Tuesday, December 9, 2014

Configure WSO2 API Manager 1.8.0 with reverse proxy (with proxy context path)

Remove current installation of Nginx
sudo apt-get purge nginx nginx-common nginx-full

Install Nginx
sudo apt-get install nginx

Edit configurations
sudo vi /etc/nginx/sites-enabled/default

Create SSL certificates and copy them to the ssl folder.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Then copy the created .crt file to the /wso2am-1.8.0/repository/resources/security directory. Run the following command from within that directory.

cp /etc/nginx/ssl/nginx.crt ./nginx.crt

Then we need to add it to our client trust store. Otherwise external API publishing and some other web service calls might not work as expected. Use the following command for that.

keytool -import -file nginx.crt -keystore client-truststore.jks -storepass wso2carbon -alias wso2carbon2

Sample configuration:

server {

    listen 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location /apimanager/carbon {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/carbon/;
        proxy_redirect https://localhost:9443/carbon/ https://localhost/apimanager/carbon/;
        proxy_cookie_path / /apimanager/carbon/;
    }

    location ~ ^/apimanager/store/(.*)registry/(.*)$ {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://127.0.0.1:9443/$1registry/$2;
    }

    location ~ ^/apimanager/publisher/(.*)registry/(.*)$ {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://127.0.0.1:9443/$1registry/$2;
    }

    location /apimanager/publisher {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/publisher;
        proxy_redirect https://localhost:9443/publisher https://localhost/apimanager/publisher;
        proxy_cookie_path /publisher /apimanager/publisher;
    }

    location /apimanager/store {
        index index.html;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://localhost:9443/store;
        proxy_redirect https://localhost:9443/store https://localhost/apimanager/store;
        proxy_cookie_path /store /apimanager/store;
    }
}
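
The two regex locations in the sample configuration forward whatever precedes registry/ to the backend unchanged, and nginx evaluates regex locations before the plain prefix locations. The following is an added example, not part of the original post, that emulates that rewrite with sed so the reachable backend paths can be reviewed. The request paths and the ALLOWED_PREFIX value are constructed assumptions, and the script assumes nginx has already normalized the request path.

```shell
#!/bin/sh
# Added example: emulate the rewrite done by the two regex locations.
# Combined form of the page's two patterns (same proxy_pass in both):
#   ^/apimanager/(store|publisher)/(.*)registry/(.*)$
#   -> https://127.0.0.1:9443/$1registry/$2

# Assumption (hypothetical): only backend paths under /registry/ are intended.
ALLOWED_PREFIX="/registry/"

# Print the backend path for a request path, or nothing if neither
# regex location matches (the request then falls to a prefix location).
backend_path() {
    printf '%s\n' "$1" |
        sed -nE 's#^/apimanager/(store|publisher)/(.*)registry/(.*)$#/\2registry/\3#p'
}

# Label a request path by where the regex locations would send it.
classify() {
    target=$(backend_path "$1")
    if [ -z "$target" ]; then
        echo "no-regex-match"
        return 0
    fi
    case "$target" in
        "$ALLOWED_PREFIX"*) echo "within-prefix $target" ;;
        *)                  echo "outside-prefix $target" ;;
    esac
}

# Constructed sample request paths (not taken from a real deployment).
for p in \
    /apimanager/store/registry/resource/icons/api.png \
    /apimanager/publisher/other-app/registry/file.txt \
    /apimanager/store/apis/list
do
    printf '%-55s -> %s\n' "$p" "$(classify "$p")"
done
```

Any line reported as outside-prefix is a backend path that the first capture group lets through; anchoring the pattern to a fixed prefix removes that class of result.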

To start and stop Nginx, use the following commands:

sudo /etc/init.d/nginx start
sudo /etc/init.d/nginx stop

API Manager configurations

Add the following API Manager configurations:

In the API store, edit the wso2am-1.8.0/repository/deployment/server/jaggeryapps/store/site/conf/site.json file and add the following.

  "reverseProxy" : {
       "enabled" : true,
       "host" : "localhost",
       "context":"/apimanager/store"
   }


In the API publisher, edit the wso2am-1.8.0/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json file and add the following.

   "reverseProxy" : {
       "enabled" : true,
       "host" : "localhost",
       "context":"/apimanager/publisher"
   }


Edit /repository/conf/carbon.xml and update the following properties.

<HostName>localhost</HostName>
<MgtHostName>localhost</MgtHostName>




Then start API Manager.
The server URLs will look like this:

https://localhost/apimanager/store
https://localhost/apimanager/publisher

6 comments:

  1. Thanks for the post.

    There is a syntax error at the line 56. Near;

    location /apimanager/publisher {
    index index.html;
    proxy_set_header X-Forwarded-Host $host

    missing semi-colon.

  2. Thank you very much for pointing it out. Updated document.

    1. Thanks for the details. We have a scenario where we have configured the right context for the "store" in the reverse proxy configuration, but missed the configuration for the registry. This is causing an issue with custom API icons (points to the registry). Is there a way to solve this by making changes to the APIM configurations only? The reason is, we do not have access to the reverse proxy configuration and making changes there can take a long process.

      Can anything be done in the site.json reverseProxy parameter? Any other internal config files which can help us?

  3. If you are changing the and in the carbon.xml you also need to additionally switch from using the default ThriftClient to WSClient in the api-manager.xml. This is needed because calls to the Key Manager will also start getting routed through the reverse proxy so this needs to be over HTTP instead of TCP (which is Thrift's underlying protocol).

  4. The blog post below explains a security vulnerability related to registry configurations that we have recently identified.
    http://ishara-cooray.blogspot.com/2017/02/configure-wso2-api-manager-200-with.html
