEN HERE>;
#Host header which should be send to ASE
set $ase_host pi.ase;
#SNI value to use for ASE
set $ase_ssl_host pi.ase;
#ASE Request Proxy Configuration
location = /ase/request {
internal;
ase_integration https://pi.ase;
ase_integration_method "POST";
ase_integration_http_version 1.1;
ase_integration_ase_token $ase_token;
ase_integration_correlation_id $correlationid;
ase_integration_host $ase_host;
ase_integration_ssl_trusted_certificate $certificate;
ase_integration_ssl_verify off;
ase_integration_ssl_verify_depth 1;
ase_integration_ssl_server_name off;
ase_integration_ssl_name $ase_ssl_host;
ase_integration_next_upstream error timeout non_idempotent;
}
#ASE Response Proxy Configuration
location = /ase/response {
internal;
ase_integration https://pi.ase;
ase_integration_method "POST";
ase_integration_http_version 1.1;
ase_integration_ase_token $ase_token;
ase_integration_correlation_id $correlationid;
ase_integration_host $ase_host;
ase_integration_ssl_trusted_certificate $certificate;
ase_integration_ssl_verify off;
ase_integration_ssl_verify_depth 1;
ase_integration_ssl_server_name off;
ase_integration_ssl_name $ase_ssl_host;
ase_integration_next_upstream error timeout non_idempotent;
}
}