WSO2 API manager behind reverse proxy (Apache) - wso2-api-manager

I'm trying to put the WSO2 API Manager 1.8.0 behind an Apache proxy but it does not work.
I modified catalina-server.xml and set proxyPort but it still redirects me to port 9443. Other pages (like publish/) redirect to localhost.
I also set the correct hostname (using <HostName> and <MgtHostName>) in carbon.xml.
I suspect there are some other configuration settings which must be changed. Is there an overview available with everything you need to change in order to put the API Manager behind a reverse proxy?

In catalina-server.xml you can set the proxy port for http and https. So for the management console you need to add proxyPort to the https connector as follows:
<!-- https connector in catalina-server.xml: add proxyPort; the connector's remaining attributes are omitted here and stay unchanged -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="9443"
proxyPort="443"
bindOnInit="false"
sslProtocol="TLS"
maxHttpHeaderSize="8192"
acceptorThreadCount="2"
/>
Check this post on how the publisher app's site.json and the store app's site.json should be modified for a reverse proxy. There you can set the host name (your proxy) and even the context path. (This post explains it with nginx; the same is applicable to Apache.)
http://sanjeewamalalgoda.blogspot.in/2014/12/configure-wso2-api-manager-with-reverse.html

Related

Reverse proxy with http inbound, https outbound, and parent proxy

I have an application that needs to use a proxy (call it proxy1) to access some https endpoints outside of its network. The application doesn't support proxy settings, so I'd like to provide it a reverse proxy url, and I would prefer not to provide tls certs for proxy1, so I would use http for application -> proxy1.
I don't have access to the application host or forward proxy mentioned below, so I cannot configure networking there.
The endpoints the application needs are https, so proxy1 must make its outbound connections via https.
Finally, this whole setup is within a corporate network that requires a forward proxy (call it proxy2) for outbound internet, so my proxy1 needs to chain to proxy2 / use it as a parent.
I tried squid and it worked well for http only, but I couldn't get it to accept http inbound while using https outbound. Squid easily supported the parent proxy2.
I tried haproxy, but had the same result as with squid.
I tried nginx and it did what I wanted with http -> proxy -> https, but doesn't support a parent proxy. I considered setting up socat as in this answer, or using proxy_pass and proxy_set_header as in this answer, but I can't shake the feeling there's a cleaner way to achieve the requirements.
This doesn't seem like an outlandish setup, is it? Or is there a preferred approach for it? Ideally one using squid or nginx.
You can achieve this without the complexity by using a port forwarder like socat. Just install it on a host to do the forwarding (or locally on the app server if you wish to) and create a listener that forwards connections through the proxy server. Then on your application host use a local name resolution override to map the FQDN to the forwarder.
So, the final config should be the app server using a URI that points to the forwarding server (using its address if no name resolution exists), which has a socat listener that points to the corporate proxy. No reverse proxy required.
socat TCP4-LISTEN:443,reuseaddr,fork \
PROXY:{proxy_address}:{endpoint_fqdn}:443,proxyport={proxy_port}
Just update with your parameters.

Rancher 2 disable HTTP to HTTPS redirect

SSL redirect is enabled by default in a Kubernetes NGINX ingress on Rancher 2. We changed the config map and redeployed the nginx-ingress in the system namespace, but the redirect still happens. Has someone managed to disable it?
Unfortunately I don't think you will be able to disable SSL in Rancher v2.
As per the Rancher documentation:
For security purposes, SSL (Secure Sockets Layer) is required when using Rancher. SSL secures all Rancher network communication, like when you login or interact with a cluster.
You can find there a few ways to apply these certs:
Default Rancher-generated Self-signed Certificate
Bring Your Own Certificate, Self-signed
Bring Your Own Certificate, Signed by a Recognized CA
Let's Encrypt Certificate
Inside this doc you have hyperlinks to further Rancher docs.
As Rancher by default deploys the nginx controller, you should also check the Rancher docs about the Nginx Controller.
As an update, Rancher can disable http -> https redirection by disabling the ingress's TLS and setting a custom header "X-Forwarded-Proto: https" from the ingress controller -> rancher,
reference:
https://github.com/rancher/rancher/issues/35088

Visit Kubernetes dashboard through nginx proxy

I wanted to visit my dashboard on a local Kubernetes installation (using docker for mac). I was 'blocked'. I have to provide a token or my config which is normal since the RBAC updates.
Now I don't want to kubectl proxy or enable port forwarding every time I want to visit my dashboard so I installed an nginx proxy with a ingress (tls) which redirects me to https://kubernetes-dashboard.kube-system.svc.cluster.local:443.
This works fine but now I'm a bit confused because I can see the dashboard now, without facing the RBAC issue.
I read this here:
To make Dashboard use authorization header you simply need to pass Authorization: Bearer <token> in every request to Dashboard. This can be achieved i.e. by configuring reverse proxy in front of Dashboard. Proxy will be responsible for authentication with identity provider and will pass generated token in request header to Dashboard. Note that Kubernetes API server needs to be configured properly to accept these tokens.
But it's still not very clear to me. Can someone explain to me why I can see the dashboard when I create a proxy in front of it?
A proxy is usually needed to transfer data between different segments of the network without connecting them directly.
Each segment of the network is "talking" to the proxy host without any knowledge of the existence of the other network segment.
The proxy server is responsible for all negotiations and operations concerning request and response packets. So, to enable authentication, authorization, SSL termination and many other things you need to configure your proxy server according to your needs.
If you can see the Kubernetes dashboard via a proxy in front of it, it just means that you did not configure any security on that proxy.
For example, to learn how to configure Nginx Ingress to protect a service with basic authentication in your cluster, consider reading this article.
For a more complex security setup, read the article about securing Kubernetes services with Ingress, TLS and LetsEncrypt.
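The basic-auth protection the answer points to, written out as an added example (not the linked article's own manifest). It assumes an ingress-nginx controller, a Secret "dashboard-basic-auth" in kube-system built from an htpasswd file, the dashboard Service name and port from the question, and placeholder values for the hostname and TLS Secret.

```yaml
# Added example: an ingress-nginx Ingress that gates the dashboard behind
# HTTP basic authentication, so the proxy no longer hands the dashboard to
# anyone who can reach the proxy. Assumptions (not from the page):
#   - Secret "dashboard-basic-auth" exists in kube-system, created with
#       htpasswd -c auth admin
#       kubectl -n kube-system create secret generic dashboard-basic-auth --from-file=auth
#   - the dashboard Service is "kubernetes-dashboard" on port 443 in
#     kube-system (the name used in the question)
#   - "dashboard.example.com" and Secret "dashboard-tls" are placeholders
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
  annotations:
    # the proxy authenticates the browser before forwarding anything
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: dashboard-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Kubernetes Dashboard"
    # the dashboard itself serves HTTPS, so re-encrypt on the hop from the
    # ingress controller to the dashboard pod instead of talking plain HTTP
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - dashboard.example.com
    secretName: dashboard-tls
  rules:
  - host: dashboard.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
```

Basic auth only decides who reaches the dashboard; the dashboard still asks for a token or kubeconfig, and what that identity may do is decided by RBAC in the API server, not by the proxy.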

How to force wso2 api manager keymanager component using http?

Currently in the gateway configuration I have to set the protocol to https like:
<ServerURL>https://10.130.10.110:9443/services/</ServerURL>
10.130.10.110:9443 is the https end point of the keymanager. If I switch to the http end point, the token validation will fail.
I searched all the WSO2 AM documentation and all the config samples are pointing to the keymanager using https. It looks like the key manager only supports https; is it possible to change it to http? Because all the servers are deployed inside one VPC, there is no need to use http. The https is too heavy and the overall API gateway performance doesn't look good.
Thanks!

Atlassian Crucible through AWS ELB with HTTPS

I've recently set up a Crucible instance in AWS connected via an HTTPS ELB. I have an nginx reverse proxy set up on the instance as well to redirect HTTP requests to HTTPS.
This partially works. However, Crucible itself doesn't know it's running over HTTPS, so it serves up mixed content, and ajax queries often break due to HTTP -> HTTPS conflicts.
I've found documentation for installing a certificate in Crucible directly...
https://confluence.atlassian.com/fisheye/fisheye-ssl-configuration-298976938.html
However I'd really rather not have to do it this way. I want to have the HTTPS terminated at the ELB, to make it easier to manage centrally through AWS.
I've also found documentation for using Crucible through a reverse proxy...
https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html
However this doesn't specifically deal with HTTPS.
All I really need is a way to ensure that Crucible doesn't serve up content with hard coded internal HTTP references. It needs to either leave off the protocol, or set HTTPS for the links.
Setting up the reverse proxy configuration should help accomplish this. Under Administration >> Global Settings >> Server >> Web Server set the following:
Proxy scheme: https
Proxy host: elb.hostname.com
Proxy port: 443
And restart Crucible.
Making the configuration in the UI is one way. You can also change config.xml in $FISHEYE_HOME:
<web-server site-url="https://your-public-crucible-url">
<http bind=":8060" proxy-host="your-public-crucible-url" proxy-port="443" proxy-scheme="https"/>
</web-server>
Make sure to shut down FishEye/Crucible before making this change.
AFAIK, this configuration is the only way to tell the internal Jetty of FishEye/Crucible to be aware of the reverse proxy in front of them.
