Configuring NGINX

Use the following steps to configure NGINX Plus version 1.7.11 or nginx community version 1.9.2 as the load balancer for WSO2 products. (In these steps, we refer to both versions collectively as "Nginx".)

Install Nginx (NGINX Plus or nginx community) in a server configured in your cluster.

Configure Nginx to direct the HTTP requests to the two worker nodes via the HTTP 80 port using the http://as.wso2.com/<service>. To do this, create a VHost file (as.http.conf) in the /etc/nginx/conf.d directory and add the following configurations into it.

Note: Shown below is a general Nginx configuration. Click this link for more specific configuration with exposing various endpoints:

Nginx configuration with exposing /oauth2, /commonauth, and other endpoints

Nginx configuration with exposing /oauth2, /commonauth, and other endpoints

upstream ssl.nginx.com {
	server z.z.z.z:9443;  
 	server x.x.x.x:9yyy  
  ip_hash; 
}

server {
	listen 443;
	server_name nginx.mycomp.org;   
	ssl on;
	ssl_certificate /home/abc/mycomp_org.crt; 
	ssl_certificate_key /home/abc/mycomporg.key;

	location /oauth2/token {
 		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host;
		proxy_read_timeout 5m;
		proxy_send_timeout 5m;
		
		proxy_pass  https://ssl.nginx.com/oauth2/token ;
		proxy_redirect https://z.z.z.z:9443/oauth2/token https://nginx.mycomp.org/oauth2/token ;
		proxy_redirect https://server x.x.x.x:9yyy/oauth2/token https://nginx.mycomp.org/oauth2/token ; 
	}

	location /commonauth {
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host;
		proxy_read_timeout 5m;
		proxy_send_timeout 5m;
		proxy_pass https://ssl.nginx.com/commonauth;
		proxy_redirect https://z.z.z.z:9443/commonauth https://nginx.mycomp.org/commonauth ;
		proxy_redirect https://server x.x.x.x:9yyy/commomnauth https://nginx.mycomp.org/commonauth;
	}

	location /oauth2/authorize {
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host;
		proxy_read_timeout 5m;
		proxy_send_timeout 5m;
		proxy_pass https://ssl.nginx.com/oauth2/authorize;
		proxy_redirect https://z.z.z.z:9443/oauth2/authorize https://nginx.mycomp.org/oauth2/authorize ;
		proxy_redirect https://server x.x.x.x:9yyy/oauth2/authorize https://nginx.mycomp.org/oauth2/ authorize;
	}

	location /authenticationendpoint/ {
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host;
		proxy_read_timeout 5m;
		proxy_send_timeout 5m;
		proxy_pass https://ssl.nginx.com/authenticationendpoint/;
		proxy_redirect https://z.z.z.z:9443/authenticationendpoint/ https://nginx.mycomp.org/authenticationendpoint/ ;
		proxy_redirect https://server x.x.x.x:9yyy/authenticationendpoint https://nginx.mycomp.org/ authenticationendpoint;
	}

	location /oauth2/userinfo {
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host;
		proxy_read_timeout 5m;
		proxy_send_timeout 5m;
		proxy_pass https://ssl.nginx.com/oauth2/userinfo;
		proxy_redirect https://z.z.z.z:9443/oauth2/userinfo https://nginx.mycomp.org/oauth2/userinfo ;
		proxy_redirect https://server x.x.x.x:9yyy/oauth2/userinfo https://nginx.mycomp.org/oauth2/ userinfo;
	}
}

HTTP configurations

upstream wso2.as.com {
        server xxx.xxx.xxx.xx3:9763;
        server xxx.xxx.xxx.xx4:9763;
}

server {
        listen 80;
        server_name as.wso2.com;
        location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
               proxy_pass http://wso2.as.com;
 
			   proxy_http_version 1.1;
        	   proxy_set_header Upgrade $http_upgrade;
        	   proxy_set_header Connection "upgrade";
        }
}

Now that you've configured HTTP requests, you must also configure HTTPS requests. Configure Nginx to direct the HTTPS requests to the two worker nodes via the HTTPS 443 port using https://as.wso2.com/<service>. To do this, create a VHost file (as.https.conf) in the /etc/nginx/conf.d directory and add the following configurations into it.

