Nginx: Expose Web Service
Module:
Categories:
Pigsty will install Nginx on INFRA Node, as a Web service proxy.
Nginx is the access entry for all WebUI services of Pigsty, and it defaults to the use the 80/443
port on INFRA nodes.
Pigsty provides a global parameter infra_portal
to configure Nginx proxy rules and corresponding upstream services.
infra_portal: # domain names and upstream servers
home : { domain: h.pigsty }
grafana : { domain: g.pigsty ,endpoint: "${admin_ip}:3000" , websocket: true }
prometheus : { domain: p.pigsty ,endpoint: "${admin_ip}:9090" }
alertmanager : { domain: a.pigsty ,endpoint: "${admin_ip}:9093" }
blackbox : { endpoint: "${admin_ip}:9115" }
loki : { endpoint: "${admin_ip}:3100" }
#minio : { domain: sss.pigsty ,endpoint: "${admin_ip}:9001" ,scheme: https ,websocket: true }
If you access Nginx directly through the ip:port, it will route to h.pigsty
, which is the Pigsty homepage (/www/
directory, served as software repo).
Because Nginx provides multiple services through the same port, it must be distinguished by the domain name (HOST
header by the browser). Therefore, by default, Nginx only exposes services with the domain
parameter.
And Pigsty will expose grafana
, prometheus
, and alertmanager
services by default in addition to the home
server.
How to configure nginx upstream?
Pigsty has a built-in configuration template full.yml
, could be used as a reference, and also exposes some Web services in addition to the default services.
infra_portal: # domain names and upstream servers
home : { domain: h.pigsty }
grafana : { domain: g.pigsty ,endpoint: "${admin_ip}:3000" , websocket: true }
prometheus : { domain: p.pigsty ,endpoint: "${admin_ip}:9090" }
alertmanager : { domain: a.pigsty ,endpoint: "${admin_ip}:9093" }
blackbox : { endpoint: "${admin_ip}:9115" }
loki : { endpoint: "${admin_ip}:3100" }
minio : { domain: sss.pigsty ,endpoint: "${admin_ip}:9001" ,scheme: https ,websocket: true }
postgrest : { domain: api.pigsty ,endpoint: "127.0.0.1:8884" }
pgadmin : { domain: adm.pigsty ,endpoint: "127.0.0.1:8885" }
pgweb : { domain: cli.pigsty ,endpoint: "127.0.0.1:8886" }
bytebase : { domain: ddl.pigsty ,endpoint: "127.0.0.1:8887" }
jupyter : { domain: lab.pigsty ,endpoint: "127.0.0.1:8888", websocket: true }
gitea : { domain: git.pigsty ,endpoint: "127.0.0.1:8889" }
wiki : { domain: wiki.pigsty ,endpoint: "127.0.0.1:9002" }
noco : { domain: noco.pigsty ,endpoint: "127.0.0.1:9003" }
supa : { domain: supa.pigsty ,endpoint: "10.10.10.10:8000", websocket: true }
Each record in infra_portal
is a key-value pair, where the key
is the name
of the service, and the value
is a dictionary.
Currently, there are four available configuration items in the configuration dictionary:
endpoint
: REQUIRED, specifies the address of the upstream service, which can beIP:PORT
orDOMAIN:PORT
.- In this parameter, you can use the placeholder
${admin_ip}
, and Pigsty will fill in the value ofadmin_ip
.
- In this parameter, you can use the placeholder
domain
: OPTIONAL, specifies the domain name of the proxy. If not filled in, Nginx will not expose this service.- For services that need to know the endpoint address but do not want to expose them (such as Loki, Blackbox Exporter), you can leave the
domain
blank.
- For services that need to know the endpoint address but do not want to expose them (such as Loki, Blackbox Exporter), you can leave the
scheme
: OPTIONAL, specifies the protocol (http
/https
) when forwarding, leave it blank to default to http.- For services that require HTTPS access (such as the MinIO management interface), you need to specify
scheme: https
.
- For services that require HTTPS access (such as the MinIO management interface), you need to specify
websocket
: OPTIONAL, specifies whether to enable WebSocket, leave it blank to default to off.- Services that require WebSocket (such as Grafana, Jupyter) need to be set to
true
to work properly.
