Reverse Proxy Architecture
Current Architecture
Two-Tier Proxy System
┌─────────────────────────────────────────────────────────────┐
│ Client Requests │
└────────────────────┬────────────────────────────────────────┘
│
┌───────────┴───────────┐
│ │
▼ ▼
┌─────────────────┐ ┌──────────────────┐
│ API Gateway │ │ Infrastructure │
│ (NestJS) │ │ Reverse Proxy │
│ Port 3000 │ │ (Nginx) │
└────────┬────────┘ │ Port 3301, etc. │
│ └─────────┬─────────┘
│ │
Business Services Observability Tools
(user, booking, etc.) (Signoz, etc.)
1. Application API Gateway (NestJS - Port 3000)
- Purpose: Routes business API requests to microservices
- Services: user-service, booking-service, field-service, payment-service, notification-service
- Features: Authentication, authorization, rate limiting, request validation
- Location:
apps/api-gateway/
2. Infrastructure Reverse Proxy (Nginx)
- Purpose: Routes requests to infrastructure/admin tools
- Services: Signoz, PgAdmin, Mongo Express, Redis Commander, Kafka UI
- Features: Simple routing, CORS handling, static file serving
- Location: Currently
config/signoz/nginx.conf(should be moved)
Problem with Current Structure
Issues:
- Signoz-specific location:
config/signoz/nginx.confsuggests it's only for Signoz - Not scalable: Adding more infrastructure tools requires modifying Signoz config
- Confusion: Mixing infrastructure proxy with service-specific configs
- Maintenance: Hard to find and manage all reverse proxy configs
Proposed Structure
Option 1: Unified Infrastructure Proxy (Recommended)
config/
├── nginx/ # All nginx configs
│ ├── infrastructure.conf # Main config for all infrastructure tools
│ ├── signoz.conf # Signoz-specific routing
│ ├── admin-tools.conf # PgAdmin, Mongo Express, etc.
│ └── observability.conf # Signoz, Grafana (future), etc.
├── signoz/ # Signoz-specific configs only
│ ├── dashboards/
│ ├── alerts/
│ └── otel-collector-config.yaml
└── keycloak/
└── realm-export.json
Option 2: Service-Based Organization
config/
├── reverse-proxy/ # All reverse proxy configs
│ ├── nginx.conf # Main nginx config
│ └── services/ # Per-service configs
│ ├── signoz.conf
│ ├── pgadmin.conf
│ └── mongo-express.conf
├── signoz/ # Signoz configs
└── keycloak/
Recommended Solution: Unified Infrastructure Proxy
Benefits:
- Single entry point for all infrastructure tools
- Easy to scale - add new tools without touching existing configs
- Clear separation - infrastructure vs. application concerns
- Better organization - all nginx configs in one place
Implementation:
# config/nginx/infrastructure.conf
# Main reverse proxy for all infrastructure/admin tools
# Signoz (Observability)
server {
listen 3301;
server_name localhost;
location /api/ {
proxy_pass http://signoz-query-service:8080;
# ... proxy settings
}
location / {
proxy_pass http://signoz-frontend:3301;
# ... proxy settings
}
}
# PgAdmin (Database Admin)
server {
listen 5050;
server_name localhost;
location / {
proxy_pass http://pgadmin:80;
# ... proxy settings
}
}
# Mongo Express (MongoDB Admin)
server {
listen 8081;
server_name localhost;
location / {
proxy_pass http://mongo-express:8081;
# ... proxy settings
}
}
# Kafka UI
server {
listen 8080;
server_name localhost;
location / {
proxy_pass http://kafka-ui:8080;
# ... proxy settings
}
}
Architecture Layers
Layer 1: Client → Infrastructure Proxy (Nginx)
- Purpose: Route to infrastructure/admin tools
- Ports: 3301 (Signoz), 5050 (PgAdmin), 8081 (Mongo Express), etc.
- No authentication (internal tools, can add later)
Layer 2: Client → API Gateway (NestJS)
- Purpose: Route to business services
- Port: 3000
- With authentication (Keycloak JWT)
Layer 3: API Gateway → Microservices
- Purpose: Business logic
- Ports: 3001-3005
- Internal only (not exposed directly)
Migration Plan
Step 1: Create New Structure
mkdir -p config/nginx
mv config/signoz/nginx.conf config/nginx/signoz.conf
Step 2: Create Unified Config
Create config/nginx/infrastructure.conf that includes all infrastructure tools
Step 3: Update Docker Compose
signoz-nginx-proxy:
volumes:
- ./config/nginx/infrastructure.conf:/etc/nginx/conf.d/default.conf:ro
Step 4: Add More Tools
As you add Grafana, Prometheus, etc., add them to infrastructure.conf
Future Scalability
Adding New Observability Tools
# Grafana (future)
server {
listen 3001;
location / {
proxy_pass http://grafana:3000;
}
}
# Prometheus (future)
server {
listen 9090;
location / {
proxy_pass http://prometheus:9090;
}
}
Adding New Admin Tools
# Redis Commander (already exists, just add to unified config)
server {
listen 8082;
location / {
proxy_pass http://redis-commander:8081;
}
}
Best Practices
- Separate concerns: Infrastructure proxy vs. Application gateway
- Use subdomains (production):
signoz.example.com,api.example.com - Add authentication to infrastructure proxy in production
- Use SSL/TLS for all external-facing proxies
- Monitor proxy health with health checks
- Document routing in architecture docs
Current vs. Proposed
| Aspect | Current | Proposed |
|---|---|---|
| Location | config/signoz/nginx.conf |
config/nginx/infrastructure.conf |
| Scope | Signoz only | All infrastructure tools |
| Scalability | Hard to add tools | Easy to add tools |
| Maintenance | Scattered configs | Centralized configs |
| Clarity | Confusing | Clear separation |
Recommendation
Move nginx config to config/nginx/ and create a unified infrastructure proxy that can handle:
- Signoz (current)
- PgAdmin, Mongo Express, Redis Commander (future)
- Grafana, Prometheus (future)
- Any other infrastructure tools
This keeps config/signoz/ for Signoz-specific configs (dashboards, alerts, OTEL collector) and config/nginx/ for all reverse proxy configurations.