WSO2 API Manager - Apache Reverse Proxy Configuration

Saturday, March 19, 2016

How to configure WSO2 API Manager behind an Apache reverse proxy:


Example architecture

Public URLs

https://myexample.com/store
https://myexample.com/publisher
https://myexample.com/admin-dashboard

http://api.myexample.com
https://api.myexample.com


Apache 2

API Manager Server
Apps internal URLs
https://backserver1.myexample.com:9443/store
https://backserver1.myexample.com:9443/publisher
https://backserver1.myexample.com:9443/admin-dashboard
https://backserver1.myexample.com:9443/carbon

Gateway internal URLs
http://backserver1.myexample.com:8280/
https://backserver1.myexample.com:8243/

Apache Configuration

This configuration has been tested with WSO2 API Manager 1.9 on RHEL 6.6 and Apache 2.2.15 and on Debian Jessie and Apache 2.4.10.

Apache modules pre-requisites

We need modules proxy, proxy_http, ssl and rewrite.

Virtual hosts configuration

Below is the configuration for the gateway virtual host.



<VirtualHost *:80>
    DocumentRoot /var/www/apim
    ServerName api.myexample.com
    UseCanonicalName On
    ProxyRequests Off

    ProxyPass / http://backserver1.myexample.com:8280/
    ProxyPassReverse / http://backserver1.myexample.com:8280/
    CustomLog /var/log/httpd/api.mycompany.com.access.log combined
    ErrorLog /var/log/httpd/api.mycompany.com.error.log
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/apim
    ServerName api.myexample.com
    ProxyRequests Off
    UseCanonicalName On
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/ssl.crt/api.mycompany.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ssl.key/api.mycompany.com.key
    SSLCertificateChainFile /etc/httpd/ssl/ssl.crt/MyCA.crt

    SSLProxyEngine On
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off

    ProxyPass / https://backserver1.myexample.com:8243/
    ProxyPassReverse / https://backserver1.myexample.com:8243/

    CustomLog /var/log/httpd/api.mycompany.com.access.log combined
    ErrorLog /var/log/httpd/api.mycompany.com.error.log
</VirtualHost>



And below is the configuration for the apps virtual host.


<VirtualHost *:80>
        DocumentRoot /var/www/apim
        ServerName myexample.com
        UseCanonicalName On
        CustomLog /var/log/httpd/myexample.com.access.log combined
        ErrorLog /var/log/httpd/myexample.com.error.log

        RewriteEngine On
        RewriteCond %{HTTP_HOST} ^myexample.com
        RewriteRule (.*)        https://myexample.com%{REQUEST_URI} [R=permanent,L]
</VirtualHost>

<VirtualHost *:443>
        ServerName myexample.com
        DocumentRoot /var/www/apim
        UseCanonicalName On

        CustomLog /var/log/httpd/myexample.com.log combined
        ErrorLog /var/log/httpd/myexample.com.error.log

        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/ssl.crt/myexample.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/ssl.key/myexample.com.key
        SSLCertificateChainFile /etc/httpd/ssl/ssl.crt/myCA.crt

        SSLProxyEngine On
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerExpire Off
        ProxyRequests Off

        # Registry rules for store and publisher. Each LocationMatch takes a
        # pattern with two capture groups (used as $1 and $2); the pattern
        # names below are placeholders.
        <LocationMatch "STORE_REGISTRY_PATTERN">
                ProxyPass https://backserver1.myexample.com:9443/$1registry$2
        </LocationMatch>

        <LocationMatch "PUBLISHER_REGISTRY_PATTERN">
                ProxyPass https://backserver1.myexample.com:9443/$1registry$2
        </LocationMatch>

        <Location /store>
                ProxyPass https://backserver1.myexample.com:9443/store
                ProxyPassReverse https://backserver1.myexample.com:9443/store
        </Location>

        <Location /publisher>
                ProxyPass https://backserver1.myexample.com:9443/publisher
                ProxyPassReverse https://backserver1.myexample.com:9443/publisher
        </Location>

        <Location /registry>
                ProxyPass https://backserver1.myexample.com:9443/registry
                ProxyPassReverse https://backserver1.myexample.com:9443/registry
        </Location>

        <Location /admin-dashboard>
                ProxyPass https://backserver1.myexample.com:9443/admin-dashboard
                ProxyPassReverse https://backserver1.myexample.com:9443/admin-dashboard
        </Location>
</VirtualHost>
       



Note the two special rules for store and publisher, which need to send some requests to the registry (for example, to download pictures or resources linked to APIs).

Of course, we only expose the apps; we don’t expose the Carbon admin console or some other apps.

For now, that’s all I need. But I suppose that later I will have to expose other URIs like /services or /oauth2. In that case I will edit this post to update the configuration.
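The HTTPS virtual hosts above turn off SSLProxyCheckPeerCN and SSLProxyCheckPeerExpire and leave SSLProxyVerify at its default of none, so the proxy does not validate the backend's certificate chain. The following added example (not part of the original post) audits a virtual host block for those settings and for internal paths such as /carbon being proxied; audit_vhost, the deny-list and the embedded sample configuration are assumptions made for the illustration.

```python
# Constructed sample: the HTTPS apps virtual host from this post, abbreviated.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName myexample.com
    SSLProxyEngine On
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerExpire Off
    <Location /store>
        ProxyPass https://backserver1.myexample.com:9443/store
    </Location>
    <Location /admin-dashboard>
        ProxyPass https://backserver1.myexample.com:9443/admin-dashboard
    </Location>
</VirtualHost>
"""

# Assumed deny-list: backend paths the post says are not exposed.
INTERNAL_PATHS = ("/carbon",)
PEER_CHECKS = ("sslproxycheckpeercn", "sslproxycheckpeername",
               "sslproxycheckpeerexpire")


def audit_vhost(conf):
    """Return findings for one Apache virtual host block (hypothetical helper)."""
    findings, seen = [], {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":      # skip comments and section tags
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(name, []).append(value.lower())
        if name in PEER_CHECKS and value.lower() == "off":
            findings.append(f"{name} off: backend certificate check disabled")
        if name in ("proxypass", "proxypassmatch"):
            # The backend URL is the token with a scheme; keep only its path.
            target = next((t for t in value.split() if "://" in t), "")
            path = "/" + target.split("://", 1)[-1].partition("/")[2]
            if any(path == p or path.startswith(p + "/") for p in INTERNAL_PATHS):
                findings.append(f"internal path proxied: {path}")
    if "on" in seen.get("sslproxyengine", []) and \
            "require" not in seen.get("sslproxyverify", []):
        findings.append("sslproxyverify is not 'require': backend chain not validated")
    return findings

if __name__ == "__main__":
    for finding in audit_vhost(SAMPLE_VHOST):
        print(finding)
```

Running it against the sample reports both disabled peer checks and the missing SSLProxyVerify require, and reports nothing for the exposed paths because /carbon is not proxied.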


WSO2 API Manager Configuration

In the API Manager, I needed to edit some configuration files:

In $APIM_HOME/repository/conf/tomcat/catalina-server.xml, add proxyPort and hostname in the SSL Connector :

         port="9443"
         proxyPort="443"
         hostname="myexample.com"


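In $APIM_HOME/repository/conf/axis2/axis2.xml, add proxyPort and hostname in the HTTP and HTTPS receiver :

<transportReceiver name="http" ...>
        <parameter name="port" locked="false">8280</parameter>
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="proxyPort" locked="false">80</parameter>
        <parameter name="hostname" locked="false">api.myexample.com</parameter>
</transportReceiver>

<...>

<transportReceiver name="https" ...>
        <parameter name="port" locked="false">8243</parameter>
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="proxyPort" locked="false">443</parameter>
        <parameter name="hostname" locked="false">api.myexample.com</parameter>
</transportReceiver>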



In $APIM_HOME/repository/conf/api-manager.xml, modify Gateway URLs :



       
       
               
               
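<APIGateway>
        <Environments>
                <Environment ...>
                        <Name>Production and Sandbox</Name>
                        <Description>Description of environment</Description>
                        <ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/</ServerURL>
                        <Username>admin</Username>
                        <Password>admin</Password>
                        <GatewayEndpoint>http://api.myexample.com:80,https://api.myexample.com:443</GatewayEndpoint>
                </Environment>
        </Environments>
</APIGateway>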
               

       



Following the WSO2 documentation, I also needed to edit the store and publisher configuration files:

In $APIM_HOME/repository/deployment/server/jaggeryapps/store/site/conf/site.json :

"reverseProxy" : {
        "enabled" : true,    // values true , false , "auto" - will look for  X-Forwarded-* headers
        "host" : "myexample.com", // If reverse proxy do not have a domain name use IP
        "context":"/store",
      //"regContext":"" // Use only if different path is used for registry
    },



In $APIM_HOME/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json :

"reverseProxy" : {
        "enabled" : true,    // values true , false , "auto" - will look for  X-Forwarded-* headers
        "host" : "myexample.com", // If reverse proxy do not have a domain name use IP
        "context":"/publisher",
      //"regContext":"" // Use only if different path is used for registry
    },


keytool -import -file myexample.crt -keystore client-truststore.jks -storepass wso2carbon -alias myexample


Finally, restart everything!


User-Agent based redirect in haproxy

How To Do User-Agent based redirect in haproxy :-


Below are the steps:-

1) Create a new ACL to identify the user-agent:

acl mobile_user_agent hdr_sub(User-Agent) -i iphone

2) We didn't want to redirect any requests for .css, .js, .bmp, .jpg, .png, .jpeg, .gif and .ico, so we created new ACLs:


acl is_static_file url_reg .*\.(css|js)\?[0-9.]+
acl is_static_img url_reg .*\.(png|bmp|jpg|jpeg|gif|ico)\?[0-9a-z.]+
acl is_static url_reg .*\.(css|js|png|bmp|jpg|jpeg|gif|ico)

3) If request was for /mobile/* we didn't want to redirect so yet another ACL :)

acl is_mobile url_reg ^\/mobile.*

4) Do a URL rewrite as follows:

reqrep ^([^\ ]*)\ /(.*)   \1\ /mobile/\2 if mobile_user_agent !is_static_file !is_static_img !is_static !is_mobile

So now any request coming from a mobile device for anything other than .css, .js, .png, .gif, .bmp, .jpg, .jpeg or .ico will be redirected to /mobile/.

So a request like www.example.com/pqr will become www.example.com/mobile/pqr !
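How the ACLs combine in the reqrep condition can be checked offline before the rule goes live. The following added example (not part of the original post) evaluates the expressions from the steps above against constructed URLs and shows that the unanchored is_static pattern also treats /account/login.jsp and /search?q=logo.png as static; forwarded_url, STRICT_STATIC and the sample User-Agent values are assumptions of the example.

```python
import re

# ACL expressions from the steps above. url_reg is an unanchored regex search
# over the request URL; hdr_sub(User-Agent) -i is a case-insensitive substring.
PAGE_STATIC = [
    r".*\.(css|js)\?[0-9.]+",
    r".*\.(png|bmp|jpg|jpeg|gif|ico)\?[0-9a-z.]+",
    r".*\.(css|js|png|bmp|jpg|jpeg|gif|ico)",
]
IS_MOBILE = r"^\/mobile.*"

# Assumed tighter alternative (not from the post): the extension must end the
# path part of the URL, optionally followed by a query string.
STRICT_STATIC = [r"^[^?]*\.(css|js|png|bmp|jpg|jpeg|gif|ico)(\?.*)?$"]

# Constructed sample User-Agent values.
IPHONE_UA = "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) Safari/419.3"
DESKTOP_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"


def forwarded_url(url, user_agent, static_acls=PAGE_STATIC):
    """Return the URL sent to the backend after the reqrep rule is evaluated."""
    mobile_user_agent = "iphone" in user_agent.lower()
    is_static = any(re.search(rx, url) for rx in static_acls)
    is_mobile = re.search(IS_MOBILE, url) is not None
    if mobile_user_agent and not is_static and not is_mobile:
        return "/mobile/" + url[1:]      # effect of \1\ /mobile/\2
    return url


if __name__ == "__main__":
    for url in ("/pqr", "/css/site.css?1.2", "/mobile/pqr",
                "/account/login.jsp", "/search?q=logo.png"):
        print(url, "->", forwarded_url(url, IPHONE_UA),
              "| strict:", forwarded_url(url, IPHONE_UA, STRICT_STATIC))
```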


Nginx - Redirect Mobile / Smart Phone Traffic To Mobile Version Of the Web Site

How to Redirect Mobile / Smart Phone Traffic To Mobile Version Of the Web Site Via Nginx :-


Nginx configurations:-
Edit nginx.conf file and append the following after server directive:-

set $mobile_rewrite do_not_perform;

## check http_user_agent for mobile / smart phones ##
if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino") {
  set $mobile_rewrite perform;
}

if ($http_user_agent ~* "^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-)") {
  set $mobile_rewrite perform;
}

## redirect to m.example.com ##
if ($mobile_rewrite = perform) {
  rewrite ^ http://m.example.com$request_uri? redirect;
  break;
}



Adding exceptions:-
You can allow users to browse and view the desktop version of your site when the URL contains ?desktop=true, for example www.example.com/?desktop=true. You can set a cookie as follows:-

set $force_dt_cookie  "";
if ($args ~ 'desktop=true') {
  set $mobile_rewrite do_not_perform;
  set $force_dt_cookie  "desktop=true";
}
add_header Set-Cookie $force_dt_cookie;
if ($http_cookie ~ 'desktop=true') {
  set $mobile_rewrite do_not_perform;
}

Save and close the file. Restart or reload the nginx server, enter:
# /usr/sbin/nginx -s reload
OR
# /etc/init.d/nginx reload


Test it:-

Use the curl command as follows to see redirection:

curl -I -A "UserAgentString" http://www.example.com
curl -I -A "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3" http://www.example.com
curl -I -A "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3" 'http://www.example.com/?desktop=true'



  © Copyright 2009 Linux-HelpLine.Blogspot.com
