Siapkan WSO2 dengan NGINX Reverse Proxy untuk URL khusus

Secara default, antarmuka WSO2 seperti Publisher, Portal Pengembang, dan Carbon masing-masing diakses melalui port :9443/publisher, :9443/devportal dan :9443/carbon. Tetapi saya tidak menyarankan untuk menawarkan titik akhir dengan nomor port kepada pelanggan untuk alasan yang baik. Jadi jika Anda seperti saya dan ingin mengatur jalur proxy khusus seperti https://hostname.com/publisher dll. maka Anda harus memiliki server proxy front-end WSO2 API Manager. Dalam tutorial ini, kita akan menyiapkan WSO2 dengan NGINX reverse proxy untuk memetakan URL proxy dengan URL sebenarnya dari layanan WSO2 yang memungkinkan klien mengakses layanan dengan URL proxy.

Pertimbangkan skenario di mana Anda ingin meng-host layanan WSO2 seperti penerbit, portal pengembang, dan konsol karbon sebagai:

https://tg.com/apim/publisher
https://tg.com/apim/devportal
https://tg.com/apim/carbon
https://tg.com/apim/admin

Di URL di atas, ‘apim ' adalah jalur konteks proxy dari Manajer API.

Cara menyiapkan WSO2 dengan NGINX Reverse Proxy

Jika Anda menyiapkan WSO2 untuk pertama kalinya, buka artikel ini untuk mengetahui langkah-langkah penginstalan.

Instal Server NGINX

Langkah 1: Instal server NGINX dengan menjalankan perintah berikut

sudo apt-get install nginx

Langkah 2: Siapkan sertifikat SSL. Anda dapat menyiapkan sertifikat yang ditandatangani sendiri untuk server pengembangan atau mendapatkannya dari LetsEncrypt untuk server produksi.

Langkah 3 :Buat file konfigurasi NGINX baru di dalam /etc/nginx/conf.d/wso2.conf dan salin-tempel teks di bawah ini.

server {
listen 443 ssl default_server;
listen [::]:443 default_server ipv6only=on;
server_name tg.com www.tg.com;
root /var/www/html;
access_log /var/log/nginx/proxy.log;


ssl_certificate /etc/letsencrypt/live/tg.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/tg.com/privkey.pem; #

ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

rewrite \w*(carbon|admin|devportal|publisher|oidc)$ $1/ permanent;

location /apim/ { 
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;

proxy_pass https://tg.com:9443/;
proxy_redirect https://tg.com/authenticationendpoint/ https://tg.com/apim/authenticationendpoint/;
proxy_redirect https://tg.com/oauth2/ https://tg.com/apim/oauth2/;
proxy_redirect https://tg.com/carbon/ https://tg.com/apim/carbon/;
#proxy_redirect https://tg.com/admin/ https://tg.com/apim/admin/;


proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";


}
location /api/ {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;

proxy_pass https://tg.com:8243/;
proxy_redirect https://tg.com:8243/(.*) https://tg.com/api/$1;

}

location /carbon/admin/js/csrfPrevention.js {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_read_timeout 5m;
proxy_send_timeout 5m;
proxy_pass https://tg.com/apim/carbon/admin/js/csrfPrevention.js;

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}

location /api/am/publisher/v2 {
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://tg.com:9443/api/am/publisher/v2;
proxy_redirect https://tg.com:9443/api/am/publisher/v2 https://tg.com/apim/api/am/publisher/v2;
}
location /api/am/admin/v2 {
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://tg.com:9443/api/am/admin/v2;
proxy_redirect https://tg.com:9443/api/am/admin/v2 https://tg.com/apim/api/am/admin/v2;
}
location /api/am/devportal/v2 {
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://tg.com:9443/api/am/devportal/v2;
proxy_redirect https://tg.com:9443/api/am/devportal/v2 https://tg.com/apim/api/am/devportal/v2;
}

location /oidc {
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://tg.com:9443/oidc;
proxy_redirect https://tg.com:9443/oidc https://tg.com/apim/oidc;
}
location /authenticationendpoint{
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://tg.com:9443/authenticationendpoint;
proxy_redirect https://tg.com:9443/authenticationendpoint https://tg.com/apim/authenticationendpoint;
}

