
To avoid investing a lot of effort only to discover a requirement that can’t be satisfied, verify all the requirements below early in the process. In particular, we’ve had problems with customers not realizing that their setup and policies fail the no-NAT requirement described below.

Use cases:

  • Positioning with DNA Spaces

  • FMF with DNA Spaces

This LIPI server is just a Docker-based nginx server that adds some headers. It is designed to be very simple and to require few or no upgrades over time. It is started by an entrypoint that first downloads config files and an SSL certificate from our servers.

Map editor configuration requirements

Your customer success contact will help you fulfill these requirements.

  • A mazepos.com subdomain DNS entry pointing to the local private IP of the server where the Proxy-LIPI will be running.

  • A network configuration that covers the public IP range(s) of the customer that intends to communicate with this LIPI, and that points to the DNS entry above (note: this also includes the public IP range from which the LIPI is going to be installed).

  • A position configuration with type “MM_POSITION_CONFIG_TYPE_CLOUD_POSITIONING”.

  • A LIPI Config set up with position provider type “MazeMap Cloud Positioning”, pointing to the position config above and the dns entry above.

Server requirements

No specific requirements except that it should have docker installed. To install docker on various platforms see https://docs.docker.com/get-docker/.

The CPU and RAM requirements vary with traffic, but in most cases there are no specific requirements, as this is a simple nginx proxy. E.g. running a minimum of 1x CPU and 2 GB RAM should cover most use cases.

Local network and WiFi setup requirements

The local network topology needs to be such that the source IP address of the packets received by the Proxy-LIPI server corresponds with the local IP address of that same client in Cisco Spaces.

That means there should be no NAT or proxy between the clients and the Proxy-LIPI server.

Make sure this requirement is cleared with someone who knows what they’re talking about. Ask your local networking guru early in the process.

Installation, running and basic usage

You need the API key associated with the LIPI config mentioned above. It's good practice to not expose secrets in the command line, so create a file to keep it in that is not readable to other users:

echo "LIPI_API_KEY=" >proxy-lipi-docker-env-file
chmod 600 proxy-lipi-docker-env-file
editor proxy-lipi-docker-env-file

In the editor, paste the API key after the equals sign.

Then run:

sudo docker run --rm --name proxy-lipi \
    --env-file proxy-lipi-docker-env-file \
    -p 443:4343 \
    gcr.io/mazemap-public-docker/proxy-lipi:latest

Note that this starts the service in the foreground, so you can’t log out or run a different command without stopping it with ctrl+c. This is suitable when testing, but not for production. See below for instructions on how to start the service in the background.

If the operating system on which proxy-lipi is being installed uses an HTTPS proxy, run with the additional proxy arguments shown below, replacing <https_proxy_domain_here> with the HTTPS proxy domain:

sudo docker run --rm --name proxy-lipi \
    --env-file proxy-lipi-docker-env-file \
    -p 443:4343 \
    -e use_proxy -e https_proxy=<https_proxy_domain_here> \
    gcr.io/mazemap-public-docker/proxy-lipi:latest

You should see two messages about connecting to admin.mazemap.com. After this, the service should be running and can be accessed from the local network. This can be tested from the server with:

curl https://localhost:443/health -k

You can also test it from anywhere on the local network with:

curl https://<my-subdomain>.mazepos.com:443/health

Running in production

To run the container in the background, add -d or --detach (detached mode):

sudo docker run -d --name proxy-lipi \
    --env-file proxy-lipi-docker-env-file \
    -p 443:4343 \
    gcr.io/mazemap-public-docker/proxy-lipi:latest

To access logs, run:

sudo docker ps -a
sudo docker logs -f <container_id>

Upgrading and restarting

There can be many reasons to restart the container. When it starts, it downloads a certificate and a configuration associated with your LIPI API key, so if either has changed you need to restart for the change to take effect. Changes to the following require a restart:

  • LIPI API key

  • mazepos subdomain

  • resolver config

  • cloud positioning service hostname or port

  • MazeMap App Id or Key

  • Turning on or off SSL (https) for testing purposes.

  • Certificate renewal.

Also, if a new version of proxy-lipi has been released, a restart is required to upgrade.

To restart the container, first remove it:

sudo docker rm -f proxy-lipi

If you want to upgrade, pull the newest version of the image:

sudo docker pull gcr.io/mazemap-public-docker/proxy-lipi:latest

Then start it again:

sudo docker run -d --name proxy-lipi \
    --env-file proxy-lipi-docker-env-file \
    -p 443:4343 \
    gcr.io/mazemap-public-docker/proxy-lipi:latest

If you want to minimize downtime, put these commands after each other in a script file that you can then run.
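
The restart sequence above as one script, written here as an added example and not MazeMap's own tooling: it checks the env file before touching the running container and pulls the image first so the download does not add to downtime. The script name, both function names, the 30 x 2 s health polling and the assumption that /health answers with a 2xx status are this example's own.

```shell
#!/bin/sh
# Added example, not MazeMap's script. Save as restart-proxy-lipi.sh (hypothetical name).
ENV_FILE="${ENV_FILE:-proxy-lipi-docker-env-file}"
IMAGE="gcr.io/mazemap-public-docker/proxy-lipi:latest"

# Return 0 only if the env file exists, grants nothing to group/other,
# and carries a non-empty LIPI_API_KEY. Codes: 1 missing, 2 mode, 3 empty key.
check_env_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing env file: $f" >&2; return 1; }
    # GNU/busybox stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    case "$mode" in
        *00) ;;
        *) echo "$f has mode $mode; run: chmod 600 $f" >&2; return 2 ;;
    esac
    grep -Eq '^LIPI_API_KEY=.+' "$f" || {
        echo "LIPI_API_KEY is empty in $f" >&2; return 3; }
}

restart_proxy_lipi() {
    check_env_file "$ENV_FILE" || return 1
    # Pull while the old container is still serving, so the download
    # does not count towards downtime.
    sudo docker pull "$IMAGE" || return 1
    sudo docker rm -f proxy-lipi
    sudo docker run -d --name proxy-lipi \
        --env-file "$ENV_FILE" \
        -p 443:4343 \
        "$IMAGE" || return 1
    # Poll the page's health endpoint (-k as in the page's localhost test).
    tries=0
    while [ "$tries" -lt 30 ]; do
        curl -fsk https://localhost:443/health >/dev/null && return 0
        tries=$((tries + 1))
        sleep 2
    done
    echo "not healthy yet; see: sudo docker logs proxy-lipi" >&2
    return 1
}

# Run only when called as: sh restart-proxy-lipi.sh restart
if [ "${1:-}" = "restart" ]; then
    restart_proxy_lipi
fi
```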

LIPI-Cisco (DNA) Spaces diagram

FAQ

Q: Do we need a static NAT so that MAZEMAP can communicate with it? Specifically this would be required if we require inbound access rules on the Firewall not just outbound.

A: We do not need inbound access.

Q: Is the network configuration in the MazeMap Admin Tool with IP addresses/ranges necessary for positioning in general or just necessary when setting up the LIPI?

A: It’s required for the LIPI only.

Q: Does the LIPI need an internet-facing (not just HSCN) IP and DNS record?

A: Yes. The LIPI pulls its configs from api.mazemap.com so it needs to reach the internet for that. This is however done only on startup.
The DNS records to reach the LIPI are currently on the domain mazepos.com. It's the only domain that will work with our SSL certificate.

Q: Does the LIPI need to connect out or are things connecting into the server and if so on what port?

A: Port 443. The LIPI will log its liveness to our database so that we can know if it is live or not. This is not required for the LIPI to work though.
