How to expose Omni with Nginx (HTTPS)

This guide shows how to expose a self-hosted Omni instance behind Nginx and secure it with TLS.

Omni deployment configuration

Deploy an Omni instance as described in the how to deploy Omni on-prem guide, with the following flags set. Every listener is bound to 127.0.0.1, so only Nginx on the same host can reach Omni directly; the advertised URLs are the public names that clients will use through the proxy:

--name=$OMNI_NAME
--private-key-source=file:///omni.asc
--bind-addr=127.0.0.1:8080
--advertised-api-url=https://$OMNI_DOMAIN/
--siderolink-api-bind-addr=127.0.0.1:8090
--siderolink-api-advertised-url=https://api.$OMNI_DOMAIN:443
--k8s-proxy-bind-addr=127.0.0.1:8100
--advertised-kubernetes-proxy-url=https://kube.$OMNI_DOMAIN/
--account-id=$OMNI_UUID
## Also add the authentication flags according to your setup

Certificates

Use an ACME client such as certbot to obtain certificates for all three hostnames ($OMNI_DOMAIN, api.$OMNI_DOMAIN and kube.$OMNI_DOMAIN); a single certificate whose Subject Alternative Names cover all three also works. In the following Nginx configuration they are stored in /var/lib/acme/omni/, /var/lib/acme/omni_api/ and /var/lib/acme/omni_kube/ as fullchain.pem, key.pem and chain.pem. Change the paths to match your client's output (certbot, for example, writes to /etc/letsencrypt/live/<hostname>/ and names the private key privkey.pem) or configure the client to write to these paths. Note that the redirect server block below sends every plain-HTTP request to HTTPS, so if you renew with an HTTP-01 webroot challenge you need an exception for /.well-known/acme-challenge/ on port 80.

Nginx configuration

Use the following configuration to expose Omni with Nginx. Nginx does not expand $OMNI_DOMAIN: replace it with your literal domain in every server_name, and update the certificate paths if they differ. The block below is the http context; it belongs in nginx.conf next to the mandatory events block, or in a file that your nginx.conf includes from its http context.

http {
	proxy_redirect off;
	proxy_http_version 1.1;

	proxy_connect_timeout 60s;

	# Omni needs long timeouts for the long-lived connections
	proxy_send_timeout 1h;
	proxy_read_timeout 1h;

	# $connection_upgrade is used for websocket proxying
	map $http_upgrade $connection_upgrade {
		default upgrade;
		'' close;
	}

	# Omni HTTPS redirection
	server {
		listen 0.0.0.0:80;
		listen [::0]:80;
		server_name $OMNI_DOMAIN;
		location / {
			return 301 https://$host$request_uri;
		}
	}

	# Omni serves native gRPC and plain HTTP on the same port, and gRPC must go
	# through grpc_pass, so requests are routed by Content-Type. The exact match
	# means only native gRPC (application/grpc) takes the gRPC path; everything
	# else, including gRPC-Web and browser traffic, is proxied as HTTP.
	map $http_content_type $is_grpc {
		default 0;
		"application/grpc" 1;
	}

	# Omni main API
	server {
		listen 0.0.0.0:443 http2 ssl;
		listen [::0]:443 http2 ssl;
		server_name $OMNI_DOMAIN;
		ssl_certificate /var/lib/acme/omni/fullchain.pem;
		ssl_certificate_key /var/lib/acme/omni/key.pem;
		ssl_trusted_certificate /var/lib/acme/omni/chain.pem;
		location / {
			# nginx has no direct jump from "if" to a named location, so two
			# otherwise unused status codes are mapped to the named locations
			# and "return" selects one of them
			error_page 418 = @grpc;
			error_page 419 = @http;

			if ($is_grpc) {
				return 418;
			}

			return 419;
		}

		# Omni main GRPC API
		location @grpc {
			# Omni needs long timeouts for the long-lived GRPC stream connections
			grpc_read_timeout 1h;
			grpc_send_timeout 1h;
			grpc_pass grpc://127.0.0.1:8080;
		}

		# Omni main HTTP API
		location @http {
			proxy_pass http://127.0.0.1:8080;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection $connection_upgrade;
		}
	}

	# Omni SideroLink (a.k.a. Machine) API
	server {
		listen 0.0.0.0:443 http2 ssl;
		listen [::0]:443 http2 ssl;
		server_name api.$OMNI_DOMAIN;
		ssl_certificate /var/lib/acme/omni_api/fullchain.pem;
		ssl_certificate_key /var/lib/acme/omni_api/key.pem;
		ssl_trusted_certificate /var/lib/acme/omni_api/chain.pem;
		location / {
			# Omni needs long timeouts for the long-lived GRPC stream connections
			grpc_read_timeout 1h;
			grpc_send_timeout 1h;
			grpc_pass grpc://127.0.0.1:8090;
		}
	}

	# Omni Kube API
	server {
		listen 0.0.0.0:443 http2 ssl;
		listen [::0]:443 http2 ssl;
		server_name kube.$OMNI_DOMAIN;
		ssl_certificate /var/lib/acme/omni_kube/fullchain.pem;
		ssl_certificate_key /var/lib/acme/omni_kube/key.pem;
		ssl_trusted_certificate /var/lib/acme/omni_kube/chain.pem;
		location / {
			proxy_pass http://127.0.0.1:8100;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection $connection_upgrade;
		}
	}
}
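The following fragments are an added hardening example for the configuration above; they are not part of the Omni documentation and drop into the same http context. They cover the two points raised in the Certificates and Nginx configuration sections: the port-80 server block is a replacement for the "Omni HTTPS redirection" block that answers ACME HTTP-01 challenges locally for all three hostnames, and a catch-all default server refuses TLS handshakes for names that are not Omni's, so scanners hitting the bare IP do not get the Omni UI. example.com stands in for $OMNI_DOMAIN, /var/www/acme is an assumed ACME webroot, and ssl_reject_handshake needs nginx 1.19.4 or newer.

```nginx
# Added hardening for the Omni reverse-proxy configuration above (example, not
# from the Omni docs). Place these directives inside the same http { } context.
# example.com is a placeholder for $OMNI_DOMAIN; /var/www/acme is an assumed
# webroot that the ACME client writes HTTP-01 challenge files into.

# TLS policy inherited by every ssl server in this http context
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;          # let TLS 1.3-capable clients choose
ssl_session_cache shared:omni_tls:10m;
ssl_session_tickets off;                # no long-lived ticket keys in memory

# Tell browsers never to fall back to plain HTTP for these hosts. Set at http
# level so all three HTTPS servers inherit it; "always" adds it to error
# responses too. add_header does not merge, so any server or location that
# sets its own add_header must repeat this line.
add_header Strict-Transport-Security "max-age=31536000" always;

# Port 80: replaces the "Omni HTTPS redirection" server above. ACME HTTP-01
# challenges for all three hostnames are served from the local webroot;
# everything else is redirected to HTTPS. Naming all three hosts (and making
# this the default_server) keeps renewals for api. and kube. working even if
# another port-80 server is added later.
server {
	listen 0.0.0.0:80 default_server;
	listen [::]:80 default_server;
	server_name example.com api.example.com kube.example.com;

	location ^~ /.well-known/acme-challenge/ {
		root /var/www/acme;             # assumed webroot, e.g. certbot --webroot -w /var/www/acme
		default_type text/plain;
	}

	location / {
		return 301 https://$host$request_uri;
	}
}

# Port 443 catch-all: a client that sends no SNI, or a name that is not one of
# the Omni hostnames, gets a TLS alert instead of the first Omni server block.
# No certificate is needed for this server (nginx 1.19.4 or newer).
server {
	listen 0.0.0.0:443 ssl default_server;
	listen [::]:443 ssl default_server;
	ssl_reject_handshake on;
}
```

Keep the three Omni server blocks from the configuration above unchanged apart from the inherited directives; because the catch-all is now the default server on 443, requests reach Omni only when the SNI name matches one of the configured server_name entries. Validate with nginx -t before reloading.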

How to use

After validating the configuration with nginx -t and reloading Nginx, the Omni web UI and main API are reachable at https://$OMNI_DOMAIN/, the SideroLink (machine) API at https://api.$OMNI_DOMAIN/ and the Kubernetes proxy at https://kube.$OMNI_DOMAIN/. Omni itself stays bound to 127.0.0.1, so nothing other than Nginx on the same host should be able to reach ports 8080, 8090 and 8100; check that no host firewall rule or container port mapping exposes them.
