Apache Reverse Proxy Configuration for WSO2 API Manager
I recently had to deal with WSO2 API Manager and its installation and configuration behind a reverse proxy. I wanted to serve the store, publisher and dashboard under one public URL and the gateway under another. Of course, I wanted to allow only HTTPS access to the apps, and I did not want to expose the Carbon admin console, which must stay available only behind the firewall.
I found some documentation on the Internet, but nothing that did exactly what I wanted:
- WSO2 documentation: only deals with the apps configuration
- Sanjeewa Malalgoda's blog: not exactly my needs, and based on nginx
- Shavantha's blog: not exactly my needs, and based on nginx
- And some posts on Stack Overflow
Since I ran into several problems and tested many configurations before finding the correct settings, I decided to publish a post about it.
Schema
(Figure: the target setup, with one public URL for the store/publisher/dashboard apps and another for the gateway.)
Apache Configuration
This configuration has been tested with WSO2 API Manager 1.9 on RHEL 6.6 with Apache 2.2.15, and on Debian Jessie with Apache 2.4.10.
Apache module prerequisites
We need the proxy, proxy_http, ssl and rewrite modules (mod_proxy, mod_proxy_http, mod_ssl and mod_rewrite).
Virtual hosts configuration
Below is the configuration for the gateway virtual host.
```apache
<VirtualHost *:80>
    DocumentRoot /var/www/apim
    ServerName api.mycompany.com
    UseCanonicalName On
    ProxyRequests Off
    ProxyPass / http://bckserver1.mycompany.com:8280/
    ProxyPassReverse / http://bckserver1.mycompany.com:8280/
    CustomLog /var/log/httpd/api.mycompany.com.access.log combined
    ErrorLog /var/log/httpd/api.mycompany.com.error.log
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/apim
    ServerName api.mycompany.com
    ProxyRequests Off
    UseCanonicalName On
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/ssl.crt/api.mycompany.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ssl.key/api.mycompany.com.key
    SSLCertificateChainFile /etc/httpd/ssl/ssl.crt/MyCA.crt
    SSLProxyEngine On
    # Disables CN and expiry checks on the backend certificate: the hop to WSO2
    # is encrypted but the backend is not authenticated by Apache.
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    ProxyPass / https://bckserver1.mycompany.com:8243/
    ProxyPassReverse / https://bckserver1.mycompany.com:8243/
    CustomLog /var/log/httpd/api.mycompany.com.access.log combined
    ErrorLog /var/log/httpd/api.mycompany.com.error.log
</VirtualHost>
```
And below, the configuration for the apps virtual host.
```apache
<VirtualHost *:80>
    DocumentRoot /var/www/apim
    ServerName mycompany.com
    UseCanonicalName On
    CustomLog /var/log/httpd/mycompany.com.access.log combined
    ErrorLog /var/log/httpd/mycompany.com.error.log
    # Plain HTTP only redirects to HTTPS
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^mycompany.com
    RewriteRule (.*) https://mycompany.com%{REQUEST_URI} [R=permanent,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName mycompany.com
    DocumentRoot /var/www/apim
    UseCanonicalName On
    CustomLog /var/log/httpd/mycompany.com.log combined
    ErrorLog /var/log/httpd/mycompany.com.error.log
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/ssl.crt/mycompany.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/ssl.key/mycompany.com.key
    SSLCertificateChainFile /etc/httpd/ssl/ssl.crt/myCA.crt
    SSLProxyEngine On
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerExpire Off
    ProxyRequests Off
    # Store and publisher fetch some resources (pictures, API documents) through the registry
    <Location ~ "^/store/(.*)registry/(.*)$">
        ProxyPass https://bckserver1.mycompany.com:9443/$1registry$2
    </Location>
    <Location ~ "^/publisher/(.*)registry/(.*)$">
        ProxyPass https://bckserver1.mycompany.com:9443/$1registry$2
    </Location>
    <Location /store>
        ProxyPass https://bckserver1.mycompany.com:9443/store
        ProxyPassReverse https://bckserver1.mycompany.com:9443/store
    </Location>
    <Location /publisher>
        ProxyPass https://bckserver1.mycompany.com:9443/publisher
        ProxyPassReverse https://bckserver1.mycompany.com:9443/publisher
    </Location>
    <Location /registry>
        ProxyPass https://bckserver1.mycompany.com:9443/registry
        ProxyPassReverse https://bckserver1.mycompany.com:9443/registry
    </Location>
    <Location /admin-dashboard>
        ProxyPass https://bckserver1.mycompany.com:9443/admin-dashboard
        ProxyPassReverse https://bckserver1.mycompany.com:9443/admin-dashboard
    </Location>
    # No <Location /carbon>: the Carbon admin console is not proxied
</VirtualHost>
```
Note the two special rules for store and publisher, which need to send some requests to the registry (for example, to download pictures or resources linked to APIs).
Of course, we only expose the apps; we do not expose the Carbon admin console or any other apps.
For now, that is all I need. But I suppose that later I will have to expose other URIs like /services or /oauth2; I will then update the configuration in this post.
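As an added example (not from the original post), the following Python script checks an apps virtual host against the "only expose the apps" intent above: it parses the Location blocks, flags any path proxied to WSO2 that is not in the intended list, any plaintext http:// backend hop on the TLS vhost, and the disabled backend certificate checks. The sample vhost is constructed and deliberately contains two defects; the allowlist and finding texts are my own.

```python
import re
# Constructed sample (not the post's exact file): the TLS apps vhost, trimmed, with two
# deliberate defects for the audit to catch: a plaintext hop for /publisher and an exposed /carbon.
SAMPLE_VHOST = """
<VirtualHost *:443>
    SSLProxyCheckPeerCN Off
    <Location ~ "^/store/(.*)registry/(.*)$">
        ProxyPass https://bckserver1.mycompany.com:9443/$1registry$2
    </Location>
    <Location /store>
        ProxyPass https://bckserver1.mycompany.com:9443/store
    </Location>
    <Location /publisher>
        ProxyPass http://bckserver1.mycompany.com:9763/publisher
    </Location>
    <Location /carbon>
        ProxyPass https://bckserver1.mycompany.com:9443/carbon
    </Location>
</VirtualHost>
"""
# Paths the post intends to publish; any other proxied path is a finding.
ALLOWED_PREFIXES = ("/store", "/publisher", "/registry", "/admin-dashboard")
LOCATION_RE = re.compile(r"<Location\s+(.+?)>(.*?)</Location>", re.S)
PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)", re.M)  # does not match ProxyPassReverse
PEER_CHECK_RE = re.compile(r"^\s*(SSLProxyCheckPeer\w*|SSLProxyVerify)\s+(off|none)\b", re.M | re.I)
FIRST_SEGMENT_RE = re.compile(r"^\^?(/[\w-]+)")  # leading literal segment of a path or regex


def first_segment(location_arg: str) -> str:
    # Works for a plain prefix ('/store') and for the regex form ('~ "^/store/..."').
    arg = location_arg.strip()
    if arg.startswith("~"):
        arg = arg[1:].strip().strip('"')
    m = FIRST_SEGMENT_RE.match(arg)
    return m.group(1) if m else arg


def audit_vhost(conf: str) -> list:
    # Findings: proxied paths outside the allowlist, plaintext backend hops, disabled backend cert checks.
    findings = []
    for loc, body in LOCATION_RE.findall(conf):
        seg = first_segment(loc)
        for m in PROXYPASS_RE.finditer(body):  # a Location without ProxyPass is served locally
            target = m.group(1)
            if seg not in ALLOWED_PREFIXES:
                findings.append(f"{seg}: proxied to {target} but not in the allowlist")
            if target.startswith("http://"):
                findings.append(f"{seg}: plaintext hop to backend {target}")
    for directive, value in PEER_CHECK_RE.findall(conf):
        findings.append(f"{directive} {value}: backend certificate not fully verified")
    return findings
```

Run it against the real vhost file (read the file into `audit_vhost`) after every change; an empty result means only the intended prefixes are proxied, all over HTTPS.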
WSO2 API Manager Configuration
In the API Manager, I needed to edit some configuration files:
In $APIM_HOME/repository/conf/tomcat/catalina-server.xml, add proxyPort and hostname to the SSL Connector:
```xml
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9443"
           proxyPort="443"
           hostname="mycompany.com"
```
In $APIM_HOME/repository/conf/axis2/axis2.xml, add proxyPort and hostname to the HTTP and HTTPS transport receivers:
```xml
<transportReceiver name="http" class="org.apache.synapse.transport.passthru.PassThroughHttpListener">
    <parameter name="port" locked="false">8280</parameter>
    <parameter name="non-blocking" locked="false">true</parameter>
    <parameter name="proxyPort" locked="false">80</parameter>
    <parameter name="hostname" locked="false">api.mycompany.com</parameter>
    <!-- ... -->

<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
    <parameter name="port" locked="false">8243</parameter>
    <parameter name="non-blocking" locked="false">true</parameter>
    <parameter name="proxyPort" locked="false">443</parameter>
    <parameter name="hostname" locked="false">api.mycompany.com</parameter>
```
In $APIM_HOME/repository/conf/api-manager.xml, modify the gateway URLs:
```xml
<APIGateway>
    <!-- The environments to which an API will be published -->
    <Environments>
        <!-- Environments can be of different types. Allowed values are 'hybrid', 'production' and 'sandbox'.
             An API deployed on a 'production' type gateway will only support production keys
             An API deployed on a 'sandbox' type gateway will only support sandbox keys
             An API deployed on a 'hybrid' type gateway will support both production and sandbox keys -->
        <Environment type="hybrid" api-console="true">
            <Name>Production and Sandbox</Name>
            <Description>Description of environment</Description>
            <!-- Server URL of the API gateway. -->
            <ServerURL>https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/</ServerURL>
            <!-- Admin username for the API gateway. -->
            <Username>admin</Username>
            <!-- Admin password for the API gateway. -->
            <Password>admin</Password>
            <!-- Endpoint URLs for the APIs hosted in this API gateway. -->
            <GatewayEndpoint>http://api.mycompany.com:80,https://api.mycompany.com:443</GatewayEndpoint>
        </Environment>
    </Environments>
```
Following the WSO2 documentation, I also needed to edit the store and publisher configuration files:
In $APIM_HOME/repository/deployment/server/jaggeryapps/store/site/conf/site.json:
```json
"reverseProxy" : {
    "enabled" : true, // values true , false , "auto" - will look for X-Forwarded-* headers
    "host" : "mycompany.com", // If reverse proxy do not have a domain name use IP
    "context":"/store",
    //"regContext":"" // Use only if different path is used for registry
},
```
In $APIM_HOME/repository/deployment/server/jaggeryapps/publisher/site/conf/site.json:
```json
"reverseProxy" : {
    "enabled" : true, // values true , false , "auto" - will look for X-Forwarded-* headers
    "host" : "mycompany.com", // If reverse proxy do not have a domain name use IP
    "context":"/publisher",
    //"regContext":"" // Use only if different path is used for registry
},
```
Following Sanjeewa Malalgoda's blog, I also imported the public SSL certificate into the WSO2 keystore (client-truststore.jks), but I did not see any problems without this step.
```bash
keytool -import -file mycompany.crt -keystore client-truststore.jks -storepass wso2carbon -alias mycompany
```
Finally, restart everything!
Hi, could you please help me. I'm now configuring API Manager to be published by Apache httpd.
1. What is the file to edit for this? (configuration for the gateway virtual host)
2. What is the file to edit for this? (configuration for the apps virtual host)
Hi,
The configuration files of your httpd installation depend on your Linux distro.
Even if you can directly edit httpd.conf (Red Hat based) / apache2.conf (Debian based) to add a virtual host, the best way is to create a configuration file for each virtual host.
On Debian-based systems in /etc/apache2/sites-available, on Red Hat based systems in /etc/httpd/vh or /etc/httpd/sites-available.
Maybe you can find some useful information by googling "apache2 virtual host". See: https://www.linode.com/docs/websites/apache/apache-web-server-debian-8, https://www.linux.com/blog/multiple-virtual-hosts-centos-7-or-rhel-7 and https://httpd.apache.org/docs/2.4/en/vhosts/examples.html.