- Services that require WebSocket (such as Grafana, Jupyter) need to be set to
If you need to add a new Web service exposed by Nginx, you need to add the corresponding record in the infra_portal
parameter in the pigsty.yml
file, and then execute the playbook to take effect:
./infra.yml -t nginx # Tune nginx into desired state
To avoid service interruption, you can also execute the following tasks separately:
./infra.yml -t nginx_config # re-generate nginx upstream config in /etc/nginx/conf.d
./infra.yml -t nginx_cert # re-generate nginx ssl cert to include new domain names
nginx -s reload # online reload nginx configuration
Or the simple way:
Nginx related configuration parameters are located at: Parameters: INFRA - NGINX
How to access via domain names?
Nginx distinguishes between different services using the domain name in the HOST
header set by the browser. Thus, by default, except for the software repository, you need to access services via domain name.
You can directly access these services via IP address + port, but we recommend accessing all components through Nginx on ports 80/443 using domain names.
When accessing the Pigsty WebUI via domain name, you need to configure DNS resolution or modify the local /etc/hosts
file for static resolution. There are several typical methods:
- If your service needs to be publicly accessible, you should resolve the internet domain name via a DNS provider (Cloudflare, Aliyun DNS, etc.). Note that in this case, you usually need to modify the Pigsty
infra_portal
parameter, as the default*.pigsty
is not suitable for public use. - If your service needs to be shared within an office network, you should resolve the internal domain name via an internal DNS provider (company internal DNS server) and point it to the IP of the Nginx server. You can request the network administrator to add the appropriate resolution records in the internal DNS server, or ask the system users to manually configure static DNS resolution records.
- If your service is only for personal use or a few users (e.g., DBA), you can ask these users to use static domain name resolution records. On Linux/MacOS systems, modify the
/etc/hosts
file (requires sudo permissions) orC:\Windows\System32\drivers\etc\hosts
(Windows) file.
We recommend ordinary single-machine users use the third method, adding the following resolution records on the machine used to access the web system via a browser:
<your_public_ip_address> h.pigsty a.pigsty p.pigsty g.pigsty
The IP address here is the public IP address where the Pigsty service is installed, and then you can access Pigsty subsystems in the browser via a domain like: http://g.pigsty.
Other web services and custom domains can be added similarly. For example, the following are possible domain resolution records for the Pigsty sandbox demo:
10.10.10.10 h.pigsty a.pigsty p.pigsty g.pigsty
10.10.10.10 api.pigsty ddl.pigsty adm.pigsty cli.pigsty lab.pigsty
10.10.10.10 supa.pigsty noco.pigsty odoo.pigsty dify.pigsty
How to access via HTTPS?
If nginx_sslmode
is set to enabled
or enforced
, you can trust self-signed ca: files/pki/ca/ca.crt
to use https
in your browser.
Pigsty will generate self-signed certs for Nginx, if you wish to access via HTTPS without “Warning”, here are some options:
- Apply & add real certs from trusted CA: such as Let’s Encrypt
- Trust your generated CA crt as root ca in your OS and browser
- Type
thisisunsafe
in Chrome will supress the warning
You can access these web UI directly via IP + port. While the common best practice would be access them through Nginx and distinguish via domain names. You’ll need configure DNS records, or use the local static records (/etc/hosts
) for that.
How to access Pigsty Web UI by domain name?
There are several options:
- Resolve internet domain names through a DNS service provider, suitable for systems accessible from the public internet.
- Configure internal network DNS server resolution records for internal domain name resolution.
- Modify the local machine’s
/etc/hosts
file to add static resolution records. (For Windows, it’s located at:)
We recommend the third method for common users. On the machine (which runs the browser), add the following record into /etc/hosts
(sudo required) or C:\Windows\System32\drivers\etc\hosts
in Windows:
<your_public_ip_address> h.pigsty a.pigsty p.pigsty g.pigsty
You have to use the external IP address of the node here.
How to configure server side domain names?
The server-side domain name is configured with Nginx. If you want to replace the default domain name, simply enter the domain you wish to use in the parameter infra_portal
. When you access the Grafana monitoring homepage via http://g.pigsty
, it is actually accessed through the Nginx proxy to Grafana’s WebUI:
http://g.pigsty ️-> http://10.10.10.10:80 (nginx) -> http://10.10.10.10:3000 (grafana)
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.