Versions Compared

Old Version 5

changes.mady.by.user Former user

Saved on

compared with

New Version 6

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Warning

Although the following section instructs you to use NGINX as the Load Balancerload balancer, you can use any load balancer in your deployment based on your preference.

...

Note
  • All ports are default ports assuming no port offsets are used.
  • The key and the certificate for SSL is assumed to be at the <NGINX_HOME>/ssl/ location. The placeholders {cert_name} and {key_name} are the name of the certificate and key generated.
  • The directories used for acess logs access and error logs should be created if they do not exist.
Localtabgroup
Localtab
activetrue
idSingle-node
titleSingle node deployment
Info
  • The placeholder {node-ip-address} corresponds to the IP address of the backend node in which the WSO2 API-M server is running.
  • In the sample configuration given below, the hostname api.am.wso2.com is used to access all portals (publisher, store, admin, and carbon) and gw.am.wso2.com is used to invoke APIs. Only HTTPS is allowed.
Code Block
upstream sslapi.am.wso2.com {
    server {node-ip-address}:9443;
}

upstream sslgw.am.wso2.com {
    server {node-ip-address}:8243;
}

server {
    listen 80;
    server_name api.am.wso2.com;
    rewrite ^/(.*) https://api.am.wso2.com/$1 permanent;

}

server {
    listen 443;
    server_name api.am.wso2.com;
    proxy_set_header X-Forwarded-Port 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/{cert_name};
    ssl_certificate_key /etc/nginx/ssl/{key_name};
    location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
               proxy_pass https://sslapi.am.wso2.com;
        }

        access_log /etc/nginx/log/am/https/access.log;
        error_log /etc/nginx/log/am/https/error.log;
}

server {
    listen 443;
    server_name gw.am.wso2.com;
    proxy_set_header X-Forwarded-Port 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/{cert_name};
    ssl_certificate_key /etc/nginx/ssl/{key_name};
    location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
               proxy_pass https://sslgw.am.wso2.com;
        }

        access_log /etc/nginx/log/gw/https/access.log;
        error_log /etc/nginx/log/gw/https/error.log;
}
Localtab
idActive-Active-Deployment
titleActive-Active Deployment
Info
  • The placeholders {node-1-ip-address} and {node-2-ip-address} correspond to the IP addresses of the backend nodes in which APIM servers are running.
  • In the sample configuration given below, the hostname api.am.wso2.com is used to access all portals (publisher, store, admin and carbon) and gw.am.wso2.com is used to invoke APIs. Only HTTPS is allowed.
  • This configuration uses a session cookie to configure stickiness. However, if you are using Nginx community version, configuring sticky sessions based on session cookie is not supported. It is possible to use ip_hash method instead.
Note

In a an Active-Active setupdeployment, It is mandatory to set up sticky sesions sessions (session affinity) in the load balancers that front the Publisher and Store, and it is optional in the load balancer (if any) that fronts Key Manager or Gateway.

However, authentication via session ID fails when sticky sesions sessions are disabled in the load balancers of Publisher and store.


Code Block
upstream sslapi.am.wso2.com {
    server {node-1-ip-address}:9443;
    server {node-2-ip-address}:9443;
    #ip_hash;
    sticky learn create=$upstream_cookie_jsessionid
    	lookup=$cookie_jsessionid
    zone=client_sessions:1m;
}

upstream sslgw.am.wso2.com {
    server {node-1-ip-address}:8243;
    server {node-2-ip-address}:8243;
}

server {
    listen 80;
    server_name api.am.wso2.com;
    rewrite ^/(.*) https://api.am.wso2.com/$1 permanent;
}

server {
    listen 443;
    server_name api.am.wso2.com;
    proxy_set_header X-Forwarded-Port 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/{cert_name};
    ssl_certificate_key /etc/nginx/ssl/{key_name};
    location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
               proxy_pass https://sslapi.am.wso2.com;
        }

        access_log /etc/nginx/log/am/https/access.log;
        error_log /etc/nginx/log/am/https/error.log;
}

server {
    listen 443;
    server_name gw.am.wso2.com;
    proxy_set_header X-Forwarded-Port 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/{cert_name};
    ssl_certificate_key /etc/nginx/ssl/{key_name};
    location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
               proxy_pass https://sslgw.am.wso2.com;
        }

        access_log /etc/nginx/log/gw/https/access.log;
        error_log /etc/nginx/log/gw/https/error.log;
}
Localtab
idHA-Gateway
titleHA for Gateway
Info
  • The placeholder {gwm-ip-address} corresponds to the IP addresses of the backend nodes in which Gateway Manager server is running. Similarly, {gw-1-ip-address} and {gw-2-ip-address} are the nodes in which Gateway Workers are running.
  • In the sample configuration given below, the hostname mgtgw.am.wso2.com is used to access management console of of the Gateway Manager and gw.am.wso2.com is used to invoke APIs. Only HTTPS is allowed.
Code Block
upstream mgtgw.am.wso2.com {
    server {gwm-ip-address}:9443;
}

upstream sslgw.am.wso2.com {
    server {gw-1-ip-address}:8243;
    server {gw-2-ip-address}:8243;
}

server {
    listen 80;
    server_name mgtgw.am.wso2.com;
    rewrite ^/(.*) https://mgtgw.am.wso2.com/$1 permanent;
}

