
Reverse Proxy configuration with WSO2 Identity Server 5.0.0


A reverse proxy is a type of proxy that hides back end servers from client applications.

According to the above figure, the original servers are not exposed to the internet; only the reverse proxy is. The client knows only the reverse proxy's IP address, so it believes it is sending requests to the reverse proxy and learns nothing about the original server. This architecture lets you avoid some attacks against the back end servers.

Today I'm going to configure the Apache HTTPD server (as the reverse proxy) in front of WSO2 Identity Server 5.0.

Please download WSO2 Identity Server 5.0 from here.

You can install the Apache httpd server using the commands below.

sudo apt-get update

sudo apt-get install apache2

Restart the newly installed Apache server.

sudo service apache2 restart

Apache is a modular server: only the most basic functionality is included in the core server, so you have to enable the few modules this setup needs (HTTP proxying, SSL and the balancer). Use the commands below.

sudo a2enmod proxy_http
sudo a2enmod ssl
sudo a2enmod proxy_balancer

Generate an RSA private key using the command below. This key is used in the signing process for the certificate.

sudo openssl genrsa -out ca.key 1024


Generate a Certificate Signing Request (CSR) for that key.

sudo openssl req -new -key ca.key -out ca.csr

Generate a self-signed certificate from the CSR.

sudo openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt


Create a new keystore with a private and public key pair for the Identity Server.

keytool -genkey -keyalg RSA -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -validity 360 -keysize 2048

Export the certificate from the keystore.

keytool -export -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -file wso2carbon.pem


Import the public certificate into client-truststore.jks.

keytool -import -alias wso2carbon -file wso2carbon.pem -keystore client-truststore.jks -storepass wso2carbon

Create a virtual host configuration file using the command below and fill it with the sample proxy configuration that follows.

sudo vi /etc/apache2/sites-available/wso2.is.com.conf


Sample mapping of HTTPS requests to the Identity Server

<IfModule mod_proxy.c>
<VirtualHost *:443>
    ServerAdmin techops@wso2.com
    ServerName localhost
    ServerAlias localhost

    # Reverse proxy only: never act as a forward proxy for arbitrary clients
    ProxyRequests Off

    # TLS towards the browser, and TLS again towards the Identity Server back end
    SSLEngine On
    SSLProxyEngine On

    SSLCertificateFile /home/madura/certs/ca.crt
    SSLCertificateKeyFile /home/madura/certs/ca.key

    # <Proxy> requires a URL argument; "*" covers all proxied requests.
    # Order/Allow is Apache 2.2 syntax (needs mod_access_compat on 2.4);
    # the 2.4 equivalent is "Require all granted".
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Only these paths are exposed through the proxy. ProxyPassReverse rewrites
    # the Location headers the back end sends so the browser never sees port 9443.
    ProxyPass /carbon "https://localhost:9443/carbon"
    ProxyPassReverse /carbon "https://localhost:9443/carbon"

    ProxyPass /commonauth "https://localhost:9443/commonauth"
    ProxyPassReverse /commonauth "https://localhost:9443/commonauth"

    ProxyPass /authenticationendpoint "https://localhost:9443/authenticationendpoint"
    ProxyPassReverse /authenticationendpoint "https://localhost:9443/authenticationendpoint"

    ProxyPass /samlsso "https://localhost:9443/samlsso"
    ProxyPassReverse /samlsso "https://localhost:9443/samlsso"
</VirtualHost>
</IfModule>


As a final step, enable the virtual host configuration and restart the server as below.

sudo a2ensite wso2.is.com.conf

sudo service apache2 restart

It's time to test this. Open this URL: https://localhost/carbon
When you navigate to other pages, you should not see any port inside the URL.
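To reason about the "no port in the URL" check offline, here is a small added example (not part of the original post or of WSO2's code) that models the ProxyPass and ProxyPassReverse mappings from the sample virtual host above: it routes client paths to the back end only for the four mapped prefixes, rewrites back end Location headers to the public URL, and flags a redirect that would still leak port 9443. The /oauth2 path used as an unmapped prefix is a constructed example, not something the post configures.

```python
"""Model of the sample vhost's proxy mappings (added example, not from the post)."""
from typing import Optional

PUBLIC_BASE = "https://localhost"         # what the browser sees (port 443 implied)
BACKEND_BASE = "https://localhost:9443"   # WSO2 Identity Server behind the proxy

# The four prefixes from the sample vhost; each ProxyPass has a matching ProxyPassReverse.
PROXY_MAP = {
    "/carbon": f"{BACKEND_BASE}/carbon",
    "/commonauth": f"{BACKEND_BASE}/commonauth",
    "/authenticationendpoint": f"{BACKEND_BASE}/authenticationendpoint",
    "/samlsso": f"{BACKEND_BASE}/samlsso",
}


def _segment_match(path: str, prefix: str) -> bool:
    # ProxyPass matches whole path segments: /carbon covers /carbon and /carbon/..., not /carbonx
    return path == prefix or path.startswith(prefix + "/")


def proxy_pass(client_path: str) -> Optional[str]:
    """Back end URL for a client path, or None when Apache does not proxy it (served locally)."""
    for prefix, target in PROXY_MAP.items():
        if _segment_match(client_path, prefix):
            return target + client_path[len(prefix):]
    return None


def proxy_pass_reverse(location: str) -> str:
    """Rewrite a back end Location header as ProxyPassReverse does (plain prefix match)."""
    for prefix, target in PROXY_MAP.items():
        if location.startswith(target):
            return PUBLIC_BASE + prefix + location[len(target):]
    return location  # unmapped prefix: Apache leaves the header untouched


def leaks_backend_port(location: str) -> bool:
    """True when the browser would still be redirected to the back end host:port."""
    return proxy_pass_reverse(location).startswith(BACKEND_BASE)


if __name__ == "__main__":
    # Constructed redirects: one mapped by the vhost, one (hypothetical /oauth2) that is not
    for loc in (f"{BACKEND_BASE}/carbon/admin/login.jsp", f"{BACKEND_BASE}/oauth2/authorize"):
        verdict = "LEAKS PORT" if leaks_backend_port(loc) else "ok"
        print(f"{loc} -> {proxy_pass_reverse(loc)} [{verdict}]")
```

A leak means a back end redirect points at a prefix the vhost has no ProxyPassReverse for, so the fix is to add the missing mapping pair rather than to touch the back end.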

There are some other configurations needed to complete this setup (define a host name in the product, modify catalina-server.xml, and configure the proxy port and name). Please refer to Asela's blog [1] for more information.

[1] http://xacmlinfo.org/2014/11/16/how-to-developing-identity-server-behind-proxy-or-load-balancer/

Thanks for reading this post.
