Bỏ qua

Reverse Proxy Architecture

Current Architecture

Two-Tier Proxy System

┌─────────────────────────────────────────────────────────────┐
│                    Client Requests                          │
└────────────────────┬────────────────────────────────────────┘
                     │
         ┌───────────┴───────────┐
         │                       │
         ▼                       ▼
┌─────────────────┐      ┌──────────────────┐
│  API Gateway    │      │  Infrastructure  │
│  (NestJS)       │      │  Reverse Proxy    │
│  Port 3000      │      │  (Nginx)          │
└────────┬────────┘      │  Port 3301, etc.  │
         │               └─────────┬─────────┘
         │                         │
    Business Services          Observability Tools
    (user, booking, etc.)      (Signoz, etc.)

1. Application API Gateway (NestJS - Port 3000)

  • Purpose: Routes business API requests to microservices
  • Services: user-service, booking-service, field-service, payment-service, notification-service
  • Features: Authentication, authorization, rate limiting, request validation
  • Location: apps/api-gateway/

2. Infrastructure Reverse Proxy (Nginx)

  • Purpose: Routes requests to infrastructure/admin tools
  • Services: Signoz, PgAdmin, Mongo Express, Redis Commander, Kafka UI
  • Features: Simple routing, CORS handling, static file serving
  • Location: Currently config/signoz/nginx.conf (should be moved)

Problem with Current Structure

Issues:

  1. Signoz-specific location: config/signoz/nginx.conf suggests it's only for Signoz
  2. Not scalable: Adding more infrastructure tools requires modifying Signoz config
  3. Confusion: Mixing infrastructure proxy with service-specific configs
  4. Maintenance: Hard to find and manage all reverse proxy configs

Proposed Structure

config/
├── nginx/                          # All nginx configs
│   ├── infrastructure.conf         # Main config for all infrastructure tools
│   ├── signoz.conf                 # Signoz-specific routing
│   ├── admin-tools.conf            # PgAdmin, Mongo Express, etc.
│   └── observability.conf          # Signoz, Grafana (future), etc.
├── signoz/                         # Signoz-specific configs only
│   ├── dashboards/
│   ├── alerts/
│   └── otel-collector-config.yaml
└── keycloak/
    └── realm-export.json

Option 2: Service-Based Organization

config/
├── reverse-proxy/                  # All reverse proxy configs
│   ├── nginx.conf                  # Main nginx config
│   └── services/                   # Per-service configs
│       ├── signoz.conf
│       ├── pgadmin.conf
│       └── mongo-express.conf
├── signoz/                         # Signoz configs
└── keycloak/

Benefits:

  1. Single entry point for all infrastructure tools
  2. Easy to scale - add new tools without touching existing configs
  3. Clear separation - infrastructure vs. application concerns
  4. Better organization - all nginx configs in one place

Implementation:

# config/nginx/infrastructure.conf
# Main reverse proxy for all infrastructure/admin tools

# Signoz (Observability)
server {
    listen 3301;
    server_name localhost;

    location /api/ {
        proxy_pass http://signoz-query-service:8080;
        # ... proxy settings
    }

    location / {
        proxy_pass http://signoz-frontend:3301;
        # ... proxy settings
    }
}

# PgAdmin (Database Admin)
server {
    listen 5050;
    server_name localhost;

    location / {
        proxy_pass http://pgadmin:80;
        # ... proxy settings
    }
}

# Mongo Express (MongoDB Admin)
server {
    listen 8081;
    server_name localhost;

    location / {
        proxy_pass http://mongo-express:8081;
        # ... proxy settings
    }
}

# Kafka UI
server {
    listen 8080;
    server_name localhost;

    location / {
        proxy_pass http://kafka-ui:8080;
        # ... proxy settings
    }
}

Architecture Layers

Layer 1: Client → Infrastructure Proxy (Nginx)

  • Purpose: Route to infrastructure/admin tools
  • Ports: 3301 (Signoz), 5050 (PgAdmin), 8081 (Mongo Express), etc.
  • No authentication (internal tools, can add later)

Layer 2: Client → API Gateway (NestJS)

  • Purpose: Route to business services
  • Port: 3000
  • With authentication (Keycloak JWT)

Layer 3: API Gateway → Microservices

  • Purpose: Business logic
  • Ports: 3001-3005
  • Internal only (not exposed directly)

Migration Plan

Step 1: Create New Structure

mkdir -p config/nginx
mv config/signoz/nginx.conf config/nginx/signoz.conf

Step 2: Create Unified Config

Create config/nginx/infrastructure.conf that includes all infrastructure tools

Step 3: Update Docker Compose

signoz-nginx-proxy:
  volumes:
    - ./config/nginx/infrastructure.conf:/etc/nginx/conf.d/default.conf:ro

Step 4: Add More Tools

As you add Grafana, Prometheus, etc., add them to infrastructure.conf

Future Scalability

Adding New Observability Tools

# Grafana (future)
server {
    listen 3001;
    location / {
        proxy_pass http://grafana:3000;
    }
}

# Prometheus (future)
server {
    listen 9090;
    location / {
        proxy_pass http://prometheus:9090;
    }
}

Adding New Admin Tools

# Redis Commander (already exists, just add to unified config)
server {
    listen 8082;
    location / {
        proxy_pass http://redis-commander:8081;
    }
}

Best Practices

  1. Separate concerns: Infrastructure proxy vs. Application gateway
  2. Use subdomains (production): signoz.example.com, api.example.com
  3. Add authentication to infrastructure proxy in production
  4. Use SSL/TLS for all external-facing proxies
  5. Monitor proxy health with health checks
  6. Document routing in architecture docs

Current vs. Proposed

Aspect Current Proposed
Location config/signoz/nginx.conf config/nginx/infrastructure.conf
Scope Signoz only All infrastructure tools
Scalability Hard to add tools Easy to add tools
Maintenance Scattered configs Centralized configs
Clarity Confusing Clear separation

Recommendation

Move nginx config to config/nginx/ and create a unified infrastructure proxy that can handle:

  • Signoz (current)
  • PgAdmin, Mongo Express, Redis Commander (future)
  • Grafana, Prometheus (future)
  • Any other infrastructure tools

This keeps config/signoz/ for Signoz-specific configs (dashboards, alerts, OTEL collector) and config/nginx/ for all reverse proxy configurations.