Remove current installation of Nginx
    sudo apt-get purge nginx nginx-common nginx-full

Install Nginx

    sudo apt-get install nginx

Edit configurations

    sudo vi /etc/nginx/sites-enabled/default

Create SSL certificates and copy them to the ssl folder.

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Then copy the created .crt file to the /wso2am-1.8.0/repository/resources/security directory. Run the following command from that directory.

    cp /etc/nginx/ssl/nginx.crt ./nginx.crt

Then we need to add that certificate to our client trust store. Otherwise external API publishing and some other web service calls might not work as expected. For that, use the following command. Here wso2carbon is the default trust store password; use your own value if it has been changed.

    keytool -import -file nginx.crt -keystore client-truststore.jks -storepass wso2carbon -alias wso2carbon2

Sample configuration:
    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        # Management console
        location /apimanager/carbon {
            index index.html;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://localhost:9443/carbon/;
            proxy_redirect https://localhost:9443/carbon/ https://localhost/apimanager/carbon/;
            proxy_cookie_path / /apimanager/carbon/;
        }

        # Registry resources requested through the store
        location ~ ^/apimanager/store/(.*)registry/(.*)$ {
            index index.html;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://127.0.0.1:9443/$1registry/$2;
        }

        # Registry resources requested through the publisher
        location ~ ^/apimanager/publisher/(.*)registry/(.*)$ {
            index index.html;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://127.0.0.1:9443/$1registry/$2;
        }

        # API publisher
        location /apimanager/publisher {
            index index.html;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://localhost:9443/publisher;
            proxy_redirect https://localhost:9443/publisher https://localhost/apimanager/publisher;
            proxy_cookie_path /publisher /apimanager/publisher;
        }

        # API store
        location /apimanager/store {
            index index.html;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://localhost:9443/store;
            proxy_redirect https://localhost:9443/store https://localhost/apimanager/store;
            proxy_cookie_path /store /apimanager/store;
        }
    }
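
Which backend path each request reaches is easy to misread in this server block, because the two regex locations take precedence over the /apimanager/store and /apimanager/publisher prefix locations. The following is an added example, not part of the original post: a simplified Python model of nginx location selection and proxy_pass rewriting for the rules above, run on constructed request paths. It assumes already-normalized paths and ignores query strings.

```python
import re

# Location rules transcribed from the sample server block, in file order:
# (kind, location pattern, URI part of proxy_pass)
LOCATIONS = [
    ("prefix", "/apimanager/carbon", "/carbon/"),
    ("regex", r"^/apimanager/store/(.*)registry/(.*)$", "/$1registry/$2"),
    ("regex", r"^/apimanager/publisher/(.*)registry/(.*)$", "/$1registry/$2"),
    ("prefix", "/apimanager/publisher", "/publisher"),
    ("prefix", "/apimanager/store", "/store"),
]

# Constructed request paths (assumptions for illustration, not real WSO2 URLs).
SAMPLES = [
    "/apimanager/store/site/pages/index.jag",
    "/apimanager/store/registry/resource/_system/governance/apimgt/icon.png",
    "/apimanager/store/t/example.com/registry/resource/icon.png",
    "/apimanager/carbon/admin/login.jsp",
    "/registry/resource/icon.png",
]


def upstream_path(path):
    """Return (matched location, path sent to port 9443), or None if unhandled."""
    # nginx first remembers the longest matching prefix location ...
    prefixes = [loc for loc in LOCATIONS
                if loc[0] == "prefix" and path.startswith(loc[1])]
    best = max(prefixes, key=lambda loc: len(loc[1]), default=None)
    # ... then tries regex locations in file order; the first match wins over
    # the remembered prefix (no prefix here is marked ^~).
    for kind, pattern, target in LOCATIONS:
        match = re.match(pattern, path) if kind == "regex" else None
        if match:
            # proxy_pass with variables sends the expanded URI as written.
            expand = lambda var: match.group(int(var.group(1)))
            return pattern, re.sub(r"\$(\d)", expand, target)
    if best is None:
        return None
    # proxy_pass with a fixed URI swaps the matched prefix for that URI.
    return best[1], best[2] + path[len(best[1]):]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", upstream_path(sample))
```

The /apimanager/carbon sample comes out as /carbon//admin/login.jsp because that location has no trailing slash while its proxy_pass URI does. The captured prefix in the registry rules is copied into the backend path unchanged, so any path segment before registry/ is forwarded as is.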

To start and stop Nginx, use the following commands.

    sudo /etc/init.d/nginx start
    sudo /etc/init.d/nginx stop

API Manager configurations

Add the following API Manager configurations:

In the API store, edit the wso2am-1.8.0/repository/deployment/server/jaggeryapps/store/site/conf/site.json file and add the following.

    "reverseProxy" : {
        "enabled" : true,
        "host" : "localhost",
        "context" : "/apimanager/store"
    }

In the API publisher, edit the wso2am-1.8.0/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json file and add the following.

    "reverseProxy" : {
        "enabled" : true,
        "host" : "localhost",
        "context" : "/apimanager/publisher"
    }

Edit /repository/conf/carbon.xml and update the following properties.

    <HostName>localhost</HostName>
    <MgtHostName>localhost</MgtHostName>

Then start API Manager.

Server URLs would be something like this:

    https://localhost/apimanager/store
    https://localhost/apimanager/publisher

nice

Thanks for the post.

There is a syntax error at the line 56. Near:

    location /apimanager/publisher {
    index index.html;
    proxy_set_header X-Forwarded-Host $host

missing semi-colon.

Thank you very much for pointing it out. Updated the document.

Thanks for the details. We have a scenario where we have configured the right context for the "store" in the reverse proxy configuration, but missed the configuration for the registry. This is causing an issue with custom API icons (points to the registry). Is there a way to solve this by making changes to the APIM configurations only? The reason is, we do not have access to the reverse proxy configuration and making changes there can take a long process.

Can anything be done in the site.json reverseProxy parameter? Are there any other internal config files which can help us?

If you are changing the and in the carbon.xml you also need to additionally switch from using the default ThriftClient to WSClient in the api-manager.xml. This is needed because calls to the Key Manager will also start getting routed through the reverse proxy, so this needs to be over HTTP instead of TCP (which is Thrift's underlying protocol).

The blog post below explains a security vulnerability we have recently identified related to registry configurations, which is explained here.

http://ishara-cooray.blogspot.com/2017/02/configure-wso2-api-manager-200-with.html