Access WSO2 API Manager through a custom proxy path¶
Adding a custom proxy path is useful when you have a proxy server fronting your product server. In this scenario, the "custom proxy path" is used for mapping a proxy URL with the actual URL of your server, which allows clients to access the server with the proxy URL.
In the following hypothetical scenario, devportal, publisher, admin, and carbon console apps are hosted in the knnect.lk domain as follows.
https://knnect.lk/apim/devportal/https://knnect.lk/apim/publisher/https://knnect.lk/apim/admin/https://knnect.lk/apim/carbon/
Note
Once you have configured your products with a proxy server, it will no longer be possible to access the product behind the proxy.
In the above example, "apim" is the "proxy context paths" of API Manager.
When a client sends a request to the proxy entry URL path, e.g.
https://knnect.lk/apim , the request is directed to the
back-end service URL https://<server-ip>:9443/carbon
where the original service lies. Eventually, the client has to be
served via the requested proxy entry URL path. The mapping between the
proxy URL path and the back-end service URL path is resolved by the
reverse proxy server fronting the back-end service.
Step 1: Install and configure a reverse proxy¶
- Download nginx server .
-
Install the nginx server in your deployment server by executing the following command:
sudo apt-get install nginx -
Create a folder called "ssl" inside /etc/nginx, and create the ssl certificates inside this folder by executing the following commands:
sudo mkdir /etc/nginx/ssl cd /etc/nginx/ssl -
The next step is to create the server key and certificates. First create the private key as shown below. Note that a passphrase is prompted when creating the private key.
sudo openssl genrsa -des3 -out server.key 1024 -
Next, create the certificate signing request as shown below.
Fill in the required details. The most important entry is the Common Name. Enter the domain name or the IP address if there is no domain name. In the current example, we can give
knnect.lksudo openssl req -new -key server.key -out server.csr -
Next step is to sign the SSL certificate using the following command:
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crtThe certificate is now created.
-
The last step is to set up the virtual host displaying the new certificate. Create a copy of the default, "sites-enabled" configuration using the following command:
cp /etc/nginx/sites-available/default /etc/nginx/sites-available/wso2If your Nginx installation does not contain "sites-enabled" and "sites-available" folders, follow the steps given below.
- Create /etc/nginx/sites-available and /etc/nginx/sites-enabled.
- Open /etc/nginx/nginx.conf
- Add
include /etc/nginx/sites-enabled/*;into the http block.
-
Now, create a symbolic between the "sites-enabled" directory and the "sites-available" directory using the following command:
ln -s /etc/nginx/sites-available/wso2 /etc/nginx/sites-enabled/wso2The host is now activated.
-
Open the
/etc/nginx/sites-enabled/wso2file and enter the following configurations.server { listen 443 ssl default_server; listen [::]:443 default_server ipv6only=on; server_name knnect.lk office.knnect.com; access_log /var/log/nginx/proxy.log; ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key; ssl_session_timeout 5m; ssl_protocols TLSv1.3 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; rewrite \w*(admin|devportal|publisher)$ $1/ permanent; location /apim/ { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_read_timeout 5m; proxy_send_timeout 5m; proxy_pass https://localhost:9443/; proxy_redirect https://knnect.lk/authenticationendpoint/ https://knnect.lk/apim/authenticationendpoint/; proxy_redirect https://knnect.lk/oauth2/ https://knnect.lk/apim/oauth2/; proxy_redirect https://knnect.lk/carbon/ https://knnect.lk/apim/carbon/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } -
Save the file and restart the Nginx server using the following command to complete the Nginx configuration:
Or start the Nginx server if it's not running.sudo nginx -s reloadsudo nginx
Step 2: Add host entries¶
Add the following host entries
127.0.0.1 knnect.lkStep 3: Update the API Manager configuration - deployment.toml¶
Open repository/conf/deployment.toml and add or update the following configurations.
[server]
hostname = "knnect.lk"
node_ip = "127.0.0.1"
mode = "single" #single or ha
base_path = "${carbon.protocol}://${carbon.host}:${carbon.management.port}/apim"
server_role = "default"
proxy_context_path = "/apim"
[apim.devportal]
url = "https://knnect.lk/apim/devportal"
[transport.https.properties]
proxyPort = 443Note
- The hostname is set to "knnect.lk"
- base_path has a suffix of "/apim" which is the proxy_context_path
- proxy_context_path is set to "/apim"
Step 4: Update the API Manager configuration - web.xml.j2¶
Open the following file.
repository/resources/conf/templates/repository/conf/tomcat/carbon/WEB-INF/web.xml.j2
Add the configuration below with the same level as other <context-param> nodes.
<context-param>
<param-name>contextPath</param-name>
<param-value>apim</param-value>
</context-param>Step 5: Update the API Manager web app configurations¶
Add the following configuration to each web application.
devportal/site/public/theme/settings.js
context: '/apim/devportal',
proxy_context_path: '/apim',publisher/site/public/conf/settings.js
context: '/apim/publisher',
proxy_context_path: '/apim',admin/site/public/conf/settings.js
context: '/apim/admin',
proxy_context_path: '/apim',Now start/restart the API Manager server
The API Manager web applications will be accessible as expected.
Top