
A reverse proxy server retrieves information from a server and sends it to a client as though the information originated from the reverse proxy server rather than the actual server. You can use a reverse proxy server to block access to selected applications in a server. For example, this is useful when you want to expose the token API in such a way that clients can authenticate against OAuth2 using the same port that their APIs are on.

Follow the instructions below to configure WSO2 API Manager (WSO2 API-M) with a reverse proxy (with a proxy context path):

The following instructions focus on exposing the WSO2 API-M user interfaces, namely the API Store, API Publisher and the API-M Management Console, over NGINX.

  1. Install and configure NGINX.
    1. Remove the current installation of NGINX.

      sudo apt-get purge nginx nginx-common nginx-full
    2. Install NGINX.

      sudo apt-get install nginx
    3. Edit the NGINX server configurations in the /etc/nginx/sites-enabled/default/nginx.conf file.

      Tip: The location of the NGINX configuration file varies based on the OS that you are using and the installation location of NGINX.

      sudo vi /etc/nginx/sites-enabled/default/nginx.conf
      Example
      server {
      
             # "listen ... ssl" replaces the deprecated standalone "ssl on;" directive
             listen 443 ssl;
             ssl_certificate /etc/nginx/ssl/nginx.crt;
             ssl_certificate_key /etc/nginx/ssl/nginx.key;
             location /apimanager/carbon {
                 index index.html;
                 proxy_set_header X-Forwarded-Host $host;
                 proxy_set_header X-Forwarded-Server $host;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_pass https://localhost:9443/carbon/;
                 proxy_redirect  https://localhost:9443/carbon/  https://localhost/apimanager/carbon/;
                 proxy_cookie_path / /apimanager/carbon/;
             }
      
             location ~ ^/apimanager/store/(.*)registry/resource/_system/governance/apimgt/applicationdata/icons/(.*)$ {
                 index index.html;
                 proxy_set_header X-Forwarded-Host $host;
                 proxy_set_header X-Forwarded-Server $host;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_pass https://127.0.0.1:9443/$1registry/resource/_system/governance/apimgt/applicationdata/icons/$2;
             }
      
      
             location ~ ^/apimanager/publisher/(.*)registry/resource/_system/governance/apimgt/applicationdata/icons/(.*)$ {
                 index index.html;
                 proxy_set_header X-Forwarded-Host $host;
                 proxy_set_header X-Forwarded-Server $host;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_pass https://127.0.0.1:9443/$1registry/resource/_system/governance/apimgt/applicationdata/icons/$2;
             }
      
             location /apimanager/publisher {
                 index index.html;
                 proxy_set_header X-Forwarded-Host $host;
                 proxy_set_header X-Forwarded-Server $host;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_pass https://localhost:9443/publisher;
                 proxy_redirect  https://localhost:9443/publisher  https://localhost/apimanager/publisher;
                 proxy_cookie_path /publisher /apimanager/publisher;
             }
      
             location /apimanager/store {
                 index index.html;
                 proxy_set_header X-Forwarded-Host $host;
                 proxy_set_header X-Forwarded-Server $host;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_pass https://localhost:9443/store;
                 proxy_redirect https://localhost:9443/store https://localhost/apimanager/store;
                 proxy_cookie_path /store /apimanager/store;
             }
      }
  2. Secure NGINX.

    1. Create an SSL certificate and copy it to the ssl folder.

      sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
    2. Copy the SSL certificate (.crt file) to the <APIM_HOME>/repository/resources/security directory. Run the following command from within that directory.

      cp /etc/nginx/ssl/nginx.crt ./nginx.crt
    3. Add the SSL certificate to your client trust store.
      You do this to enable external API publishing and web service calls.

      keytool -import -file nginx.crt -keystore client-truststore.jks -storepass wso2carbon -alias wso2carbon2
  3. Start NGINX.

    sudo /etc/init.d/nginx start

    If you need to stop NGINX, run the following command:

    sudo /etc/init.d/nginx stop
  4. Configure WSO2 API Manager. 

    1. Edit the <APIM_HOME>/repository/deployment/server/jaggeryapps/store/site/conf/site.json file with the context and request URL as shown below.
      This is done to configure the reverse proxy server for WSO2 API Store, so that you can route the requests that come to the store through a proxy server.

      "reverseProxy" : {
          "enabled" : true,
          "host" : "localhost", // If the reverse proxy does not have a domain name use the IP
          "context" : "/apimanager/store",
          "regContext" : "" // Use this only if a different path is used for the registry
      }
    2. Edit the <APIM_HOME>/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json file with the context and request URL as shown below.
      This is done to configure the reverse proxy server for WSO2 API Publisher, so that you can route the requests that come to the publisher through a proxy server.

      "reverseProxy" : {
          "enabled" : true,
          "host" : "localhost", // If the reverse proxy does not have a domain name use the IP
          "context" : "/apimanager/publisher",
          "regContext" : "" // Use this only if a different path is used for the registry
      }
    3. Update the <APIM_HOME>/repository/conf/carbon.xml file by uncommenting and updating the values of the following properties.
      The value that you give for these two properties should match the value that you gave for the host property in the previous two steps.

      <HostName>localhost</HostName>
      <MgtHostName>localhost</MgtHostName>
    4. Change the value of KeyValidatorClientType to WSClient in the <APIM_HOME>/repository/conf/api-manager.xml file.
      You need to make this change when you change the value of the host, because requests that are made to the Key Manager will also start getting routed through the reverse proxy; therefore, this needs to be over HTTP instead of TCP, which is Thrift's underlying protocol.

      <KeyValidatorClientType>WSClient</KeyValidatorClientType>
  5. Start WSO2 API Manager.

    On Linux/Mac OS:

    cd <APIM_HOME>/bin
    ./wso2server.sh

    On Windows:

    cd <APIM_HOME>\bin
    wso2server.bat

    If you set up the reverse proxy server correctly, accessing the following URLs redirects you as shown:

    Link Accessed                              Redirected To
    https://localhost/apimanager/store         WSO2 API Store
    https://localhost/apimanager/publisher     WSO2 API Publisher
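
A consistency check across the three files edited in the steps above, as an added example that is not part of the WSO2 documentation or product: it confirms that the NGINX location, proxy_redirect and proxy_cookie_path targets agree with the context and host in site.json, and that HostName and MgtHostName in carbon.xml match that host. The function names and the embedded sample inputs are constructed for illustration, and the public URL is assumed to be https on the default port.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the Store snippets from steps 1 and 4.
NGINX_CONF = """
server {
    location /apimanager/store {
        proxy_pass https://localhost:9443/store;
        proxy_redirect https://localhost:9443/store https://localhost/apimanager/store;
        proxy_cookie_path /store /apimanager/store;
    }
}
"""
SITE_JSON = """{ "reverseProxy" : {
    "enabled" : true,
    "host" : "localhost", // If the reverse proxy does not have a domain name use the IP
    "context" : "/apimanager/store"
} }"""
CARBON_XML = "<Server><HostName>localhost</HostName><MgtHostName>localhost</MgtHostName></Server>"

def load_site_json(text):
    """Parse site.json, dropping // comments but leaving URLs inside strings intact."""
    return json.loads(re.sub(r'("(?:\\.|[^"\\])*")|//[^\n]*', lambda m: m.group(1) or "", text))

def check_proxy_config(nginx_conf, site_json, carbon_xml):
    """Return mismatches between proxy and API-M settings (assumes https on port 443)."""
    rp = load_site_json(site_json)["reverseProxy"]
    host, ctx, findings = rp["host"], rp["context"].rstrip("/"), []
    if rp["enabled"] is False:
        findings.append("reverseProxy.enabled is false in site.json")
    # Prefix locations only; their bodies contain no nested braces.
    locations = dict(re.findall(r"location\s+(/\S*)\s*\{([^}]*)\}", nginx_conf))
    body = locations.get(ctx)
    if body is None:
        return findings + [f"no NGINX location for context {ctx}"]
    for directive, expected in (("proxy_redirect", f"https://{host}{ctx}"),
                                ("proxy_cookie_path", ctx)):
        m = re.search(rf"{directive}\s+\S+\s+(\S+?)/?;", body)
        if m is None or m.group(1) != expected:
            findings.append(f"{directive} in location {ctx} should rewrite to {expected}")
    for elem in ET.fromstring(carbon_xml).iter():
        name = elem.tag.split("}")[-1]  # ignore the XML namespace, if any
        if name in ("HostName", "MgtHostName") and (elem.text or "").strip() != host:
            findings.append(f"{name} in carbon.xml is {elem.text!r}, expected {host!r}")
    return findings

if __name__ == "__main__":
    print(check_proxy_config(NGINX_CONF, SITE_JSON, CARBON_XML) or "consistent")
```

An empty list means the proxy and API-M settings agree; each entry otherwise names the directive or element to correct.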

If you want to change all the default WSO2 API Manager ports, you can do so by editing the <APIM_HOME>/repository/conf/tomcat/catalina-server.xml file. 
