In this blog, I am going to give a step-by-step guide on how to configure WSO2 Identity Server 5.1.0 with a proxy port and proxy host.
Configuring Proxy Port
By default, WSO2 Identity Server runs on port 9443. Here I am going to explain how to configure a proxy port of 443.
- Open the <wso2is-5.1.0>/repository/conf/tomcat/catalina-server.xml file and add proxyPort="443" to the HTTPS connector as follows.
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443" proxyPort="443"
Note: It is not possible to configure the proxy port from the load balancer alone, since there is a POST request while authenticating to the IS Dashboard. So, if you are planning to use the Identity Server Dashboard, this configuration is a must.
Configuring Proxy Host
1. Use the same hostname in both Identity Server and the load balancer
- Open the <wso2is-5.1.0>/repository/conf/carbon.xml file and configure the hostname and management hostname as follows.
<HostName>wso2.is.com</HostName>
<MgtHostName>wso2.is.com</MgtHostName>
- Create a new keystore with the new hostname. The following keytool command creates it.
keytool -genkey -alias wso2carbon -keyalg RSA -keysize 1024 -dname "CN=wso2.is.com,OU=Home,O=Home,L=SL,S=WS,C=LK" -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
Create two new keystores: client-truststore.jks and wso2carbon.jks.
You can follow [1] for more information on how to configure keystores in WSO2 servers.
- Configure Nginx as follows.
upstream ssl.wso2.as.com {
    server wso2.is.com:9443;
}

server {
    listen 443;
    server_name wso2.is.com;
    client_max_body_size 100M;

    ssl on;
    ssl_certificate /etc/ssl/nginx/nginx-repo.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect https://ssl.wso2.as.com https://wso2.is.com;
        proxy_pass https://ssl.wso2.as.com;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
You need to change the paths of ssl_certificate and ssl_certificate_key to match your environment.
- Configure the proxy port and host in the <wso2is-5.1.0>/repository/deployment/server/jaggeryapps/dashboard/conf/site.json file as follows.
{ "proxy" : { "proxyHost" : "wso2.is.com", "proxyHTTPSPort" : "443", "proxyContextPath" : "", "servicePath" : "/services" } }
- Configure the proxy port and host in the <wso2is-5.1.0>/repository/deployment/server/jaggeryapps/portal/conf/site.json file as follows.
{
    "proxy" : {
        "proxyHost" : "wso2.is.com",
        "proxyHTTPSPort" : "443",
        "proxyContextPath" : ""
    },
    "fido" : {
        "appId" : ""
    }
}
- Configure the proxy port and host in the <wso2is-5.1.0>/repository/deployment/server/webapps/shindig/WEB-INF/web.xml file as follows.
<context-param>
    <param-name>system.properties</param-name>
    <param-value>
    <![CDATA[
    shindig.host=wso2.is.com
    shindig.port=443
    aKey=/shindig/gadgets/proxy?container=default&url=
    ]]>
    </param-value>
</context-param>
- Import the load balancer certificate into the client-truststore.jks file.
Note: The load balancer certificate should be issued for the IS hostname.
2. Configure a proxyName in the catalina-server.xml file
If you want to use a proxy name that is different from the Identity Server hostname, you can do so by configuring the catalina-server.xml file. If your load balancer hostname is is.wso2.com and the Identity Server hostname is a-s00001572, the following configuration is needed in order for Identity Server to work behind that proxy name and port.
- Open the <wso2is-5.1.0>/repository/conf/carbon.xml file and configure the hostname and management hostname as follows.
<HostName>a-s00001572</HostName>
<MgtHostName>a-s00001572</MgtHostName>
- Create a new keystore with the new hostname. The following keytool command creates it.
keytool -genkey -alias wso2carbon -keyalg RSA -keysize 1024 -dname "a-s00001572,OU=Home,O=Home,L=SL,S=WS,C=LK" -keypass wso2carbon -keystore wso2carbon.jks -storepass wso2carbon
Create two new keystores: client-truststore.jks and wso2carbon.jks.
You can follow [1] for more information on how to configure keystores in WSO2 servers.
- Configure Nginx as follows.
upstream ssl.wso2.as.com {
    server A-S00001572:9443;
}

server {
    listen 443;
    server_name is.wso2.com;
    client_max_body_size 100M;

    ssl on;
    ssl_certificate /etc/ssl/nginx/nginx-repo.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx-repo.key;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect https://A-S00001572:9443 https://A-S00001572;
        proxy_pass https://ssl.wso2.as.com;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
You need to change the paths of ssl_certificate and ssl_certificate_key to match your environment.
- Configure the proxy port and host in the <wso2is-5.1.0>/repository/deployment/server/jaggeryapps/dashboard/conf/site.json file as follows.
{ "proxy" : { "proxyHost" : "wso2.is.com", "proxyHTTPSPort" : "443", "proxyContextPath" : "", "servicePath" : "/services" } }
- Configure the proxy port and host in the <wso2is-5.1.0>/repository/deployment/server/jaggeryapps/portal/conf/site.json file as follows.
{
    "proxy" : {
        "proxyHost" : "is.wso2.com",
        "proxyHTTPSPort" : "443",
        "proxyContextPath" : ""
    },
    "fido" : {
        "appId" : ""
    }
}
- Configure the proxy port and host in the <wso2is-5.1.0>/repository/deployment/server/webapps/shindig/WEB-INF/web.xml file as follows.
<context-param>
    <param-name>system.properties</param-name>
    <param-value>
    <![CDATA[
    shindig.host=is.wso2.com
    shindig.port=443
    aKey=/shindig/gadgets/proxy?container=default&url=
    ]]>
    </param-value>
</context-param>
- Import the load balancer certificate into the client-truststore.jks file.
Note: The load balancer certificate should be issued for the IS hostname.
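As an added example (not part of the original post or of WSO2), the following Python script checks that the values in the five files edited above agree with each other: it takes the public host from the Connector's proxyName when it is set (the second approach) and from carbon.xml's HostName otherwise (the first approach), then compares both site.json files and shindig's web.xml against that host and the proxyPort. The file contents are constructed samples, and proxyName is the standard Tomcat Connector attribute that section 2 names.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed samples for the second approach above: the load balancer is reached as
# is.wso2.com while the IS node's own HostName is a-s00001572. proxyName is the
# standard Tomcat Connector attribute that section 2 names but does not show.
CATALINA_XML = ('<Server><Service><Connector protocol="org.apache.coyote.http11.Http11NioProtocol" '
                'port="9443" proxyPort="443" proxyName="is.wso2.com"/></Service></Server>')
CARBON_XML = "<Server><HostName>a-s00001572</HostName><MgtHostName>a-s00001572</MgtHostName></Server>"
DASHBOARD_SITE_JSON = ('{"proxy": {"proxyHost": "is.wso2.com", "proxyHTTPSPort": "443", '
                       '"proxyContextPath": "", "servicePath": "/services"}}')
PORTAL_SITE_JSON = '{"proxy": {"proxyHost": "is.wso2.com", "proxyHTTPSPort": "443", "proxyContextPath": ""}, "fido": {"appId": ""}}'
SHINDIG_WEB_XML = ('<web-app><context-param><param-name>system.properties</param-name><param-value><![CDATA[\n'
                   'shindig.host=is.wso2.com\nshindig.port=443\naKey=/shindig/gadgets/proxy?container=default&url=\n'
                   ']]></param-value></context-param></web-app>')

def expected_public_endpoint(catalina_xml, carbon_xml):
    """Host and port a browser must see: proxyName if set, else carbon.xml HostName; and proxyPort."""
    conn = ET.fromstring(catalina_xml).find(".//Connector[@port='9443']")
    host = conn.get("proxyName") or ET.fromstring(carbon_xml).findtext("HostName")
    return host, conn.get("proxyPort")

def shindig_props(web_xml):
    """Parse the key=value lines inside shindig's system.properties context-param."""
    for cp in ET.fromstring(web_xml).iter("context-param"):
        if cp.findtext("param-name") == "system.properties":
            return dict(re.findall(r"^\s*([\w.]+)=(\S*)", cp.findtext("param-value"), re.M))
    return {}

def check_proxy_config(catalina_xml, carbon_xml, dashboard_json, portal_json, web_xml):
    """Return a list of mismatches between the five files; an empty list means they agree."""
    host, port = expected_public_endpoint(catalina_xml, carbon_xml)
    problems = []
    if port != "443":
        problems.append('catalina-server.xml: https Connector lacks proxyPort="443"')
    for name, raw in (("dashboard/conf/site.json", dashboard_json), ("portal/conf/site.json", portal_json)):
        proxy = json.loads(raw).get("proxy", {})
        if proxy.get("proxyHost") != host:
            problems.append(f"{name}: proxyHost {proxy.get('proxyHost')!r} != {host!r}")
        if proxy.get("proxyHTTPSPort") != port:
            problems.append(f"{name}: proxyHTTPSPort {proxy.get('proxyHTTPSPort')!r} != {port!r}")
    props = shindig_props(web_xml)
    for key, want in (("shindig.host", host), ("shindig.port", port)):
        if props.get(key) != want:
            problems.append(f"shindig web.xml: {key} {props.get(key)!r} != {want!r}")
    return problems
```

Running check_proxy_config on the real files (read from disk instead of the constructed strings) before starting the server catches the host/port mismatch that otherwise shows up as a redirect to :9443.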
Running the Server
Now you are done. You will be able to log into the Identity Server Management Console and the Dashboard web app from the following URLs.
Management Console: https://wso2.is.com/carbon/
Dashboard: https://wso2.is.com/dashboard
[1] https://docs.wso2.com/display/Carbon440/Configuring+Keystores+in+WSO2+Products
Thank you very much, especially the nginx http upgrade for the shindig websocket was needed
Thanks! This really helps a lot.
So when having more than one node behind an nginx RP, only the second approach will work, or am I wrong?
Do you write configuration?
Hi Isura, helpful info! I am still having an issue. Maybe my situation is different from your example? I just want to proxy from nginx to wso2-is. My wso2-is is already doing SSL on 9443, I have one server block in nginx for the proxy resembling the first proxy example above (but not exactly the same). I have edited the 3 files in repository/deployment/... as well as catalina-server.xml (https connector proxy port/name), set EnableThriftService false in identity.xml (may have been that way by default), and set host and mgthost in carbon.xml. Everything seems to work, nginx proxies to wso2-is on 9443, I can login to the console without :9443. So I closed 9443 on the firewall thinking it's no longer required with my local proxy, but trying to make a comment here, I am redirected to :9443/authenticationendpoint/login.do?... - note the 9443 :(, I still need to keep 9443 open (on the firewall) for this comment to work; ideally, I'd like everything to go through https/443 on nginx. Maybe this is an issue with nginx following redirects from wso2-is? Thanks for any help.
Here are 2 unrelated questions I also asked here:
http://manulachathurika.blogspot.com/2014/01/import-ssl-certificate-to-wso2-identity.html
- Is it possible to configure wso2-is so Blogger displays not my uid but rather my preferred/friendly name?
- Is it possible to set an avatar on my /openid/ page (right now a broken image), and one that blogger might display?
Thanks again!