Loadbalancing and Proxying MENDER-API-GATEWAY-DOCKER behind an NGINX worker that is running on Host

First of all, thank you Mender team for creating this efficient and kickass OTA service and open-sourcing it.
I have been using it for a short period of time, mostly for experimenting, and so far everything has been pretty good.

Since I am experimenting, I am trying out different combinations by which the self-hosted version can be hosted. Here is one such combination I am having trouble configuring.

I would like to proxy and also load balance the Api-Gateway-Docker behind an Nginx worker alongside other services (say, service A, B and C) apart from the Mender suite.

How should I go about the nginx configuration that can forward the requests to the Mender-Api-Gateway-Docker?

Here is a diagram for reference.

Can someone provide a sample config file for referencing? It will be really helpful if someone can guide me.

Hello!

Thanks a lot for using Mender.
I am not sure what exactly you are trying to achieve, but please note that the api gateway (docker pull mendersoftware/api-gateway:2.0.0) is based on openresty, which is nginx-based. You can take a look at /usr/local/openresty and do any configuration modifications you want. At least that is what I would do.
What is the reason for the extra nginx? Do you want just a loadbalancer? In any case it can be something very simple, since the api-gateway is, well, the main gateway.
Let me know if you need some more details or assistance. And sorry for not giving a straight answer, perhaps I am missing the exact use case here.

peter

The idea is to run Mender in parallel with other services which run independently and may not run in a docker environment. As you will see in the link to the diagram I have provided above @peter

I see, thank you for the explanation. Then maybe it is better to change the topology of your diagram and incorporate the configuration of api-gateway into your nginx config or, alternatively, slightly modify the configuration and use api-gateway for all services.
We do not have the standalone ready nginx working configuration, but I would do one of the above; if you take a look at the api-gateway openresty config you will see that it is not that complicated.

peter

Yes, I am looking at the api-gateway configuration and it actually is not complicated at all, provided some basic understanding of Load-balancing and proxying exists.

For my current use case, it will be best if I do the 1st approach, i.e., to incorporate config of api-gateway into the Nginx config, as I have a cronjob that periodically updates the SSL certificates.
If I am successful I will definitely share the Nginx ready-to-go configuration for self-hosted Mender.

Thanks a lot for the help @peter. It was really helpful!

Thank you!
Let me know how it goes! Good luck @uttaravadina!

peter

So I was able to solve the reverse-proxying without using any of the 2 methods that @peter you mentioned.

Solution:
The simple and most effective way to solve this can be to expose the mender-api-gateway on a different host port rather than the default port 443 set in prod.yml, and then use proxy_pass to forward the requests to the exposed host port for mender-api-gateway.

Confusion:
One interesting thing that I notice, though, is that when I do a curl request on the machine locally to the exposed port of the mender-api-gateway (curl http://localhost:$PORT/), it throws an error saying that the certificate appears to be self-signed and therefore it cannot create a connection, which makes sense. But the host nginx is able to proxy forward the requests to the mender-api-gateway without any such errors, which is confusing to me. I haven’t even provided any proxy_ssl_* parameters in the host nginx config file.

What can be the possible explanation for this @peter?

So you have a proxy at address0:443 that points to address1:port1, and address1:port1 is a port exposed by mender-api-gateway, right? And when you do curl https://address0 you get no error, while with curl https://address1:port1 you get a certificate error?
Could you share the logs from the proxy?

peter
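
The setup from the "Solution" post above, written out as a host nginx server block; this is an added example, not configuration posted by anyone in the thread or shipped by Mender. It also turns on the upstream certificate check, which nginx leaves off by default (`proxy_ssl_verify off`), so a host nginx with no proxy_ssl_* directives accepts the gateway's self-signed certificate without complaint while curl, which verifies by default, refuses it. Assumptions: the hostname mender.example.com, host port 8443 (published as `127.0.0.1:8443:443` in prod.yml) and all file paths are constructed placeholders.

```nginx
# Added example: host nginx in front of mender-api-gateway.
# Constructed values: mender.example.com, port 8443, every file path.

upstream mender_gateway {
    # Host port the api-gateway container's 443 is published on (assumed 8443).
    # Publishing it on 127.0.0.1 only keeps it unreachable from other machines.
    server 127.0.0.1:8443;
}

server {
    listen 443 ssl;
    server_name mender.example.com;

    # Public certificate for the host nginx (the one the cronjob renews).
    ssl_certificate     /etc/ssl/host/fullchain.pem;
    ssl_certificate_key /etc/ssl/host/privkey.pem;

    location / {
        # The gateway speaks TLS on its own port, so the scheme is https.
        proxy_pass https://mender_gateway;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Weak (nginx default, same as omitting all proxy_ssl_* lines):
        #   proxy_ssl_verify off;   # upstream certificate is never checked
        #
        # Hardened: verify the gateway certificate against a pinned trust file.
        proxy_ssl_verify              on;
        # For a self-signed gateway certificate, trust that certificate itself.
        proxy_ssl_trusted_certificate /etc/ssl/mender/api-gateway-cert.pem;
        # Name checked against the certificate's CN/SAN. Without this line nginx
        # would compare against the upstream name "mender_gateway" and fail.
        proxy_ssl_name                mender.example.com;
        # Send the same name as SNI in the upstream handshake.
        proxy_ssl_server_name         on;
    }
}
```

With verification on, a mismatch between `proxy_ssl_name` and the gateway certificate, or a missing trust file, shows up as a 502 to clients and an upstream SSL verify error in the host nginx error log.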