WSO2 API Manager - Apache Reverse Proxy Configuration

Saturday, March 19, 2016

How to configure WSO2 API Manager behind an Apache reverse proxy


Example architecture

Public URLs

https://myexample.com/store
https://myexample.com/publisher
https://myexample.com/admin-dashboard

http://api.myexample.com
https://api.myexample.com

Apache 2

API Manager server

Apps internal URLs
https://backserver1.myexample.com:9443/store
https://backserver1.myexample.com:9443/publisher
https://backserver1.myexample.com:9443/admin-dashboard
https://backserver1.myexample.com:9443/carbon

Gateway internal URLs
http://backserver1.myexample.com:8280/
http://backserver1.myexample.com:8243/

Apache Configuration

This configuration has been tested with WSO2 API Manager 1.9 on RHEL 6.6 and Apache 2.2.15 and on Debian Jessie and Apache 2.4.10.

Apache module prerequisites

We need modules proxy, proxy_http, ssl and rewrite.

Virtual hosts configuration

Below is the configuration for the gateway virtual hosts (HTTP and HTTPS).



    <VirtualHost *:80>
        DocumentRoot /var/www/apim
        ServerName api.mycompany.com
        UseCanonicalName On
        ProxyRequests Off

        # Forward plain HTTP API calls to the gateway HTTP port
        ProxyPass / http://bckserver1.mycompany.com:8280/
        ProxyPassReverse / http://bckserver1.mycompany.com:8280/
        CustomLog /var/log/httpd/api.mycompany.com.access.log combined
        ErrorLog /var/log/httpd/api.mycompany.com.error.log
    </VirtualHost>

    <VirtualHost *:443>
        DocumentRoot /var/www/apim
        ServerName api.mycompany.com
        ProxyRequests Off
        UseCanonicalName On
        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/ssl.crt/api.mycompany.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/ssl.key/api.mycompany.com.key
        SSLCertificateChainFile /etc/httpd/ssl/ssl.crt/MyCA.crt

        # TLS towards the backend; name and expiry checks on the backend certificate are disabled here
        SSLProxyEngine On
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerExpire off

        # Forward HTTPS API calls to the gateway HTTPS port
        ProxyPass / https://bckserver1.mycompany.com:8243/
        ProxyPassReverse / https://bckserver1.mycompany.com:8243/

        CustomLog /var/log/httpd/api.mycompany.com.access.log combined
        ErrorLog /var/log/httpd/api.mycompany.com.error.log
    </VirtualHost>



And below is the configuration for the apps virtual hosts.


    <VirtualHost *:80>
        DocumentRoot /var/www/apim
        ServerName myexample.com
        UseCanonicalName On
        CustomLog /var/log/httpd/myexample.com.access.log combined
        ErrorLog /var/log/httpd/myexample.com.error.log

        # Redirect every plain HTTP request to HTTPS
        RewriteEngine On
        RewriteCond %{HTTP_HOST} ^myexample\.com
        RewriteRule (.*)        https://myexample.com%{REQUEST_URI} [R=permanent,L]
    </VirtualHost>

    <VirtualHost *:443>
        ServerName myexample.com
        DocumentRoot /var/www/apim
        UseCanonicalName On

        CustomLog /var/log/httpd/myexample.com.log combined
        ErrorLog /var/log/httpd/myexample.com.error.log

        SSLEngine on
        SSLCertificateFile /etc/httpd/ssl/ssl.crt/myexample.com.crt
        SSLCertificateKeyFile /etc/httpd/ssl/ssl.key/myexample.com.key
        SSLCertificateChainFile /etc/httpd/ssl/ssl.crt/myCA.crt

        # TLS towards the backend; name and expiry checks on the backend certificate are disabled here
        SSLProxyEngine On
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerExpire Off
        ProxyRequests Off

        # Special rules (store and publisher): requests forwarded to the registry.
        # Each pattern must define the two groups used as $1 and $2.
        <LocationMatch "...">
                ProxyPass https://backserver1.myexample.com:9443/$1registry$2
        </LocationMatch>

        <LocationMatch "...">
                ProxyPass https://backserver1.myexample.com:9443/$1registry$2
        </LocationMatch>

        <Location /store>
                ProxyPass https://backserver1.myexample.com:9443/store
                ProxyPassReverse https://backserver1.myexample.com:9443/store
        </Location>

        <Location /publisher>
                ProxyPass https://backserver1.myexample.com:9443/publisher
                ProxyPassReverse https://backserver1.myexample.com:9443/publisher
        </Location>

        <Location /registry>
                ProxyPass https://backserver1.myexample.com:9443/registry
                ProxyPassReverse https://backserver1.myexample.com:9443/registry
        </Location>

        <Location /admin-dashboard>
                ProxyPass https://backserver1.myexample.com:9443/admin-dashboard
                ProxyPassReverse https://backserver1.myexample.com:9443/admin-dashboard
        </Location>
    </VirtualHost>



Note the two special rules for store and publisher, which need to send some requests to the registry (for example, to download pictures or resources linked to APIs).

Of course, we only expose the apps; we don’t expose the carbon admin console or any other apps.

For now, that’s all I need. But I suppose that later I will have to expose other URIs like /services or /oauth2. In that case I will edit this post to update the configuration.
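
The HTTPS virtual hosts above turn off the name and expiry checks on the backend certificate (SSLProxyCheckPeerCN and SSLProxyCheckPeerExpire set to Off). As an added example, not part of the original configuration, this is the same proxy section inside the apps `<VirtualHost *:443>` with backend certificate verification enabled; the CA file path is an assumption, and it presumes the API Manager certificate was issued for backserver1.myexample.com by that CA.

```apache
# Added example (not from the original post): backend TLS verification
# for the HTTPS virtual hosts. The path marked "assumed" is a placeholder.

SSLProxyEngine On

# Verify the backend certificate chain; the default (none) skips this.
SSLProxyVerify require
# assumed path: PEM file with the CA that issued the certificate
# presented by the API Manager on ports 9443 and 8243
SSLProxyCACertificateFile /etc/httpd/ssl/ssl.crt/backend-ca.crt

# Reject expired backend certificates (the post sets this to Off).
SSLProxyCheckPeerExpire On

# Compare the certificate name with the host used in ProxyPass
# (backserver1.myexample.com); the post sets this to Off.
SSLProxyCheckPeerCN On

# Apache 2.4.5 and later can also match subjectAltName entries.
# Apache 2.2 does not know this directive, so it is guarded with
# <IfVersion>, which requires mod_version.
<IfVersion >= 2.4.5>
    SSLProxyCheckPeerName On
</IfVersion>

ProxyRequests Off

<Location /store>
    ProxyPass https://backserver1.myexample.com:9443/store
    ProxyPassReverse https://backserver1.myexample.com:9443/store
</Location>
```

Check the result with `apachectl configtest` before restarting; a backend certificate that fails verification shows up as a proxy error in the virtual host's ErrorLog.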


WSO2 API Manager Configuration

In the API Manager, I needed to edit some configuration files:

In $APIM_HOME/repository/conf/tomcat/catalina-server.xml, add proxyPort and hostname in the SSL Connector:

    <Connector ...
         port="9443"
         proxyPort="443"
         hostname="myexample.com"
         ... />


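In $APIM_HOME/repository/conf/axis2/axis2.xml, add proxyPort and hostname in the HTTP and HTTPS receivers:

    <transportReceiver name="http" ...>
        <parameter name="port" locked="false">8280</parameter>
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="proxyPort" locked="false">80</parameter>
        <parameter name="hostname" locked="false">api.myexample.com</parameter>
        ...
    </transportReceiver>

    <...>

    <transportReceiver name="https" ...>
        <parameter name="port" locked="false">8243</parameter>
        <parameter name="non-blocking" locked="false">true</parameter>
        <parameter name="proxyPort" locked="false">443</parameter>
        <parameter name="hostname" locked="false">api.myexample.com</parameter>
        ...
    </transportReceiver>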



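In $APIM_HOME/repository/conf/api-manager.xml, modify the Gateway URLs (GatewayEndpoint):

    <Environments>
        <Environment type="hybrid" api-console="true">
            <Name>Production and Sandbox</Name>
            <Description>Description of environment</Description>
            <ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/</ServerURL>
            <Username>admin</Username>
            <Password>admin</Password>
            <GatewayEndpoint>http://api.myexample.com:80,https://api.myexample.com:443</GatewayEndpoint>
        </Environment>
    </Environments>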



Following the WSO2 documentation, I also needed to edit the store and publisher configuration files:

In $APIM_HOME/repository/deployment/server/jaggeryapps/store/site/conf/site.json:

"reverseProxy" : {
        "enabled" : true,    // values true , false , "auto" - will look for  X-Forwarded-* headers
        "host" : "myexample.com", // If reverse proxy do not have a domain name use IP
        "context":"/store",
      //"regContext":"" // Use only if different path is used for registry
    },



In $APIM_HOME/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json:

"reverseProxy" : {
        "enabled" : true,    // values true , false , "auto" - will look for  X-Forwarded-* headers
        "host" : "myexample.com", // If reverse proxy do not have a domain name use IP
        "context":"/publisher",
      //"regContext":"" // Use only if different path is used for registry
    },


Then import the certificate (myexample.crt) into client-truststore.jks:

    keytool -import -file myexample.crt -keystore client-truststore.jks -storepass wso2carbon -alias myexample


Finally, Restart everything!