Note: The configurations for nginx community version and NGINX Plus are different here since the community version does not support the sticky directive.

upstream ssl.wso2.as.com {
    server xxx.xxx.xxx.xx3:9443;
    server xxx.xxx.xxx.xx4:9443;
    ip_hash;
}
 
server {
listen 443;
    server_name as.wso2.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/wrk.crt;
    ssl_certificate_key /etc/nginx/ssl/wrk.key;
    location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
               proxy_pass https://ssl.wso2.as.com;
 
               proxy_http_version 1.1;
               proxy_set_header Upgrade $http_upgrade;
               proxy_set_header Connection "upgrade";
        }
}

upstream ssl.wso2.as.com {
	server xxx.xxx.xxx.xx3:9443;
	server xxx.xxx.xxx.xx4:9443;
 
			sticky learn create=$upstream_cookie_jsessionid
			lookup=$cookie_jsessionid
			zone=client_sessions:1m;
}

server {
listen 443;
	server_name as.wso2.com;
	ssl on;
	ssl_certificate /etc/nginx/ssl/wrk.crt;
	ssl_certificate_key /etc/nginx/ssl/wrk.key;
	location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
			   proxy_pass https://ssl.wso2.as.com;
 
			   proxy_http_version 1.1;
			   proxy_set_header Upgrade $http_upgrade;
			   proxy_set_header Connection "upgrade";
    	}
}

Configure Nginx to access the Management Console as https://mgt.as.wso2.com/carbon via HTTPS 443 port. This is to direct requests to the manager node. To do this, create a VHost file (mgt.as.https.conf) in the /etc/nginx/conf.d directory and add the following configurations into it.

Management Console configurations

server {
	listen 443;
	server_name mgt.as.wso2.com;
	ssl on;
	ssl_certificate /etc/nginx/ssl/mgt.crt;
	ssl_certificate_key /etc/nginx/ssl/mgt.key;

	location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
			   proxy_pass https://xxx.xxx.xxx.xx2:9443/;
 
			   proxy_http_version 1.1;
			   proxy_set_header Upgrade $http_upgrade;
			   proxy_set_header Connection "upgrade";
    	}
	error_log  /var/log/nginx/mgt-error.log ;
           access_log  /var/log/nginx/mgt-access.log;
}

Reload the Nginx server.
$sudo service nginx reload

If you have made modifications to anything other than the VHost files, you may need to restart the Nginx server instead of reloading:
$sudo service nginx restart

Create SSL certificates

Create SSL certificates for both the manager and worker nodes using the instructions that follow:

Create the server key.
$sudo openssl genrsa -des3 -out server.key 1024
Create the certificate signing request.
$sudo openssl req -new -key server.key -out server.csr
Remove the password.
$sudo cp server.key server.key.org
$sudo openssl rsa -in server.key.org -out server.key
Sign your SSL certificate.
$sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

While creating keys, enter the host name (as.wso2.com or mgt.as.wso2.com) as the common name.

Configure the Proxy Port in IS nodes

By default, WSO2 Identity Server runs on 9443 port. The following steps describe how you can configure a proxy port of 443.

Open <wso2is-5.3.0>/repository/conf/tomcat/catalina-server.xml file and add the proxy port 443 in https connector as follows.
```
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
	port="9443"
	proxyPort="443" 	
```
It is not possible to configure proxy port from load balancer itself since there is a post request while authenticating to IS Dashboard. So, If you are planning to use Identity server Dashboard, you must do this configuration. Below configurations are also needed if you are using the dashboard.

Configure proxy port and host in <wso2is-5.3.0> /repository/deployment/server/jaggeryapps/dashboard/conf/site.json file as follows:

{
  "proxy":{
 	"proxyHost":"nginx.mycomp.org" 
  	"proxyHTTPSPort":"443", 
  	"proxyContextPath":"", 
  	"servicePath":"/services"
  }		
}

Configure proxy port and host in <wso2is-5.3.0> /repository/deployment/server/jaggeryapps/portal/conf/site.json file as follows:

{
  "proxy":{
 	"proxyHost":"nginx.mycomp.org" 
  	"proxyHTTPSPort":"443", 
  	"proxyContextPath":"" 
  },
  "fido":{
  	"appId":""
  }		
}

Configure proxy port and host in <wso2is-5.3.0> /repository/deployment/server/webapps/shindig/WEB-INF/web.xml

<context-param>
	<param-name> system.properties </param-name>
	<param-value>
  		<![CDATA[
 	shindig.host= 
 	shindig.port=443
 	aKey=/shindig/gadgets/proxy?container=default&url=
 	]]>