Accessing WSO2-APIM using Nginx

1
votes

I am accessing my wso2 apim,store and publisher using Nginx. and want to access using the following:

  1. wso2 api manager to be accessed using nginx url as: https://nginx-ip/wso2am/carbon

  2. wso2 store to be accessed using nginx url as: https://nginx-ip/wso2am/store

  3. wso2 store to be accessed using nginx url as: https://nginx-ip/wso2am/publisher

I tried using nested location block inside location block but wasn't successful. So, now I am working by having a location block for all of them separately but the same also doesn't works.

Here is my nginx configuration file for store:

location /wso2am/store/ 
   {
     proxy_set_header   Host                $host;
     proxy_set_header   X-Real-IP           $remote_addr;
     proxy_set_header   X-Forwarded-Host    $host;
     proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;

     proxy_pass https://wso2-ip:9443/store/;

     proxy_redirect https://$http_host/store/ /wso2am/store/;

     proxy_cookie_path / /wso2am/;

     limit_rate 25M;
     #limit_req zone=wso2am burst=100 nodelay;
   }

For the above configuration the GUI for store doesn't appears properly.

enter image description here

Similarly for publisher and carbon(for apim management console). And the nested nginx configuration is as follows:

   location /wso2am/ {
         location /wso2am/store/
            {
            proxy_set_header   Host                $host;
            proxy_set_header   X-Real-IP           $remote_addr;
            proxy_set_header   X-Forwarded-Host    $host;
            proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;

            proxy_pass https://wso2-ip:9443/store/;

            proxy_redirect https://$http_host/oauth2/callback /oauth2/callback;
            proxy_redirect https://$http_host/ /wso2am/store/;
            proxy_redirect https://$http_host/wso2am/ /wso2am/store/;


            proxy_redirect https://$http_host/store/ /wso2am/store/;

            proxy_cookie_path / /wso2am/;

            limit_rate 25M;

         }
   }

Where do I have to change in headers or any other location to go correct?

Update 1:

My wso2am store and publisher are working after incorporating the comments and using the following nginx conf:

   location /wso2am/ {

            proxy_set_header   Host                $host;
            proxy_set_header   X-Real-IP           $remote_addr;
            proxy_set_header   X-Forwarded-Host    $host;
            proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;

            proxy_pass https://wso2-apim-ip:9443/;
            proxy_redirect https://$http_host/carbon/ /wso2am/carbon/;
            proxy_redirect https://$http_host/store/ /wso2am/store/;
            proxy_redirect https://$http_host/publisher/ /wso2am/publisher/;


            proxy_cookie_path / /wso2am/;

           }

Note: But using the above configuration,I login to apim-carbon,I get logged in and then if I click on any of the options on the home page such as list,add.I get logged out and the reason behind it after investigation was the CSRF token is not being sent in the request while accessing it using Nginx.

How can the csrfprevention.js issue be resolved keeping it true.?

2
nginxwso2wso2-amwso2carbonnginx-reverse-proxy
try to edit <ProxyContextPath>/wso2am</ProxyContextPath> in /repository/conf/carbon.xmlzar3bski

2 Answers

1
votes

Disclamer: this is an incomplete answer, for I am myself digging into this question

I faced the very same issue with both wso2am and wso2ei. I am pretty sure that we need to edit /repository/conf/carbon.xml in this section (I must admit that the comments are not crystal clear):

<!--
       Webapp context root of WSO2 Carbon management console.
    -->
    <WebContextRoot>/wso2am</WebContextRoot>

<!--
        Proxy context path is a useful parameter to add a proxy path when a Carbon server is fronted by reverse proxy. In addition
        to the proxy host and proxy port this parameter allows you add a path component to external URLs. e.g.
            URL of the Carbon server -> https://10.100.1.1:9443/carbon
        URL of the reverse proxy -> https://prod.abc.com/appserver/carbon

    appserver - proxy context path. This specially required whenever you are generating URLs to displace in
    Carbon UI components.
    -->

        <MgtProxyContextPath>/</MgtProxyContextPath> 
        <ProxyContextPath>/wso2am</ProxyContextPath>

The following works if your Nginx listen to 443 in SSL mode (couldn't do it with HTTP because of the redirections -> make a self signed certificate if you plan to use it on a local network) 

    location /wso2am {
        proxy_pass https://wso2_apimanager_container:9443;
        proxy_set_header   Host                $host;
        proxy_set_header   X-Real-IP           $remote_addr;
        proxy_set_header   X-Forwarded-Host    $host;
        proxy_ssl_verify   off;
        proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;
        }

        location /wso2am/store {
            proxy_pass https://wso2_apimanager:9443/store;
        }
        location /wso2am/publisher {
            proxy_pass https://wso2_apimanager:9443/publisher;
        }
        location /wso2am/admin {
            proxy_pass https://wso2_apimanager:9443/admin;
        }
    }

It works but I am not completely sure why. Can someone explain to me in which aspect <MgtProxyContextPath> differs from </MgtProxyContextPath> and from <WebContextRoot>?

allow proxy for admin publisher and store: to make /publisher, /store and /admin accessible, you need to edit the end of their respective site.json located in /repository/deployment/server/jaggeryapps/name_of_the_service/site/conf/site.json . For /publisher, you would write: 

"reverseProxy" : {
        "enabled" : "auto",    // values true , false , "auto" - will look for  X-Forwarded-* headers
        "host" : "some.ip.or.domain", // If reverse proxy do not have a domain name use IP
        "context":"/wso2am/publisher",
      //"regContext":"" // Use only if different path is used for registry
    },

Still have issue with the login though

0
votes

You can follow this guide [1] to configure WSO2 API Manager with Nginx.

[1] - https://docs.wso2.com/display/AM260/Configuring+the+Proxy+Server+and+the+Load+Balancer