...
Open the nginx.conf file and add the following configuration for the worker nodes.
Note: The URL used by the worker nodes is
work.emm.wso2.com
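. (make sure this is properly set up in DNS pointing to the load balancer)
# Worker-node front end: plain HTTP on port 80 and HTTPS on port 443, both
# proxied to the EMM worker nodes. ip_hash pins a client IP to one node
# (session stickiness).
upstream work.emm.wso2.com {
    ip_hash;
    server xxx.xxx.xxx.xxx:9763;   # worker node 1, HTTP transport
    server xxx.xxx.xxx.xxx:9763;   # worker node 2, HTTP transport
}

server {
    listen 80;
    server_name work.emm.wso2.com;
    # NOTE(review): this listener proxies requests (and any credentials they
    # carry) in clear text to the nodes; once HTTPS works, consider replacing
    # the location block with `return 301 https://$host$request_uri;`.
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass http://work.emm.wso2.com;
        # WebSocket pass-through. Connection is forced to "upgrade" on every
        # request; the form shown in the nginx docs uses a
        # `map $http_upgrade $connection_upgrade` so that ordinary requests are
        # not marked as upgrades.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

upstream ssl.work.emm.wso2.com {
    ip_hash;
    server xxx.xxx.xxx.xxx:9443;   # worker node 1, HTTPS transport
    server xxx.xxx.xxx.xxx:9443;   # worker node 2, HTTPS transport
}

server {
    # `listen ... ssl` replaces the deprecated `ssl on;` directive.
    listen 443 ssl;
    server_name work.emm.wso2.com;
    # Certificate and key presented to clients. The original example pointed
    # at the author's local machine (/Users/...); /etc/nginx/certs matches the
    # mutual SSL example on this page -- adjust to the real location.
    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    # No ssl_protocols / ssl_ciphers are set, so the nginx defaults apply; pin
    # them explicitly if the deployment has a TLS policy to meet.
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        # Re-encrypts towards the nodes. nginx does not verify the upstream
        # certificate by default; set `proxy_ssl_verify on;` together with
        # `proxy_ssl_trusted_certificate` unless the node network is isolated.
        proxy_pass https://ssl.work.emm.wso2.com;
        # WebSocket pass-through (same caveat as in the port-80 server above).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}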
For a mutual-SSL-enabled setup, note the following changes:
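# Changes for Mutual SSL enabled deployment
server {
    # `listen ... ssl` replaces the deprecated `ssl on;` directive.
    listen 443 ssl;
    # NOTE(review): the non-mutual-SSL worker server on this page uses
    # server_name work.emm.wso2.com; confirm which hostname clients connect to.
    server_name ssl.work.emm.wso2.com;
    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    # CA that issued the client certificates; a presented client certificate
    # is verified against it.
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    # optional: a client certificate is requested but not required. A
    # certificate that is presented but fails verification is still rejected
    # by nginx (only optional_no_ca tolerates an untrusted issuer).
    ssl_verify_client optional;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        # Subject DN of the verified client certificate, passed to EMM.
        # proxy_set_header replaces any PROXY-MUTUAL-AUTH-HEADER the client
        # sent, and nginx omits the header when the value is empty (no
        # certificate presented), so EMM may treat its presence as proof of
        # verification -- but only for traffic that arrived through this proxy:
        # the nodes' port 9443 must not be reachable directly, or the header
        # can be supplied by anyone who can reach it.
        # On newer nginx versions the DN format changed; use
        # $ssl_client_s_dn_legacy to keep the previous format.
        proxy_set_header PROXY-MUTUAL-AUTH-HEADER $ssl_client_s_dn;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        # Re-encrypts towards the nodes; nginx does not verify the upstream
        # certificate unless `proxy_ssl_verify on;` is configured.
        proxy_pass https://ssl.work.emm.wso2.com;
        # WebSocket pass-through; Connection is forced to "upgrade" on every
        # request (the nginx docs use a `map $http_upgrade $connection_upgrade`).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}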
ssl_certificate - defines the SSL certificate that nginx presents to clients.
ssl_certificate_key - defines the private key of that SSL certificate.
ssl_client_certificate - the CA certificate used to sign the client certificates (nginx verifies presented client certificates against it).
ssl_verify_client - on | off | optional | optional_no_ca. Refer to the nginx documentation for details:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
proxy_set_header PROXY-MUTUAL-AUTH-HEADER $ssl_client_s_dn; - This header is set so that the EMM server can validate the client details.
With recent nginx versions the format of $ssl_client_s_dn has changed, so $ssl_client_s_dn_legacy must be used instead of $ssl_client_s_dn to obtain the previous format.
Open the nginx.conf file and add the following configuration for the manager nodes.
Note: The URL used by the manager nodes is
mgt.emm.wso2.com
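. (make sure this is properly set up in DNS pointing to the load balancer)
# Manager-node front end: plain HTTP on port 80 and HTTPS on port 443, both
# proxied to the EMM manager nodes. ip_hash pins a client IP to one node.
upstream mgt.emm.wso2.com {
    ip_hash;
    server xxx.xxx.xxx.xxx:9763;   # manager node 1, HTTP transport
    server xxx.xxx.xxx.xxx:9763;   # manager node 2, HTTP transport
}

server {
    listen 80;
    server_name mgt.emm.wso2.com;
    # NOTE(review): the management console is proxied in clear text here;
    # once HTTPS works, consider replacing the location block with
    # `return 301 https://$host$request_uri;`.
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass http://mgt.emm.wso2.com;
        # WebSocket pass-through; Connection is forced to "upgrade" on every
        # request (the nginx docs use a `map $http_upgrade $connection_upgrade`).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

upstream ssl.mgt.emm.wso2.com {
    ip_hash;
    server xxx.xxx.xxx.xxx:9443;   # manager node 1, HTTPS transport
    server xxx.xxx.xxx.xxx:9443;   # manager node 2, HTTPS transport
}

server {
    # `listen ... ssl` replaces the deprecated `ssl on;` directive.
    listen 443 ssl;
    server_name mgt.emm.wso2.com;
    # Certificate and key presented to clients. The original example pointed
    # at the author's local machine (/Users/...); /etc/nginx/certs matches the
    # mutual SSL example on this page -- adjust to the real location.
    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    # No ssl_protocols / ssl_ciphers are set, so the nginx defaults apply.
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        # Re-encrypts towards the nodes; nginx does not verify the upstream
        # certificate unless `proxy_ssl_verify on;` (with
        # `proxy_ssl_trusted_certificate`) is configured.
        proxy_pass https://ssl.mgt.emm.wso2.com;
        # WebSocket pass-through (same caveat as in the port-80 server above).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}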
Open the
nginx.conf
file and add the following configuration for the key manager or identity provider node. Note: The key manager’s URL is
keymgt.emm.wso2.com
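. (make sure this is properly set up in DNS pointing to the load balancer)
# Key-manager / identity-provider front end: plain HTTP on port 80 and HTTPS
# on port 443, both proxied to the key manager nodes. ip_hash pins a client IP
# to one node.
upstream keymgt.emm.wso2.com {
    ip_hash;
    server xxx.xxx.xxx.xxx:9763;   # key manager node 1, HTTP transport
    server xxx.xxx.xxx.xxx:9763;   # key manager node 2, HTTP transport
}

server {
    listen 80;
    server_name keymgt.emm.wso2.com;
    # NOTE(review): token and login traffic to the key manager is proxied in
    # clear text here; once HTTPS works, consider replacing the location block
    # with `return 301 https://$host$request_uri;`.
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        proxy_pass http://keymgt.emm.wso2.com;
        # WebSocket pass-through; Connection is forced to "upgrade" on every
        # request (the nginx docs use a `map $http_upgrade $connection_upgrade`).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

upstream ssl.keymgt.emm.wso2.com {
    ip_hash;
    server xxx.xxx.xxx.xxx:9443;   # key manager node 1, HTTPS transport
    server xxx.xxx.xxx.xxx:9443;   # key manager node 2, HTTPS transport
}

server {
    # `listen ... ssl` replaces the deprecated `ssl on;` directive.
    listen 443 ssl;
    server_name keymgt.emm.wso2.com;
    # Certificate and key presented to clients. The original example pointed
    # at the author's local machine (/Users/...); /etc/nginx/certs matches the
    # mutual SSL example on this page -- adjust to the real location.
    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    # No ssl_protocols / ssl_ciphers are set, so the nginx defaults apply.
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_read_timeout 5m;
        proxy_send_timeout 5m;
        # Re-encrypts towards the nodes; nginx does not verify the upstream
        # certificate unless `proxy_ssl_verify on;` (with
        # `proxy_ssl_trusted_certificate`) is configured.
        proxy_pass https://ssl.keymgt.emm.wso2.com;
        # WebSocket pass-through (same caveat as in the port-80 server above).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}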
...