server {
    listen 443;
    server_name mgtgw.am.wso2.com;
    proxy_set_header X-Forwarded-Port 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/{cert_name};
    ssl_certificate_key /etc/nginx/ssl/{key_name};
    location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
               proxy_pass https://mgtgw.am.wso2.com;
        }

        access_log /etc/nginx/log/gwm/https/access.log;
        error_log /etc/nginx/log/gwm/https/error.log;
}

server {
    listen 443;
    server_name gw.am.wso2.com;
    proxy_set_header X-Forwarded-Port 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/{cert_name};
    ssl_certificate_key /etc/nginx/ssl/{key_name};
    location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
               proxy_pass https://sslgw.am.wso2.com;
        }

        access_log /etc/nginx/log/gw/https/access.log;
        error_log /etc/nginx/log/gw/https/error.log;
}
Localtab
idHA-Publisher
titleHA for Publisher
Info
  • The placeholders {publisher-1-ip-address} and {publisher-2-ip-address} correspond to the IP addresses of the backend nodes in which APIM Publishers are running.
  • In the sample configuration given below, the hostname publisher.am.wso2.com is used to access publisher portal. Only HTTPS is allowed.
  • This configuration uses a session cookie to configure stickiness. However, if you are using Nginx community version, configuring sticky sessions based on session cookie is not supported. It is possible to use the ip_hash method instead.
Code Block
upstream publisher.am.wso2.com {
    server {publisher-1-ip-address}:9443;
    server {publisher-2-ip-address}:9443;
    #ip_hash;
    sticky learn create=$upstream_cookie_jsessionid
    	lookup=$cookie_jsessionid
    zone=client_sessions:1m;
}

server {
    listen 80;
    server_name publisher.am.wso2.com;
    rewrite ^/(.*) https://publisher.am.wso2.com/$1 permanent;
}

server {
    listen 443;
    server_name publisher.am.wso2.com;
    proxy_set_header X-Forwarded-Port 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/{cert_name};
    ssl_certificate_key /etc/nginx/ssl/{key_name};
    location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
               proxy_pass https://publisher.am.wso2.com;
        }

        access_log /etc/nginx/log/publisher/https/access.log;
        error_log /etc/nginx/log/publisher/https/error.log;
}
Localtab
idHA-Store
titleHA for Store
Info
  • The placeholders {store-1-ip-address} and {store-2-ip-address} correspond to the IP addresses of the backend nodes in which APIM Stores are running.
  • In the sample configuration given below, the hostname store.am.wso2.com is used to access Publisher portal. Only HTTPS is allowed.
  • This configuration uses a session cookie to configure stickiness. However, if you are using Nginx community version, configuring sticky sessions based on session cookie is not supported. It is possible to use ip_hash method instead.
Code Block
upstream store.am.wso2.com {
    server {store-1-ip-address}:9443;
    server {store-2-ip-address}:9443;
    #ip_hash;
    sticky learn create=$upstream_cookie_jsessionid
    	lookup=$cookie_jsessionid
    zone=client_sessions:1m;
}

server {
    listen 80;
    server_name store.am.wso2.com;
    rewrite ^/(.*) https://store.am.wso2.com/$1 permanent;
}

server {
    listen 443;
    server_name store.am.wso2.com;
    proxy_set_header X-Forwarded-Port 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/{cert_name};
    ssl_certificate_key /etc/nginx/ssl/{key_name};
    location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
               proxy_pass https://publisher.am.wso2.com;
        }

        access_log /etc/nginx/log/store/https/access.log;
        error_log /etc/nginx/logs/store/https/error.log;
}
Localtab
idHA-Key-Manager
titleHA for Key Manager
Info
  • The placeholders {km-1-ip-address} and {km-2-ip-address} correspond to the IP addresses of the backend nodes in which APIM Key Managers are running.
  • In the sample configuration given below, the hostname km.am.wso2.com is used to access Key Manager. Only HTTPS is allowed.
  • This configuration uses a session cookie to configure stickiness. However, if you are using Nginx community version, configuring sticky sessions based on session cookie is not supported. It is possible to use ip_hash method instead.
Code Block
upstream km.am.wso2.com {
    server {km-1-ip-address}:9443;
    server {km-2-ip-address}:9443;
    #ip_hash;
    sticky learn create=$upstream_cookie_jsessionid
    	lookup=$cookie_jsessionid
    zone=client_sessions:1m;
}

server {
    listen 80;
    server_name km.am.wso2.com;
    rewrite ^/(.*) https://km.am.wso2.com/$1 permanent;
}

server {
    listen 443;
    server_name km.am.wso2.com;
    proxy_set_header X-Forwarded-Port 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/{cert_name};
    ssl_certificate_key /etc/nginx/ssl/{key_name};
    location / {
               proxy_set_header X-Forwarded-Host $host;
               proxy_set_header X-Forwarded-Server $host;
               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
               proxy_set_header Host $http_host;
               proxy_read_timeout 5m;
               proxy_send_timeout 5m;
               proxy_pass https://km.am.wso2.com;
        }

        access_log /etc/nginx/log/km/https/access.log;
        error_log /etc/nginx/log/km/https/error.log;
}

...