location /oauth2 {
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://tg.com:9443/oauth2;
proxy_redirect https://tg.com:9443/oauth2 https://tg.com/apim/oauth2;
proxy_redirect https://tg.com:9443/authenticationendpoint https://tg.com/apim/authenticationendpoint;
proxy_redirect https://tg.com:9443/devportal https://tg.com/apim/devportal;
proxy_redirect https://tg.com:9443/publisher https://tg.com/apim/publisher;
}
location /logincontext{
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://tg.com:9443/logincontext;
proxy_redirect https://tg.com:9443/logincontext https://tg.com/apim/logincontext;
}
location /commonauth{
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://tg.com:9443/commonauth;
proxy_redirect https://tg.com:9443/commonauth https://tg.com/apim/commonauth;
}

location /api/am/service-catalog/v0{
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://tg.com:9443/api/am/service-catalog/v0;
proxy_redirect https://tg.com:9443/api/am/service-catalog/v0 https://tg.com/apim/api/am/service-catalog/v0;
}
location /uansandbox{
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://tg.com:8443/uansandbox;
proxy_redirect https://tg.com:8443/uansandbox https://tg.com/uansandbox;
}
location /uansandbox/uploadtoken{
index index.html;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://tg.com:8443/uansandbox/uploadtoken;
proxy_redirect https://tg.com:8443/uansandbox/uploadtoken https://tg.com/uansandbox/uploadtoken;
}

}

Langkah 4: Simpan file dan jalankan perintah di bawah ini untuk memastikan konfigurasi bebas dari kesalahan.

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Langkah 5: Mulai ulang server NGINX

# systemctl restart nginx

Perbarui konfigurasi pengelola API

Langkah 6: Tambahkan entri host berikut

127.0.0.1 tg.com

Langkah 7: Perbarui file konfigurasi penerapan seperti di bawah ini dan tambahkan atau perbarui dengan konfigurasi berikut.

# vim <API_M>/repository/conf/deployment.toml

[server]
hostname = "tg.com"
base_path = "${carbon.protocol}://${carbon.host}:${carbon.management.port}/apim"
server_role = "default"
node_ip = "127.0.0.1"
mode = "single" #single or ha
proxy_context_path = "/apim"

[apim.devportal]
url = "https://tg.com/apim/devportal"

[transport.https.properties]
proxyPort = 443

Catatan: Ingatlah untuk mengubah nama host, base_path dengan akhiran “/apim ‘ dan proxy_context_path yaitu ‘/apim ‘.

Langkah 7: Perbarui web.xml.j2 file terletak di ‘//repository/resources/conf/templates/repository/conf/tomcat/carbon/WEB-INF/web.xml.j2 ‘

Dan tambahkan konfigurasi di bawah ini pada level yang sama <context-param> node.

<context-param>
<param-name>contextPath</param-name>
<param-value>apim</param-value>
</context-param>

Langkah 8: Perbarui file konfigurasi web di bawah aplikasi:{}

#vim /repository/deployment/server/jaggeryapps/publisher/site/public/conf/settings.js

context: '/apim/publisher', // Note the leading `/` and no trailing `/`
proxy_context_path: '/apim',
customUrl: { // Dynamically set the redirect origin according to the forwardedHeader host|proxyPort combination
enabled: true,
forwardedHeader: 'X-Forwarded-Host',
},

#vim /repository/deployment/server/jaggeryapps/devportal/site/public/theme/settings.js

context: '/apim/devportal',
proxy_context_path: '/apim',
customUrl: {
enabled: true,
forwardedHeader: 'X-Forwarded-Host',
},

#vim /repository/deployment/server/jaggeryapps/admin/site/public/conf/settings.js

context: '/apim/admin', // Note the leading `/` and no trailing `/`
proxy_context_path: '/apim',
customUrl: { // Dynamically set the redirect origin according to the forwardedHeader host|proxyPort combination
enabled: true,
forwardedHeader: 'X-Forwarded-Host',
},

Langkah 9: Mulai ulang Pengelola API WSO2

#<API_M/bin/api-manager -restart

Itu dia! Sekarang lanjutkan dan akses semua layanan WSO2 melalui URL proxy khusus.

Referensi:

• Siapkan WSO2 dengan NGINX Reverse Proxy
• Alasan menambahkan setelan X-Forwarded-For-header.
• Masalah dengan proxy terbalik untuk DevPortal dan Publisher.