A preferred server can be used as a proxy server between the device and the WSO2 IoT server. The steps documented below are only an example of configuring the proxy server using NGINX, which is a well-known reverse proxy server.
Follow the steps given below to configure the proxy server:
Install NGINX in your production environment.
For example, refer to the following to install NGINX on a Mac or Ubuntu environment.
Get an SSL certificate. Make sure that the common name of the certificate you are getting matches the constructed URI.
- Navigate to the
/usr/local/etc/nginx
directory, create a folder named ssl
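, and add the CA certificate and the private key to this folder. Restrict the permissions on the private key file so that only the account that starts NGINX can read it. Configure the /usr/local/etc/nginx/nginx.conf
file with the details of the SSL certificate and the Windows endpoints as explained below.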
Compare the sample configuration file given below with your nginx.conf
file and add the missing properties.
Compare this sample configuration with your nginx.conf file.
# Main (global) context: process-level settings.
#user nobody;
worker_processes 1;

# Optional log and pid locations, left commented out as in the stock sample.
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    # Upper bound on simultaneous connections handled by each worker process.
    worker_connections 1024;
}
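http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    # Stock sample server that serves the static "html" directory over plain HTTP.
    # NOTE(review): "listen 8080;" binds every interface and none of the Windows
    # endpoints below use this server; consider removing it or restricting the
    # listen address on a production proxy.
    server {
        listen 8080;
        server_name localhost;

        #charset koi8-r;

        #access_log logs/host.access.log main;

        location / {
            root html;
            index index.html index.htm;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen 8000;
    #    listen enterpriseenrollment.dilan.me;
    #    server_name somename alias another.alias;

    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen 443 ssl;
    #    server_name localhost;

    #    ssl_certificate cert.pem;
    #    ssl_certificate_key cert.key;

    #    ssl_session_cache shared:SSL:1m;
    #    ssl_session_timeout 5m;

    #    ssl_ciphers HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers on;

    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}

    # TLS-terminating reverse proxy for the Windows enrollment and management
    # endpoints of the IoT server.
    server {
        # The "ssl" parameter of listen enables TLS on this port. Do not add a
        # separate "ssl on;" directive: it is redundant with this parameter, has
        # been deprecated since NGINX 1.15.0, and is rejected as an unknown
        # directive from NGINX 1.25.1 onwards.
        listen 443 ssl;
        # Must match the common name of the certificate.
        server_name enterpriseenrollment.dilan.me;

        ssl_certificate /usr/local/etc/nginx/ssl/certificate.crt;
        # Private key: keep this file readable only by the account that starts NGINX.
        ssl_certificate_key /usr/local/etc/nginx/ssl/private.key;

        # NOTE(review): no ssl_protocols or ssl_ciphers is set, so the defaults of
        # the installed NGINX/OpenSSL build apply. Consider pinning the protocols,
        # for example as below, after confirming that the Windows devices being
        # enrolled can negotiate them.
        #ssl_protocols TLSv1.2 TLSv1.3;

        # Notes that apply to every proxied location in this server:
        #  - proxy_pass uses plain HTTP, so TLS ends at this proxy and the hop to
        #    192.168.8.100 is unencrypted. Keep that hop on a trusted network
        #    segment, or point proxy_pass at an HTTPS listener if the IoT server
        #    offers one.
        #  - $proxy_add_x_forwarded_for appends the connecting address to any
        #    X-Forwarded-For header the client sent. The IoT server should rely
        #    only on the last entry, which is the one this proxy added.
        #  - Because each proxy_pass carries a URI, the matched location prefix is
        #    replaced by that URI before the request is forwarded.

        location /EnrollmentServer/Discovery.svc {
            # GET requests are answered here with an empty 200 and never reach
            # the back end; other methods are proxied to the discovery endpoint.
            if ($request_method = GET) {
                return 200;
            }
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://192.168.8.100:8280/api/device-mgt/windows/v1.0/discovery/post;
            proxy_http_version 1.1;
        }

        location /ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc {
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://192.168.8.100:8280/api/device-mgt/windows/v1.0/certificatepolicy/xcep/1.0.0;
            proxy_http_version 1.1;
        }

        location /windows-web-agent {
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://192.168.8.100:9763/windows-web-agent;
            proxy_http_version 1.1;
        }

        location /ENROLLMENTSERVER/DeviceEnrollmentWebservice.svc {
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://192.168.8.100:8280/api/device-mgt/windows/v1.0/deviceenrolment/wstep/;
            proxy_http_version 1.1;
        }

        location /ENROLLMENTSERVER/Win10DeviceEnrollmentWebservice.svc {
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://192.168.8.100:8280/api/device-mgt/windows/v1.0/deviceenrolment/enrollment;
            proxy_http_version 1.1;
        }

        location /Syncml/initialquery {
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://192.168.8.100:8280/api/device-mgt/windows/v1.0/syncml/devicemanagement/1.0.0/request/;
            proxy_http_version 1.1;
        }

        location /devicemgt {
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://192.168.8.100:8280/api/device-mgt/windows/v1.0/management/devicemgt/1.0.0/pending-operations/;
            proxy_http_version 1.1;
        }
    }

    # Pull in any additional server definitions from the servers/ directory.
    include servers/*;
}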
Configure the SSL certificate details.
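server {
    # The "ssl" parameter of listen enables TLS on this port. It replaces the
    # older "ssl on;" directive, which has been deprecated since NGINX 1.15.0
    # and is rejected as an unknown directive from NGINX 1.25.1 onwards.
    listen 443 ssl;
    # Common name of the certificate.
    server_name enterpriseenrollment.wso2.com;
    # Location of the SSL certificate.
    ssl_certificate /usr/local/etc/nginx/ssl/star_wso2_com.crt;
    # Location of the private key; keep this file readable only by the
    # account that starts NGINX.
    ssl_certificate_key /usr/local/etc/nginx/ssl/enterpriseenrollment_wso2_com.key;

    # ... location blocks for the Windows endpoints go here ...
}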
You need to configure the following properties:
Property | Description | Example |
---|
server_name
| Define the common name of the certificate. | enterpriseenrollment.wso2.com
|
ssl_certificate
| Define where you saved the SSL certificate. | /usr/local/etc/nginx/ssl/wso2_com_SSL.crt
|
ssl_certificate_key | Define where you saved the private key of the certificate. | /usr/local/etc/nginx/ssl/enterpriseenrollment_wso2_com.key
|
Configure the Windows endpoints.
Click here to know more on the required Windows endpoints.
Click here to see a sample Windows endpoint configuration.
Example:
location /ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc {
    # Talk HTTP/1.1 to the back end.
    proxy_http_version 1.1;

    # Pass the host and port the device addressed, and the connecting address,
    # on to the back end. $proxy_add_x_forwarded_for appends to any
    # X-Forwarded-For header the client already sent, so the back end should
    # rely only on the last entry.
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # The matched location prefix is replaced by the URI given here. The hop
    # is plain HTTP, so TLS ends at the proxy.
    proxy_pass http://10.10.10.10:8280/api/device-mgt/windows/v1.0/certificatepolicy/xcep;
}
Property | Description |
---|
location | This property specifies the URI prefix (starting with "/") that is compared with the URI of the incoming request. For more information, see the NGINX documentation. |
proxy_set_header
| Required to configure Windows for reverse proxy. These headers pass the host, port, and client address of the original request to the IoT server. |
proxy_pass | Define the respective Windows endpoint. |